Tomcat Server/Client Self-Signed SSL Certificate

I have an Apache Tomcat 6.x server running with a self-signed SSL certificate. I want the client to present their own certificate to the server so I can authenticate them based on a database of users. I have it all working based on an example I found online, but the example came with canned certificates and a pre-built JKS datastore. I want to create my own datastore with my own certs but am having no luck.

How do I create a datastore for Tomcat?
How do I create a self-signed certificate for Tomcat?

How do I create a self-signed certificate for the client?
How do I force Tomcat to trust the signature of the client?

I've been playing with java keytool for many hours now.

Finally got the solution to my problem, so I'll post the results here in case anyone else gets stuck.

Thanks to Michael Martin of Michael's Software Thoughts & Ramblings I discovered that:

keytool by default uses the DSA algorithm when generating the self-signed cert. Earlier versions of Firefox accepted these keys without problem. With Firefox 3 beta 5, using DSA doesn't work, but using RSA does. Passing "-keyalg RSA" when generating the self-signed certificate creates a cert that Firefox 3 beta 5 fully accepts.

I simply set that flag, cleared all caches in Firefox and it worked like a charm! I am using this as a test setup for my project and I need to share this with other people, so I wrote a little batch script that creates two SSL certificates. One can be dropped into the Tomcat setup and the other is a .p12 file that can be imported into Firefox/IE. Thanks!

Usage: the first command-line argument is the username of the client. All passwords are "password" (without the quotes). Change any of the hard-coded bits to meet your needs.

@echo off
if "%1" == "" goto usage

rem Server key pair + self-signed certificate, kept in the JKS keystore that Tomcat will load.
keytool -genkeypair -alias servercert -keyalg RSA -dname "CN=Web Server,OU=Unit,O=Organization,L=City,S=State,C=US" -keypass password -keystore server.jks -storepass password
rem Client key pair + self-signed certificate, stored as PKCS#12 so a browser can import it.
keytool -genkeypair -alias %1 -keystore %1.p12 -storetype pkcs12 -keyalg RSA -dname "CN=%1,OU=Unit,O=Organization,L=City,S=State,C=US" -keypass password -storepass password
rem Export only the client's public certificate (never the private key) ...
keytool -exportcert -alias %1 -file %1.cer -keystore %1.p12 -storetype pkcs12 -storepass password
rem ... and add it to the server keystore as a trusted entry, so Tomcat accepts this client.
keytool -importcert -keystore server.jks -alias %1 -file %1.cer -v -trustcacerts -noprompt -storepass password
keytool -list -v -keystore server.jks -storepass password
del %1.cer
goto end

:usage
echo Need user id as first argument: generate_keystore [username]
goto end

:end
pause

The results are two files. One called server.jks that you drop into Tomcat and another file called {username}.p12 that you import into your browser. The server.jks file has the client certificate added as a trusted cert.

I hope someone else finds this useful.

And here is the XML that needs to be added to your Tomcat conf/server.xml file (only tested on Tomcat 6.x):

<Connector
   clientAuth="true" port="8443" minSpareThreads="5" maxSpareThreads="75"
   enableLookups="true" disableUploadTimeout="true"
   acceptCount="100" maxThreads="200"
   scheme="https" secure="true" SSLEnabled="true"
   keystoreFile="${catalina.home}/conf/server.jks"
   keystoreType="JKS" keystorePass="password"
   truststoreFile="${catalina.home}/conf/server.jks"
   truststoreType="JKS" truststorePass="password"
   SSLVerifyClient="require" SSLEngine="on" SSLVerifyDepth="2" sslProtocol="TLS"
/>

For Tomcat 7:

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" SSLEnabled="true"
           maxThreads="200" scheme="https" secure="true"
           keystoreFile="${catalina.base}/conf/server.jks" keystorePass="password"
           clientAuth="false" sslProtocol="TLS" />

To enable client authentication, you need to specify a "trust store" for Tomcat: a key store containing certificates from the root certification authorities that you trust, each flagged as a "trustEntry".

This is specified by the Connector element's attributes: truststoreFile, truststorePass (which defaults to the value of keystorePass), and truststoreType (which defaults to "JKS").

If a client is using a self-signed certificate, then its "root" CA is the certificate itself; it follows, then, that you need to import the client's self-signed certificate into Tomcat's trust store.

If you have many clients, this will quickly become a hassle. In that case, you might want to look into signing certificates for your clients. The Java keytool command can't do this, but all of the necessary command-line utilities are available in OpenSSL. Or you could look into something like EJBCA on a large scale.

Better yet, ask your clients to use an existing free CA, like startcom.org. This doesn't always work for server certificates, because StartCom's certificate isn't included in all browsers, but here the situation is reversed, and the StartCom root certificate could easily be imported into the Tomcat trust store.
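Putting the "sign certificates for your clients with OpenSSL" suggestion above into working commands, as an added example that is not part of any of the original answers: a minimal private CA built with OpenSSL that signs one client certificate per user, so Tomcat's trust store only ever needs the single CA certificate instead of every user's self-signed cert. The file names (ca.cnf, truststore.jks), the keytool alias testca, the example users alice and bob, the subject fields and the password "password" are all assumptions of this example, not anything from the original answers.

```shell
#!/usr/bin/env bash
# Added example (not from the original answers): a minimal private CA with
# OpenSSL that signs per-user client certificates, so Tomcat trusts ONE CA
# certificate instead of every user's self-signed cert. The file names,
# the alias "testca", the users and the password "password" are assumptions.
set -eu

# A self-contained OpenSSL config, so the extensions do not depend on the
# system openssl.cnf: v3_ca marks the root as a CA, v3_client marks leaf
# certs as client-auth only (a leaf must never be able to sign further certs).
write_config() {
  local dir=$1
  cat >"$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no

[ dn ]
CN = Example Test CA

[ v3_ca ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_client ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# CA key + self-signed CA certificate: the only cert Tomcat's trust store needs.
make_ca() {
  local dir=$1
  write_config "$dir"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt"
}

# One user: key + CSR (normally made on the client side), CA signature with the
# client-only extensions, then a PKCS#12 bundle the browser can import.
issue_client_cert() {
  local dir=$1 user=$2
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/ca.cnf" \
    -subj "/CN=$user/OU=Unit/O=Organization" \
    -keyout "$dir/$user.key" -out "$dir/$user.csr"
  openssl x509 -req -sha256 -days 365 -in "$dir/$user.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/ca.cnf" -extensions v3_client -out "$dir/$user.crt"
  openssl pkcs12 -export -name "$user" -in "$dir/$user.crt" -inkey "$dir/$user.key" \
    -certfile "$dir/ca.crt" -out "$dir/$user.p12" -passout pass:password
}

# Returns 0 only if the leaf chains to our CA AND carries the clientAuth EKU.
verify_client_cert() {
  local dir=$1 user=$2 eku
  openssl verify -CAfile "$dir/ca.crt" "$dir/$user.crt" || return 1
  eku=$(openssl x509 -in "$dir/$user.crt" -noout -ext extendedKeyUsage) || return 1
  case "$eku" in
    *"TLS Web Client Authentication"*) return 0 ;;
    *) echo "$user.crt is not a client-auth certificate" >&2; return 1 ;;
  esac
}

# Import only the CA certificate into a trust store kept separate from the
# keystore that holds the server's private key.
import_ca_into_truststore() {
  local dir=$1
  keytool -importcert -noprompt -trustcacerts -alias testca \
    -file "$dir/ca.crt" -keystore "$dir/truststore.jks" -storepass password
}

if [ "${1-}" = "--demo" ]; then
  workdir=${2:-./pki}
  mkdir -p "$workdir"
  make_ca "$workdir"
  for user in alice bob; do
    issue_client_cert "$workdir" "$user"
    verify_client_cert "$workdir" "$user"
  done
  if command -v keytool >/dev/null 2>&1; then
    import_ca_into_truststore "$workdir"
  fi
fi
```

Run it as `bash make_client_ca.sh --demo ./pki`, then point the connector's truststoreFile at pki/truststore.jks with clientAuth="true" while keystoreFile keeps pointing at the keystore holding the server key, and hand each user only their own .p12 (ca.key never leaves the CA machine). Revoking a user then means removing nothing from Tomcat; you either let the short-lived leaf expire or add a CRL, which the self-signed-per-user approach cannot offer. A quick handshake check from the command line is `openssl s_client -connect host:8443 -cert pki/alice.crt -key pki/alice.key`, which shows whether the server requested and accepted the certificate.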

Create certificate:

keytool -genkey -alias tomcat -keyalg RSA -keystore /home/bob/mykeystore

Enter all the data for the self-signed certificate you need, then edit Tomcat's server.xml and specify the keystore properties on the SSL connector, e.g.:

<Connector port="8443" maxHttpHeaderSize="8192"
        maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
        enableLookups="false" disableUploadTimeout="true"
        acceptCount="100" scheme="https" secure="true"
        keystoreFile="/home/bob/mykeystore"
        clientAuth="false" sslProtocol="TLS" />

or follow the Tomcat docs...

http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

The previous answers are useful to me, but don't have a shell tool version. So I wrote one.

key_gen.sh:

#! /bin/bash
# a key generator for https

basename=server
key_algorithm=RSA
password_key=123456
password_store=123456
country=US

# clean - pre (-f so the script does not fail on the first run, when no keystore exists yet)
rm -f "${basename}.jks"

# generate server side: RSA key pair + self-signed certificate in a JKS keystore for Tomcat
keytool -genkeypair -alias "${basename}cert" -keyalg $key_algorithm -dname "CN=Web Server,OU=Unit,O=Organization,L=City,S=State,C=${country}" -keypass $password_key -keystore "${basename}.jks" -storepass $password_store

For Tomcat 8, you can add the following config to server.xml:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
        maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
        clientAuth="false" sslProtocol="TLS"
        acceptCount="75" keystoreFile="${catalina.home}/conf/server.jks" keystorePass="123456"
    />
