
Tomcat and SSL Client certificate

I would like to have the following scenario:

  1. create my own CA
  2. create a server certificate and sign it with my CA
  3. create multiple client certificates and sign them with my CA

Next I would like to authenticate every client which presents a certificate signed by my CA.

Is it possible to realize such a scenario without adding every single client certificate to my Tomcat keystore? I would just like to verify that the certificate the client presents is issued and signed by my CA.

Yes, that's certainly possible, and I have done exactly this. If you configure Tomcat with a truststore containing your CA certificate then it should accept any client certificate signed by that CA.

I'll assume you have your CA key and root certificate already generated and you know how to use it to turn CSRs into certificates.

First generate your server key, and a corresponding CSR:

$ openssl genrsa -out XXX.key 2048
$ openssl req -new -nodes -key XXX.key -out XXX.csr

Use your CA certificate to sign the CSR, producing a server certificate XXX.crt. Now package the server key, server cert and CA cert into a single PKCS#12 file:

$ cat XXX.crt ca-certificate.pem | openssl pkcs12 -export -inkey XXX.key -out XXX.p12 -name tomcat -caname myauthority

You will be prompted for several passwords by this process; set them all to the same value (it doesn't matter what this value is and it doesn't have to be a secure password, it just has to be non-empty - I use changeit).

This .p12 file can now act as the keystore for Tomcat. Next you need to create a separate JKS keystore containing just the CA certificate to use as the truststore:

$ keytool -import -alias myauthority -keystore truststore.jks -file ca-certificate.pem

Again, reply to all password prompts with the same non-empty password, such as changeit.

Finally you can configure Tomcat:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           connectionTimeout="20000"
           keystoreFile="${catalina.home}/conf/XXX.p12"
           keystoreType="PKCS12"
           keystorePass="changeit"
           truststoreFile="${catalina.home}/conf/truststore.jks"
           truststoreType="JKS"
           truststorePass="changeit"
           clientAuth="true" sslProtocol="TLS" />

Disclaimer: Use a self-signed root certificate only in a development environment.

For a more complete overview (step-by-step):

Create a root certificate
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365

Create a key and CSR
openssl genrsa -out mycert.key 2048
openssl req -new -nodes -key mycert.key -out mycert.csr

Sign the CSR with your root certificate
openssl x509 -req -in mycert.csr -CA cert.pem -CAkey key.pem -CAcreateserial -out mycert.pem

Create a PKCS#12 certificate with the cert and key
openssl pkcs12 -export -out mycert.p12 -inkey mycert.key -in mycert.pem

Create a separate JKS keystore containing just the CA certificate (to use as the truststore)
keytool -import -alias my-ca -keystore truststore.jks -file cert.pem

This works with the Tomcat configuration of Ian Roberts.
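The two answers above describe the same PKI: one CA, a server certificate and client certificates all signed by it, with only the CA certificate in Tomcat's truststore. The script below is an added example (not code from either answer) that builds that PKI non-interactively in a temporary directory and then runs the check the truststore effectively performs: a client certificate is accepted if and only if it chains to the trusted CA. It also creates a second, unrelated CA and a certificate signed by it to show that such a certificate is rejected even though it is a perfectly valid certificate. All file names, subject names and the `changeit` password are constructed for this demo; the `trusted_by_ca` helper is the example's own, not an OpenSSL or Tomcat facility.

```shell
#!/bin/sh
# Added example (not from the original answers): build a throwaway CA, a server
# certificate and two client certificates, then verify that chain validation
# against the CA certificate alone accepts both clients and rejects a
# certificate issued by an unrelated CA. Names and paths are constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# 1. Our own CA: a self-signed root. -nodes leaves the key unencrypted (demo only).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=Demo Root CA" -keyout ca.key -out ca.pem 2>/dev/null

# Helper: private key + CSR + certificate signed by the given CA (cert, key).
issue_cert() {
  name="$1"; ca_cert="$2"; ca_key="$3"
  openssl genrsa -out "$name.key" 2048 2>/dev/null
  openssl req -new -nodes -key "$name.key" -subj "/CN=$name" -out "$name.csr" 2>/dev/null
  openssl x509 -req -in "$name.csr" -CA "$ca_cert" -CAkey "$ca_key" -CAcreateserial \
    -days 365 -sha256 -out "$name.pem" 2>/dev/null
}

# 2. Server certificate and 3. two client certificates, all signed by our CA.
issue_cert server  ca.pem ca.key
issue_cert client1 ca.pem ca.key
issue_cert client2 ca.pem ca.key

# An unrelated CA and a client certificate it signed: must NOT be accepted.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=Other CA" -keyout other-ca.key -out other-ca.pem 2>/dev/null
issue_cert rogue other-ca.pem other-ca.key

# The decision the truststore makes: does this certificate chain to our CA?
# Exit status 0 = trusted, non-zero = rejected. Nothing per-client is stored.
trusted_by_ca() {
  openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1
}

# Server keystore for Tomcat: key + server cert + CA cert in one PKCS#12 file,
# with the password supplied non-interactively instead of via prompts.
openssl pkcs12 -export -inkey server.key -in server.pem -certfile ca.pem \
  -name tomcat -passout pass:changeit -out server.p12

# The truststore (JKS) only needs the CA certificate; keytool is optional here
# so the script still runs on a machine without a JDK.
if command -v keytool >/dev/null 2>&1; then
  keytool -importcert -noprompt -alias my-ca -keystore truststore.jks \
    -storepass changeit -file ca.pem >/dev/null 2>&1
fi

if trusted_by_ca client1.pem && trusted_by_ca client2.pem; then
  echo "client1 and client2: accepted (chain to Demo Root CA)"
fi
if ! trusted_by_ca rogue.pem; then
  echo "rogue: rejected (issued by Other CA, not in the truststore)"
fi
echo "artifacts in $WORK"
```

Run it as `sh demo.sh`; set `WORK=/some/dir` to keep the generated files. The point to take from it is that `trusted_by_ca` never looks at a list of client certificates, only at `ca.pem`, which is exactly why the truststore in the Connector configuration above needs nothing but the CA certificate, and why anyone holding the CA key can mint a certificate Tomcat will accept: protect that key accordingly.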

You should look at openSSL: http://openssl.org/ or, if you want to get certificates from an existing CA for free (but have to do so every month), visit http://www.startssl.com/
