生成ssl证书(tomcat)

生成ssl证书(tomcat)

http://m.w2bc.com/article/53896



https 单向认证

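# One-way TLS: only the server presents a certificate (clientAuth="false" in the Connector below).
# Create the server key pair in a JKS keystore; -genkey also produces a self-signed certificate.
# -keysize 2048 is given explicitly because older keytool releases default RSA to 1024 bits.
# -dname: no stray spaces after "=" so OU/O are exactly the intended names.
# -storepass/-keypass on the command line end up in shell history and in `ps` output;
# leave them off and keytool prompts for them instead.
keytool -genkey -keyalg RSA -keysize 2048 -dname "cn=www.gangling.site,ou=www.gangling.site,o=gangling.site,l=jiangsu,st=nanjing,c=cn" -alias tomcat.server -keypass 123456 -keystore tomcat.keystore -storepass 123456 -validity 3650

# Emit a certificate signing request for the server key (the file is the server's request,
# despite the "ca" name). No -storepass here, so keytool prompts for the store password.
keytool -certReq -alias tomcat.server -keystore tomcat.keystore -file ca.csr

# Export the self-signed server certificate so clients can import it as a trusted cert.
keytool -export -alias tomcat.server -keystore tomcat.keystore -file ca.cer -storepass 123456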


(protocol 可填 org.apache.coyote.http11.Http11Protocol 或 HTTP/1.1)
<Connector SSLEnabled="true" clientAuth="false"
        maxThreads="150" port="8443"
        protocol="HTTP/1.1"
        scheme="https" secure="true" sslProtocol="TLS"
        keystoreFile="tomcat.keystore" keystorePass="123456"/>




keytool 双向认证


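# Two-way TLS with keytool only: a server keystore plus a client PKCS#12 whose certificate is
# imported back into the server keystore as a trusted entry.
# Windows paths are double-quoted: left unquoted, bash reads the "\t" in c:\tomcat.keystore as
# an escaped "t" and the file becomes c:tomcat.keystore.
# -storepass/-keypass on the command line leak into shell history and `ps`; omit them to be prompted.

# Server key pair (self-signed cert). -keysize 2048 is explicit; older keytool defaulted RSA to 1024.
# CN=localhost only satisfies hostname checks for clients that connect via "localhost".
keytool -genkey -v -alias tomcat -keyalg RSA -keysize 2048 -validity 3650 -keystore "c:\tomcat.keystore" -dname "CN=localhost,OU=cn,O=cn,L=cn,ST=cn,c=cn" -storepass password -keypass password

# Export the server certificate (DER) for distribution to clients.
keytool -export -alias tomcat -keystore "c:\tomcat.keystore" -file "c:\tomcat.cer" -storepass password

# Client key pair directly in a PKCS#12 store (browsers import .p12 files).
keytool -genkey -v -alias myKey -keyalg RSA -keysize 2048 -storetype PKCS12 -validity 3650 -keystore "C:\my.p12" -dname "CN=MyKey,OU=cn,O=cn,L=cn,ST=cn,c=cn" -storepass password -keypass password

# Export the client certificate in PEM form (-rfc).
keytool -export -alias myKey -keystore "C:\my.p12" -storetype PKCS12 -storepass password -rfc -file "C:\my.cer"

# Import the client certificate into the server keystore as a trusted certificate, so the
# Connector can use this same keystore as its truststore when clientAuth="true".
keytool -import -v -file "C:\my.cer" -keystore "c:\tomcat.keystore" -storepass password

# Verify the entries (server key entry + trusted client cert).
keytool -list -keystore "c:\tomcat.keystore" -storepass password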



openssl 双向认证

生成CA证书
创建私钥 :
# CA private key (2048-bit RSA). No cipher option is given, so it is written unencrypted;
# this key is the trust anchor for everything below, so restrict access to it
# (genrsa -aes256 would passphrase-protect the file).
openssl genrsa -out ca/ca-key.pem 2048
创建证书请求 :
# CSR for the CA itself; no -subj is given, so openssl prompts for the subject fields.
openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem
自签署证书 :
# Self-sign the CA request (issuer == subject) for 10 years. No -extfile/-extensions are
# requested, so the certificate will not carry basicConstraints CA:TRUE unless this OpenSSL
# build adds defaults; some validators require it on an issuer -- TODO confirm with the
# client software in use.
openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 3650
将证书导出成浏览器支持的.p12格式 :
# PKCS#12 bundle of the CA certificate AND its private key (-inkey); openssl prompts for an
# export password. Importing this into a browser installs the CA private key there -- for
# trusting the CA only the certificate (ca/ca-cert.pem) needs to be distributed.
openssl pkcs12 -export -clcerts -in ca/ca-cert.pem -inkey ca/ca-key.pem -out ca/ca.p12

生成Server证书
创建私钥 :
# Server private key (2048-bit RSA), written unencrypted (no cipher option given).
openssl genrsa -out server/server-key.pem 2048
创建证书请求
# Server CSR; openssl prompts for the subject. The CN (or a SAN) must be the hostname clients
# use to reach the server, otherwise hostname verification fails on the client side.
openssl req -new -out server/server-req.csr -key server/server-key.pem
用 CA 签署证书 :
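# Issue the server certificate from the CA; the CSR already carries the server public key.
# -signkey was dropped: it means "self-sign with this key", and combining it with -CA/-CAkey is
# ambiguous across OpenSSL versions (older releases apply both signatures in option order), so
# only the CA signature is requested here. -CAcreateserial creates ca/ca-cert.srl on first use.
openssl x509 -req -in server/server-req.csr -out server/server-cert.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650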
将证书导出成浏览器支持的.p12格式 :
# Server certificate + private key as PKCS#12. The Connector below loads it via
# keystoreFile="server.p12" keystoreType="PKCS12"; the export password typed here must match
# its keystorePass.
openssl pkcs12 -export -clcerts -in server/server-cert.pem -inkey server/server-key.pem -out server/server.p12

生成Client证书
创建私钥 :
# Client private key (2048-bit RSA), written unencrypted (no cipher option given).
openssl genrsa -out client/client-key.pem 2048
创建证书请求
# Client CSR; openssl prompts for the subject (typically the user or device identity).
openssl req -new -out client/client-req.csr -key client/client-key.pem
用 CA 签署证书 :
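# Issue the client certificate from the CA; the CSR already carries the client public key.
# -signkey was dropped: it means "self-sign with this key", and combining it with -CA/-CAkey is
# ambiguous across OpenSSL versions (older releases apply both signatures in option order), so
# only the CA signature is requested here. -CAcreateserial reuses/creates ca/ca-cert.srl.
openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650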

导出客户端 .p12，并将客户端证书导入 jks 信任库 :
# Client certificate + private key as PKCS#12 for import into the browser/client keystore.
# This file contains the client private key, so hand it to that user only; openssl prompts
# for the export password.
openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12


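# Build the server-side truststore from the client certificate. Importing the leaf pins this
# one client; importing ca/ca-cert.pem instead would trust every certificate the CA issues --
# choose deliberately. -storepass on the command line is visible in shell history and `ps`;
# omit it to be prompted.
keytool -import -alias test3 -v -file client/client-cert.pem -keystore ca/truststore.jks -storepass 222222

# Verify the trusted entry.
keytool -list -keystore ca/truststore.jks -storepass 222222

# Remove the entry again (cleanup/demo). The alias must be the one imported above; the
# original used "myKey", which this store never contained, so the delete would fail.
keytool -delete -alias test3 -keystore ca/truststore.jks -storepass 222222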


<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                maxThreads="150" scheme="https" secure="true"
                clientAuth="true" sslProtocol="TLS"
                keystoreFile="server.p12" keystorePass="111111"  keystoreType="PKCS12"
                truststoreFile="truststore.jks" truststorePass="222222" truststoreType="JKS"/>





转载自gangling.iteye.com/blog/2270722