The JDK comes with a tool to generate SSL certificates

Foreword: Recently I have been going through a security evaluation, and one of the requirements is that the application system must use HTTPS encryption for its communication.

Tools: apache-tomcat-7.0.79, jdk1.7, browser Google Chrome or IE

1. The difference between HTTPS and HTTP

  1. HTTP is the Hypertext Transfer Protocol and transmits information in clear text; HTTPS is HTTP carried over the secure SSL encrypted transport protocol.

  2. HTTP and HTTPS use completely different connections: HTTP uses port 80 and HTTPS uses port 443.

2. Self-signed certificate

  Self-signed certificates are certificates you generate yourself rather than certificates issued by an official CA. Officially issued certificates have to be paid for.

  In addition, a certificate generated by keytool cannot be issued for an IP address; always use the domain name that the browser will connect to. Since this is only a test, localhost is used here.

3. Use the JDK's own tool keytool to generate self-signed certificates

  1. Generate a certificate for the server

  Open a CMD window and cd to the bin directory of the JDK (or open the bin folder in Explorer, hold down Shift, right-click, and choose "Open command window here").

  Use the keytool command to generate a certificate:

  keytool -genkey -alias tomcat -keypass 123456 -keyalg RSA -keysize 1024 -validity 365 -keystore D:/keys/tomcat.keystore -storepass 123456

  Option description:

  -genkey: generate a key pair and a self-signed certificate for it
  -alias tomcat: alias of the entry in the keystore
  -keypass 123456: password protecting the private key of this alias
  -keyalg RSA: key algorithm
  -keysize 1024: key length in bits
  -validity 365: validity period in days
  -keystore D:/keys/tomcat.keystore: location and file name of the generated keystore
  -storepass 123456: password for the keystore itself

  Note that the folder D:/keys must exist before you run the command, otherwise keytool fails because the folder cannot be found.


  2. Generate a certificate for the client

  Generate a certificate for the browser so that the server can verify the client. It is written directly to a PKCS12 file, which the browser can import.

  keytool -genkey -alias client1 -keypass 123456 -keyalg RSA -keysize 1024 -validity 365 -storetype PKCS12 -keystore D:/keys/client1.p12 -storepass 123456


4. Let the server trust the client certificate

  1. Since a keystore in PKCS12 format cannot be imported directly, you must first export the client certificate as a separate CER file with the following command (the keystore password is needed to open the PKCS12 file):

  keytool -export -alias client1 -keystore D:/keys/client1.p12 -storetype PKCS12 -storepass 123456 -file D:/keys/client1.cer


  2. Import the file into the server's keystore and add it as a trusted certificate (the -alias gives the imported certificate a recognisable name; without it keytool uses "mykey"):

  keytool -import -v -alias client1 -file D:/keys/client1.cer -keystore D:/keys/tomcat.keystore -storepass 123456


5. Let the client trust the server certificate

  1. Since this is two-way SSL authentication, the client must also verify the server certificate, so the server certificate has to be added to the browser's "Trusted Root Certification Authorities". A keystore in JKS format cannot be imported directly either, so first export the server certificate as a separate CER file with the following command:

  keytool -keystore D:/keys/tomcat.keystore -storepass 123456 -export -alias tomcat -file D:/keys/server.cer

  2. Double-click the server.cer file, follow the prompts to install the certificate, and place it under "Trusted Root Certification Authorities".


  After the import succeeds, finish the setup in the browser. Google Chrome is used as the example here:


  Advanced Settings - HTTPS/SSL - Manage Certificates


  In the Intermediate Certification Authorities tab, export the localhost certificate (its name is the first and last name you entered when generating the server certificate earlier), then import the exported certificate under Trusted Root Certification Authorities, and it is done.
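The keytool steps of sections 3 to 5 as one non-interactive script with a verification step, added here as an example and not part of the original post. It assumes a POSIX shell with the JDK's keytool on PATH (Git Bash or WSL on Windows), takes the output directory as an argument instead of D:/keys, and uses 2048-bit keys and a SAN extension, which current browsers require in place of the CN alone.

```shell
# Non-interactive version of the keytool procedure, plus a check of the result.
# Assumptions (not from the original post): keytool on PATH, output dir passed as $1.
set -eu

PASS="123456"        # the post's demo password; change it outside a test environment
HOST="localhost"     # must be the host name the browser connects to, never an IP

make_keystores() {
  dir="$1"
  mkdir -p "$dir"   # the folder must exist before keytool writes into it
  # Server key pair: -dname replaces the interactive name prompts, 2048-bit RSA instead
  # of the post's 1024, and a SAN extension because browsers match the host name to it.
  keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$HOST, OU=test, O=test, L=test, ST=test, C=CN" -ext "SAN=dns:$HOST" \
    -storetype JKS -keystore "$dir/tomcat.keystore" -storepass "$PASS" -keypass "$PASS"
  # Client key pair in a PKCS12 file that the browser can import
  keytool -genkeypair -alias client1 -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=client1, OU=test, O=test, L=test, ST=test, C=CN" \
    -storetype PKCS12 -keystore "$dir/client1.p12" -storepass "$PASS" -keypass "$PASS"
  # Export the client certificate and import it into the server keystore as a trusted entry
  keytool -exportcert -alias client1 -storetype PKCS12 -keystore "$dir/client1.p12" \
    -storepass "$PASS" -file "$dir/client1.cer"
  keytool -importcert -noprompt -alias client1 -file "$dir/client1.cer" \
    -keystore "$dir/tomcat.keystore" -storepass "$PASS"
  # Export the server certificate for the browser's "Trusted Root Certification Authorities"
  keytool -exportcert -alias tomcat -keystore "$dir/tomcat.keystore" \
    -storepass "$PASS" -file "$dir/server.cer"
}

# Returns 0 only when the server keystore holds its own private key, the client certificate
# as a trusted entry, and the exported server certificate carries the expected CN.
verify_keystores() {
  dir="$1"
  listing=$(keytool -list -keystore "$dir/tomcat.keystore" -storepass "$PASS")
  printf '%s\n' "$listing" | grep -q '^tomcat, .*PrivateKeyEntry' || return 1
  printf '%s\n' "$listing" | grep -q '^client1, .*trustedCertEntry' || return 1
  keytool -printcert -file "$dir/server.cer" | grep -q "CN=$HOST" || return 1
}
```

Run make_keystores and then verify_keystores with the same directory, and point keystoreFile and truststoreFile in the Connector at the tomcat.keystore it produced.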


6. Configure the Tomcat server

  <Connector port="8443"
             protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
             maxThreads="150"
             scheme="https"
             secure="true"
             clientAuth="true"
             sslProtocol="TLS"
             keystoreFile="D:/keys/tomcat.keystore"
             keystorePass="123456"
             truststoreFile="D:/keys/tomcat.keystore"
             truststorePass="123456" />

  Property description:

  clientAuth: whether to require two-way authentication; the default is false, and true means the client must present a certificate
  keystoreFile: path of the server keystore file
  keystorePass: password of the server keystore
  truststoreFile: the keystore holding the certificates used to verify client certificates; here it is the server keystore, into which the client certificate was imported
  truststorePass: password of that truststore


  [Copyright Statement] Please indicate the source for reprinting: http://www.cnblogs.com/hsjava1/p/8991173.html 
