HTTPS simple configuration

1. Tomcat configuration that does not verify the client certificate (one-way):
  In a cmd window, change to the JDK bin directory (E:\program\Java\jdk1.7.0_55\bin) and generate the server keystore:
  keytool -genkey -v -alias qiyufeng -keyalg RSA -keystore E:\key\qiyufeng.keystore -validity 36500

  Then modify conf/server.xml in Tomcat:
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="E:\\key\\qiyufeng.keystore" keystorePass="haohao"
             truststoreFile="E:\\key\\qiyufeng.keystore" truststorePass="haohao" />

Add a hosts entry that points the domain name qiyufeng.com to 127.0.0.1, then visit: https://qiyufeng.com:8443/


2. Configure two-way verification (two-way verification is required for large-value or important transactions, such as banking):
1. Generate a certificate for the server
Open the "Run" console and change to the %JAVA_HOME%/bin directory with the following command:
cd "c:\Program Files\Java\jdk1.6.0_11\bin"
Use keytool to generate a certificate for Tomcat. Assume that the domain name of the target machine is "localhost", that the keystore file is stored as "D:\home\tomcat.keystore", and that the password is "password". Generate it with the following command:
keytool -genkey -v -alias tomcat -keyalg RSA -keystore D:\home\tomcat.keystore -validity 36500
(Parameter summary: "-keystore D:\home\tomcat.keystore" is the path where the certificate file is saved, the file name being tomcat.keystore; "-validity 36500" is the validity period of the certificate in days, 36500 being 100 years, with a default of 90 days; "-alias tomcat" is the custom name of the certificate entry.)
Fill in the required parameters on the command line:
A. Enter the keystore password: a string of more than 6 characters is required here.
B. "What is your first and last name?" This is required and must be the domain name or IP of the host on which Tomcat is deployed (e.g. gbcom.com or 10.1.25.251), that is, the address you will later type into the browser; otherwise the browser will pop up a warning window saying that the certificate does not match the domain. For local development tests, fill in "localhost".
C. "What is the name of your organizational unit?", "What is the name of your organization?", "What is the name of your City or Locality?", "What is the name of your State or Province?" and "What is the two-letter country code for this unit?" can be filled in as needed, or left blank by pressing Enter. The system then asks "Is ... correct?": check the entered information and type "y" if it is correct, otherwise type "n" to re-enter it.
D. Enter the key password for <tomcat>. This one matters because it is used in the Tomcat configuration file; it is recommended to use the same password as the keystore, although a different one can be set. After completing the above input, press Enter; the generated file can be found at the location given by the -keystore parameter above.

2. Generate a certificate for the browser
The certificate can be generated on the server side so that the server can verify it later. To import the certificate successfully into IE and Firefox, the certificate store must be in PKCS12 format, so generate it with the following command:
keytool -genkey -v -alias mykey -keyalg RSA -storetype PKCS12 -keystore D:\home\mykey.p12 (mykey is a custom name).
The corresponding certificate store is saved as "D:\home\mykey.p12", and the CN of the client certificate can be any value. Double-click the mykey.p12 file to import the certificate into the browser (client).

3. Let the server trust the client certificate
Because of two-way SSL authentication, the server must trust the client certificate, so the client certificate must be added to the server's trusted certificates. A certificate store in PKCS12 format cannot be imported directly, so first export the client certificate as a separate CER file with the following command:
keytool -export -alias mykey -keystore D:\home\mykey.p12 -storetype PKCS12 -storepass password -rfc -file D:\home\mykey.cer
(mykey is the alias chosen for the client certificate, and the password is the one you set). The above command exports the client certificate to the file "D:\home\mykey.cer".
The next step is to import that file into the server's certificate store as a trusted certificate, using the following command:
keytool -import -v -file D:\home\mykey.cer -keystore D:\home\tomcat.keystore
Use the list command to view the server's certificate store; you should see two entries, the server certificate and the trusted client certificate:
keytool -list -keystore D:\home\tomcat.keystore (tomcat is the alias you chose for the server certificate).

4. Let the client trust the server certificate
Since this is two-way SSL authentication, the client also needs to verify the server certificate, so the server certificate must be added to the browser's "Trusted Root Certification Authorities". A certificate store in keystore format cannot be imported directly, so export the server certificate as a separate CER file with the following command:
keytool -keystore D:\home\tomcat.keystore -export -alias tomcat -file D:\home\tomcat.cer (tomcat is the alias you chose for the server certificate).
The above command exports the server certificate to the file "D:\home\tomcat.cer". Double-click the tomcat.cer file, follow the prompts to install the certificate, and place it in "Trusted Root Certification Authorities".

5. Configure the Tomcat server
Open /conf/server.xml in the Tomcat root directory, find the Connector port="8443" section, and modify it as follows:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150" scheme="https"
           secure="true" clientAuth="true" sslProtocol="TLS"
           keystoreFile="D:\\home\\tomcat.keystore" keystorePass="123456"
           truststoreFile="D:\\home\\tomcat.keystore" truststorePass="123456" />
(tomcat should be the same as the name of the generated server certificate)
Attribute description:
clientAuth: whether to perform two-way authentication; the default is false, and true means two-way authentication (the server requires and verifies a client certificate)
keystoreFile: path of the server keystore generated in step 1
keystorePass: password of that keystore; it must be exactly the keystore password entered when the keystore was created in step 1
truststoreFile: path of the certificate store holding the trusted client certificates (here the same file into which the client certificate was imported in step 3)
truststorePass: root certificate password

6. Test: enter https://localhost:8443/ in the browser.
A dialog for selecting the client certificate pops up; click "OK" and the Tomcat home page opens, with a "lock" icon next to the address bar indicating that the current session has passed HTTPS two-way authentication and that the information transmitted in the session is encrypted by SSL.
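As an added example (not part of the original post), a small Python audit that parses a server.xml and checks the Connector settings that the one-way configuration in section 1 and the two-way setup in steps 1 to 5 depend on. The two Connector elements are constructed copies of the ones shown on this page, including the stray spaces inside secure="true " and keystorePass="123456 " from the original text, so that the audit can show what such a typo looks like.

```python
import xml.etree.ElementTree as ET

# Constructed samples (not a real deployment): the two Connector elements
# shown on this page, wrapped in a minimal server.xml skeleton, with the
# stray spaces inside secure="true " and keystorePass="123456 " kept on purpose.
ONE_WAY_XML = r'''<Server><Service name="Catalina">
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true "
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="E:\\key\\qiyufeng.keystore" keystorePass="haohao"
           truststoreFile="E:\\key\\qiyufeng.keystore" truststorePass="haohao" />
</Service></Server>'''

TWO_WAY_XML = r'''<Server><Service name="Catalina">
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150" scheme="https"
           secure="true" clientAuth="true" sslProtocol="TLS"
           keystoreFile="D:\\home\\tomcat.keystore" keystorePass="123456 "
           truststoreFile="D:\\home\\tomcat.keystore" truststorePass="123456" />
</Service></Server>'''


def audit_connectors(server_xml: str) -> list:
    """Lint every SSLEnabled Connector in a server.xml document for the settings
    the two-way setup depends on. Returns one finding string per problem;
    an empty list means mutual TLS is configured as intended."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        attrs = conn.attrib
        if attrs.get("SSLEnabled", "").strip().lower() != "true":
            continue  # plain HTTP connector, nothing to check
        tag = f'Connector port="{attrs.get("port", "?")}": '
        # Whitespace inside a value is a silent typo: the padded keystorePass
        # will never match the real keystore password entered in keytool.
        for name, value in attrs.items():
            if value != value.strip():
                findings.append(tag + f"{name} has surrounding whitespace ({value!r})")
        if attrs.get("scheme") != "https" or attrs.get("secure", "").strip().lower() != "true":
            findings.append(tag + 'scheme="https" and secure="true" must both be set')
        if attrs.get("clientAuth", "false").strip().lower() != "true":
            findings.append(tag + 'clientAuth is not "true": client certificates are never verified (one-way TLS)')
        elif not attrs.get("truststoreFile"):
            findings.append(tag + "truststoreFile is missing: no client certificate can be trusted")
        elif attrs.get("truststoreFile") == attrs.get("keystoreFile"):
            findings.append(tag + "truststoreFile is the same file as keystoreFile: every certificate "
                                  "imported into the server keystore becomes a trusted client")
    return findings


for label, xml in (("one-way", ONE_WAY_XML), ("two-way", TWO_WAY_XML)):
    print(label, audit_connectors(xml) or ["OK: mutual TLS configured"])
```

The last finding is advisory: the page deliberately reuses tomcat.keystore as the trust store, but a separate trust store keeps the list of accepted client certificates apart from the file that holds the server's private key.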
