1. Introduction to Keytool
Keytool is the Java key and certificate management tool. It stores keys and certificates in a file called a keystore. A keystore holds two kinds of entries:
1. Key entries - a secret key, or a private key paired with its public key (asymmetric encryption)
2. Trusted certificate entries - containing only a public key certificate
Alias: each entry in a keystore is identified by a unique alias, which is usually case-insensitive
Storage location of the keystore
If no location is given when the keystore is generated, it is created in the user's home directory under the file name ".keystore"; on Windows XP, for example, that is C:/Documents and Settings/UserName/.keystore
Generating a keystore: keytool -genkey -alias tomcat -keyalg RSA -keystore d:/mykeystore -dname "CN=localhost, OU=localhost, O=localhost, L=SH, ST=SH, C=CN" -keypass changeit -storepass changeit -validity 180
Parameter Description:
-genkey creates a new key pair
-dname the Distinguished Name of the key, made up of:
CN=commonName
OU=organizationUnit
O=organizationName
L=localityName
ST=stateName
C=country
The Distinguished Name identifies the owner of the key (for a self-signed certificate like this one, the owner is also the issuer)
-keyalg the key algorithm to use, here RSA
-alias the alias of the key entry
-keypass the password protecting the private key, set here to changeit
-keystore the file the key is stored in, here mykeystore in the root of the D: drive
-storepass the keystore password, set here to changeit; it is required to read information from the mykeystore file
-validity The key is valid for 180 days (default is 90 days)
The cacerts certificate file
This file lives in the java.home/lib/security directory and is the Java runtime's store of trusted CA certificates
2. Preparations
1. Check whether a certificate with the same alias already exists
keytool -list -v -alias tomcat -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -storepass changeit
2. Delete the existing certificate if necessary
keytool -delete -alias tomcat -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -storepass changeit
3. Create a certificate
1. Generate a certificate on the server:
(Note: the CN of the certificate must match the domain name of the server. When testing locally, use localhost)
keytool -genkey -alias tomcat -keyalg RSA -keystore d:/mykeystore -dname "CN=localhost, OU=localhost, O=localhost, L=SH, ST=SH, C=CN" -keypass changeit -storepass changeit
2. Export the certificate, to be installed by the client:
keytool -export -alias tomcat -keystore d:/mykeystore -file d:/mycerts.cer -storepass changeit
3. Client configuration: import the certificate exported from the server into the client JVM's trust store
keytool -import -trustcacerts -alias tomcat -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file d:/mycerts.cer -storepass changeit
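The three steps above (generate, export, import), as an added example that is not part of the original page: a POSIX shell script that runs the same flow but imports the certificate into a dedicated client truststore instead of the JDK-wide cacerts, adds the SubjectAltName that modern clients require alongside the CN, and then performs the "is it really imported" check from the FAQ by comparing fingerprints. It assumes keytool from a JDK is on PATH; all file names are chosen here.

```shell
#!/bin/sh
# Added example: keystore -> export -> import flow against a dedicated client
# truststore (not cacerts). Assumes keytool on PATH; file names are our own.
set -eu

# Run the whole flow inside $1 (a scratch directory). Prints the SHA-256
# fingerprint of the imported certificate; returns non-zero if verification fails.
tls_trust_flow() {
    dir="$1"
    ks="$dir/server.keystore"      # server private key + self-signed certificate
    cer="$dir/server.cer"          # exported public certificate
    ts="$dir/client.truststore"    # client-side trust store, separate from cacerts
    pw="changeit"                  # demo password, as on the page

    # 1. Server key pair. CN must equal the host name clients connect to, and
    #    current clients also check the SAN extension, so set it as well.
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 \
        -keystore "$ks" -storepass "$pw" -keypass "$pw" -validity 180 \
        -dname "CN=localhost, OU=localhost, O=localhost, L=SH, ST=SH, C=CN" \
        -ext "SAN=dns:localhost"

    # 2. Export only the public certificate for distribution to clients.
    keytool -exportcert -alias tomcat -keystore "$ks" -storepass "$pw" -file "$cer"

    # 3. Import it into the client truststore; -noprompt skips the interactive
    #    "Trust this certificate?" question (the file is created if missing).
    keytool -importcert -noprompt -alias tomcat -keystore "$ts" \
        -storepass "$pw" -file "$cer"

    # 4. Verify: the alias must be a trustedCertEntry, and its fingerprint must
    #    match the exported file (guards against importing the wrong .cer).
    keytool -list -keystore "$ts" -storepass "$pw" -alias tomcat | grep -q trustedCertEntry
    fp_ts=$(keytool -list -v -keystore "$ts" -storepass "$pw" -alias tomcat \
        | sed -n 's/.*SHA256: *//p' | head -n 1)
    fp_cer=$(keytool -printcert -file "$cer" | sed -n 's/.*SHA256: *//p' | head -n 1)
    if [ -z "$fp_ts" ] || [ "$fp_ts" != "$fp_cer" ]; then
        echo "fingerprint mismatch or certificate not imported" >&2
        return 1
    fi
    echo "$fp_ts"
}

# Stand-alone use: ./script.sh run. A client JVM then trusts the server with
#   -Djavax.net.ssl.trustStore=client.truststore -Djavax.net.ssl.trustStorePassword=changeit
if [ "${1:-}" = "run" ]; then
    tmp=$(mktemp -d); tls_trust_flow "$tmp"; rm -rf "$tmp"
fi
```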
4. Configure Tomcat SSL
Modify the SSL connector in server.xml. keystoreFile must point to the keystore generated above (d:/mykeystore in this tutorial) and keystorePass must be its -storepass value:
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystoreFile="server.keystore" keystorePass="changeit"/>
5. Frequently Asked Questions
1. No trusted certificate found
The usual cause is that the client has not imported the certificate issued by the server into its JVM. Run
keytool -list -alias tomcat -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -storepass changeit
to check whether the certificate is actually present in the JVM's cacerts.
2. keytool error: java.io.IOException: keystore was tampered with, or password was incorrect
First check whether a .keystore file exists in your home directory. If it does, delete it and run the command again.
Alternatively, delete "%JAVA_HOME%/jre/lib/security/cacerts" and run the import again.
It is recommended to delete cacerts directly and then import. Note that cacerts also holds the JVM's default trusted root CAs, so deleting it removes trust in every public CA for that JVM; keep a backup copy, or import into a separate truststore selected with -Djavax.net.ssl.trustStore instead.