HTTPS certificate generation and server configuration

# One-way authentication


## Server side


Step 1: generate the server keystore


```
sudo keytool -genkeypair -alias server_key_pair_1 -validity 365 -keyalg RSA -keystore /usr/local/crm_keystore/server/carfinance.crm.server.keystore
```

keytool then prompts interactively; answer the prompts as follows:

"Enter keystore password": enter the password to set for the keystore, e.g. "carCrm747"

"Re-enter new password:": enter "carCrm747" again

"What is your first and last name?": note that this must be the service's domain name or host name (it becomes the certificate's CN, which the client checks against the host it connects to), e.g. "localhost"

"What is the name of your organizational unit?": no special requirement, e.g. "carfinance"

"What is the name of your organization?": no special requirement, e.g. "mljr"

"What is the name of your City or Locality?": no special requirement, e.g. "beijing"

"What is the name of your State or Province?": no special requirement, e.g. "beijing"

"What is the two-letter country code for this unit?": no special requirement, e.g. "cn"

"Enter key password for <server_key_pair_1> (RETURN if same as keystore password):": note that the password of the server_key_pair_1 key must be the same as the keystore password, so just press Enter here


Step 2: Tomcat configuration


Edit Tomcat's server.xml and change the following section


```
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
     This connector uses the NIO implementation that requires the JSSE
     style configuration. When using the APR/native implementation, the
     OpenSSL style configuration is required as described in the APR/native
     documentation -->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"/>
-->
```


to


```
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
     This connector uses the NIO implementation that requires the JSSE
     style configuration. When using the APR/native implementation, the
     OpenSSL style configuration is required as described in the APR/native
     documentation -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS" 
    keystoreFile="/usr/local/crm_keystore/server/carfinance.crm.server.keystore" keystorePass="carCrm747"/>
```


Note: clientAuth="false" means one-way authentication; keystoreFile is set to the path of the server keystore, and keystorePass is the server keystore's password.


## Client side


No special configuration.


## Verification


Step 1: start the carfinance-crm-httpsdemo-server module with the reconfigured Tomcat


Step 2: call the server interface from the client


Run the testGet() and testPost() methods of UnilateralHttpsClientTest under src/test/java in the carfinance-crm-httpsdemo-client module to test an HTTPS GET request and an HTTPS POST request respectively.


# Two-way (mutual) authentication


## Server side


Step 1: generate the server keystore; the same notes as step 1 of one-way authentication apply


```
sudo keytool -genkeypair -alias server_key_pair_1 -validity 365 -keyalg RSA -keystore /usr/local/crm_keystore/server/carfinance.crm.server.keystore
```


Set the keystore password to "carCrm747"


Step 2: export the server certificate


```
# -validity is a property of the certificate created by -genkeypair; it has no effect on export, so it is not passed here
sudo keytool -export -alias server_key_pair_1 -file /usr/local/crm_keystore/server/server_key_1.crt -keystore /usr/local/crm_keystore/server/carfinance.crm.server.keystore
```


You will be asked for the keystore password; enter "carCrm747"


Step 3: build the server truststore from the client certificate (see the client section below for generating the client certificate; this step must be done after the client certificate has been generated)


```
# -validity has no effect on import (the certificate's validity is already fixed), so it is not passed here
sudo keytool -import -alias client_crt -file /usr/local/crm_keystore/client/client_key_1.crt -keystore /usr/local/crm_keystore/server/carfinance.crm.server.truststore
```


Note: this step sets a password for the new truststore, e.g. "890890"; keytool also asks "Trust this certificate? [no]:", which must be answered yes for the certificate to be imported


Step 4: Tomcat configuration

Edit Tomcat's server.xml and change the following section

```
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
    This connector uses the NIO implementation that requires the JSSE
    style configuration. When using the APR/native implementation, the
    OpenSSL style configuration is required as described in the APR/native
    documentation -->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"/>
-->
```

to


```
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
    This connector uses the NIO implementation that requires the JSSE
    style configuration. When using the APR/native implementation, the
    OpenSSL style configuration is required as described in the APR/native
    documentation -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    clientAuth="true" sslProtocol="TLS"
    keystoreFile="/usr/local/crm_keystore/server/carfinance.crm.server.keystore" keystorePass="carCrm747"
    truststoreFile="/usr/local/crm_keystore/server/carfinance.crm.server.truststore" truststorePass="890890"/>
```


Note: clientAuth="true" means two-way authentication; keystoreFile is set to the path of the server keystore, keystorePass is the server keystore's password, truststoreFile is the path of the server truststore, and truststorePass is the server truststore's password.


## Client side


Step 1: generate the client keystore


```
sudo keytool -genkeypair -alias client_key_pair_1 -validity 365 -keyalg RSA -keystore /usr/local/crm_keystore/client/carfinance.crm.client.keystore
```

keytool then prompts interactively; answer the prompts as follows:

"Enter keystore password": enter the password to set for the keystore, e.g. "123456"

"Re-enter new password:": enter "123456" again

"What is your first and last name?": no special requirement, e.g. "httpsdemo-client"

"What is the name of your organizational unit?": no special requirement, e.g. "carfinance"

"What is the name of your organization?": no special requirement, e.g. "mljr"

"What is the name of your City or Locality?": no special requirement, e.g. "beijing"

"What is the name of your State or Province?": no special requirement, e.g. "beijing"

"What is the two-letter country code for this unit?": no special requirement, e.g. "cn"

"Enter key password for <client_key_pair_1> (RETURN if same as keystore password):": no special requirement, e.g. just press Enter to use the same password as the keystore


Step 2: export the client certificate


```
# -validity has no effect on export, so it is not passed here
sudo keytool -export -alias client_key_pair_1 -file /usr/local/crm_keystore/client/client_key_1.crt -keystore /usr/local/crm_keystore/client/carfinance.crm.client.keystore
```


You will be asked for the keystore password; enter "123456"


Step 3: build the client truststore from the server certificate (see the server section above for generating the server certificate; this step must be done after the server certificate has been generated)


```
# -validity has no effect on import, so it is not passed here
sudo keytool -import -alias server_crt -file /usr/local/crm_keystore/server/server_key_1.crt -keystore /usr/local/crm_keystore/client/carfinance.crm.client.truststore
```


Note: this step sets a password for the new truststore, e.g. "654321"; keytool also asks "Trust this certificate? [no]:", which must be answered yes for the certificate to be imported


## Verification


Step 1: start the carfinance-crm-httpsdemo-server module with the reconfigured Tomcat


Step 2: call the server interface from the client


Run the testGet() and testPost() methods of UnilateralHttpsClientTest under src/test/java in the carfinance-crm-httpsdemo-client module to test an HTTPS GET request and an HTTPS POST request respectively; the requests fail, because no client certificate trusted by the server is presented to the server.


Run the testGet() and testPost() methods of MutualHttpsClientTest under src/test/java in the carfinance-crm-httpsdemo-client module to test an HTTPS GET request and an HTTPS POST request respectively; the requests succeed.
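As an added example (not code from the demo modules), a minimal client built on the JDK's own JSSE classes that reproduces the two outcomes above: a truststore-only context, which the clientAuth="true" connector rejects, and a keystore plus truststore context, which succeeds. Paths and passwords are the ones from the client steps; the request URL https://localhost:8443/ and the class name are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.*;

public class HttpsDemoClient {
    // Paths and passwords match the keytool steps above; the request URL is an assumed demo endpoint.
    static final String KEYSTORE = "/usr/local/crm_keystore/client/carfinance.crm.client.keystore";
    static final char[] KEYSTORE_PASS = "123456".toCharArray();
    static final String TRUSTSTORE = "/usr/local/crm_keystore/client/carfinance.crm.client.truststore";
    static final char[] TRUSTSTORE_PASS = "654321".toCharArray();
    static final String URL_UNDER_TEST = "https://localhost:8443/";

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) { ks.load(in, password); }
        return ks;
    }

    // keystorePath == null builds a truststore-only context, i.e. a client that presents no certificate.
    static SSLContext buildContext(String keystorePath, char[] keystorePass) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(TRUSTSTORE, TRUSTSTORE_PASS));   // trusts only server_crt imported in client step 3
        KeyManager[] km = null;
        if (keystorePath != null) {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(load(keystorePath, keystorePass), keystorePass); // client_key_pair_1, offered when the server asks
            km = kmf.getKeyManagers();
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(km, tmf.getTrustManagers(), null);
        return ctx;
    }

    static int get(SSLContext ctx) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(URL_UNDER_TEST).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // default hostname verifier still checks the CN "localhost"
        return conn.getResponseCode();                    // performs the handshake and the GET
    }

    public static void main(String[] args) throws Exception {
        try {   // truststore only: the clientAuth="true" connector aborts the connection
            System.out.println("without client cert: HTTP " + get(buildContext(null, null)));
        } catch (IOException e) {
            System.out.println("without client cert: rejected, " + e);
        }
        // keystore + truststore: the server verifies client_crt, the client verifies server_crt
        System.out.println("with client cert: HTTP " + get(buildContext(KEYSTORE, KEYSTORE_PASS)));
    }
}
```

Run it against the reconfigured Tomcat; the first call fails with an SSL exception and the second prints the HTTP status of the demo endpoint.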

