Openssl Tomcat Config Example

4.2 Build your own CA

4.2.1 Create the working directory
mkdir ca

4.2.2 Generate the CA private key and the self-signed root certificate
4.2.2.1 Generate the CA private key
openssl genrsa -out ca\ca-key.pem 1024

4.2.2.2 Generate the certificate signing request
openssl req -new -out ca\ca-req.csr -key ca\ca-key.pem

4.2.2.3 Self-sign the request with the CA private key
openssl x509 -req -in ca\ca-req.csr -out ca\ca-cert.pem -signkey ca\ca-key.pem -days 365

4.3 Configure Tomcat 4.x
In this article, "%JDK_HOME%" stands for the JDK installation directory and "%TCAT_HOME%" for the Tomcat installation directory.

4.3.1 Create the working directory
mkdir server

4.3.2 Generate the server certificate
4.3.2.1 Generate the key pair
%JDK_HOME%\bin\keytool -genkey -alias tomcat_server -validity 365 -keyalg RSA -keysize 1024 -keypass changeit -storepass changeit -dname "cn=localhost, ou=department, o=company, l=Beijing, st=Beijing, c=CN" -keystore server\server_keystore

4.3.2.2 Generate the certificate signing request
%JDK_HOME%\bin\keytool -certreq -alias tomcat_server -sigalg MD5withRSA -file server\server.csr -keypass changeit -keystore server\server_keystore -storepass changeit

4.3.2.3 Sign the request with the CA private key
openssl x509 -req -in server\server.csr -out server\server-cert.pem -CA ca\ca-cert.pem -CAkey ca\ca-key.pem -CAcreateserial -days 365

The CA signs the server certificate (two commented-out variants of the same command, using forward-slash paths):
#openssl x509 -req -in server\server.csr -out server/server.crt -CA ca/ca.crt -CAkey ca/ca.key -CAcreateserial -days 365
#openssl x509 -req -in server\server.csr -out server/server-cert.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 365

4.3.2.4 Import the trusted CA root certificate into JSSE's default trust store (%JDK_HOME%\jre\lib\security\cacerts)
%JDK_HOME%\bin\keytool -import -v -trustcacerts -storepass changeit -alias my_ca_root -file ca\ca-cert.pem -keystore %JDK_HOME%\jre\lib\security\cacerts

4.3.2.5 Import the CA-signed server certificate into the keystore
%JDK_HOME%\bin\keytool -import -v -trustcacerts -storepass changeit -alias tomcat_server -file server\server-cert.pem -keystore server\server_keystore

4.3.2.6 View the server certificate
keytool -list -keystore %JDK_HOME%\jre\lib\security\cacerts
keytool -list -keystore server\server_keystore

4.3.3 Edit server.xml so that Tomcat supports SSL
First locate the following block in server.xml and uncomment it, then edit it as shown below (the original article highlighted the changed attributes in red, which this text copy does not preserve). To configure Tomcat so that it does not verify the client's identity, set clientAuth="false".
<Connector className="org.apache.catalina.connector.http.HttpConnector"
port="8443" minProcessors="5" maxProcessors="75"
enableLookups="true"
acceptCount="10" debug="0" scheme="https" secure="true">
<Factory className="org.apache.catalina.net.SSLServerSocketFactory"
clientAuth="true" protocol="TLS"
keystoreFile="%TCAT_HOME%/conf/server_keystore" keystorePass="changeit"
/>

Then copy the file server\server_keystore into the directory %TCAT_HOME%\conf\.

4.4 Install a personal certificate in IE
4.4.1 Create the working directory
mkdir client

4.4.2 Generate the client private key and sign its request with the CA private key

4.4.2.1 Generate the client private key
openssl genrsa -out client\client-key.pem 1024

4.4.2.2 Generate the certificate signing request
openssl req -new -out client\client-req.csr -key client\client-key.pem

4.4.2.3 Sign the request with the CA private key
openssl x509 -req -in client\client-req.csr -out client\client.crt -CA ca\ca-cert.pem -CAkey ca\ca-key.pem -CAcreateserial -days 365

(The original command additionally passed -signkey client\client-key.pem. When openssl x509 in the 1.x series is given both -signkey and -CA, the -signkey path wins and the request is self-signed with the client's own key, so the resulting certificate would not chain to ca-cert.pem; -signkey is therefore left out here, exactly as in the server step 4.3.2.3.)

4.4.2.4 Generate the client's personal certificate
Because JSSE 1.0.2 does not fully implement PKCS#12 file handling (it can read the format but not write it), openssl is used here to produce the client's personal certificate (which contains the private key).
openssl pkcs12 -export -clcerts -in client\client.crt -inkey client\client-key.pem -out client\client.p12
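The steps in 4.2, 4.3.2.3, 4.4.2.3 and 4.4.2.4 above, together with the checks a practitioner would run on the result, as an added example that is not part of the original tutorial. It is a POSIX shell script for Linux or macOS (the page uses cmd.exe paths), drives openssl non-interactively through -subj and a minimal config file, and generates the server CSR with openssl rather than keytool because the keystore side needs a JDK. It uses 2048-bit RSA keys and SHA-256 signatures instead of the page's 1024-bit keys and MD5withRSA, which current Java and OpenSSL releases reject or warn about, and gives the root a basicConstraints CA:TRUE extension, which the page's v1 root certificate lacks. The WORK directory, the helper names, the CN values and the changeit export password are all assumptions of this example. probe_tomcat needs the Tomcat from section 4.5 to be running and is not exercised by the script itself.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: the page's CA / server /
# client flow re-run with POSIX paths and non-interactive OpenSSL, plus the
# checks a reviewer would run on the result. Assumed (not on the page): the
# WORK directory, the helper names, the -subj values and the CA's CN.
set -u

WORK="${WORK:-$(mktemp -d)}"
SUBJ="/C=CN/ST=Beijing/L=Beijing/O=company/OU=department"

# Minimal config so `openssl req` never prompts and does not depend on the
# system openssl.cnf; every DN field comes from -subj.
write_req_config() {
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"
}

# 4.2: CA private key and self-signed root. basicConstraints marks it as a CA
# (v3 certificate); the page's root is a plain v1 certificate with no extensions.
build_ca() {
    mkdir -p "$WORK/ca" && write_req_config
    openssl genrsa -out "$WORK/ca/ca-key.pem" 2048 2>/dev/null || return 1
    openssl req -new -config "$WORK/req.cnf" -key "$WORK/ca/ca-key.pem" \
        -subj "$SUBJ/CN=Example Root CA" -out "$WORK/ca/ca-req.csr" || return 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca/ca-ext.cnf"
    openssl x509 -req -in "$WORK/ca/ca-req.csr" -signkey "$WORK/ca/ca-key.pem" \
        -sha256 -days 365 -extfile "$WORK/ca/ca-ext.cnf" \
        -out "$WORK/ca/ca-cert.pem" 2>/dev/null
}

# 4.3.2.3 / 4.4.2.3: key + CSR for an end entity, signed by the CA. There is
# deliberately no -signkey here: with both -signkey and -CA, openssl x509 (1.x)
# self-signs the request with the entity's own key and never uses the CA.
issue_cert() {  # $1 = name (server|client), $2 = common name
    mkdir -p "$WORK/$1" && write_req_config
    openssl genrsa -out "$WORK/$1/$1-key.pem" 2048 2>/dev/null || return 1
    openssl req -new -config "$WORK/req.cnf" -key "$WORK/$1/$1-key.pem" \
        -subj "$SUBJ/CN=$2" -out "$WORK/$1/$1-req.csr" || return 1
    openssl x509 -req -in "$WORK/$1/$1-req.csr" -CA "$WORK/ca/ca-cert.pem" \
        -CAkey "$WORK/ca/ca-key.pem" -CAcreateserial -sha256 -days 365 \
        -out "$WORK/$1/$1-cert.pem" 2>/dev/null
}

# What a -signkey-only run produces for the same CSR: a self-signed leaf.
issue_selfsigned() {  # $1 = name; the CSR from issue_cert must exist
    openssl x509 -req -in "$WORK/$1/$1-req.csr" -signkey "$WORK/$1/$1-key.pem" \
        -sha256 -days 365 -out "$WORK/$1/$1-selfsigned.pem" 2>/dev/null
}

# Chain check: exit status 0 only if the certificate chains to ca-cert.pem.
verify_against_ca() {  # $1 = certificate file
    openssl verify -CAfile "$WORK/ca/ca-cert.pem" "$1" >/dev/null 2>&1
}

# 4.4.2.4: bundle the client key and certificate as PKCS#12 for the browser.
export_p12() {  # $1 = name, $2 = export password
    openssl pkcs12 -export -clcerts -in "$WORK/$1/$1-cert.pem" \
        -inkey "$WORK/$1/$1-key.pem" -passout "pass:$2" -out "$WORK/$1/$1.p12"
}

# SHA-1 fingerprint in the colon form that keytool -list prints (4.3.2.6), so
# the cacerts entry can be compared with the file that was actually imported.
fingerprint_sha1() {  # $1 = certificate file
    openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2
}

# 4.5.2 without a browser: handshake with the running Tomcat, presenting the
# client certificate. Succeeds only if the server certificate chains to our CA
# and the handshake completed (a clientAuth="true" server accepted our cert).
probe_tomcat() {  # $1 = host:port, e.g. localhost:8443
    openssl s_client -connect "$1" -CAfile "$WORK/ca/ca-cert.pem" \
        -cert "$WORK/client/client-cert.pem" -key "$WORK/client/client-key.pem" \
        </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    build_ca && issue_cert server localhost && issue_cert client Alice || return 1
    issue_selfsigned client && export_p12 client changeit || return 1
    verify_against_ca "$WORK/server/server-cert.pem" && echo "server-cert.pem: chains to CA"
    verify_against_ca "$WORK/client/client-cert.pem" && echo "client-cert.pem: chains to CA"
    verify_against_ca "$WORK/client/client-selfsigned.pem" \
        || echo "client-selfsigned.pem: NOT trusted by CA (the -signkey mistake)"
    echo "CA SHA1 fingerprint: $(fingerprint_sha1 "$WORK/ca/ca-cert.pem")"
    echo "artefacts in $WORK"
}

main
```

Run it as sh build_and_verify_pki.sh. It reports which certificates chain to the CA and prints the CA's SHA-1 fingerprint, which should equal the value keytool -list shows for the my_ca_root entry after the import in 4.3.2.4. The self-signed client certificate exists only to show what a -signkey run produces: openssl verify rejects it, and a Tomcat configured with clientAuth="true" would reject it for the same reason, since it was not issued by the CA in its trust store.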

4.4.2.5 Install the trusted root certificate
Rename ca\ca-cert.pem to ca\ca-cert.cer and, in IE on the client, use "Tools > Internet Options > Content > Certificates > Import" to import the CA root certificate we generated, so that it becomes a CA trusted by the user. (Only the certificate is handed out; the CA private key ca\ca-key.pem stays on the CA machine.)

4.4.3 Install the personal certificate
Import client.p12 into IE on the client as a personal certificate; the import procedure is the same as in 4.4.2.5.

4.5 Access Tomcat over SSL with the IE browser

4.5.1 Start Tomcat 4.x
Run %TCAT_HOME%\bin\startup.bat to start Tomcat 4.x.

4.5.2 Access Tomcat 4.x with IE
Enter https://localhost:8443 in the IE address bar. If all of the preceding steps were carried out correctly, you should see the Tomcat welcome page, and the small padlock in the status bar is closed, indicating that you have successfully established an SSL connection to the server with client authentication required.

5 Conclusion
Above we have gone through the whole process of configuring Tomcat 4.x for SSL with client authentication required. For other types of server, such as Apache, Netscape Enterprise Server, WebSphere and WebLogic, generally only the way the server stores its certificate differs slightly; the principle is the same, and the configuration can be adapted from the method in this article.


C:\>cd \usr\local\tomcat
 
C:\usr\local\tomcat>set JDK_HOME=%JAVA_HOME%
 
C:\usr\local\tomcat>mkdir ca
 
C:\usr\local\tomcat>mkdir server
 
C:\usr\local\tomcat>openssl genrsa -out ca\ca-key.pem 1024
Generating RSA private key, 1024 bit long modulus
...............++++++
........++++++
e is 65537 (0x10001)
 
C:\usr\local\tomcat>openssl req -new -out ca\ca-req.csr -key ca\ca-key.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:company
Organizational Unit Name (eg, section) []:department
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
 
C:\usr\local\tomcat>openssl x509 -req -in ca\ca-req.csr -out ca\ca-cert.pem -signkey ca\ca-key.pem -days 365
Signature ok
subject=/C=CN/ST=Beijing/L=Beijing/O=company/OU=department/CN=localhost
Getting Private key
 
C:\usr\local\tomcat>%JDK_HOME%\bin\keytool -genkey -alias tomcat_server -validity 365 -keyalg RSA -keysize 1024 -keypass changeit -storepass changeit -dname "cn=localhost, ou=department, o=company, l=Beijing, st=Beijing, c=CN" -keystore server\server_keystore
 
C:\usr\local\tomcat>%JDK_HOME%\bin\keytool -certreq -alias tomcat_server -sigalg MD5withRSA -file server\server.csr -keypass changeit -keystore server\server_keystore -storepass changeit
 
C:\usr\local\tomcat>openssl x509 -req -in server\server.csr -out server\server-cert.pem -CA ca\ca-cert.pem -CAkey ca\ca-key.pem -CAcreateserial -days 365
Signature ok
subject=/C=CN/ST=Beijing/L=Beijing/O=company/OU=department/CN=localhost
Getting CA Private Key
 
C:\usr\local\tomcat>%JDK_HOME%\bin\keytool -import -v -trustcacerts -storepass changeit -alias my_ca_root -file ca\ca-cert.pem -keystore %JDK_HOME%\jre\lib\security\cacerts
所有者: CN=localhost, OU=department, O=company, L=Beijing, ST=Beijing, C=CN
发布者: CN=localhost, OU=department, O=company, L=Beijing, ST=Beijing, C=CN
序列号: 946ea08b9a8b6e29
有效期开始日期: Thu Apr 04 07:12:26 CST 2013, 截止日期: Fri Apr 04 07:12:26 CST 2014
证书指纹:
         MD5: EF:48:36:25:71:15:08:EF:76:0B:B9:C0:63:B5:84:8F
         SHA1: 05:65:B5:61:AD:52:43:F6:26:D3:DD:78:35:6B:B5:94:F1:6F:04:45
         SHA256: 5F:A1:48:E2:C0:4A:B4:FF:BE:E3:83:DE:0B:79:30:E7:2E:2D:2A:09:BD:96:D8:BF:C2:4C:96:B6:D8:09:87:54
         签名算法名称: SHA1withRSA
         版本: 1
是否信任此证书? []:  Y
证书已添加到密钥库中
[正在存储C:\usr\java\jdk1.7.0_17\jre\lib\security\cacerts]
 
C:\usr\local\tomcat>%JDK_HOME%\bin\keytool -import -v -trustcacerts -storepass changeit -alias tomcat_server -file server\server-cert.pem -keystore server\server_keystore
证书回复已安装在密钥库中
[正在存储server\server_keystore]
 
C:\usr\local\tomcat>keytool -list -keystore %JDK_HOME%\jre\lib\security\cacerts
输入密钥库口令:
 
密钥库类型: JKS
密钥库提供方: SUN
 
您的密钥库包含 80 个条目
 
...
my_ca_root, 2013-4-4, trustedCertEntry,
证书指纹 (SHA1): 05:65:B5:61:AD:52:43:F6:26:D3:DD:78:35:6B:B5:94:F1:6F:04:45
...
 
C:\usr\local\tomcat>keytool -list -keystore server\server_keystore
输入密钥库口令:
 
密钥库类型: JKS
密钥库提供方: SUN
 
您的密钥库包含 1 个条目
 
tomcat_server, 2013-4-4, PrivateKeyEntry,
证书指纹 (SHA1): 4E:34:F1:73:50:39:46:D9:9D:0D:B5:38:2A:C1:96:1A:4B:B2:62:A4
 
# edit server.xml and add the keystoreFile line
C:\usr\local\tomcat>vi conf\server.xml
 
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" 
               keystoreFile="C:/usr/local/tomcat/server/server_keystore" keystorePass="changeit"
               />
 
C:\usr\local\tomcat>bin\startup
Using CATALINA_BASE:   "C:\usr\local\tomcat"
Using CATALINA_HOME:   "C:\usr\local\tomcat"
Using CATALINA_TMPDIR: "C:\usr\local\tomcat\temp"
Using JRE_HOME:        "c:\usr\java\jdk1.7.0_17\..\jre7"
Using CLASSPATH:       "C:\usr\local\tomcat\bin\bootstrap.jar;C:\usr\local\tomcat\bin\tomcat-juli.jar"