一、前言
已有教程大部分是使用jdk自带keytool生成自签名证书,自己测试可以的,但是用于实际使用时,在ssl双向认证中服务器认证客户端时,不可避免的每增加一个客户,服务器端需要添加信任列表。
解决方法:使用同一ca(向第三方机构申请或者自己模拟一个)签名过的服务器和若干客户端,服务器只需要添加该ca的信任认证即可。
二、工具链接(推荐openssl)
1 keytool 签名: http://www.cnblogs.com/youxia/p/java002.html
2 openssl http://blog.csdn.net/sunyujia/article/details/3017405
3 关于缺失 openssl.cnf 手动创建放在\bin下,文件内容
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
################################################################
# openssl example configuration file.
# This is mostly used for generation of certificate requests.
#################################################################
[ ca ]
default_ca= CA_default # The default ca section
#################################################################
[ CA_default ]
dir=C:/Program Files/Apache Group/Apache2/conf/ssl # Where everything is kept
certs=$dir # Where the issued certs are kept
crl_dir= $dir/crl # Where the issued crl are kept
database= $dir/index.txt # database index file
new_certs_dir= $dir/new_certs # default place for new certs
certificate=$dir/CA/OrbixCA # The CA certificate
serial= $dir/serial # The current serial number
crl= $dir/crl.pem # The current CRL
private_key= $dir/CA/OrbixCA.pk # The private key
RANDFILE= $dir/.rand # private random number file
default_days= 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md= md5 # which message digest to use
preserve= no # keep passed DN ordering
# A few different ways of specifying how closely the request should
# conform to the details of the CA
policy= policy_match
# For the CA policy [policy_match]
countryName= match
stateOrProvinceName= match
organizationName= match
organizationalUnitName= optional
commonName= supplied
emailAddress= optional
# For the `anything' policy
# At this point in time, you must list all acceptable `object'
# types
[ policy_anything ]
countryName = optional
stateOrProvinceName= optional
localityName= optional
organizationName = optional
organizationalUnitName = optional
commonName= supplied
emailAddress= optional
[ req ]
default_bits = 1024
default_keyfile= privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
[ req_distinguished_name ]
countryName= Country Name (2 letter code)
countryName_min= 2
countryName_max = 2
stateOrProvinceName= State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg. YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName= An optional company name
三 补充
1 p12转jks
1
keytool -importkeystore -srckeystore server.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore server.jks
2 导入信任cer到jks
1
keytool -import -v -alias root -file root.cer -keystore server.jks
3 server.jks 应包含 server的秘钥,信任的root的公钥
4 浏览器里应该有的证书:root的包含公钥的证书(一般cer格式导入),由root签发的各个用户的含有秘钥的证书(一般p12格式导入)
5 应用服务器server.xml 一般配置
1
2
3
4
5
6
7
8
9
10
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="http" secure="true"
clientAuth="true" sslProtocol="TLS"
keystoreFile="server.jks"
keystorePass="123456"
keystoreType="jks"
truststoreFile="server.jks"
truststorePass="123456"
truststoreType="JKS"
/>
