Tomcat and SSL Client certificate


Problem description

I would like to have the following scenario:

  1. Create my own CA
  2. Create a server certificate and sign it with my CA
  3. Create several client certificates and sign them with my CA

Next I would like to authenticate every client which presents a certificate signed by my CA.

Is it possible to realize such a scenario without adding every single client certificate to my Tomcat keystore? I would just like to verify that the certificate the client presents is issued and signed by my CA.

Recommended answer

Yes, that's certainly possible, and I have done exactly this. If you configure Tomcat with a truststore containing your CA certificate then it should accept any client certificate signed by that CA.

I'll assume you have your CA key and root certificate already generated and you know how to use it to turn CSRs into certificates.

First generate your server key, and a corresponding CSR:

$ openssl genrsa -out XXX.key 2048
$ openssl req -new -nodes -key XXX.key -out XXX.csr

Use your CA certificate to sign the CSR, producing a server certificate XXX.crt. Now package the server key, server cert and CA cert into a single PKCS#12 file:

$ cat XXX.crt ca-certificate.pem | openssl pkcs12 -export -inkey XXX.key -out XXX.p12 -name tomcat -caname myauthority

You will be prompted for several passwords by this process; set them all to the same value (it doesn't matter what this value is and it doesn't have to be a secure password, it just has to be non-empty - I use changeit).

This .p12 file can now act as the keystore for Tomcat. Next you need to create a separate JKS keystore containing just the CA certificate to use as the truststore:

$ keytool -import -alias myauthority -keystore truststore.jks -file ca-certificate.pem

Again, reply to all password prompts with the same non-empty password, such as changeit.

Finally you can configure Tomcat:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           connectionTimeout="20000"
           keystoreFile="${catalina.home}/conf/XXX.p12"
           keystoreType="PKCS12"
           keystorePass="changeit"
           truststoreFile="${catalina.home}/conf/truststore.jks"
           truststoreType="JKS"
           truststorePass="changeit"
           clientAuth="true" sslProtocol="TLS" />
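The chain check this answer relies on, as an added example that is not part of the original answer: it builds a throwaway CA with openssl, issues a server certificate and packages it with the same pkcs12 command as above (run non-interactively), issues two client certificates from that CA and one from an unrelated CA, and then checks each client certificate against the CA file the way Tomcat's truststore does. All names (myauthority, otherauthority, server, alice, bob, outsider) and the working directory are constructed for the demo.

```shell
#!/bin/sh
# Added example: throwaway CA, server cert packaged as PKCS#12, and client-cert
# chain checks against the CA certificate. Names are constructed for the demo.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# make_ca <name>: self-signed root CA, producing <name>.key and <name>.pem
make_ca() {
  openssl req -x509 -new -nodes -newkey rsa:2048 -days 365 \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# issue_cert <ca name> <subject>: key + CSR for <subject>, signed by <ca name>
issue_cert() {
  openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$2" \
    -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -days 365 -out "$2.crt" >/dev/null 2>&1
}

# verify_client <ca pem> <client crt>: returns 0 only if the certificate
# chains to that CA, which is exactly what a truststore holding the CA checks
verify_client() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca myauthority
issue_cert myauthority server
issue_cert myauthority alice
issue_cert myauthority bob

# A second, unrelated CA and a client certificate issued by it
make_ca otherauthority
issue_cert otherauthority outsider

# Package server key, server cert and CA cert as in the answer, but with the
# password supplied on the command line instead of interactive prompts
cat server.crt myauthority.pem | openssl pkcs12 -export -inkey server.key \
  -out server.p12 -name tomcat -caname myauthority -passout pass:changeit

# Only certificates issued by myauthority pass; no per-client entries needed
for c in alice bob outsider; do
  if verify_client myauthority.pem "$c.crt"; then
    echo "$c: accepted"
  else
    echo "$c: rejected"
  fi
done
```

The truststore.jks step from the answer is unchanged; it simply wraps the same myauthority.pem that openssl verify uses here.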
