Tomcat Server/Client Self-Signed SSL Certificate

Question

I have an Apache Tomcat 6.x server running with a self-signed SSL certificate. I want the client to present their own certificate to the server so I can authenticate them based on a database of users. I have it all working based on an example I found online, but the example came with canned certificates and a pre-built JKS datastore. I want to create my own datastore with my own certs but am having no luck.

How do I create a datastore for Tomcat?
How do I create a self-signed certificate for Tomcat?

How do I create a self-signed certificate for the client?
How do I force Tomcat to trust the signature of the client?

I've been playing with java keytool for many hours now.

Answer

Finally got the solution to my problem, so I'll post the results here if anyone else gets stuck.

Thanks to Michael Martin of Michael's Software Thoughts & Ramblings I found that:

keytool by default uses the DSA algorithm when generating the self-signed cert. Earlier versions of Firefox accepted these keys without problem. With Firefox 3 beta 5, using DSA doesn't work, but using RSA does. Passing "-keyalg RSA" when generating the self-signed certificate creates a cert the Firefox 3 beta 5 fully accepts.

I simply set that flag, cleared all caches in Firefox and it worked like a charm! I am using this as a test-setup for my project and I need to share this with other people, so I wrote a little batch script that creates two SSL certificates. One can be dropped into the Tomcat setup and the other is a .p12 file that can be imported into Firefox/IE. Thanks!

Usage: first command-line argument is the username of the client. All passwords are "password" (with no quotations). Change any of the hard-coded bits to meet your needs.

@echo off
if "%1" == "" goto usage

rem 1. Server key pair and self-signed cert in server.jks (-keyalg RSA, see above)
keytool -genkeypair -alias servercert -keyalg RSA -dname "CN=Web Server,OU=Unit,O=Organization,L=City,S=State,C=US" -keypass password -keystore server.jks -storepass password
rem 2. Client key pair and self-signed cert, written directly to a PKCS#12 file for the browser
keytool -genkeypair -alias %1 -keystore %1.p12 -storetype pkcs12 -keyalg RSA -dname "CN=%1,OU=Unit,O=Organization,L=City,S=State,C=US" -keypass password -storepass password
rem 3. Export only the client's certificate (no private key) to a temporary .cer file
keytool -exportcert -alias %1 -file %1.cer -keystore %1.p12 -storetype pkcs12 -storepass password
rem 4. Import it into server.jks as a trusted entry so Tomcat accepts this client's cert
keytool -importcert -keystore server.jks -alias %1 -file %1.cer -v -trustcacerts -noprompt -storepass password
rem 5. Show the resulting keystore and remove the temporary file
keytool -list -v -keystore server.jks -storepass password
del %1.cer
goto end

:usage
echo Need user id as first argument: generate_keystore [username]
goto end

:end
pause

The results are two files. One called server.jks that you drop into Tomcat and another file called {username}.p12 that you import into your browser. The server.jks file has the client certificate added as a trusted cert.

I hope someone else finds this useful.

And here is the XML that needs to be added to your Tomcat conf/server.xml file (only tested on Tomcat 6.x)

<!-- clientAuth="true" makes the JSSE connector require a client certificate that
     chains to an entry in truststoreFile (here the same server.jks the batch
     script filled with the users' certs). SSLVerifyClient, SSLEngine and
     SSLVerifyDepth only apply to the APR/native connector and are ignored by the
     JSSE connector. keystorePass/truststorePass sit in clear text in server.xml,
     so restrict the file's permissions. -->
<Connector
   clientAuth="true" port="8443" minSpareThreads="5" maxSpareThreads="75"
   enableLookups="true" disableUploadTimeout="true"
   acceptCount="100" maxThreads="200"
   scheme="https" secure="true" SSLEnabled="true"
   keystoreFile="${catalina.home}/conf/server.jks"
   keystoreType="JKS" keystorePass="password"
   truststoreFile="${catalina.home}/conf/server.jks"
   truststoreType="JKS" truststorePass="password"
   SSLVerifyClient="require" SSLEngine="on" SSLVerifyDepth="2" sslProtocol="TLS"
/>

For Tomcat 7:

<!-- clientAuth="false" never requests a client certificate. To require one on
     Tomcat 7, set clientAuth="true" and add the truststoreFile, truststoreType
     and truststorePass attributes as in the Tomcat 6 connector above. -->
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" SSLEnabled="true"
           maxThreads="200" scheme="https" secure="true"
           keystoreFile="${catalina.base}/conf/server.jks" keystorePass="password"
           clientAuth="false" sslProtocol="TLS" />
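The answer above gets the TLS layer to accept only the certificates imported into server.jks, but the original goal was to authenticate each client against a database of users. The servlet below is an added example, not code from the original answer: with a connector configured with clientAuth="true" and server.jks as the truststore, it reads the certificate Tomcat verified during the handshake and maps it to a user record. The user store is an assumed in-memory map keyed by the SHA-256 fingerprint of the certificate; a real deployment would query its database with the same key. The fingerprint, rather than the CN, is used as the identity because the CN is whatever the person running keytool typed, so two trusted certificates could carry the same one.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the original answer). Assumes the connector has
 * clientAuth="true" and server.jks as its truststore, so the handshake already
 * rejected any certificate not imported by the batch script. This servlet then
 * binds the presented certificate to an application user.
 */
public class ClientCertLoginServlet extends HttpServlet {

    /** Assumed user store: SHA-256 fingerprint (lower-case hex) -> username. */
    private final Map<String, String> usersByFingerprint = new HashMap<String, String>();

    @Override
    public void init() {
        // Load this from the real user database. A user's fingerprint can be read with
        //   keytool -list -v -keystore alice.p12 -storetype pkcs12 -storepass password
        // (printed colon-separated as the SHA256 fingerprint on current JDKs).
        // The value below is a placeholder, not a real fingerprint.
        usersByFingerprint.put("<sha256-fingerprint-of-alice-cert>", "alice");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Tomcat publishes the verified chain under this attribute; element 0 is the
        // client's own certificate. It is null only when no certificate was presented,
        // i.e. with clientAuth="want" or clientAuth="false".
        X509Certificate[] chain =
                (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (chain == null || chain.length == 0) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }

        String user;
        try {
            user = usersByFingerprint.get(fingerprint(chain[0]));
        } catch (CertificateEncodingException e) {
            throw new ServletException("cannot encode client certificate", e);
        } catch (NoSuchAlgorithmException e) {
            throw new ServletException(e);
        }
        if (user == null) {
            // The certificate passed TLS (it is in server.jks) but no account is bound to it.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "certificate not bound to a user");
            return;
        }

        resp.setContentType("text/plain");
        resp.getWriter().println("Authenticated as " + user
                + " (certificate CN=" + commonName(chain[0]) + ")");
    }

    /** SHA-256 over the DER encoding of the certificate, as lower-case hex without colons. */
    static String fingerprint(X509Certificate cert)
            throws CertificateEncodingException, NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    /**
     * Reads the CN from the subject DN for display only. It is not the identity:
     * the CN is chosen by whoever ran keytool, so two trusted certs may share one.
     */
    static String commonName(X509Certificate cert) {
        try {
            LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
            for (Rdn rdn : dn.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return String.valueOf(rdn.getValue());
                }
            }
        } catch (InvalidNameException e) {
            // An unparsable DN simply has no displayable CN.
        }
        return null;
    }
}
```

Revoking a user in this setup means deleting that user's trusted entry from server.jks (keytool -delete -alias username -keystore server.jks) and restarting the connector, since nothing else in the configuration checks revocation.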
