Tomcat Server/Client Self-Signed SSL Certificate


Problem description

I have an Apache Tomcat 6.x server running with a self-signed SSL certificate. I want the client to present their own certificate to the server so I can authenticate them based on a database of users. I have it all working based on an example I found online, but the example came with canned certificates and a pre-built JKS datastore. I want to create my own datastore with my own certs but am having no luck.

How do I create a datastore for Tomcat?
How do I create a self-signed certificate for Tomcat?

How do I create a self-signed certificate for the client?
How do I force Tomcat to trust the signature of the client?

I've been playing with java keytool for many hours now.

Recommended answer

Finally got the solution to my problem, so I'll post the results here if anyone else gets stuck.

Thanks to Michael Martin's Software Thoughts & Essays I found:

keytool by default uses the DSA algorithm when generating the self-signed cert. Earlier versions of Firefox accepted these keys without problem. With Firefox 3 beta 5, using DSA doesn't work, but using RSA does. Passing "-keyalg RSA" when generating the self-signed certificate creates a cert that Firefox 3 beta 5 fully accepts.

I simply set that flag, cleared all caches in Firefox and it worked like a charm! I am using this as a test setup for my project and I need to share this with other people, so I wrote a little batch script that creates two SSL certificates. One can be dropped into the Tomcat setup and the other is a .p12 file that can be imported into Firefox/IE. Thanks!

Usage: first command-line argument is the username of the client. All passwords are "password" (with no quotations). Change any of the hard-coded bits to meet your needs.

@echo off
if "%1" == "" goto usage

rem Server key pair plus self-signed cert (RSA, so Firefox 3 accepts it), stored in server.jks
keytool -genkeypair -alias servercert -keyalg RSA -dname "CN=Web Server,OU=Unit,O=Organization,L=City,S=State,C=US" -keypass password -keystore server.jks -storepass password
rem Client key pair plus self-signed cert, written straight to a PKCS#12 file the browser can import
keytool -genkeypair -alias %1 -keystore %1.p12 -storetype pkcs12 -keyalg RSA -dname "CN=%1,OU=Unit,O=Organization,L=City,S=State,C=US" -keypass password -storepass password
rem Export only the client's certificate (no private key) to a temporary .cer file
keytool -exportcert -alias %1 -file %1.cer -keystore %1.p12 -storetype pkcs12 -storepass password
rem Import that certificate into server.jks as a trusted entry so Tomcat will accept the client
keytool -importcert -keystore server.jks -alias %1 -file %1.cer -v -trustcacerts -noprompt -storepass password
rem Show what ended up in the server keystore, then remove the temporary .cer
keytool -list -v -keystore server.jks -storepass password
del %1.cer
goto end

:usage
echo Need user id as first argument: generate_keystore [username]
goto end

:end
pause

The results are two files. One called server.jks that you drop into Tomcat and another file called {username}.p12 that you import into your browser. The server.jks file has the client certificate added as a trusted cert.

I hope someone else finds this useful.

And here is the XML that needs to be added to your Tomcat conf/server.xml file (only tested on Tomcat 6.x)

<Connector
   clientAuth="true" port="8443" minSpareThreads="5" maxSpareThreads="75"
   enableLookups="true" disableUploadTimeout="true"
   acceptCount="100" maxThreads="200"
   scheme="https" secure="true" SSLEnabled="true"
   keystoreFile="${catalina.home}/conf/server.jks"
   keystoreType="JKS" keystorePass="password"
   truststoreFile="${catalina.home}/conf/server.jks"
   truststoreType="JKS" truststorePass="password"
   SSLVerifyClient="require" SSLEngine="on" SSLVerifyDepth="2" sslProtocol="TLS"
/>

For Tomcat 7:

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" SSLEnabled="true"
           maxThreads="200" scheme="https" secure="true"
           keystoreFile="${catalina.base}/conf/server.jks" keystorePass="password"
           clientAuth="false" sslProtocol="TLS" />
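The same keytool procedure as the batch script above, rewritten here as an added POSIX sh example (not the answer's own script): the RSA fix is applied explicitly with a key size and validity, the password comes from the environment instead of being hard-coded, the trusted client certificates go into a separate truststore, and each certificate is checked to be RSA-signed before it is imported. It assumes a JDK keytool on PATH; the file name trust.jks and the KEYSTORE_PASS variable are this example's own choices.

```shell
#!/bin/sh
# Added example: sh port of the keytool steps with an RSA check and a separate truststore.
# Assumes keytool (JDK) on PATH. trust.jks / KEYSTORE_PASS are names chosen for this example.
set -eu

DN_SUFFIX="OU=Unit,O=Organization,L=City,S=State,C=US"

# Build the distinguished name for a subject, same shape as the original script's -dname.
dn_for() {
    printf 'CN=%s,%s' "$1" "$DN_SUFFIX"
}

# Read `keytool -list -v` output on stdin and succeed only if the signature algorithm
# is RSA-based. A self-signed cert is signed with its own key, so this also reveals
# whether keytool silently produced a DSA key (the Firefox 3 failure mode).
cert_is_rsa() {
    grep -i '^ *Signature algorithm name:' | grep -qi 'RSA'
}

# Create server.jks (server key), <user>.p12 (client key for the browser) and
# trust.jks (client certs Tomcat should accept).
generate_keystores() {
    user="$1"
    pw="${KEYSTORE_PASS:?set KEYSTORE_PASS instead of hard-coding a password}"
    keytool -genkeypair -alias servercert -keyalg RSA -keysize 2048 -validity 365 \
        -dname "$(dn_for 'Web Server')" -keystore server.jks \
        -storepass "$pw" -keypass "$pw"
    keytool -genkeypair -alias "$user" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "$(dn_for "$user")" -keystore "$user.p12" -storetype pkcs12 \
        -storepass "$pw" -keypass "$pw"
    # Abort (set -e) if either certificate did not come out RSA-signed.
    keytool -list -v -keystore server.jks -storepass "$pw" | cert_is_rsa
    keytool -list -v -keystore "$user.p12" -storetype pkcs12 -storepass "$pw" | cert_is_rsa
    # Export only the client's certificate, then pin it in the truststore.
    keytool -exportcert -alias "$user" -file "$user.cer" \
        -keystore "$user.p12" -storetype pkcs12 -storepass "$pw"
    keytool -importcert -alias "$user" -file "$user.cer" -keystore trust.jks \
        -storepass "$pw" -noprompt
    rm -f "$user.cer"
}

# Only run when a username is given, so the file can also be sourced for its functions.
if [ "$#" -ge 1 ]; then
    generate_keystores "$1"
else
    echo "usage: KEYSTORE_PASS=... $0 <username>" >&2
fi
```

With the truststore split out, point the connector's truststoreFile at trust.jks and keep keystoreFile on server.jks, so the server's private key store never doubles as the list of trusted clients.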

