Tomcat HTTPS keystore certificate


Problem description


Ran into another problem using SSL and Tomcat: I've configured a keystore which contains a key and a certificate (the server certificate I wish to present to the clients connecting to the site). I've done the same for the truststore (I'm going to need client authentication).


The problem I have now is that when I connect to my Tomcat instance via HTTPS, the certificate presented to me (the server certificate) is not my actual server certificate, but rather the key in the JKS keystore. Using -Djavax.net.debug=ssl reveals that it's presenting the correct CA for client authentication, but not the correct server certificate.

adding as trusted cert:
  Subject: CN=A
  Issuer:  CN=A
  Algorithm: RSA; Serial number: -
  Valid from Tue Nov 10 14:48:31 CET 2009 until Mon Feb 08 14:48:31 CET 2010

adding as trusted cert:
  Subject: X
  Issuer:  X
  Algorithm: RSA; Serial number: -
  Valid from Wed Jan 19 01:00:00 CET 2005 until Mon Jan 19 00:59:59 CET 2015


I've replaced the real values with place holders. A = the domain name of the server (but in this case, for some reason this is the key and not the certificate). X = a VeriSign CA (this should be correct). I have an existing certificate I would like to use to present to the clients, which I imported into a JKS keystore using keytool.


The Tomcat connector configuration:

<Connector port="444" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/ssl/keystore.jks"
           keystorePass="xx"
           keyAlias="testkey"
           truststoreFile="conf/ssl/truststore.jks"
           truststorePass="xx" />


Any idea why my Tomcat instance is not presenting the correct certificate?
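A quick way to see what Tomcat actually has to work with is to list what each alias in the keystore holds. Tomcat can only present the certificate chain attached to a PrivateKeyEntry (the one named by keyAlias); a certificate that was imported on its own ends up as a trustedCertEntry, which carries no private key and so is never served. The following diagnostic is an added example, not code from the original post; the keystore path and password are taken from the command line.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

// Added diagnostic (not from the original post): prints the entry type behind
// every alias in a JKS keystore together with the certificate(s) it holds.
public class KeystoreInspect {
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java KeystoreInspect <keystore.jks> <storepass>");
            System.exit(1);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (ks.isKeyEntry(alias)) {
                // Only this kind of entry can be referenced by Tomcat's keyAlias;
                // the chain stored here is exactly what clients will be shown.
                Certificate[] chain = ks.getCertificateChain(alias);
                System.out.println(alias + ": PrivateKeyEntry, chain length " + chain.length);
                for (Certificate c : chain) {
                    describe("    ", c);
                }
            } else if (ks.isCertificateEntry(alias)) {
                // A trustedCertEntry is not linked to any private key, so it can
                // serve as a trust anchor but never as the server certificate.
                System.out.println(alias + ": trustedCertEntry (no private key)");
                describe("    ", ks.getCertificate(alias));
            }
        }
    }

    private static void describe(String indent, Certificate c) {
        if (c instanceof X509Certificate) {
            X509Certificate x = (X509Certificate) c;
            System.out.println(indent + "Subject: " + x.getSubjectX500Principal());
            System.out.println(indent + "Issuer:  " + x.getIssuerX500Principal());
            System.out.println(indent + "Valid:   " + x.getNotBefore() + " to " + x.getNotAfter());
        }
    }
}
```

Run it as `java KeystoreInspect conf/ssl/keystore.jks xx` against the keystore from the Connector above. If the alias named by keyAlias shows a chain whose leaf has Subject and Issuer both equal to the server name, that is the self-signed certificate keytool created together with the key, which matches the "CN=A / Issuer CN=A" block in the debug output.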

Recommended answer


The problem is (apparently - I can not really confirm this) that it's impossible to properly import a previously generated certificate (and matching key) into a JKS keystore and have it presented properly by Tomcat.


The situation in which my problem occurred is as follows:


  1. I have a certificate file, which I generated myself using OpenSSL from scratch (key + CSR -> certificate), signed by my own CA.
  2. I wish to configure Tomcat so that it presents this particular certificate to the users connecting to my site.

The solution I found is:


  1. Convert the existing certificate and its private key to the DER format. For example (using OpenSSL):

     For the private key:

     openssl pkcs8 -topk8 -nocrypt -in my_private_key.key -inform PEM -out my_private_key.der -outform DER

     For the actual signed certificate:

     openssl x509 -in my_certificate.crt -inform PEM -out my_certificate.der -outform DER

  2. Import both DER files into a keystore (JKS file) using a custom Java class.

     java ImportKey my_private_key.der my_certificate.der


I did not figure this out myself (all credit goes to the original inventor(s)). The source for this Java class, and some more details, can be found here and here. I modified this class slightly so that there is a 3rd (or 4th) parameter that specifies the output location of the resulting JKS file.


The end result is a JKS keystore which can then be used in the Tomcat Connector configuration as the keystore. The above tool will generate the JKS file with default passwords for the key and the JKS file itself; these can be changed later using keytool -storepasswd and keytool -keypasswd. Hope this helps for people facing the same issue.
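What the ImportKey class described above has to do is small: parse the PKCS#8 DER private key and the X.509 DER certificate produced by the two OpenSSL commands, and write them into a fresh JKS keystore as a single PrivateKeyEntry under the alias that the Connector's keyAlias will reference. The class below is an added example written for this page; it is not the original ImportKey source the answer links to. It assumes an RSA key (as in the question's debug output), takes the output path, alias and store password from the command line instead of using built-in defaults, and refuses to write the keystore if the certificate's public key does not belong to the private key, which is the mismatch a wrong-file mix-up would otherwise silently produce.

```java
import java.io.FileOutputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;

// Added example (not the answer's ImportKey class): builds a JKS keystore whose
// single PrivateKeyEntry holds an existing key and its certificate.
public class ImportKeyExample {
    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: java ImportKeyExample <key.der> <cert.der> <out.jks> [alias] [storepass]");
            System.exit(1);
        }
        String alias = args.length > 3 ? args[3] : "testkey";       // matches keyAlias in the Connector
        char[] password = (args.length > 4 ? args[4] : "changeit").toCharArray();

        // Private key: unencrypted PKCS#8 DER, as written by
        // `openssl pkcs8 -topk8 -nocrypt ... -outform DER`.
        byte[] keyBytes = Files.readAllBytes(Paths.get(args[0]));
        PrivateKey key = KeyFactory.getInstance("RSA")
                .generatePrivate(new PKCS8EncodedKeySpec(keyBytes));

        // Certificate: X.509 DER, as written by `openssl x509 ... -outform DER`.
        X509Certificate cert;
        try (InputStream in = Files.newInputStream(Paths.get(args[1]))) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }

        // Refuse to build a keystore whose certificate does not belong to the key.
        if (!keyMatchesCertificate(key, cert)) {
            throw new IllegalArgumentException("certificate public key does not match the private key");
        }

        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null); // start from an empty keystore
        // One entry: private key plus its chain. If the certificate is signed by an
        // intermediate CA, append the intermediate certificate(s) to this array so
        // Tomcat presents the full chain.
        ks.setKeyEntry(alias, key, password, new Certificate[] { cert });
        try (FileOutputStream out = new FileOutputStream(args[2])) {
            ks.store(out, password);
        }
        System.out.println("wrote " + args[2] + " with PrivateKeyEntry '" + alias + "' for "
                + cert.getSubjectX500Principal());
    }

    // For RSA the public and private key share the modulus; comparing it is enough
    // to detect a certificate that was issued for a different key pair.
    static boolean keyMatchesCertificate(PrivateKey key, X509Certificate cert) {
        if (key instanceof RSAPrivateKey && cert.getPublicKey() instanceof RSAPublicKey) {
            return ((RSAPrivateKey) key).getModulus()
                    .equals(((RSAPublicKey) cert.getPublicKey()).getModulus());
        }
        return false; // only RSA is handled in this example
    }
}
```

Usage following the answer's steps: `java ImportKeyExample my_private_key.der my_certificate.der conf/ssl/keystore.jks testkey xx`. The same password is deliberately used for the store and for the key entry, because the Connector configuration in the question supplies only keystorePass and Tomcat uses that value for both unless a separate key password is configured; if you later change one with keytool -storepasswd or keytool -keypasswd, update the Connector accordingly.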
