5. JSSE SSL Mutual Authentication
In SSL mutual authentication (two-way SSL) the server and the client each verify the other's identity, so each side has to present a trusted certificate that proves who it is. In the previous section we configured SSL on the server side and generated the server certificate; in the same way, the client now needs a certificate issued by our CA.
5.1 Issuing the Client Certificate
Step 1: generate the client private key. Use OpenSSL to create the client key client-key.pem (this step produces only the key; the certificate is issued in Step 3):
D:\Server\OpenSSL-Win32\bin>openssl genrsa -out client/client-key.pem 1024
The 1024-bit key is kept here to match the transcript; use at least 2048 bits for anything beyond a lab, because 1024-bit RSA is below what current browsers and CAs accept.
Step 2: create the certificate signing request (CSR) client-req.csr for the client certificate. The Distinguished Name fields are entered interactively; the Common Name (CN) is what identifies the client:
D:\Server\OpenSSL-Win32\bin>openssl req -new -out client/client-req.csr -key client/client-key.pem
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:haidian
Organization Name (eg, company) [Internet Widgits Pty Ltd]:bluesky
Organizational Unit Name (eg, section) []:Net Working Group
Common Name (eg, YOUR name) []:dinstone
Email Address []:dinstone@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:654321
An optional company name []:
Step 3: have the CA sign the CSR (certificate signing request) client-req.csr, producing the signed client certificate client-cert.pem. Two things about the command as shown are worth knowing: -signkey is the self-signing option and is redundant once -CA/-CAkey are given, since the CA key is what produces the signature; and because no -extfile is supplied, the resulting certificate carries no extensions (no basicConstraints, no extendedKeyUsage=clientAuth). Both are fine for this lab but should be corrected for a real deployment.
D:\Server\OpenSSL-Win32\bin>openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -signkey client/client-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650
Loading 'screen' into random state - done
Signature ok
subject=/C=CN/ST=Beijing/L=haidian/O=bluesky/OU=Net Working Group/CN=dinstone/emailAddress=dinstone@163.com
Getting Private key
Getting CA Private Key
Step 4: export the client certificate into the browser-importable PKCS#12 file client.p12. Strictly speaking, client.p12 is a PKCS#12 keystore that contains the client's private key together with its certificate, so the export password is all that protects the private key and the file should be handled as a secret:
D:\Server\OpenSSL-Win32\bin>openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12
Loading 'screen' into random state - done
Enter Export Password:654321
Verifying - Enter Export Password:654321
5.2 Configuring Mutual Authentication
Step 1: configure the Connector. Edit $Tomcat_Home\conf\server.xml and change the Connector to the following:
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="keystore/tomcat.jks" keystorePass="123456"
           truststoreFile="keystore/tomcat.jks" truststorePass="123456"
           clientAuth="true"
           sslProtocol="TLS" />
Notes:
- clientAuth="true" makes Tomcat require a client certificate: a handshake without one, or with one not signed by a CA in the trust store, fails instead of falling back to an unauthenticated connection. (clientAuth="want" would request a certificate but not fail without one.) In Tomcat 8.5 and later the same setting is certificateVerification="required" on the SSLHostConfig element.
- truststoreFile names the trust store used to verify client certificates. Because the CA certificate that signed the client certificate was already imported into the tomcat.jks keystore, truststoreFile points directly at keystore/tomcat.jks. If truststoreFile is left empty, the trust store is the one named by the system property javax.net.ssl.trustStore, which defaults to $JDK_HOME/jre/lib/security/cacerts. Remember that every CA in the trust store can issue client certificates that Tomcat will accept, so for production use a dedicated trust store holding only your own CA rather than cacerts or the server keystore.
At this point, if you open https://192.168.8.221:8443/, the server asks the browser for a client certificate. The browser does not have one yet, so it shows the certificate-selection dialog with nothing usable and the handshake cannot complete. We therefore need to import the client certificate client.p12 into the browser.
(Figure: certificate selection dialog)
Step 2: import the PKCS#12 client certificate client.p12 into the browser's personal certificate store. In IE:
- Open the menu [Tools] -> [Internet Options] -> [Content] tab (see figure).
- Click [Certificates...] -> [Import...] and select the client certificate file client.p12 (see figure).
- Click [Next], enter the password "654321" (the password of the client.p12 keystore, that is, the export password entered when client.p12 was created in section 5.1), click [Next] again and then [Finish]; the import succeeds (see figure).
Step 3: test HTTPS. Start Tomcat and open https://192.168.8.221:8443/. The browser offers the imported certificate; after selecting it, the Tomcat welcome page appears without a security warning, which shows that mutual authentication is configured correctly. To confirm that the server really rejects unauthenticated clients, also try from a browser or profile that does not have the certificate: the connection should fail.
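The following shell script is an added example, not code from the original article, that reproduces the client-certificate issuance of section 5.1 and the mutual-authentication check of section 5.2 end to end with the openssl command line on a Linux/macOS machine, so it can be run without Tomcat or a browser. It builds a throw-away CA (standing in for the article's ca/ca-cert.pem and ca/ca-key.pem), issues a client certificate with the same DN fields, exports client.p12, and then starts a local openssl s_server with -Verify, which requires a CA-signed client certificate just as clientAuth="true" does, connecting once with the client certificate and once without. The temporary directory layout, the ports 48443/48444, the 2048-bit keys, the extension file adding extendedKeyUsage=clientAuth and the omission of -signkey are all choices made here and are not part of the article.

```shell
#!/bin/sh
# Added example (not from the original article): issue a CA-signed client
# certificate as in section 5.1, then exercise mutual TLS against a local
# openssl s_server that stands in for the Tomcat connector of section 5.2.
# Paths, ports and key sizes are assumptions; the article's ca/, client/ and
# keystore/tomcat.jks layout is replaced by one temporary directory.
set -eu

# issue_client_cert DIR: build a throw-away CA, a server cert and a client
# cert under DIR. Differences from the article's commands: 2048-bit RSA
# instead of 1024, -subj instead of interactive prompts, an -extfile that
# marks the cert for TLS client authentication, and no redundant -signkey.
issue_client_cert() {
  dir=$1
  mkdir -p "$dir"
  # throw-away CA (plays the role of ca/ca-cert.pem and ca/ca-key.pem)
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Test CA" \
    -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem" 2>/dev/null
  # client key and CSR (section 5.1 steps 1 and 2)
  openssl genrsa -out "$dir/client-key.pem" 2048 2>/dev/null
  openssl req -new -key "$dir/client-key.pem" -out "$dir/client-req.csr" \
    -subj "/C=CN/ST=Beijing/O=bluesky/CN=dinstone" 2>/dev/null
  # CA signs the CSR (section 5.1 step 3); the extension file makes the
  # result a v3 certificate usable only for client authentication
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
    > "$dir/client-ext.cnf"
  openssl x509 -req -in "$dir/client-req.csr" -CA "$dir/ca-cert.pem" \
    -CAkey "$dir/ca-key.pem" -CAcreateserial -days 365 \
    -extfile "$dir/client-ext.cnf" -out "$dir/client-cert.pem" 2>/dev/null
  # PKCS#12 bundle for the browser (section 5.1 step 4); the export
  # password is what protects the private key inside the file
  openssl pkcs12 -export -clcerts -in "$dir/client-cert.pem" \
    -inkey "$dir/client-key.pem" -out "$dir/client.p12" -passout pass:654321
  # server certificate for the local stand-in server (the article keeps the
  # server key and certificate in keystore/tomcat.jks instead)
  openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
    -keyout "$dir/server-key.pem" -out "$dir/server-req.csr" 2>/dev/null
  openssl x509 -req -in "$dir/server-req.csr" -CA "$dir/ca-cert.pem" \
    -CAkey "$dir/ca-key.pem" -CAcreateserial -days 365 \
    -out "$dir/server-cert.pem" 2>/dev/null
}

# verify_chain DIR: succeeds iff client-cert.pem chains to the CA, which is
# the check Tomcat's trust store performs during the handshake
verify_chain() {
  openssl verify -CAfile "$1/ca-cert.pem" "$1/client-cert.pem" >/dev/null 2>&1
}

# has_client_auth_eku DIR: succeeds iff the client cert carries the
# clientAuth extended key usage (absent from the article's -req output)
has_client_auth_eku() {
  openssl x509 -in "$1/client-cert.pem" -noout -text 2>/dev/null |
    grep -q 'TLS Web Client Authentication'
}

# handshake DIR PORT yes|no: start a one-shot s_server that requires a CA-
# signed client certificate (-Verify, like clientAuth="true"), connect with
# or without the client certificate, and print "ok" or "rejected"
handshake() {
  dir=$1; port=$2; with_cert=$3
  openssl s_server -accept "$port" -cert "$dir/server-cert.pem" \
    -key "$dir/server-key.pem" -CAfile "$dir/ca-cert.pem" -Verify 2 -www \
    </dev/null >/dev/null 2>&1 &
  srv=$!
  sleep 1
  # $auth is expanded unquoted on purpose; DIR comes from mktemp (no spaces)
  if [ "$with_cert" = yes ]; then
    auth="-cert $dir/client-cert.pem -key $dir/client-key.pem"
  else
    auth=""
  fi
  # -www makes the server answer a GET with "HTTP/1.0 200 ok" only after the
  # handshake, including client-certificate verification, has succeeded
  out=$(printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "127.0.0.1:$port" \
    -CAfile "$dir/ca-cert.pem" -ign_eof $auth 2>&1) || true
  kill "$srv" 2>/dev/null || true
  wait "$srv" 2>/dev/null || true
  case $out in
    *"HTTP/1.0 200"*) echo ok ;;
    *) echo rejected ;;
  esac
}

# demo: run the whole sequence in a temporary directory
demo() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 0; }
  d=$(mktemp -d)
  issue_client_cert "$d"
  verify_chain "$d" && echo "client-cert.pem chains to the CA"
  echo "with client cert:    $(handshake "$d" 48443 yes)"
  echo "without client cert: $(handshake "$d" 48444 no)"
  rm -rf "$d"
}

demo
```

Run it as sh mtls_demo.sh; the expected result is "ok" for the connection that presents the client certificate and "rejected" for the one that does not. Because of set -e the script stops at the first failing openssl command, so an unexpected "rejected" in the with-certificate case points at a wrong server certificate, CA file or busy port rather than a silently passing script. Against the real connector the equivalent manual check is openssl s_client -connect 192.168.8.221:8443 -CAfile ca/ca-cert.pem -cert client/client-cert.pem -key client/client-key.pem, and the same command without -cert/-key should fail.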