Tomcat server/client self-signed SSL certificates

Posted on 2024-07-29 13:27:13


I have an Apache Tomcat 6.x server running with a self-signed SSL certificate. I want the client to present their own certificate to the server so I can authenticate them based on a database of users. I have it all working based on an example I found online, but the example came with canned certificates and a pre-built JKS datastore. I want to create my own datastore with my own certs but am having no luck.

How do I create a datastore for Tomcat?
How do I create a self-signed certificate for Tomcat?

How do I create a self-signed certificate for the client?
How do I force Tomcat to trust the signature of the client?

I've been playing with java keytool for many hours now.

Comments (4)

二智少女 2024-08-05 13:27:13

Finally got the solution to my problem, so I'll post the results here if anyone else gets stuck.

Thanks to Michael Martin of Michael's Software Thoughts & Ramblings I discovered that:

keytool by default uses the DSA
algorithm when generating the
self-signed cert. Earlier versions of
Firefox accepted these keys without
problem. With Firefox 3 beta 5, using
DSA doesn't work, but using RSA does.
Passing "-keyalg RSA" when generating
the self-signed certificate creates a
cert the Firefox 3 beta 5 fully
accepts.

I simply set that flag, cleared all caches in FireFox and it worked like a charm! I am using this as a test-setup for my project and I need to share this with other people, so I wrote a little batch script that creates two SSL certificates. One can be dropped into the Tomcat setup and the other is a .p12 file that can be imported into FireFox/IE. Thanks!

Usage: first command-line argument is the username of the client. All passwords are "password" (with no quotations). Change any of the hard-coded bits to meet your needs.

@echo off
if "%1" == "" goto usage

keytool -genkeypair -alias servercert -keyalg RSA -dname "CN=Web Server,OU=Unit,O=Organization,L=City,S=State,C=US" -keypass password -keystore server.jks -storepass password
keytool -genkeypair -alias %1 -keystore %1.p12 -storetype pkcs12 -keyalg RSA -dname "CN=%1,OU=Unit,O=Organization,L=City,S=State,C=US" -keypass password -storepass password
keytool -exportcert -alias %1 -file %1.cer -keystore %1.p12 -storetype pkcs12 -storepass password
keytool -importcert -keystore server.jks -alias %1 -file %1.cer -v -trustcacerts -noprompt -storepass password
keytool -list -v -keystore server.jks -storepass password
del %1.cer
goto end

:usage
echo Need user id as first argument: generate_keystore [username]
goto end

:end
pause

The results are two files. One called server.jks that you drop into Tomcat and another file called {username}.p12 that you import into your browser. The server.jks file has the client certificate added as a trusted cert.

I hope someone else finds this useful.

And here is the XML that needs to be added to your Tomcat conf/server.xml file (only tested on Tomcat 6.x)

<Connector
   clientAuth="true" port="8443" minSpareThreads="5" maxSpareThreads="75"
   enableLookups="true" disableUploadTimeout="true"
   acceptCount="100" maxThreads="200"
   scheme="https" secure="true" SSLEnabled="true"
   keystoreFile="${catalina.home}/conf/server.jks"
   keystoreType="JKS" keystorePass="password"
   truststoreFile="${catalina.home}/conf/server.jks"
   truststoreType="JKS" truststorePass="password"
   SSLVerifyClient="require" SSLEngine="on" SSLVerifyDepth="2" sslProtocol="TLS"
/>

For Tomcat 7:

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" SSLEnabled="true"
           maxThreads="200" scheme="https" secure="true"
           keystoreFile="${catalina.base}/conf/server.jks" keystorePass="password"
           clientAuth="false" sslProtocol="TLS" />

无畏 2024-08-05 13:27:13

To enable client authentication, you need to specify a "trust store" for Tomcat: a key store containing certificates from the root certification authorities that you trust, each flagged as a "trustEntry".

This is specified by the Connector element's attributes: truststoreFile, truststorePass (which defaults to the value of keystorePass), and truststoreType (which defaults to "JKS").

If a client is using a self-signed certificate, then its "root" CA is the certificate itself; it follows, then, that you need to import the client's self-signed certificate into Tomcat's trust store.

If you have many clients, this will quickly become a hassle. In that case, you might want to look into signing certificates for your clients. The Java keytool command can't do this, but all of the necessary command-line utilities are available in OpenSSL. Or you could look into something like EJBCA on a large scale.

Better yet, ask your clients to use an existing free CA, like startcom.org. This doesn't always work for server certificates, because StartCom's certificate isn't included in all browsers, but this situation is reversed, and the StartCom root certificate could easily be imported to the Tomcat trust store.
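The OpenSSL route suggested above, as an added example that is not from any of the answers: a small private CA signs each client's certificate, so Tomcat's trust store only has to hold the CA certificate (kept in its own file rather than reusing server.jks as both keystore and truststore). It assumes openssl on PATH; the user name alice, the password changeit and the scratch directory are constructed values, and keytool is only needed for the final import step.

```shell
#!/bin/sh
# Added example: a private CA for Tomcat client authentication using OpenSSL.
# Tomcat trusts one CA cert; every client gets a certificate signed by that CA
# instead of having its self-signed cert imported into server.jks one by one.
set -e

WORK="${WORK:-$(mktemp -d)}"            # scratch directory (constructed)
CA_SUBJ="/CN=Example Client CA/O=Organization/C=US"

# make_ca: private key + self-signed CA certificate (10 years)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "$CA_SUBJ" 2>/dev/null
}

# make_client USER PASSWORD: key + CSR, signed by the CA, bundled as USER.p12
make_client() {
  user="$1"; pass="$2"
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$user.key" \
    -out "$WORK/$user.csr" -subj "/CN=$user/O=Organization/C=US" 2>/dev/null
  openssl x509 -req -in "$WORK/$user.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/$user.crt" 2>/dev/null
  # PKCS#12 bundle for the browser: private key + client cert + issuing CA
  openssl pkcs12 -export -inkey "$WORK/$user.key" -in "$WORK/$user.crt" \
    -certfile "$WORK/ca.crt" -name "$user" -out "$WORK/$user.p12" -passout "pass:$pass"
}

# verify_client USER: does USER's cert chain to our CA? (the check Tomcat performs)
verify_client() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# import_ca PASSWORD: put only the CA cert into a separate Tomcat trust store,
# to be referenced by truststoreFile/truststorePass on the Connector
import_ca() {
  command -v keytool >/dev/null || { echo "keytool not found; skipping import"; return 0; }
  keytool -importcert -noprompt -trustcacerts -alias clientca -file "$WORK/ca.crt" \
    -keystore "$WORK/truststore.jks" -storepass "$1"
}

make_ca
make_client alice changeit
verify_client alice && echo "alice: certificate chains to the CA"
import_ca changeit
```

Point the Connector's truststoreFile at truststore.jks and keep keystoreFile on the server keystore; a client whose certificate was not issued by this CA is rejected at the TLS handshake.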

蓬勃野心 2024-08-05 13:27:13

Create certificate:

keytool -genkey -alias tomcat -keyalg RSA -keystore /home/bob/mykeystore

Enter all the data for the self-signed certificate you need, then edit Tomcat's server.xml and specify the keystore properties on the SSL connector, e.g.:

<Connector port="8443" maxHttpHeaderSize="8192"
        maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
        enableLookups="false" disableUploadTimeout="true"
        acceptCount="100" scheme="https" secure="true"
        keystoreFile="/home/bob/mykeystore"
        clientAuth="false" sslProtocol="TLS" />

or follow the Tomcat docs...

http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

街角迷惘 2024-08-05 13:27:13

The previous answers are useful to me, but don't have a shell tool version. So I wrote one.

key_gen.sh:

#!/bin/bash
# a key generator for https (server-side self-signed certificate)

basename=server
key_algorithm=RSA
password_key=123456
password_store=123456
country=US

# clean - pre (-f so a missing keystore on the first run is not an error)
rm -f "${basename}.jks"

# generate server side
keytool -genkeypair -alias "${basename}cert" -keyalg "$key_algorithm" -dname "CN=Web Server,OU=Unit,O=Organization,L=City,S=State,C=${country}" -keypass "$password_key" -keystore "${basename}.jks" -storepass "$password_store"

For Tomcat 8, you could add the following config to server.xml:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
        maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
        clientAuth="false" sslProtocol="TLS"
        acceptCount="75" keystoreFile="${catalina.home}/conf/server.jks" keystorePass="123456"
    />