The principles of SSL and its detailed configuration were covered in the previous two posts. This post summarizes the concrete SSL configuration. Thanks mainly to three articles.
Browser-side implementation of SSL mutual authentication:
http://blog.csdn.net/jasonhwang/archive/2008/04/26/2329589.aspx
http://blog.csdn.net/jasonhwang/archive/2008/04/29/2344768.aspx
Implementing SSL mutual authentication from Java code:
http://www.blogjava.net/stone2083/archive/2007/12/20/169015.html
The browser-side implementation of SSL mutual authentication was done mainly on Linux; with slight changes to the paths it also works on Windows.
Note: a client browser that does not have the CA certificate can still access the server. The client's CA certificate is used to verify that the server is genuine; without it, the browser pops up a warning and lets the user decide whether to proceed.
On the server side, the CA certificate used for signing has been added to the trust keystore, and the server uses it to verify whether a client is trusted.
The main code follows:
env.bat:
set OPENSSL_HOME=C:\temp\testca
set SERVER=%OPENSSL_HOME%\Server
set CLIENT=%OPENSSL_HOME%\Client
set CA=%OPENSSL_HOME%\CA
set CONF=%OPENSSL_HOME%\conf
gentestca.conf:
[req]
default_keyfile = $ENV::OPENSSL_HOME/CA/cakey.pem
default_md = md5
prompt = no
distinguished_name = ca_distinguished_name
x509_extensions = ca_extensions
[ca_distinguished_name]
organizationName = VictorOrg
organizationalUnitName = VictorDepartment
commonName = VictorCA
emailAddress = ca_admin@victororg.com
[ca_extensions]
basicConstraints = CA:true
testca.conf:
[ ca ]
default_ca = testca # The default ca section
# the CA section named above must be configured:
[ testca ]
dir = $ENV::OPENSSL_HOME # top dir
database = $dir/index.txt # index file.
new_certs_dir = $dir/newcerts # new certs dir
certificate = $ENV::CA/cacert.pem # The CA cert
serial = $dir/serial # serial no file
private_key = $ENV::CA/cakey.pem # CA private key
RANDFILE = $ENV::CA/.rand # random number file
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # message digest method to use
unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
policy = policy_any # default policy
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
generateCA.bat:
openssl req -x509 -newkey rsa:2048 -out CA/cacert.pem -outform PEM -days 2190 -config "%OPENSSL_HOME%\conf\gentestca.conf"
openssl pkcs12 -export -clcerts -in CA/cacert.pem -inkey CA/cakey.pem -out CA/root.p12
keytool -keystore %CA%\truststore.jks -keypass 444444 -storepass 444444 -alias ca -import -trustcacerts -file %CA%\cacert.pem
generateServer.bat:
openssl req -newkey rsa:1024 -keyout %SERVER%\serverkey.pem -keyform PEM -out %SERVER%\serverreq.pem -outform PEM -subj "/O=ABCom/OU=servers/CN=servername"
openssl ca -in %SERVER%\serverreq.pem -out %SERVER%\servercert.pem -config "%CONF%\testca.conf"
openssl pkcs12 -export -in %SERVER%\servercert.pem -inkey %SERVER%\serverkey.pem -out %SERVER%\server.p12 -name tomcat -CAfile "%CA%\cacert.pem" -caname root -chain
generateClient.bat:
openssl req -newkey rsa:1024 -keyout %CLIENT%\clientkey.pem -keyform PEM -out %CLIENT%\clientreq.pem -outform PEM -subj "/O=TestCom/OU=TestOU/CN=testuser1"
openssl ca -in %CLIENT%\clientreq.pem -out %CLIENT%\clientcert.pem -config "%CONF%\testca.conf"
openssl pkcs12 -export -in %CLIENT%\clientcert.pem -inkey %CLIENT%\clientkey.pem -out %CLIENT%\client.p12 -name client -chain -CAfile "%CA%\cacert.pem"
server.xml in Tomcat:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           maxHttpHeaderSize="8192"
           minSpareThreads="25" maxSpareThreads="75"
           clientAuth="true" sslProtocol="TLS"
           disableUploadTimeout="true" enableLookups="false" acceptCount="100"
           keystoreType="PKCS12" keystoreFile="C:/temp/ca_9_13/server.p12" keystorePass="333333"
           truststoreType="JKS" truststoreFile="C:/temp/ca_9_13/truststore.jks" truststorePass="444444"
/>
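The trust relationships set up by the batch files and the Connector above, as an added example in Go that is not part of this post or the linked articles: one self-signed CA (VictorCA) signs the server certificate (servername) and the client certificate (testuser1), the CA certificate alone is the trust store on both sides (the role of truststore.jks and of cacert.pem imported into the browser), and the server requires a client certificate (clientAuth="true"). The certificates are generated in memory with Ed25519 keys instead of the md5/RSA-1024 material of the openssl commands, and the three handshakes show a client with a certificate succeeding, a client without one being refused, and a client refusing a server whose certificate comes from an unrelated CA.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)
// issue returns a fresh Ed25519 key with a certificate for cn; parent == nil makes a self-signed root (CA:true, as in gentestca.conf).
func issue(cn string, parent *x509.Certificate, signer interface{}) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: parent == nil, BasicConstraintsValid: true,
	}
	if parent == nil { // root: sign with its own key; leaves are signed by the CA, like "openssl ca" in the .bat files
		parent, signer = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}
// handshake runs one TLS handshake over loopback TCP; true only when both peers accepted it.
func handshake(srv, cli *tls.Config) bool {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false
	}
	defer ln.Close()
	errc := make(chan error, 1) // result of the server-side handshake
	go func() { raw, _ := ln.Accept(); defer raw.Close(); errc <- tls.Server(raw, srv).Handshake() }()
	c, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err == nil {
		c.Close()
	}
	return err == nil && <-errc == nil // client accepted the server AND the server accepted the client
}
// mutualTLSDemo mirrors the page: one CA signs server and client, its cert is the trust store on both sides, and the server requires a client cert.
func mutualTLSDemo() (withClientCert, withoutClientCert, untrustedServer bool) {
	ca, other := issue("VictorCA", nil, nil), issue("OtherCA", nil, nil) // the page's CA and an unrelated one
	trust := x509.NewCertPool()
	trust.AddCert(ca.Leaf) // truststore.jks on the server / cacert.pem imported into the browser
	server := &tls.Config{Certificates: []tls.Certificate{issue("servername", ca.Leaf, ca.PrivateKey)}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trust}
	rogue := &tls.Config{Certificates: []tls.Certificate{issue("servername", other.Leaf, other.PrivateKey)}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trust}
	client := &tls.Config{RootCAs: trust, ServerName: "servername", Certificates: []tls.Certificate{issue("testuser1", ca.Leaf, ca.PrivateKey)}}
	return handshake(server, client), handshake(server, &tls.Config{RootCAs: trust, ServerName: "servername"}), handshake(rogue, client)
}
```

Call mutualTLSDemo from a test or a main function; it returns true, false, false for the three handshakes.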
Implementing SSL mutual authentication from Java code:
When Java code calls the server over HTTPS, the server's CA must be added to the trust keystore used by the client Java code, because a program cannot decide subjectively, the way a person can, whether the site may be accessed.
env.bat, gentestca.conf, testca.conf and generateCA.bat are the same as above.
generateServerKeyStore.bat:
keytool -keystore %SERVER%\server.jks -keypass 222222 -storepass 222222 -alias serverkey -genkey -keyalg RSA -dname "CN=servername, OU=servers, O=ABCom"
keytool -export -alias serverkey -keypass 222222 -storepass 222222 -keystore %SERVER%\server.jks -file %SERVER%\server.crt
keytool -import -alias serverkey -keypass 222222 -storepass 222222 -file %SERVER%\server.crt -keystore %CLIENT%\tclient.keystore
generateClientKeyStore.bat:
keytool -genkey -alias clientkey -keystore %CLIENT%\client.jks -keypass 777777 -storepass 777777 -keyalg RSA -dname "CN=servername, OU=servers, O=ABCom"
keytool -export -alias clientkey -keystore %CLIENT%\client.jks -file %CLIENT%\client.crt -keypass 777777 -storepass 777777
keytool -import -alias clientkey -file %CLIENT%\client.crt -keystore %SERVER%\tserver.keystore -keypass 777777 -storepass 777777
server.xml in Tomcat:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           maxHttpHeaderSize="8192"
           minSpareThreads="25" maxSpareThreads="75"
           clientAuth="true" sslProtocol="TLS"
           disableUploadTimeout="true" enableLookups="false" acceptCount="100"
           keystoreFile="C:\temp\keystore_9_14\server.jks" keystorePass="222222" keystoreType="JKS"
           truststoreFile="C:\temp\keystore_9_14\tserver.keystore" truststorePass="777777" truststoreType="JKS"
/>
Client-side Java code:
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.URL;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManagerFactory;

public class HttpsTest {
    // password of client.jks, the client's own key pair (generateClientKeyStore.bat)
    public static final String CLIENT_KEY_STORE_PASSWORD = "777777";
    // password of tclient.keystore, which holds the exported server certificate (generateServerKeyStore.bat)
    public static final String CLIENT_TRUST_KEY_STORE_PASSWORD = "222222";

    // Accepts every host name: the server certificate's CN ("servername") is not the real DNS name,
    // so host name verification is skipped here; the certificate chain is still checked by the trust manager.
    private static class TrustAnyHostnameVerifier implements HostnameVerifier {
        public boolean verify(String hostname, SSLSession session) {
            return true;
        }
    }

    public static void main(String[] args) throws NoSuchAlgorithmException, KeyStoreException, CertificateException,
            FileNotFoundException, IOException, UnrecoverableKeyException, KeyManagementException {
        SSLContext ctx = SSLContext.getInstance("SSL");
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        KeyStore ks = KeyStore.getInstance("JKS");  // the client's identity (sent when the server asks for a certificate)
        KeyStore tks = KeyStore.getInstance("JKS"); // the certificates the client trusts
        ks.load(new FileInputStream("C:/temp/keystore_9_14/client.jks"), CLIENT_KEY_STORE_PASSWORD.toCharArray());
        tks.load(new FileInputStream("C:/temp/keystore_9_14/tclient.keystore"), CLIENT_TRUST_KEY_STORE_PASSWORD.toCharArray());
        kmf.init(ks, CLIENT_KEY_STORE_PASSWORD.toCharArray());
        tmf.init(tks);
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        String url = "https://****:8443/****";
        URL myURL = new URL(url);
        HttpsURLConnection httpsConn = (HttpsURLConnection) myURL.openConnection();
        httpsConn.setHostnameVerifier(new TrustAnyHostnameVerifier());
        httpsConn.setSSLSocketFactory(ctx.getSocketFactory());
        httpsConn.setRequestMethod("GET");
        httpsConn.setRequestProperty("Connection", "Keep-Alive");
        httpsConn.setUseCaches(false);
        httpsConn.setReadTimeout(60000);
        httpsConn.setRequestProperty("Content-Type", "text/html; charset=UTF-8");
        // the handshake (including the client certificate exchange) happens on the first access to the response
        if (httpsConn.getResponseMessage().equalsIgnoreCase("ok")) {
            System.out.println("ok");
        } else {
            System.out.println("error");
        }
    }
}