
October 23, 2007

Configuring two-way (mutual) SSL authentication with a non-self-signed certificate on Tomcat with APR enabled

Filed under: Tomcat — lizongbo @ 08:47

Tomcat's APR component uses JNI to improve Tomcat's performance. Once APR is enabled, Tomcat's HTTPS support can no longer use the JSSE certificate configuration
and has to use OpenSSL instead, and the clientAuth (two-way authentication) configuration also differs from the usual one. After some experimentation, I worked out the following configuration steps:

The certificate files are created as follows:

Download and install OpenVPN, then, under
C:\Program Files\OpenVPN\easy-rsa, follow the steps in its readme to generate the root certificate, the server certificate (not self-signed) and the client certificate.

My exact steps:
1. At the command prompt, change into C:\Program Files\OpenVPN\easy-rsa
and first run init-config.bat;
this creates openssl.cnf and vars.bat in the current directory.
2. Edit vars.bat, change the following variables and save the file:
set KEY_SIZE=2048
set KEY_COUNTRY=CN
set KEY_PROVINCE=GD
set KEY_CITY=ShenZhen
set KEY_ORG=zongbo.Inc
set KEY_EMAIL=lizongbo@618119.com

3. At the command prompt, run
vars.bat
clean-all
4. Create the CA certificate
1. vars
2. build-ca
5. Create the server's Diffie-Hellman parameters
(because KEY_SIZE is set to 2048 this can take a very long time; you can change it back to 1024 at this point)
1. vars
2. build-dh

6. Create the server certificate and key
1. vars
2. build-key-server www

7. Create the client certificate (in an importable format)
1. vars
2. build-key-pkcs12 lizongbo

The full command run is shown below:

C:\Program Files\OpenVPN\easy-rsa>init-config

C:\Program Files\OpenVPN\easy-rsa>copy vars.bat.sample vars.bat
已复制 1 个文件。

C:\Program Files\OpenVPN\easy-rsa>copy .cnf.sample .cnf
已复制 1 个文件。

C:\Program Files\OpenVPN\easy-rsa>vars.bat

C:\Program Files\OpenVPN\easy-rsa>clean-all
系统找不到指定的文件。
已复制 1 个文件。
已复制 1 个文件。

C:\Program Files\OpenVPN\easy-rsa>vars

C:\Program Files\OpenVPN\easy-rsa>build-ca
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
…………………………………..+++
……………………………………………………………………..
……………………………………………………………………..
…………………….+++
writing new private key to 'keys\ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) [GD]:GD
Locality Name (eg, city) [ShenZhen]:ShenZhen
Organization Name (eg, company) [zongbo.Inc]:zongbo.Inc
Organizational Unit Name (eg, section) []:lzb.Inc
Common Name (eg, your name or your server's hostname) []:ca.lizongbo.com
Email Address [lizongbo@618119.com]:lizongbo@618119.com

C:\Program Files\OpenVPN\easy-rsa>vars

C:\Program Files\OpenVPN\easy-rsa>build-dh
Loading 'screen' into random state - done
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
C:\Program Files\OpenVPN\easy-rsa>vars

C:\Program Files\OpenVPN\easy-rsa>build-key-server www
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
……….+++
…………………………….+++
writing new private key to 'keys\www.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) [GD]:GD
Locality Name (eg, city) [ShenZhen]:ShenZhen
Organization Name (eg, company) [zongbo.Inc]:zongbo.Inc
Organizational Unit Name (eg, section) []:lzb.Inc
Common Name (eg, your name or your server's hostname) []:www.618119.com
Email Address [lizongbo@618119.com]:lizongbo@618119.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:lizongbo
An optional company name []:lzb.cmp
Using configuration from openssl.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'GD'
localityName :PRINTABLE:'ShenZhen'
organizationName :PRINTABLE:'zongbo.Inc'
organizationalUnitName:PRINTABLE:'lzb.Inc'
commonName :PRINTABLE:'www.618119.com'
emailAddress :IA5STRING:'lizongbo@618119.com'
Certificate is to be certified until Sep 17 02:27:21 2017 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

C:\Program Files\OpenVPN\easy-rsa>vars

C:\Program Files\OpenVPN\easy-rsa>build-key lizongbo
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
……………+++
……………………+++
writing new private key to 'keys\lizongbo.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) [GD]:GD
Locality Name (eg, city) [ShenZhen]:ShenZhen
Organization Name (eg, company) [zongbo.Inc]:zongbo.Inc
Organizational Unit Name (eg, section) []:lzb.Inc
Common Name (eg, your name or your server's hostname) []:lizongbo
Email Address [lizongbo@618119.com]:lizongbo@618119.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:lizongbo
An optional company name []:lzb.cmp
Using configuration from openssl.cnf
Loading 'screen' into random state - done
DEBUG[load_index]: unique_subject = "yes"
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'GD'
localityName :PRINTABLE:'ShenZhen'
organizationName :PRINTABLE:'zongbo.Inc'
organizationalUnitName:PRINTABLE:'lzb.Inc'
commonName :PRINTABLE:'lizongbo'
emailAddress :IA5STRING:'lizongbo@618119.com'
Certificate is to be certified until Sep 17 02:28:38 2017 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

C:\Program Files\OpenVPN\easy-rsa>
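The same root -> server -> client chain that steps 4, 6 and 7 produce with easy-rsa, built here with the plain openssl command line so the "not self-signed" property can be checked directly. This is an added example, not the post's code: it reproduces what build-ca, build-key-server and build-key-pkcs12 do, minus the extensions easy-rsa's openssl.cnf adds; it assumes `openssl` is on PATH, the DN fields are the post's, and the PKCS#12 password is a constructed placeholder.

```python
"""Build the CA -> server -> client chain of steps 4, 6 and 7 with plain openssl.
Added example (not the post's code). Assumes `openssl` is on PATH; the PKCS#12
password is a constructed placeholder, the DN fields are the post's.
"""
import os
import subprocess
import tempfile

DN_BASE = "/C=CN/ST=GD/L=ShenZhen/O=zongbo.Inc/OU=lzb.Inc"


def openssl(*args):
    """Run one openssl command, raising if it exits non-zero."""
    subprocess.run(["openssl", *args], check=True, capture_output=True)


def issue(workdir, name, cn, ca_key, ca_crt):
    """Create <name>.key/.crt for cn, signed by the CA: the non-self-signed case."""
    key, csr, crt = (os.path.join(workdir, name + ext) for ext in (".key", ".csr", ".crt"))
    openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-keyout", key,
            "-out", csr, "-subj", DN_BASE + "/CN=" + cn)
    openssl("x509", "-req", "-in", csr, "-CA", ca_crt, "-CAkey", ca_key,
            "-CAcreateserial", "-days", "3650", "-out", crt)
    return key, crt


def build_chain(workdir, p12_password="constructed-password"):
    """Return paths for ca, www (server), lizongbo (client) and the client .p12."""
    ca_key, ca_crt = os.path.join(workdir, "ca.key"), os.path.join(workdir, "ca.crt")
    # Step 4 (build-ca): the self-signed root everything else chains to.
    openssl("req", "-x509", "-new", "-newkey", "rsa:2048", "-nodes", "-days", "3650",
            "-keyout", ca_key, "-out", ca_crt, "-subj", DN_BASE + "/CN=ca.lizongbo.com")
    www = issue(workdir, "www", "www.618119.com", ca_key, ca_crt)   # step 6
    client = issue(workdir, "lizongbo", "lizongbo", ca_key, ca_crt)  # step 7
    p12 = os.path.join(workdir, "lizongbo.p12")  # browser-importable client bundle
    openssl("pkcs12", "-export", "-in", client[1], "-inkey", client[0],
            "-certfile", ca_crt, "-out", p12, "-passout", "pass:" + p12_password)
    return {"ca": (ca_key, ca_crt), "www": www, "client": client, "p12": p12}


def chains_to(ca_crt, crt):
    """True iff crt verifies against ca_crt, as Tomcat does via SSLCACertificateFile."""
    r = subprocess.run(["openssl", "verify", "-CAfile", ca_crt, crt], capture_output=True)
    return r.returncode == 0


def self_check():
    """Build a chain in a temp dir: (server ok, client ok, client vs wrong CA rejected)."""
    with tempfile.TemporaryDirectory() as d:
        c = build_chain(d)
        return (chains_to(c["ca"][1], c["www"][1]),
                chains_to(c["ca"][1], c["client"][1]),
                chains_to(c["www"][1], c["client"][1]))
```

The third check is the one that matters for mutual TLS: a client certificate only passes when the CA named in SSLCACertificateFile actually issued it.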

The certificate files are installed as follows:

In IE:
In Windows Explorer, double-click easy-rsa\keys\ca.crt to import the root certificate, double-click www.crt to import the server certificate, and double-click lizongbo.p12 to import the client certificate.

In Firefox:

Main menu -> Tools -> Options -> Encryption, View Certificates -> Authorities -> Import, select ca.crt; after importing, select the newly imported certificate, click "Edit" and tick all three trust settings.

Switch to the "Web Sites" tab, Import, select www.crt; after importing, select the newly imported certificate, click "Edit" and choose "Trust the authenticity of this certificate".

Switch to "Your Certificates", Import, select lizongbo.p12, enter the password set when the certificate was generated, and the import succeeds.
(If the root certificate is not imported first, Firefox reports error -12227, "Received an error or unexpected message, error number -12227", which differs from IE's behaviour.)

Tomcat configuration steps:
1. Download tcnative-1.dll from:
http://tomcat.heanet.ie/native/1.1.10/binaries/win32/tcnative-1.dll
Download:
http://www.apache.org/dist/tomcat/tomcat-6/v6.0.14/bin/apache-tomcat-6.0.14.zip

2. Unzip apache-tomcat-6.0.14.zip to D:\Java\apache-tomcat-6.0.14
and copy tcnative-1.dll to D:\Java\apache-tomcat-6.0.14\bin

3. Create a ca directory under D:\Java\apache-tomcat-6.0.14\conf.
Copy www.crt, www.key and ca.crt from C:\Program Files\OpenVPN\easy-rsa\keys to D:\Java\apache-tomcat-6.0.14\conf\ca\

4. Edit D:\Java\apache-tomcat-6.0.14\conf\server.xml
and add the HTTPS configuration, as follows:

<Connector port="22443" maxHttpHeaderSize="8192" protocol="HTTP/1.1"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
SSLEngine="on" bufferSize="8192"
SSLEnabled="true"
SSLProtocol="all"
SSLCipherSuite="ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
SSLCertificateFile="..\conf\ca\www.crt"
SSLCertificateKeyFile="..\conf\ca\www.key"
SSLCACertificateFile="..\conf\ca\ca.crt"
SSLCACertificatePath="..\conf\ca"
SSLVerifyDepth="15"
SSLVerifyClient="require"
/>
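A small audit of the connector above, as an added example rather than anything from the post: it parses the APR SSL attributes and reports the settings that weaken the mutual-TLS setup (SSLProtocol="all" admits SSLv2/SSLv3, and a cipher string built on ALL keeps the LOW/EXP/RC4/MD5 and anonymous suites unless each is removed with "!", since a "+" prefix only reorders). WEAK_CONNECTOR is the post's connector re-typed as a constructed string; HARDENED_CONNECTOR is an assumed replacement, and its TLSv1.2 value needs a tcnative newer than the 1.1.10 used here.

```python
"""Audit the OpenSSL/APR attributes of a Tomcat <Connector>. Added example, not
from the post. WEAK_CONNECTOR is the post's connector (constructed string);
HARDENED_CONNECTOR is an assumed replacement (TLSv1.2 needs tcnative > 1.1.10).
"""
import xml.etree.ElementTree as ET

# OpenSSL's ALL keyword pulls in these groups (and anonymous key exchange); a
# '+' prefix only reorders and removes nothing, so each must be dropped with '!'.
REQUIRED_EXCLUSIONS = ("aNULL", "eNULL", "LOW", "EXP", "RC4", "MD5")


def audit_connector(connector_xml):
    """Return sorted findings for one APR SSL Connector; an empty list means clean."""
    a = ET.fromstring(connector_xml).attrib
    findings = []
    if a.get("SSLEnabled") != "true":
        findings.append("SSLEnabled is not 'true'")
    proto = a.get("SSLProtocol", "all")  # APR default is 'all'
    if proto == "all" or "SSLv2" in proto or "SSLv3" in proto:
        findings.append("SSLProtocol '%s' admits SSLv2/SSLv3" % proto)
    excluded = {t[1:] for t in a.get("SSLCipherSuite", "").split(":") if t.startswith("!")}
    for group in REQUIRED_EXCLUSIONS:
        if group not in excluded:
            findings.append("SSLCipherSuite does not exclude !%s" % group)
    # Mutual TLS: 'optional' or unset lets a client without a certificate through.
    if a.get("SSLVerifyClient") != "require":
        findings.append("SSLVerifyClient is not 'require'")
    if not a.get("SSLCACertificateFile"):
        findings.append("SSLCACertificateFile missing; client certs cannot be verified")
    return sorted(findings)


WEAK_CONNECTOR = """<Connector port="22443" protocol="HTTP/1.1" scheme="https" secure="true"
    SSLEngine="on" SSLEnabled="true" SSLProtocol="all"
    SSLCipherSuite="ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
    SSLCertificateFile="..\\conf\\ca\\www.crt" SSLCertificateKeyFile="..\\conf\\ca\\www.key"
    SSLCACertificateFile="..\\conf\\ca\\ca.crt" SSLVerifyDepth="15" SSLVerifyClient="require"/>"""

HARDENED_CONNECTOR = WEAK_CONNECTOR.replace('SSLProtocol="all"', 'SSLProtocol="TLSv1.2"').replace(
    "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL",
    "HIGH:!aNULL:!eNULL:!LOW:!EXP:!RC4:!MD5")

if __name__ == "__main__":
    for label, xml in (("weak", WEAK_CONNECTOR), ("hardened", HARDENED_CONNECTOR)):
        print(label, audit_connector(xml) or "no findings")
```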

Verification:

Visit https://www.618119.com:22443/ with IE and with Firefox; both prompt you to choose a certificate, and selecting the matching client certificate is enough.

To check the server's certificate information:

At the command prompt run: openssl s_client -connect www.618119.com:22443 -prexit
and the certificates carried in the SSL connection are displayed.

3 Comments

  1. Lots of posts these past couple of days.


    Comment by vicalloy — October 23, 2007 @ 11:29

  2. I followed the steps above and it doesn't work for me :(


    sailor reply on July 22nd, 2008:

    Lots of posts these past couple of days.

    Comment by sailor — July 22, 2008 @ 18:24
