1. Generate the server keystore
keytool -genkey -alias tomcat -keypass changeit -keyalg RSA -keysize 1024 -validity 365 -keystore /home/tomcat/server.keystore -storepass changeit -dname "CN=10.10.6.100,OU=shixun,O=shixun,L=beijing,ST=beijing,c=cn"
Note: CN is the domain name or IP address of the server.
2. Generate the client keystore
keytool -genkey -alias client -keypass changeit -keyalg RSA -keysize 1024 -validity 365 -storetype PKCS12 -keystore /home/tomcat/client.p12 -storepass changeit -dname "CN=client,OU=shixun,O=shixun,L=beijing,ST=beijing,c=cn"
3. Export the client certificate
keytool -export -alias client -keystore /home/tomcat/client.p12 -storetype PKCS12 -keypass changeit -file /home/tomcat/client.cer -storepass changeit
4. Make the server trust the client certificate by importing the client certificate into the server keystore
keytool -import -v -file /home/tomcat/client.cer -keystore /home/tomcat/server.keystore -storepass changeit
5. List the server keystore; it now contains two entries, the server certificate and the trusted client certificate:
keytool -list -v -keystore /home/tomcat/server.keystore -storepass changeit
6. Import the client certificate client.p12 into the browser
Double-click client.p12, click Next and enter the password; the certificate is imported into IE and access works.
Chrome and Firefox need a manual import before access works. Chrome: Settings → Show advanced settings... → Manage certificates... → Personal → select the certificate → OK. Firefox: Tools → Options → Advanced → Certificates → View Certificates → Import → select the certificate → OK.
Programmatic access
The solrj program accesses the server over mutual TLS through an HttpClient configured with the certificates.
Example code:
import java.io.FileInputStream;
import java.security.KeyStore;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

// Apache HttpClient 4.1/4.2 API (DefaultHttpClient and Scheme were removed in later versions)
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;

public class DoubleSSL {
    private String httpUrl = "https://192.168.100.175:8443/solr";
    // client key store: the client's own private key and certificate
    private String sslKeyStorePath = "E:/ssl/server.keystore";
    private String sslKeyStorePassword = "changeit";
    // trust store: the certificates the client accepts from the server
    private String sslTrustStore = "E:/ssl/server.keystore";
    private String sslTrustStorePassword = "123456";

    public HttpClient testHttpsClient() {
        SSLContext sslContext = null;
        HttpClient httpClient = null;
        try {
            // key material the client presents during the TLS handshake
            KeyStore kstore = KeyStore.getInstance("JKS");
            kstore.load(new FileInputStream(sslKeyStorePath), sslKeyStorePassword.toCharArray());
            KeyManagerFactory keyFactory = KeyManagerFactory.getInstance("sunx509");
            keyFactory.init(kstore, sslKeyStorePassword.toCharArray());

            // certificates the client trusts when verifying the server
            KeyStore tstore = KeyStore.getInstance("jks");
            tstore.load(new FileInputStream(sslTrustStore), sslTrustStorePassword.toCharArray());
            TrustManagerFactory tmf = TrustManagerFactory.getInstance("sunx509");
            tmf.init(tstore);
            TrustManager[] tm = tmf.getTrustManagers();

            sslContext = SSLContext.getInstance("SSL");
            sslContext.init(keyFactory.getKeyManagers(), tm, null);
        } catch (Exception e) {
            e.printStackTrace();
        }
        try {
            // register the mutual-TLS socket factory for https on port 8443
            httpClient = new DefaultHttpClient();
            SSLSocketFactory socketFactory = new SSLSocketFactory(sslContext);
            Scheme sch = new Scheme("https", 8443, socketFactory);
            httpClient.getConnectionManager().getSchemeRegistry().register(sch);
            HttpGet httpGet = new HttpGet(httpUrl);
            HttpResponse response = httpClient.execute(httpGet);
            System.out.println(response.getStatusLine().getStatusCode());
        } catch (Exception e) {
            e.printStackTrace();
        }
        return httpClient;
    }
}
7. Configure the Tomcat server
Copy the generated server.keystore to the Tomcat directory and uncomment the 8443 Connector in conf/server.xml under the Tomcat directory.
8. Force HTTPS access in Tomcat
Add the following after </welcome-file-list> in tomcat/conf/web.xml:
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>Client Cert Users-only Area</realm-name>
    </login-config>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>SSL</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
Note: if clientAuth is set to true, a client certificate is required for verification; without one the site cannot be accessed.
9. Accessing Tomcat on port 8080 redirects automatically to port 8443
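The following POSIX shell script is an added example, not code from the original tutorial: it runs steps 1 to 5 (server keystore, client PKCS12, exporting the client certificate and importing it into the server keystore as a trusted entry, then verifying the two entries) and then writes the 8443 Connector for step 7. It assumes a JDK keytool on PATH; the work directory, passwords and server CN are constructed sample values passed as parameters. It departs from the tutorial's commands in three places, each marked in a comment: 2048-bit RSA instead of 1024, -noprompt and -alias client on the import so it runs non-interactively, and a Connector element whose attribute names are those of the Tomcat 6/7/8 JSSE connector.

```shell
#!/bin/sh
# Added example (not from the original tutorial): scripts steps 1-5 and writes
# the step-7 Connector. Assumes a JDK keytool on PATH. Directory, passwords and
# the server CN are constructed sample values passed in as parameters.

# Steps 1-5: server keystore, client PKCS12, client cert exported and imported
# into the server keystore as a trusted entry, then verified.
# Returns 0 on success, 2 if keytool is missing, 1 on any keytool failure.
build_mtls_stores() {
  workdir="$1"
  pass="${2:-changeit}"          # store/key password (tutorial value)
  server_cn="${3:-10.10.6.100}"  # must be the host name or IP clients connect to

  command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH" >&2; return 2; }
  mkdir -p "$workdir" || return 1
  rm -f "$workdir/server.keystore" "$workdir/client.p12" "$workdir/client.cer"

  # 1. server key pair + self-signed certificate (JKS as in the tutorial; 2048-bit
  #    RSA instead of the tutorial's 1024, which is below current minimums)
  LC_ALL=C keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
    -storetype JKS -keystore "$workdir/server.keystore" -storepass "$pass" -keypass "$pass" \
    -dname "CN=$server_cn,OU=shixun,O=shixun,L=beijing,ST=beijing,C=CN" || return 1

  # 2. client key pair + certificate in a PKCS12 store (what browsers import)
  LC_ALL=C keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -validity 365 \
    -storetype PKCS12 -keystore "$workdir/client.p12" -storepass "$pass" \
    -dname "CN=client,OU=shixun,O=shixun,L=beijing,ST=beijing,C=CN" || return 1

  # 3. export only the client certificate; the private key never leaves client.p12
  LC_ALL=C keytool -exportcert -alias client -storetype PKCS12 \
    -keystore "$workdir/client.p12" -storepass "$pass" -file "$workdir/client.cer" || return 1

  # 4. the server trusts this one client certificate. -noprompt answers the
  #    interactive "Trust this certificate?" question; -alias avoids the default "mykey"
  LC_ALL=C keytool -importcert -noprompt -alias client -file "$workdir/client.cer" \
    -keystore "$workdir/server.keystore" -storepass "$pass" || return 1

  # 5. verify the two entries the tutorial expects: PrivateKeyEntry + trustedCertEntry
  listing=$(LC_ALL=C keytool -list -keystore "$workdir/server.keystore" -storepass "$pass") || return 1
  echo "$listing" | grep -q '^tomcat,.*PrivateKeyEntry' || return 1
  echo "$listing" | grep -q '^client,.*trustedCertEntry' || return 1
}

# Step 7: Connector for port 8443 with client authentication required.
# Attribute names are the Tomcat 6/7/8 JSSE connector attributes; the paths point
# at the keystore built above (the tutorial copies it under the Tomcat directory).
# Prints the path of the written fragment.
write_connector_fragment() {
  workdir="$1"
  pass="${2:-changeit}"
  out="$workdir/connector-8443.xml"
  mkdir -p "$workdir" || return 1
  cat > "$out" <<EOF
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true" maxThreads="150"
           sslProtocol="TLS"
           clientAuth="true"
           keystoreFile="$workdir/server.keystore" keystorePass="$pass"
           truststoreFile="$workdir/server.keystore" truststorePass="$pass" />
EOF
  grep -q 'clientAuth="true"' "$out" || return 1
  printf '%s\n' "$out"
}

# Usage: sh mtls-setup.sh run /home/tomcat [password] [server-CN]
if [ "${1:-}" = "run" ]; then
  build_mtls_stores "${2:-/home/tomcat}" "${3:-changeit}" "${4:-10.10.6.100}" \
    && write_connector_fragment "${2:-/home/tomcat}" "${3:-changeit}"
fi
```

Paste the contents of connector-8443.xml in place of the commented 8443 Connector in server.xml. With clientAuth="true" the server rejects any handshake that does not present a certificate chaining to an entry in truststoreFile, which is what the note under step 8 describes. The redirect from 8080 in step 9 comes from the CONFIDENTIAL transport guarantee together with the redirectPort="8443" attribute that Tomcat's default HTTP Connector already carries.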
http://10.10.6.100:8080