Attention:
Here is the installation method I wrote up, pasted so everyone can share it.
Configuring Tomcat and Apache with SSL support
Software:
Java j2sdk-1_4_0_rc-win
Jakarta-tomcat-4.0-b1
OpenSSL for Linux
Steps:
Step 1. Create the CA root certificate (using OpenSSL)
1. Under OpenSSL's apps directory, create your own CA directory, e.g. mageCA
mkdir mageCA
2. Generate the CA key (used for issuing certificates)
openssl genrsa -out mageCA/ca-key.pem 1024
3. Generate the certificate request to be signed
openssl req -new -out mageCA/ca-req.csr -key mageCA/ca-key.pem
4. Self-sign it with the CA private key (-signkey is correct here and only here: the root signs itself)
openssl x509 -req -in mageCA/ca-req.csr -out mageCA/ca-cert.pem -signkey mageCA/ca-key.pem -days 365
Step 2. Create the server certificate (using Java). Note: %JDK_HOME% is the j2sdk installation directory.
1. In Java's working directory, i.e. the bin directory of %JDK_HOME%, create your own server directory, e.g. server
mkdir server
2. Generate the server key pair
%JDK_HOME%\bin\keytool -genkey -alias tomcat_server -validity 365 -keyalg RSA -keysize 1024 -keypass changeit -storepass changeit -dname "cn=localhost, ou=department, o=company, l=Beijing, st=Beijing, c=CN" -keystore server\server_keystore
Note: tomcat_server after -alias is the name of the key pair and can be replaced with any name you like.
changeit after -keypass and -storepass is the protection password; it must be at least 6 characters, so just replace it with the password you want.
-dname is the server information included in the certificate. cn is the server name and must be identical to the name configured in the web server (the host name typed into the browser).
3. Generate the certificate request to be signed
%JDK_HOME%\bin\keytool -certreq -alias tomcat_server -sigalg MD5withRSA -file server\server.csr -keypass changeit -keystore server\server_keystore -storepass changeit
The parameters have the same meaning as above. MD5withRSA only signs the request itself; the signature algorithm of the final certificate is chosen by OpenSSL when the CA signs it in the next step.
4. Sign it with the CA private key (using OpenSSL on Linux)
1) First ftp the server.csr just generated to the server subdirectory under the OpenSSL directory on Linux. Use binary mode when ftp'ing.
2) openssl x509 -req -in server/server.csr -out server/server-cert.pem -CA mageCA/ca-cert.pem -CAkey mageCA/ca-key.pem -CAcreateserial -days 365
(-CAcreateserial creates the CA's serial-number file on first use; without it older OpenSSL versions refuse the very first signing because that file does not exist yet.)
Step 3. Import the CA root certificate and the server certificate into Tomcat (using Java)
1. First import the CA root certificate
1) ftp the CA root certificate (ca-cert.pem) to the ca subdirectory under the Java working directory. Use binary mode when ftp'ing.
2) %JDK_HOME%\bin\keytool -import -v -trustcacerts -storepass changeit -alias my_ca_root -file ca\ca-cert.pem -keystore %JDK_HOME%\jre\lib\security\cacerts
Note: the -storepass here is the default "changeit" of the JRE's cacerts store. -alias is the alias for the CA root certificate.
2. Then import the server certificate
1) ftp the server certificate (server-cert.pem) to the server subdirectory under the Java working directory. Use binary mode when ftp'ing.
2) %JDK_HOME%\bin\keytool -import -v -trustcacerts -storepass changeit -alias tomcat_server -file server\server-cert.pem -keystore server\server_keystore
Note: the -storepass here is the password entered when the key pair was generated. -alias is the alias of the server certificate; it is the same alias as the key pair, so keytool installs the file as the CA reply for that key (replacing its self-signed certificate) instead of adding a separate trusted entry. This is also why the CA root had to go into cacerts first: keytool has to be able to chain the reply up to a trusted CA.
3. View the certificates
1) View the CA certificate
keytool -list -keystore %JDK_HOME%\jre\lib\security\cacerts
2) View the server certificate
keytool -list -keystore server\server_keystore
4. Modify Tomcat's configuration file
Use WordPad to edit the server.xml file under the conf directory; find the following content, remove the comment around it and modify it.
<!-- Define an SSL HTTP/1.1 Connector on port 8443 -->
<Connector className="org.apache.catalina.connector.http.HttpConnector"
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="false"
           acceptCount="10" debug="0" scheme="https" secure="true">
  <!-- clientAuth="true" makes the connector demand a client certificate issued by a CA
       in the JVM's cacerts store (which is why the CA root was imported there).
       keystorePass must equal the -storepass server_keystore was created with
       (changeit in the steps above). -->
  <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
           clientAuth="true" protocol="TLS"
           keystoreFile="c:/jakarta-tomcat-4.0-b1/conf/server_keystore" keystorePass="780608"
  />
</Connector>
Then copy the file server\server_keystore to the directory %TCAT_HOME%\conf\
Step 4. Create the client certificate
1. Under OpenSSL's apps directory, create your own client directory, e.g. client
2. Generate the client key pair
openssl genrsa -out client/client-key.pem 1024
3. Generate the certificate request to be signed
openssl req -new -out client/client-req.csr -key client/client-key.pem
4. Sign it with the CA private key (-CA/-CAkey only; adding -signkey here would produce a self-signed certificate that the CA never vouched for)
openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -CA mageCA/ca-cert.pem -CAkey mageCA/ca-key.pem -CAcreateserial -days 365
5. Generate a personal certificate that the client side can import
openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12
Step 5. Import the CA certificate and the personal certificate into IE
1. First import the CA root certificate
1) Rename the ca-cert.pem already ftp'd to the ca subdirectory of the Java working directory to ca-cert.cer
2) In IE on the client, use Tools, Internet Options, Content, Certificates, Import to import the CA root certificate we generated, so that it becomes a CA trusted by the user.
2. Then import the personal certificate
1) ftp the personal certificate (client.p12) to the client. Use binary mode when ftp'ing.
2) Import client.p12 into IE on the client as a personal certificate; the import procedure is the same as above.
Step 6. Start and access
1. Run %TCAT_HOME%\bin\startup.bat to start Tomcat 4.x
2. Enter https://localhost:8443 in the IE address bar. If all the preceding steps were correct, you should see the Tomcat welcome page, and the small padlock in the status bar is closed, which means you have successfully established an SSL connection with the server that requires client authentication.
Step 7. Other
When IE verifies the server certificate, a dialog may appear saying that some of three verification items do not match: 1. the security certificate was not issued by a trusted certification authority; 2. the date of the security certificate is invalid; 3. the name on the security certificate does not match the site name. Item 1 is cleared by importing the CA root in step 5, item 2 by the -validity/-days period of the certificate, and item 3 by making the cn in -dname equal to the host name in the URL (localhost here).
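The OpenSSL half of the steps above, run end to end as a shell script, followed by the three checks that the IE dialog in step 7 reports. This is an added example and not part of the original post. It assumes openssl is on PATH with its default openssl.cnf, keeps the post's directory names (mageCA, server, client), folds the post's "req -new" plus "x509 -req -signkey" for the root into a single "req -x509" so that the root carries basicConstraints CA:TRUE (newer openssl builds can reject a root without it as an invalid CA), and constructs its own subject names and a temporary work directory. The keytool steps need a JDK and are left out.

```shell
#!/bin/sh
# Added example (not code from the original post). It performs the post's
# OpenSSL half non-interactively: CA root (step 1), CA-signed server and
# client certificates (steps 2 and 4), PKCS#12 export (step 4.5), and then
# runs the three checks IE applies in step 7 with the openssl CLI.
# Assumptions: openssl on PATH with its default openssl.cnf; directory and
# alias names follow the post; subjects and the work directory are made here.
set -e

WORK="${WORK:-$(mktemp -d)}"
CA_DIR="$WORK/mageCA"

# Step 1: the CA root. req -x509 does the post's "req -new" + "x509 -req
# -signkey" in one go and, unlike them, marks the result as a CA
# (basicConstraints CA:TRUE), which newer openssl verify builds insist on.
make_ca() {
  mkdir -p "$CA_DIR"
  openssl genrsa -out "$CA_DIR/ca-key.pem" 2048 2>/dev/null
  openssl req -x509 -new -key "$CA_DIR/ca-key.pem" -out "$CA_DIR/ca-cert.pem" \
    -days 365 -subj "/C=CN/ST=Beijing/O=company/CN=mageCA" 2>/dev/null
}

# Steps 2 and 4: an end-entity certificate issued by the CA.
# $1 = subdirectory, $2 = file prefix, $3 = subject CN, $4 = days (365)
issue_cert() {
  mkdir -p "$WORK/$1"
  openssl genrsa -out "$WORK/$1/$2-key.pem" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1/$2-key.pem" -out "$WORK/$1/$2.csr" \
    -subj "/C=CN/ST=Beijing/O=company/CN=$3" 2>/dev/null
  # -CA/-CAkey only, no -signkey. -CAcreateserial makes mageCA/ca-cert.srl
  # on first use; older openssl versions refuse the first signing without it.
  openssl x509 -req -in "$WORK/$1/$2.csr" -CA "$CA_DIR/ca-cert.pem" \
    -CAkey "$CA_DIR/ca-key.pem" -CAcreateserial \
    -out "$WORK/$1/$2-cert.pem" -days "${4:-365}" 2>/dev/null
}

# What "-signkey client-key.pem" on its own yields: a self-signed client
# certificate that no CA vouches for (the "untrusted" case of step 7).
self_signed() {
  openssl x509 -req -in "$WORK/client/client.csr" \
    -signkey "$WORK/client/client-key.pem" \
    -out "$WORK/client/self-signed.pem" -days 365 2>/dev/null
}

# Step 4.5: PKCS#12 bundle for the browser; prints the number of
# certificates inside (1: with -clcerts only the client certificate goes in).
export_p12() {
  openssl pkcs12 -export -clcerts -in "$WORK/client/client-cert.pem" \
    -inkey "$WORK/client/client-key.pem" -out "$WORK/client/client.p12" \
    -passout pass:changeit 2>/dev/null
  openssl pkcs12 -in "$WORK/client/client.p12" -passin pass:changeit \
    -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Step 7's three checks on certificate file $1 presented for host name $2.
# Prints: trusted|untrusted  valid|expired  name-ok|name-mismatch
browser_checks() {
  if openssl verify -CAfile "$CA_DIR/ca-cert.pem" "$1" >/dev/null 2>&1
  then printf 'trusted '; else printf 'untrusted '; fi
  # -checkend 0 succeeds only while notAfter is still in the future
  if openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
  then printf 'valid '; else printf 'expired '; fi
  cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  if [ "$cn" = "$2" ]; then echo name-ok; else echo name-mismatch; fi
}

main() {
  make_ca
  issue_cert server tomcat_server localhost
  issue_cert client client "Test User"
  self_signed
  echo "certificates in client.p12: $(export_p12)"
  echo "server cert, https://localhost:  $(browser_checks "$WORK/server/tomcat_server-cert.pem" localhost)"
  echo "server cert, https://other.host: $(browser_checks "$WORK/server/tomcat_server-cert.pem" other.host)"
  echo "self-signed client cert:         $(browser_checks "$WORK/client/self-signed.pem" 'Test User')"
}

case "${1:-}" in run) main ;; esac
```

Run it as "sh script.sh run" (set WORK to keep the files in a fixed directory). The CA-signed server certificate comes back "trusted valid name-ok" for localhost but "name-mismatch" for any other host name, which is exactly warning 3 of the IE dialog, and the certificate made with -signkey alone comes back "untrusted", warning 1. The .srl file that -CAcreateserial leaves next to ca-cert.pem is the CA's serial counter and should be kept with the CA key.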
Below are the SSL settings for Apache.
Keys and certificates are generated in the same way as above; what follows is the httpd.conf configuration.
# end of the preceding <IfModule> block, which is conditional on the SSL module being present
</IfModule>
# only evaluated when httpd is started with -D HAVE_SSL (see the start command at the end)
<IfDefine HAVE_SSL>
##
## SSL Virtual Host Context
##
# the settings start here
<VirtualHost _default_:443>
# General setup for the virtual host
#DocumentRoot "/etc/httpd/htdocs"
#ServerName new.host.name
#ServerAdmin you@your.address
# default document root
DocumentRoot "/var/www/ssl/"
ServerName www.ssl.test
ServerAdmin you@your.address
ErrorLog logs/error_log
TransferLog logs/access_log
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
# turn on the SSL engine
SSLEngine on
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
# supported cipher suites: the mod_ssl default of the time. It still admits
# SSLv2, export-grade, LOW and eNULL (unencrypted) suites, so tighten it
# whenever your clients allow.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A test
# certificate can be generated with `make certificate' under
# built time. Keep in mind that if you've both a RSA and a DSA
# certificate you can configure both in parallel (to also allow
# the use of DSA ciphers, etc.)
#SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
# server certificate file
SSLCertificateFile /home/wig/openssl/apps/apache/apache-cert.pem
#SSLCertificateFile /etc/httpd/conf/ssl.crt/server-dsa.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
# server private key file
SSLCertificateKeyFile /home/wig/openssl/apps/apache/apache-key.pem
#SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server-dsa.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
#SSLCertificateChainFile /etc/httpd/conf/ssl.crt/server.crt
# CA chain certificate file (used to verify the chain up to the root)
SSLCertificateChainFile /home/wig/openssl/apps/mageCA/ca-cert.pem
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /etc/httpd/conf/ssl.crt
#SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt
# CA certificate file (the CA whose client certificates are accepted by SSLVerifyClient)
SSLCACertificateFile /home/wig/openssl/apps/mageCA/ca-cert.pem
# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /etc/httpd/conf/ssl.crl
#SSLCARevocationFile /etc/httpd/conf/ssl.crl/ca-bundle.crl
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# client authentication: a valid client certificate is required (this directive is optional; without it no client certificate is asked for)
SSLVerifyClient require
# how deep the client certificate's issuer chain is followed during verification
SSLVerifyDepth 10
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o CompatEnvVars:
# This exports obsolete environment variables for backward compatibility
# to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
# to provide compatibility to existing CGI scripts.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfDefine>
Then start Apache with /etc/rc.d/init.d/httpd start -D HAVE_SSL and you are done.
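Before restarting Apache with the SSLCertificateFile and SSLCertificateKeyFile values above, it pays to confirm that the key really belongs to the certificate, because mod_ssl refuses to start when they do not match and the error only shows up after the restart. The following is an added example, not code from the original post: it compares the RSA modulus of the key and the certificate. It assumes openssl is on PATH and constructs its own test files in a temporary directory in place of /home/wig/openssl/apps/apache/apache-cert.pem and apache-key.pem.

```shell
#!/bin/sh
# Added example, not part of the original post: the key/certificate match
# check for the SSLCertificateFile / SSLCertificateKeyFile pair.
# Assumptions: openssl on PATH; the demo files are constructed below in a
# temporary directory and stand in for apache-cert.pem and apache-key.pem.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Prints "match" when private key file $1 belongs to certificate file $2,
# "mismatch" otherwise (including when either file cannot be read).
# An RSA key and the certificate carrying its public key share the modulus.
key_matches_cert() {
  k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || { echo mismatch; return 0; }
  c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || { echo mismatch; return 0; }
  if [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# Demo data (constructed here): two self-signed server certificates, each
# with its own key. -nodes leaves the key unencrypted, which is what an
# unattended httpd start needs; protect the file with permissions instead.
make_pair() {   # $1 = file prefix
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/$1-key.pem" \
    -out "$WORK/$1-cert.pem" -days 365 -subj "/CN=www.ssl.test" 2>/dev/null
}

main() {
  make_pair apache
  make_pair other
  echo "apache-key.pem vs apache-cert.pem: $(key_matches_cert "$WORK/apache-key.pem" "$WORK/apache-cert.pem")"
  echo "other-key.pem  vs apache-cert.pem: $(key_matches_cert "$WORK/other-key.pem" "$WORK/apache-cert.pem")"
}

case "${1:-}" in run) main ;; esac
```

Run it as "sh check.sh run"; for the real files call key_matches_cert with the two paths from httpd.conf. The same comparison works for the Tomcat side after exporting the key pair, and for the client key/certificate pair before packing them into client.p12.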