[转] Tomcat 配置 SSL

PS: keystore有自己的访问密码，这个保护层次要低一些，然后keystore里面存有自己的私钥，所以用户要破解的话，既要有keystore，又要有keystore的密码，p12是客户端keystore的一种形式，也需要密码去打开

第一步：为服务器生成证书
使用keytool为Tomcat生成证书，假定目标机器的域名是“localhost”，keystore文件存放在“E:\tomcat.keystore”，口令为“password”，使用如下命令生成

keytool -genkey -v -alias tomcat -keyalg RSA -keystore
tomcat.keystore -dname "CN=gavin-pc,OU=cn,o=cn,L=cn,ST=cn,C=cn"
-storepass changeit -keypass changeit

第二步：为客户端生成证书

下一步是为浏览器生成证书，以便让服务器来验证它。为了能将证书顺利导入至IE和Firefox，证书格式应该是PKCS12，因此，使用如下命令生成：

keytool -genkey -v -alias myKey -keyalg RSA -storetype PKCS12
-keystore my.p12 -dname "CN=MyKey,OU=cn,o=cn,L=cn,ST=cn,C=cn" -storepass
password1 -keypass

password2

第三步：让服务器信任客户端证书

由于是双向SSL认证，服务器必须要信任客户端证书，因此，必须把客户端证书添加为服务器的信任认证。由于不能直接将PKCS12格式的证书库导入，我们必须先把客户端证书导出

为一个单独的CER文件，使用如下命令：

keytool -export -alias myKey -keystore my.p12 -storetype PKCS12 -storepass password1 -rfc -file my.cer

通过以上命令，客户端证书就被我们导出到“C:\my.cer”文件了。下一步，是将该文件导入到服务器的证书库，添加为一个信任证书：

keytool -import -v -file my.cer -keystore tomcat.keystore -storepass changeit

最后：

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"

    maxThreads="150" scheme="https" secure="true"

    clientAuth="false" sslProtocol="TLS"

    keystoreFile="e:/tomcat.keystore" keystorePass="changeit"          -> comment: tomcat access keystore
    truststoreFile="e:/tomcat.keystore" truststorePass="changeit"     
-> comment: tomcat truststore
/>

验证:其中，clientAuth指定是否需要验证客户端证书，如果该设置为“false”，则为单向SSL验证，SSL配置可到此结束。如果clientAuth设置为“true”，表示强制双向SSL验证 
　　　　<- comment: 单向认证是指服务器把证书发给客户端，客户端可以自由选择是否要验证，双向认证是指客户度也需要导入证书发给服务器去做验证

，必须验证客户端证书。如果clientAuth设置为“want”，则表示可以验证客户端证书，但如果客户端没有有效证书，也不强制验证。

true是 服务器不会颁发证书必须由客户端导入                                   -> comment: 证书导入使用

Here are example commands for generating your own Certificate Authority, and signing your own keys to distribute to end users. This tool may help as its graphical instead of command line: http://xca.sourceforge.net/

openssl req -newkey rsa:512 -nodes -out ca.csr -keyout ca.key

Fill in the questions. Use relevant data, but this information is only for you.

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Texas
Locality Name (eg, city) []:Dallas
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CrushFTP
Organizational Unit Name (eg, section) []:Development
Common Name (eg, YOUR name) []:www.domain.com
Email Address []:ben@crushftp.com
A challenge password []:
An optional company name []:

Now we get our private key for signing.

openssl x509 -req -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem
echo "02" > ca.srl

And finally, we import the public key for our signing into our trust store so we can validate all signed keys user's submit. This files name "crush.keystore_trust" is specific. It must be in the same folder as the real keystore file for the server port, and must have the exact same name and password, except its name ends with "_trust". So in this case we expect to have a keystore named "crush.keystore".

keytool -import -alias crushftp_ca -keystore crush.keystore_trust -trustcacerts -file ca.pem -storepass password

---

Now from here on, we just generate new signed certs for your clients. The key part is to set their username to be "NOLOGIN_myuser" if you want to force them to still enter a user/pass. Otherwise if you set their common name to a valid username, they will be able to login without a user/pass.

openssl req -newkey rsa:512 -nodes -out myuser.req -keyout myuser.key

Fill in the information on this client's key you are building. Note that the Common Name must be the username of the client, or "NOLOGIN_" and anything else.

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Texas
Locality Name (eg, city) []:Ft. Worth
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CrushFTP
Organizational Unit Name (eg, section) []:Development
Common Name (eg, YOUR name) []:myuser
Email Address []:ben@crushftp.com
A challenge password []:
An optional company name []:

Now we build the "myuser.p12" file that we need. This is what we will distribute to the end user for them to add to their browser to allow them access.

openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in myuser.req -out myuser.pem -days 365
openssl pkcs12 -export -clcerts -in myuser.pem -inkey myuser.key -out myuser.p12 -name "myuser_