linux下Tomcat+OpenSSL配置單向&雙向認證(自制證書)
背景
因爲ios將在2017年1月1日起強制實施ATS安全策略,全部通信必須使用https傳輸,本文只針對自制證書,但目前尚不肯定自制證書是否能經過appstore審覈。php
一、必須支持傳輸層安全(TLS)協議1.2以上版本
二、證書必須使用SHA256或更高的哈希算法簽名
三、必須使用2048位以上RSA密鑰或256位以上ECC算法等等
四、證書必須是V3版本
以上是幾個注意點。主要針對ios的ATS策略css
環境
linux: CentOS6.8
tomcat: Apache Tomcat/7.0.63
OpenSSL: OpenSSL 1.1.0chtml
OpenSSL升級(若是須要)
我使用的是阿里雲服務器,linux自帶OpenSSL,只須要作一次升級,關於全新安裝請自行搜索。前端
1.查看版本 openssl version -a 2.更新zlib yum install -y zlib 3.下載(注意cd到本身須要的路徑下) wget https://www.openssl.org/source/openssl-1.1.0c.tar.gz 4.解壓安裝 tar zxf openssl-1.1.0c.tar.gz cd openssl-1.1.0c ./config --prefix=/usr/local/openssl make make install //重命名原來的openssl mv /usr/bin/openssl /usr/bin/openssl.ori mv /usr/include/openssl /usr/include/openssl.ori //將安裝好的openssl命令軟連到對應位置 ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl ln -s /usr/local/openssl/include/openssl /usr/include/openssl //在/etc/ld.so.conf文件中寫入openssl庫文件的搜索路徑 echo /usr/local/openssl/lib >> /etc/ld.so.conf ldconfig -v openssl version -a
因爲chrome必需要添加subjectAltName才能導入證書生效,否則會報錯ERR_CERT_COMMON_NAME_INVALID
因此必須進入/usr/local/openssl/ssl/openssl.cnf
把req_extensions這個註釋放開
req_extensions = v3_req # The extensions to add to a certificate request
而後添加以下內容
[ v3_req ]python
# Extensions to add to a certificate requestlinux
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_namesios
[alt_names]
DNS.1 = kb.example.com
DNS.2 = helpdesk.example.org
DNS.3 = systems.example.net
IP.1 = 192.168.0.100
IP.2 = 192.168.0.168
IP.3 = 192.168.0.169
IP.4 = 192.168.0.106git
建立證書目錄
//進入tmp目錄 cd /tmp //建立ca目錄,存放證書相關文件 mkdir ca //進入ca cd ca
製做根證書
1. 建立根證書密鑰文件(本身作CA) root.key openssl genrsa -des3 -out root.key 2048
輸出內容爲:
Generating RSA private key, 2048 bit long modulus .....................................................................................................................+++ ..........................+++ e is 65537 (0x010001) Enter pass phrase for root.key: ← 輸入一個新密碼 Verifying – Enter pass phrase for root.key: ← 從新輸入一遍密碼
2. 建立根證書的申請文件 root.csr openssl req -new -key root.key -out root.csr
輸出內容爲:
Enter pass phrase for root.key: ← 輸入前面建立的密碼 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.’, the field will be left blank. —– Country Name (2 letter code) [AU]:CN ← 國家代號,中國輸入CN State or Province Name (full name) [Some-State]:BeiJing ← 省的全名,拼音 Locality Name (eg, city) []:BeiJing ← 市的全名,拼音 Organization Name (eg, company) [Internet Widgits Pty Ltd]: hp ← 公司英文名 Organizational Unit Name (eg, section) []: hp← 能夠不輸入 Common Name (eg, YOUR name) []: ← 此時不輸入 Email Address []:admin@hp.com ← 電子郵箱,可隨意填 Please enter the following ‘extra’ attributes to be sent with your certificate request A challenge password []: ← 能夠不輸入 An optional company name []: ← 能夠不輸入
3. 建立一個自當前日期起爲期十年的根證書 root.crt
openssl x509 -req -days 3650 -sha256 -extfile /usr/local/openssl/ssl/openssl.cnf -extensions v3_ca -signkey root.key -in root.csr -out root.crt
輸出內容爲:
Signature ok
subject=/C=CN/ST=BeiJing/L=BeiJing/O=MyCompany Corp./emailAddress=admin@mycompany.com Getting Private key Enter pass phrase for root.key: ← 輸入前面建立的密碼
4.根據CA證書生成truststore JKS文件 root.truststore //這一步只針對雙向認證,單向不須要 keytool -keystore root.truststore -keypass 123456 -storepass 123456 -alias ca -import -trustcacerts -file /tmp/ca/root.crt 鍵入回過後,提示是否信息此證書,輸入yes, 則生成truststore成功
製做service服務器端證書
1.建立服務器證書密鑰 server.key openssl genrsa -des3 -out server.key 2048
輸出內容爲:
Generating RSA private key, 2048 bit long modulus ...........................+++ ...............+++ e is 65537 (0x010001) Enter pass phrase for server.key: ← 輸入前面建立的密碼 Verifying - Enter pass phrase for server.key: ← 從新輸入一遍密碼 運行時會提示輸入密碼,此密碼用於加密key文件(參數des3即是指加密算法,固然也能夠選用其餘你認爲安全的算法.),之後每當需讀取此文件(經過openssl提供的命令或API)都需輸入口令.若是以爲不方便,也能夠去除這個口令,但必定要採起其餘的保護措施! 去除key文件口令的命令: openssl rsa -in server.key -out server.key
2.建立服務器證書的申請文件 server.csr openssl req -new -key server.key -out server.csr
輸出內容爲:
Enter pass phrase for server.key: ← 輸入前面建立的密碼 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.’, the field will be left blank. —– Country Name (2 letter code) [AU]:CN ← 國家名稱,中國輸入CN State or Province Name (full name) [Some-State]:BeiJing ← 省名,拼音 Locality Name (eg, city) []:BeiJing ← 市名,拼音 Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany Corp. ← 公司英文名 Organizational Unit Name (eg, section) []: ← 能夠不輸入 Common Name (eg, YOUR name) []:www.xxx.com(15.31.213.183) ← 服務器主機名(或者IP),若填寫不正確,瀏覽器會報告證書無效,但並不影響使用 Email Address []:admin@mycompany.com ← 電子郵箱,可隨便填 Please enter the following ‘extra’ attributes to be sent with your certificate request A challenge password []: ← 能夠不輸入 An optional company name []: ← 能夠不輸入
建立完後能夠用命令openssl req -text -noout -in server.csr 驗證一下是否有以下信息
[root@localhost ca]# openssl req -text -noout -in server.csr
Certificate Request:
Data:
Version: 1 (0x0)
Subject: C = US, ST = Houston, L = Houston, O = hp, OU = hp, CN = 192.168.0.168, emailAddress = aaa
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:be:f8:d1:da:8f:fb:0c:24:a2:61:f6:f6:b2:85:
d9:e8:be:f9:07:73:5a:4d:96:c2:99:e7:ec:6f:3e:
a2:d0:58:f5:0a:4a:91:f9:6a:5a:51:28:10:b4:86:
cb:e6:6c:61:75:90:90:5c:93:81:dc:38:11:eb:0d:
1b:87:ea:f0:8f:73:6a:8e:37:92:03:19:b3:e2:5f:
77:3a:98:bf:00:99:e0:e2:dd:ca:44:4f:b3:59:ec:
8d:f6:bc:54:f5:b2:15:d0:e6:51:66:8b:9b:1d:06:
15:db:5b:25:b9:d5:99:5b:78:64:20:72:7e:2c:be:
54:9b:31:d7:b0:51:95:71:87:38:7d:bc:db:30:8a:
9f:b6:8e:09:4c:40:df:3a:fd:15:4d:c1:81:f8:7b:
28:e2:0d:2e:d0:92:db:19:1d:b4:fe:ca:e9:75:05:
e2:f8:72:49:a3:8d:80:4b:19:c3:05:9d:48:d4:fc:
51:c7:c4:82:d3:b1:b2:8b:00:50:74:b8:8f:af:16:
7d:6e:52:92:36:9a:53:18:e9:f7:62:04:cc:fa:17:
78:5a:bd:0f:c9:f3:d2:83:10:26:21:af:26:df:09:
38:92:34:f0:5b:7c:9e:8b:a1:c8:af:b6:4d:08:7f:
f6:fd:a3:77:b8:51:35:df:c6:e3:53:b7:fa:4d:1d:
53:d9
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
DNS:kb.example.com, DNS:helpdesk.example.org, DNS:systems.example.net, IP Address:192.168.0.100, IP Address:192.168.0.168, IP Address:192.168.0.169, IP Address:192.168.0.106
Signature Algorithm: sha256WithRSAEncryption
39:1e:18:ec:c3:06:10:6d:49:75:03:ec:29:68:ae:cd:ad:e7:
c0:45:51:2a:ff:1d:06:fc:08:22:a3:61:d9:3e:92:b1:d4:5e:
d9:ff:42:58:94:0c:35:cc:b4:89:f1:6c:2d:d2:ca:76:30:f0:
95:e0:eb:1b:37:a8:d4:a4:a4:80:c8:19:76:6f:ad:e8:12:e1:
a1:9b:6b:28:ae:45:6d:3a:57:35:ff:36:9f:81:41:ca:4e:da:
9f:59:f2:61:12:bd:ef:8d:c9:ed:7f:48:78:03:39:fa:46:de:
e0:d7:ae:c1:fc:df:5f:21:b8:17:05:84:69:51:af:a0:0c:cb:
7d:fd:3b:b5:a8:ab:83:33:d7:fd:aa:c4:93:e3:dc:72:df:0d:
c3:2f:b2:61:af:a9:c0:cc:e2:b8:8d:09:5a:57:2f:26:4a:ec:
b4:b0:79:05:07:2c:a0:48:cc:a0:fb:70:93:d8:33:22:e2:58:
27:5d:48:dd:2b:ca:1d:c1:82:93:80:f8:87:f2:99:b7:6e:be:
a4:0b:34:a5:45:7b:f7:df:59:95:ce:0d:c5:0b:1c:b0:63:5f:
f5:61:d4:db:cc:a7:57:fe:28:b5:1a:f5:13:c3:0c:04:82:d2:
d1:b8:e0:23:c8:c5:c9:60:5c:b9:df:8f:85:1b:1a:fe:ed:c4:
1f:4d:3d:fdweb
3.建立自當前日期起有效期爲期十年的服務器證書 server.crt openssl x509 -req -days 3650 -sha256 -extfile /usr/local/openssl/ssl/openssl.cnf -extensions v3_req -CA root.crt -CAkey root.key -CAcreateserial -in server.csr -out server.crt
輸出內容爲:
Signature ok
subject=/C=CN/ST=BeiJing/L=BeiJing/O=MyCompany Corp./CN=www.mycompany.com/emailAddress=admin@mycompany.com Getting CA Private Key Enter pass phrase for root.key: ← 輸入前面建立的密碼
4.導出.p12文件 server.p12 openssl pkcs12 -export -in /tmp/ca/server.crt -inkey /tmp/ca/server.key -out /tmp/ca/server.p12 -name "server" 根據命令提示,輸入server.key密碼,建立p12密碼。
5.將.p12 文件導入到keystore JKS文件 server.keystore keytool -importkeystore -v -srckeystore /tmp/ca/server.p12 -srcstoretype pkcs12 -srcstorepass nova123456 -destkeystore /tmp/ca/server.keystore -deststoretype jks -deststorepass nova123456 這裏srcstorepass後面的nova123456爲server.p12的密碼deststorepass後的nova123456爲keyStore的密碼
製做client客戶端證書
1.建立客戶端證書密鑰文件 client.key openssl genrsa -des3 -out client.key 2048
輸出內容爲:
Generating RSA private key, 2048 bit long modulus ...............................+++ .........................+++ e is 65537 (0x010001) Enter pass phrase for client.key: ← 輸入一個新密碼 Verifying – Enter pass phrase for client.key: ← 從新輸入一遍密碼
2.建立客戶端證書的申請文件 client.csr openssl req -new -key client.key -out client.csr
輸出內容爲:
Enter pass phrase for client.key: ← 輸入上一步中建立的密碼 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.’, the field will be left blank. —– Country Name (2 letter code) [AU]:CN ← 國家名稱,中國輸入CN State or Province Name (full name) [Some-State]:BeiJing ← 省名稱,拼音 Locality Name (eg, city) []:BeiJing ← 市名稱,拼音 Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany Corp. ← 公司英文名 Organizational Unit Name (eg, section) []: ← 能夠不填 Common Name (eg, YOUR name) []:Lenin ← 本身的英文名,能夠隨便填 Email Address []:admin@mycompany.com ← 電子郵箱,能夠隨便填 Please enter the following ‘extra’ attributes to be sent with your certificate request A challenge password []: ← 能夠不填 An optional company name []: ← 能夠不填
3.建立一個自當前日期起有效期爲十年的客戶端證書 client.crt openssl x509 -req -days 3650 -sha256 -extfile /usr/local/openssl/ssl/openssl.cnf -extensions v3_req -CA root.crt -CAkey root.key -CAcreateserial -in client.csr -out client.crt
輸出內容爲:
Signature ok
subject=/C=CN/ST=BeiJing/L=BeiJing/O=MyCompany Corp./CN=www.mycompany.com/emailAddress=admin@mycompany.com Getting CA Private Key Enter pass phrase for root.key: ← 輸入上面建立的密碼
4.導出.p12文件 client.p12 openssl pkcs12 -export -in /tmp/ca/client.crt -inkey /tmp/ca/client.key -out /tmp/ca/client.p12 -name "client" 根據命令提示,輸入client.key密碼,建立p12密碼。
- 解釋
| 名稱 | |
|---|---|
| crt證書 | 只含有公鑰 |
| p12證書 | 是包含證書(含公鑰)和私鑰 |
| JKS(Java key store) | 存放密鑰的容器。.jks .keystore .truststore等 |
| KeyStore | 服務器的密鑰存儲庫,存服務器的公鑰私鑰證書 |
| TrustStore | 服務器的信任密鑰存儲庫,存CA公鑰 |
- 單向認證須要文件
| 名稱 | |
|---|---|
| root.crt | 客戶端使用的CA根證書 |
| server.keystore | 服務端證書存放的容器 |
- 雙向認證須要文件
| 名稱 | |
|---|---|
| root.crt | 客戶端使用的CA根證書 |
| client.p12 | 客戶端證書包含私鑰 |
| root.truststore | CA公鑰存放到受信賴的容器 |
| server.keystore | 服務端證書存放的容器 |
單向認證
客戶端只須要安裝root.crt這個CA根證書
服務器端配置server.keystore算法
配置Tomcat
1.關閉tomcat tomcat的bin目錄下執行 shutdown.sh
2.將keystore文件(server.keystore) 放在web服務器上 cp /tmp/ca/server.keystore /你的tomcat根目錄/conf
3.修改server.xml配置文件
cd /你的tomcat根目錄/conf vi server.xml
找到下面被註釋的代碼,刪除註釋符並修改內容(vi命令操做)
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" keystoreFile="/你的tomcat根目錄/conf/server.keystore" keystorePass="123456" clientAuth="false" sslEnabledProtocols="TLSv1.2" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" />
4.啓動tomcat tomcat的bin目錄下執行 startup.sh
5.訪問https服務 https://localhost:8443/ https://192.168.1.1:8443/ 你的IP
雙向認證
客戶端須要安裝root.crt這個CA根證書,client.p12這個客戶端證書
服務器端配置server.keystore,root.truststore
配置Tomcat
1.關閉tomcat tomcat的bin目錄下執行 shutdown.sh
2.將keystore文件(server.keystore) 放在web服務器上 cp /tmp/ca/server.keystore /你的tomcat根目錄/conf 將truststore文件(root.truststore) 放在web服務器上 cp /tmp/ca/root.truststore /你的tomcat根目錄/conf
3.修改server.xml配置文件
cd /你的tomcat根目錄/conf vi server.xml
找到下面被註釋的代碼,刪除註釋符並修改內容(vi命令操做)
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" keystoreFile="/你的tomcat根目錄/conf/server.keystore" keystorePass="123456" truststoreFile="/你的tomcat根目錄/conf/root.truststore" truststorePass="123456" clientAuth="true" sslEnabledProtocols="TLSv1.2" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" /> 注意!clientAuth爲true。這裏和單向的不一樣。
4.啓動tomcat tomcat的bin目錄下執行 startup.sh
5.訪問https服務 https://localhost:8443/ https://192.168.1.1:8443/ 你的IP
完成。可讓你的前端經過https協議訪問你的接口了,注意此時的接口是8443.
ios開發
請參考下面文章
https請求之iOS客戶端---AFNetworking
參考文章
1.SSL證書生成方法
2.Tomcat6配置使用SSL雙向認證(使用openssl生成證書)
3.Linux下生成https自簽名證書,解決蘋果發佈問題從新整理
4.用tomcat配置https自簽名證書,解決 ios7.1以上系統, 蘋果inHouse發佈
做者:易明INM連接:https://www.jianshu.com/p/045f95c008a0來源:簡書簡書著做權歸做者全部,任何形式的轉載都請聯繫做者得到受權並註明出處。
- 1. nginx SSL證書配置(雙向認證)
- 2. emqx使用自制CA證書登錄配置(雙向認證)
- 3. HTTPS證書配置(單向認證)
- 4. HTTPS 單向認證、雙向認證
- 5. Https單向認證和雙向認證
- 6. https單向認證和雙向認證
- 7. spring boot配置Https單向認證和雙向認證
- 8. https 單向認證和雙向認證配置
- 9. Nginx單向認證和雙向認證安裝配置
- 10. nginx配置Https單向認證和雙向認證
- 更多相關文章...
- • PHP 表單驗證 - PHP教程
- • XML 驗證 - XML 教程
- • IDEA下SpringBoot工程配置文件沒有提示
- • IntelliJ IDEA 代碼格式化配置和快捷鍵
-
每一个你不满意的现在,都有一个你没有努力的曾经。