Two-Way (Mutual) X.509 Certificate Authentication
1. Development environment
MyEclipse 8.5, Tomcat 6.0.22, JDK 1.6.22
2. Generate the required certificates
// First download and install OpenSSL: http://down.tech.sina.com.cn/content/13563.html
1. // Create the root private key
D:\OpenSSL\bin>
D:\OpenSSL\bin>openssl genrsa -out d:/root-key.pem 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
.......................................++++++
...........................++++++
e is 65537 (0x10001)
2. // Create the certificate signing request
D:\OpenSSL\bin>openssl req -new -out d:/root-req.csr -key d:/root-key.pem
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:86
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:org
Organizational Unit Name (eg, section) []:test org
Common Name (eg, YOUR name) []:test common
Email Address []:test@test.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:test
3. // Self-sign the root certificate
D:\OpenSSL\bin>openssl x509 -req -in d:/root-req.csr -out d:/root-cert.pem -signkey d:/root-key.pem -days 365
Loading 'screen' into random state - done
Signature ok
subject=/C=86/ST=beijing/L=beijing/O=org/OU=test org/CN=test common/emailAddress=test@test.com
Getting Private key
4. // Check the certificate with keytool
d:\keytool -printcert -file d:/root-cert.pem
所有者:EMAILADDRESS=test@test.com, CN=test common, OU=test org, O=org, L=beijing, ST=beijing, C=86
签发人:EMAILADDRESS=test@test.com, CN=test common, OU=test org, O=org, L=beijing, ST=beijing, C=86
序列号:df0110400977cf52
有效期: Tue Nov 09 11:39:19 CST 2010 至Wed Nov 09 11:39:19 CST 2011
证书指纹:
MD5:E3:FD:6D:8B:C1:FD:25:AD:CC:24:43:76:05:BD:49:CD
SHA1:A0:CB:AF:14:EC:B5:EC:30:E0:4C:8A:B7:ED:0E:12:BB:DC:86:66:9E
签名算法名称:SHA1withRSA
版本: 1
///// Generate the server certificate /////
D:\OpenSSL\bin>openssl genrsa -out d:/server-key.pem 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
..++++++
................................++++++
e is 65537 (0x10001)
D:\OpenSSL\bin>openssl req -new -out d:/server-req.csr -key d:/server-key.pem
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:86
State or Province Name (full name) [Some-State]:test
Locality Name (eg, city) []:test
Organization Name (eg, company) [Internet Widgits Pty Ltd]:test
Organizational Unit Name (eg, section) []:test
Common Name (eg, YOUR name) []:test
Email Address []:test@test.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:test
D:\OpenSSL\bin>openssl x509 -req -in d:/server-req.csr -out d:/server-cert.pem -signkey d:/server-key.pem -CA d:/root-cert.pem -CAkey d:/root-key.pem -CAcreateserial -days 3560
Loading 'screen' into random state - done
Signature ok
subject=/C=86/ST=test/L=test/O=test/OU=test/CN=test/emailAddress=test@test.com
Getting Private key
Getting CA Private Key
d:\keytool -printcert -file d:/server-cert.pem
所有者:EMAILADDRESS=test@test.com, CN=test, OU=test, O=test, L=test, ST=test, C=86
签发人:EMAILADDRESS=test@test.com, CN=test common, OU=test org, O=org, L=beijing, ST=beijing, C=86
序列号:e07d6f0a99c7983b
有效期: Tue Nov 09 11:55:09 CST 2010 至Sat Aug 08 11:55:09 CST 2020
证书指纹:
MD5:7A:02:3D:EF:51:DE:78:CF:4E:DA:32:9E:CF:56:BD:A4
SHA1:0A:8C:76:2B:F9:CC:06:EE:C2:4D:8E:AF:06:D4:94:D1:5B:5D:A2:9B
签名算法名称:SHA1withRSA
版本: 1
// Export to the browser-supported PKCS#12 (.p12) format
D:\OpenSSL\bin>openssl pkcs12 -export -clcerts -in d:/server-cert.pem -inkey d:/server-key.pem -out d:/server.p12
Loading 'screen' into random state - done
Enter Export Password:
Verifying - Enter Export Password:
///// Generate the client certificate /////
D:\OpenSSL\bin>openssl genrsa -out d:/client-key.pem 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
...............++++++
.++++++
e is 65537 (0x10001)
D:\OpenSSL\bin>openssl req -new -out d:/client-req.csr -key d:/client-key.pem
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:86
State or Province Name (full name) [Some-State]:test
Locality Name (eg, city) []:test
Organization Name (eg, company) [Internet Widgits Pty Ltd]:test
Organizational Unit Name (eg, section) []:test
Common Name (eg, YOUR name) []:test
Email Address []:test@test.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:test
D:\OpenSSL\bin>openssl x509 -req -in d:/client-req.csr -out d:/client-cert.pem -signkey d:/client-key.pem -CA d:/root-cert.pem -CAkey d:/root-key.pem -CAcreateserial -days 365
Loading 'screen' into random state - done
Signature ok
subject=/C=86/ST=test/L=test/O=test/OU=test/CN=test/emailAddress=test@test.com
Getting Private key
Getting CA Private Key
d:\keytool -printcert -file d:/client-cert.pem
所有者:EMAILADDRESS=test@test.com, CN=test, OU=test, O=test, L=test, ST=test, C=86
签发人:EMAILADDRESS=test@test.com, CN=test common, OU=test org, O=org, L=beijing, ST=beijing, C=86
序列号:e07d6f0a99c7983c
有效期: Tue Nov 09 12:11:32 CST 2010 至Wed Nov 09 12:11:32 CST 2011
证书指纹:
MD5:78:FB:B7:2D:66:BD:AE:23:1D:23:1C:92:3B:27:54:E3
SHA1:53:84:C0:A7:68:D4:EA:D1:13:E2:B1:68:41:4F:AF:B0:D6:23:6F:1E
签名算法名称:SHA1withRSA
版本: 1
// Export to the browser-supported PKCS#12 (.p12) format
D:\OpenSSL\bin>openssl pkcs12 -export -clcerts -in d:/client-cert.pem -inkey d:/client-key.pem -out d:/client.p12
Loading 'screen' into random state - done
Enter Export Password:
Verifying - Enter Export Password:
// Import the root certificate into the Tomcat trustStore
D:\OpenSSL\bin>keytool -import -v -trustcacerts -storepass 123456 -alias root -file d:/root-cert.pem -keystore root.jks
所有者:EMAILADDRESS=test@test.com, CN=test common, OU=test org, O=org, L=beijing, ST=beijing, C=86
签发人:EMAILADDRESS=test@test.com, CN=test common, OU=test org, O=org, L=beijing, ST=beijing, C=86
序列号:df0110400977cf52
有效期: Tue Nov 09 11:39:19 CST 2010 至Wed Nov 09 11:39:19 CST 2011
证书指纹:
MD5:E3:FD:6D:8B:C1:FD:25:AD:CC:24:43:76:05:BD:49:CD
SHA1:A0:CB:AF:14:EC:B5:EC:30:E0:4C:8A:B7:ED:0E:12:BB:DC:86:66:9E
签名算法名称:SHA1withRSA
版本: 1
信任这个认证? [否]: y
认证已添加至keystore中
[正在存储 root.jks]
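The whole issuance procedure above (self-signed root, CA-signed server and client certificates, PKCS#12 export) as one non-interactive script, plus the chain check the post never runs and a negative check showing that a client certificate not issued by the root fails verification, which is exactly what using root.jks as the truststore enforces. This is an added example, not the post's own commands; it assumes a POSIX sh with openssl on PATH, and uses 2048-bit keys and C=CN instead of the post's 1024-bit keys and C=86.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes POSIX sh + openssl on PATH.
# Departs from the post: 2048-bit RSA, C=CN, -subj instead of interactive prompts.
set -e

# gen_key_and_csr DIR NAME SUBJECT: "openssl genrsa" then "openssl req -new",
# as in the post, but -subj supplies the DN so nothing is prompted.
gen_key_and_csr() {
  openssl genrsa -out "$1/$2-key.pem" 2048 2>/dev/null
  openssl req -new -key "$1/$2-key.pem" -out "$1/$2-req.csr" -subj "$3"
}

# issue_mtls_certs DIR: root CA, CA-signed server/client certs, .p12 bundles,
# then "openssl verify" of both leaves against the root (exit 0 only if OK).
issue_mtls_certs() {
  dir=$1
  gen_key_and_csr "$dir" root "/C=CN/ST=beijing/L=beijing/O=org/OU=test org/CN=test common"
  # The root signs itself, so -signkey is the right option here.
  openssl x509 -req -in "$dir/root-req.csr" -signkey "$dir/root-key.pem" \
    -days 365 -out "$dir/root-cert.pem" 2>/dev/null
  for name in server client; do
    gen_key_and_csr "$dir" "$name" "/C=CN/ST=test/L=test/O=test/OU=test/CN=$name"
    # Leaves are signed by the CA only (-CA/-CAkey); the post also passes
    # -signkey, which is redundant because the CA signature overwrites it.
    openssl x509 -req -in "$dir/$name-req.csr" -CA "$dir/root-cert.pem" \
      -CAkey "$dir/root-key.pem" -CAcreateserial -days 365 \
      -out "$dir/$name-cert.pem" 2>/dev/null
    # Browser/Tomcat-importable bundle; export password is a constructed value.
    openssl pkcs12 -export -in "$dir/$name-cert.pem" -inkey "$dir/$name-key.pem" \
      -out "$dir/$name.p12" -passout pass:123456
  done
  # keytool -printcert only shows the issuer name; this proves the chain.
  openssl verify -CAfile "$dir/root-cert.pem" "$dir/server-cert.pem" "$dir/client-cert.pem"
}

# rogue_client_rejected DIR: a self-signed client cert NOT issued by root must
# fail against root-cert.pem, just as Tomcat with clientAuth="true" and
# root.jks as truststore rejects it. Returns 0 when it is correctly rejected.
rogue_client_rejected() {
  gen_key_and_csr "$1" rogue "/C=CN/O=test/CN=rogue"
  openssl x509 -req -in "$1/rogue-req.csr" -signkey "$1/rogue-key.pem" \
    -days 365 -out "$1/rogue-cert.pem" 2>/dev/null
  ! openssl verify -CAfile "$1/root-cert.pem" "$1/rogue-cert.pem" 2>/dev/null
}

if [ "${1:-}" ]; then
  issue_mtls_certs "$1" && rogue_client_rejected "$1" && echo "mTLS material ready in $1"
fi
```

Run it as `sh mtls-certs.sh /some/dir`; the resulting root-cert.pem can be imported into root.jks with the keytool command above, and the .p12 files used for the Connector and the browser.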
// Copy server.p12, client.p12 and root.jks into the Tomcat conf directory
// server.xml
// Connector configured with the PKCS12 keystore and the JKS truststore
<Connector port="8443" maxHttpHeaderSize="8192" SSLEnabled="true"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
sslProtocol="TLS" clientAuth="true" keystoreFile="D:/Tomcat 6.0/conf/server.p12"
keystoreType="PKCS12" keystorePass="123456" truststoreFile="D:/Tomcat 6.0/conf/root.jks"
truststoreType="JKS" truststorePass="123456"
/>
3. Test screenshots
1. Certificate not imported into the browser
IE gives no prompt; I unchecked "Show friendly HTTP error messages" and it still shows nothing.
2. Importing the certificate
Double-click the certificate to import it. Click Next and enter the password; the password I used everywhere above is 123456.
3. Screenshot of the working test