Tomcat Server/Client Self-Signed SSL Certificate

Backend  Unresolved  4  1999
死守一世寂寞 2020-11-28 01:46

I have an Apache Tomcat 6.x server running with a self-signed SSL certificate. I want the client to present their own certificate to the server so I can authenticate them b

4 answers
  • 2020-11-28 02:25

    Finally got the solution to my problem, so I'll post the results here if anyone else gets stuck.

    Thanks to Michael Martin of Michael's Software Thoughts & Ramblings I discovered that:

    keytool by default uses the DSA algorithm when generating the self-signed cert. Earlier versions of Firefox accepted these keys without problem. With Firefox 3 beta 5, using DSA doesn't work, but using RSA does. Passing "-keyalg RSA" when generating the self-signed certificate creates a cert the Firefox 3 beta 5 fully accepts.

    I simply set that flag, cleared all caches in Firefox and it worked like a charm! I am using this as a test-setup for my project and I need to share this with other people, so I wrote a little batch script that creates two SSL certificates. One can be dropped into the Tomcat setup and the other is a .p12 file that can be imported into Firefox/IE. Thanks!

    Usage: first command-line argument is the username of the client. All passwords are "password" (with no quotations). Change any of the hard-coded bits to meet your needs.

    @echo off
    rem Usage: generate_keystore [username]  - builds server.jks and {username}.p12
    if "%1" == "" goto usage
    
    rem 1. Server key pair with a self-signed RSA cert (DSA, the keytool default, is rejected by Firefox 3)
    keytool -genkeypair -alias servercert -keyalg RSA -dname "CN=Web Server,OU=Unit,O=Organization,L=City,S=State,C=US" -keypass password -keystore server.jks -storepass password
    rem 2. Client key pair with a self-signed RSA cert, stored as PKCS#12 so a browser can import it
    keytool -genkeypair -alias %1 -keystore %1.p12 -storetype pkcs12 -keyalg RSA -dname "CN=%1,OU=Unit,O=Organization,L=City,S=State,C=US" -keypass password -storepass password
    rem 3. Export only the client's certificate (no private key) to a temporary file
    keytool -exportcert -alias %1 -file %1.cer -keystore %1.p12 -storetype pkcs12 -storepass password
    rem 4. Import that certificate into server.jks as a trusted entry so Tomcat accepts this client
    keytool -importcert -keystore server.jks -alias %1 -file %1.cer -v -trustcacerts -noprompt -storepass password
    rem 5. Show what ended up in the server keystore, then remove the temporary .cer
    keytool -list -v -keystore server.jks -storepass password
    del %1.cer
    goto end
    
    :usage
    echo Need user id as first argument: generate_keystore [username]
    goto end
    
    :end
    pause
    

    The results are two files. One called server.jks that you drop into Tomcat and another file called {username}.p12 that you import into your browser. The server.jks file has the client certificate added as a trusted cert.

    I hope someone else finds this useful.

    And here is the XML that needs to be added to your Tomcat conf/server.xml file (only tested on Tomcat 6.x)

    <Connector
       clientAuth="true" port="8443" minSpareThreads="5" maxSpareThreads="75"
       enableLookups="true" disableUploadTimeout="true"
       acceptCount="100" maxThreads="200"
       scheme="https" secure="true" SSLEnabled="true"
       keystoreFile="${catalina.home}/conf/server.jks"
       keystoreType="JKS" keystorePass="password"
       truststoreFile="${catalina.home}/conf/server.jks"
       truststoreType="JKS" truststorePass="password"
       SSLVerifyClient="require" SSLEngine="on" SSLVerifyDepth="2" sslProtocol="TLS"
    />
    

    For Tomcat 7:

    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="8443" SSLEnabled="true"
               maxThreads="200" scheme="https" secure="true"
               keystoreFile="${catalina.base}/conf/server.jks" keystorePass="password"
               clientAuth="false" sslProtocol="TLS" />    
    
    0 Discussion (0)
  • 2020-11-28 02:25

    To enable client authentication, you need to specify a "trust store" for Tomcat: a key store containing certificates from the root certification authorities that you trust, each flagged as a "trustEntry".

    This is specified by the Connector element's attributes: truststoreFile, truststorePass (which defaults to the value of keystorePass), and truststoreType (which defaults to "JKS").

    If a client is using a self-signed certificate, then its "root" CA is the certificate itself; it follows, then, that you need to import the client's self-signed certificate into Tomcat's trust store.

    If you have many clients, this will quickly become a hassle. In that case, you might want to look into signing certificates for your clients. The Java keytool command can't do this, but all of the necessary command-line utilities are available in OpenSSL. Or you could look into something like EJBCA on a large scale.

    Better yet, ask your clients to use an existing free CA, like startcom.org. This doesn't always work for server certificates, because StartCom's certificate isn't included in all browsers, but this situation is reversed, and the StartCom root certificate could easily be imported to the Tomcat trust store.

    0 Discussion (0)
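The two answers above make the same point from different sides: the `clientAuth` attribute decides whether Tomcat demands a certificate at all, and the trust store decides which client certificates it will accept. The following Python script is an added example (not code from either answer or from the Tomcat project) that parses a `<Connector>` element from `server.xml` and reports what those settings actually enforce. The weak-password list, the set of APR-only attribute names and the finding codes are my own assumptions; the fallback to the JVM `cacerts` file when `truststoreFile` is absent is the behaviour documented for the Tomcat JSSE connector. The two sample connectors embedded below are the Tomcat 6 and Tomcat 7 snippets from the first answer, copied unchanged.

```python
"""Audit the TLS settings of a Tomcat <Connector> for client-certificate enforcement.

Added example for this thread; not code from the answers above. It reads only the
attribute names used by the Tomcat 6/7 JSSE connector in those answers.
"""
import xml.etree.ElementTree as ET

# Placeholder passwords that tutorials (including the scripts in this thread) leave in place.
WEAK_PASSWORDS = {"password", "changeit", "123456", "secret"}
# Attributes honoured only by the APR/native connector; the default JSSE connector ignores them.
APR_ONLY = {"SSLVerifyClient", "SSLEngine", "SSLVerifyDepth"}
DEPRECATED_PROTOCOLS = {"SSL", "SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def audit_connector(xml_text):
    """Return a list of (code, message) findings for a single <Connector .../> element."""
    attrs = ET.fromstring(xml_text).attrib
    findings = []

    if attrs.get("SSLEnabled", "false").lower() != "true":
        findings.append(("NO_TLS", "SSLEnabled is not true: this connector serves plain HTTP"))
        return findings

    # clientAuth decides whether the handshake demands a certificate from the browser.
    client_auth = attrs.get("clientAuth", "false").lower()
    if client_auth == "true":
        findings.append(("CLIENT_AUTH_REQUIRED",
                         "clientAuth=true: handshake fails unless the client presents a trusted cert"))
    elif client_auth == "want":
        findings.append(("CLIENT_AUTH_OPTIONAL",
                         "clientAuth=want: a client cert is requested, but connections without one succeed"))
    else:
        findings.append(("CLIENT_AUTH_OFF",
                         "clientAuth is false or absent: only the server is authenticated"))

    # Which certificates count as trusted is decided by the trust store, not by clientAuth.
    if client_auth in ("true", "want"):
        if "truststoreFile" not in attrs:
            findings.append(("TRUSTSTORE_DEFAULT",
                             "no truststoreFile: Tomcat falls back to the JVM trust store (cacerts), "
                             "so any client cert chaining to a public CA passes the TLS layer"))
        elif attrs["truststoreFile"] == attrs.get("keystoreFile"):
            findings.append(("TRUSTSTORE_IS_KEYSTORE",
                             "truststore and keystore are the same file: the server's private key and "
                             "the list of trusted client certs share one file and one password"))

    for attr in ("keystorePass", "truststorePass"):
        if attrs.get(attr, "").lower() in WEAK_PASSWORDS:
            findings.append(("WEAK_PASSWORD", f"{attr} is a well-known placeholder value"))

    if attrs.get("sslProtocol") in DEPRECATED_PROTOCOLS:
        findings.append(("DEPRECATED_PROTOCOL", f"sslProtocol={attrs['sslProtocol']} is obsolete"))

    ignored = sorted(APR_ONLY.intersection(attrs))
    if ignored:
        findings.append(("APR_ONLY_ATTRS",
                         f"{', '.join(ignored)} apply only to the APR connector and are ignored by JSSE"))
    return findings


def finding_codes(xml_text):
    """Just the codes, handy for assertions and for grepping a large server.xml."""
    return [code for code, _ in audit_connector(xml_text)]


# The Tomcat 6 and Tomcat 7 snippets from the first answer in this thread, unchanged.
TOMCAT6_CONNECTOR = """<Connector
   clientAuth="true" port="8443" minSpareThreads="5" maxSpareThreads="75"
   enableLookups="true" disableUploadTimeout="true"
   acceptCount="100" maxThreads="200"
   scheme="https" secure="true" SSLEnabled="true"
   keystoreFile="${catalina.home}/conf/server.jks"
   keystoreType="JKS" keystorePass="password"
   truststoreFile="${catalina.home}/conf/server.jks"
   truststoreType="JKS" truststorePass="password"
   SSLVerifyClient="require" SSLEngine="on" SSLVerifyDepth="2" sslProtocol="TLS"
/>"""

TOMCAT7_CONNECTOR = """<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" SSLEnabled="true"
           maxThreads="200" scheme="https" secure="true"
           keystoreFile="${catalina.base}/conf/server.jks" keystorePass="password"
           clientAuth="false" sslProtocol="TLS" />"""

if __name__ == "__main__":
    for name, snippet in (("Tomcat 6", TOMCAT6_CONNECTOR), ("Tomcat 7", TOMCAT7_CONNECTOR)):
        print(name)
        for code, message in audit_connector(snippet):
            print(f"  [{code}] {message}")
```

Run against the thread's own snippets, the Tomcat 6 connector is reported as requiring client certificates (with the placeholder passwords and the ignored APR attributes flagged), while the Tomcat 7 connector comes back as `CLIENT_AUTH_OFF`: with `clientAuth="false"` the server never asks the browser for a certificate, so nothing in that configuration authenticates the client, whatever is in the keystore.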
  • 2020-11-28 02:27

    Create certificate:

    keytool -genkey -alias tomcat -keyalg RSA -keystore /home/bob/mykeystore
    

    Enter all the data for the self-signed certificate you need, then edit Tomcat's server.xml and specify the keystore properties on the SSL connector, e.g.:

    <Connector port="8443" maxHttpHeaderSize="8192"
            maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
            enableLookups="false" disableUploadTimeout="true"
            acceptCount="100" scheme="https" secure="true"
            keystoreFile="/home/bob/mykeystore"
            clientAuth="false" sslProtocol="TLS" />
    

    or follow the Tomcat docs...

    http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

    0 Discussion (0)
  • 2020-11-28 02:40

    The previous answers are useful to me, but don't have a shell tool version. So I wrote one.

    key_gen.sh:

    #!/bin/bash
    # A key generator for HTTPS: builds a keystore holding one self-signed RSA server certificate.
    
    basename=server
    key_algorithm=RSA
    password_key=123456
    password_store=123456
    country=US
    
    # clean - remove any keystore left from a previous run (-f: a missing file is not an error)
    rm -f "${basename}.jks"
    
    # generate server side key pair and self-signed certificate
    keytool -genkeypair -alias "${basename}cert" -keyalg "$key_algorithm" -dname "CN=Web Server,OU=Unit,O=Organization,L=City,S=State,C=${country}" -keypass "$password_key" -keystore "${basename}.jks" -storepass "$password_store"
    

    For Tomcat 8, you could add the following config to server.xml:

        <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
            clientAuth="false" sslProtocol="TLS"
            acceptCount="75" keystoreFile="${catalina.home}/conf/server.jks" keystorePass="123456"
        />
    
    0 Discussion (0)