Reference
http://www.cnblogs.com/tyjsjl/p/3359255.html

Generating the CA certificate keystore
    keytool -genkey -alias ca_server -keyalg RSA -keystore ca_server.jks -validity 3600 -storepass 123456
    您的名字与姓氏是什么?
      [Unknown]:
    您的组织单位名称是什么?
      [Unknown]:  itian
    您的组织名称是什么?
      [Unknown]:  itian
    您所在的城市或区域名称是什么?
      [Unknown]:  北京
    您所在的省/市/自治区名称是什么?
      [Unknown]:  海淀
    该单位的双字母国家/地区代码是什么?
      [Unknown]:  cn
    CN=zhang, OU=zhang, O=zhang, L=xian, ST=shanxi, C=cn是否正确?
      [否]:  y
    输入 <zhy_server> 的密钥口令
            (如果和密钥库口令相同, 按回车):
Then export the .cer certificate from the keystore
    keytool -export -alias ca_server -file zhy_server.cer -keystore ca_server.jks -storepass 123456
Then deploy it in Tomcat's server.xml
    <Connector SSLEnabled="true" acceptCount="100" clientAuth="false" disableUploadTimeout="true"
               enableLookups="true" keystoreFile="D:/Tomcat/conf/CA/twt_server.jks" keystorePass="123456"
               maxSpareThreads="75" maxThreads="200" minSpareThreads="5" port="8848"
               protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true"
               sslProtocol="TLS" />
With that in place the site can be reached over https at the corresponding URL. For two-way (mutual) authentication we also need to generate a client .cer and keystore, in the same way as above (the details entered need not be identical); suppose we generated ca_client.jks and ca_client.cer. The client .cer needs special handling: it has to be imported into a truststore that the server will consult, with the following command:
    keytool -import -alias ca_client -file ca_client.cer -keystore ca_client_for_sever.jks
The Connector is then changed as follows (clientAuth switched to "true" and the truststore added):
    <Connector SSLEnabled="true" acceptCount="100" clientAuth="true" disableUploadTimeout="true"
               enableLookups="true" keystoreFile="D:/Tomcat/conf/CA/twt_server.jks" keystorePass="123456"
               maxSpareThreads="75" maxThreads="200" minSpareThreads="5" port="8848"
               protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true"
               sslProtocol="TLS" truststoreFile="D:/Tomcat/conf/CA/ca_client_for_sever.jks" />
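A check worth running over the Connector before restarting Tomcat, added here as an example (it is not from the original post and not part of Tomcat): it parses the element with the JDK's own XML parser and reports the settings that quietly break mutual TLS. Both sample Connector strings are constructed from the post's configuration; the first one lists clientAuth twice, once "false" and once "true", which is not well-formed XML, so the parser rejects it just as Tomcat's does at startup.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class ConnectorLint {

    // Constructed sample: the two-way-auth Connector with clientAuth given twice.
    static final String AS_POSTED =
          "<Connector SSLEnabled=\"true\" clientAuth=\"false\" port=\"8848\" scheme=\"https\" secure=\"true\""
        + " keystoreFile=\"D:/Tomcat/conf/CA/twt_server.jks\" keystorePass=\"123456\" sslProtocol=\"TLS\""
        + " clientAuth=\"true\" truststoreFile=\"D:/Tomcat/conf/CA/ca_client_for_sever.jks\" />";

    // Constructed sample: the same Connector with the duplicate attribute removed.
    static final String CORRECTED =
          "<Connector SSLEnabled=\"true\" clientAuth=\"true\" port=\"8848\" scheme=\"https\" secure=\"true\""
        + " keystoreFile=\"D:/Tomcat/conf/CA/twt_server.jks\" keystorePass=\"123456\" sslProtocol=\"TLS\""
        + " truststoreFile=\"D:/Tomcat/conf/CA/ca_client_for_sever.jks\" />";

    /** Returns the problems found; an empty list means the element parses and
        carries everything a mutual-TLS connector needs. */
    public static List<String> lint(String connectorXml) {
        List<String> findings = new ArrayList<>();
        Element c;
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            // a server.xml fragment never needs a DOCTYPE; refuse one outright
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            c = f.newDocumentBuilder()
                 .parse(new InputSource(new StringReader(connectorXml)))
                 .getDocumentElement();
        } catch (SAXParseException e) {
            // duplicate attributes land here: not well-formed, Tomcat will not start
            findings.add("not well-formed XML: " + e.getMessage());
            return findings;
        } catch (Exception e) {
            findings.add("could not parse Connector: " + e);
            return findings;
        }
        if (!"true".equals(c.getAttribute("SSLEnabled"))) {
            findings.add("SSLEnabled is not \"true\": the connector serves plain HTTP");
        }
        String clientAuth = c.getAttribute("clientAuth");
        if (!"true".equals(clientAuth)) {
            findings.add("clientAuth=\"" + clientAuth + "\": client certificates are not required"
                       + " (\"want\" only asks for one, \"false\" never asks)");
        }
        if (c.getAttribute("keystoreFile").isEmpty()) {
            findings.add("keystoreFile missing: Tomcat falls back to .keystore in the user's home");
        }
        if (c.getAttribute("truststoreFile").isEmpty()) {
            findings.add("truststoreFile missing: client certificates would be checked against the"
                       + " JVM default truststore, which does not contain a self-signed client cert");
        }
        if (c.getAttribute("truststorePass").isEmpty()) {
            findings.add("truststorePass not set: Tomcat reuses keystorePass, so the truststore"
                       + " must have been created with that same password");
        }
        return findings;
    }

    public static void main(String[] args) {
        for (String xml : new String[] { AS_POSTED, CORRECTED }) {
            List<String> findings = lint(xml);
            System.out.println(findings.isEmpty() ? "OK" : findings.size() + " finding(s):");
            for (String f : findings) System.out.println("  - " + f);
        }
    }
}
```

For the corrected Connector the only remaining finding is the truststorePass note: the import command above did not pass -storepass, so whatever password keytool prompted for must equal keystorePass, or Tomcat must be given truststorePass explicitly.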
For two-way authentication, taking Android as the example: Android only recognises the BKS keystore format (Bouncy Castle's), so the client keystore has to be converted to BKS with the appropriate tool. The client code then looks like this:
    import java.io.IOException;
    import java.io.InputStream;
    import java.security.KeyStore;
    import java.security.SecureRandom;
    import java.security.cert.CertificateFactory;
    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSession;
    import javax.net.ssl.TrustManagerFactory;

    // mContext is the Android Context held by the enclosing class (used to open the asset)
    public void setCertificates(InputStream... certificates) {
        try {
            // build an in-memory truststore holding the server certificate(s) passed in
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load(null);
            int index = 0;
            for (InputStream certificate : certificates) {
                String certificateAlias = Integer.toString(index++);
                keyStore.setCertificateEntry(certificateAlias,
                        certificateFactory.generateCertificate(certificate));
                try {
                    certificate.close();
                } catch (IOException e) {
                    // nothing to do; the certificate has already been read
                }
            }
            SSLContext sslContext = SSLContext.getInstance("TLS");
            TrustManagerFactory trustManagerFactory =
                    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(keyStore);

            // load the client keystore (BKS, bundled in assets) that holds the client certificate and key
            KeyStore clientKeyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            clientKeyStore.load(mContext.getAssets().open("ca_client.bks"), "123456".toCharArray());
            KeyManagerFactory keyManagerFactory =
                    KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            keyManagerFactory.init(clientKeyStore, "123456".toCharArray());

            sslContext.init(keyManagerFactory.getKeyManagers(),
                    trustManagerFactory.getTrustManagers(), new SecureRandom());
            HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
            // accept only the host name "localhost" (development setup)
            HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
                @Override
                public boolean verify(String hostname, SSLSession sslsession) {
                    return "localhost".equals(hostname);
                }
            });
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
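The same client-side setup in a form I would ship, added here as an example rather than code from the post: it builds the pinned truststore and the client key manager exactly as above, but attaches the socket factory to one connection instead of replacing the process-wide default, keeps the JDK's default hostname verifier instead of hard-wiring "localhost", takes the keystore password from the caller instead of a literal, and closes every stream. It is plain JDK code so it runs on a desktop; the argument order and file names are assumptions of this example. On Android the only changes are KeyStore.getInstance("BKS") and context.getAssets().open(...) in place of FileInputStream.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.CertificateFactory;
import java.util.Arrays;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsClient {

    /**
     * Trust only the server certificate(s) given and present the client identity
     * from clientKeyStore. Nothing process-wide is modified.
     */
    public static SSLContext build(KeyStore clientKeyStore, char[] keyPassword,
                                   InputStream... serverCerts) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);                       // empty in-memory truststore
        int i = 0;
        for (InputStream in : serverCerts) {
            try (InputStream s = in) {                // closed even if parsing fails
                trust.setCertificateEntry("server-" + i++, cf.generateCertificate(s));
            }
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKeyStore, keyPassword);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }

    /** One request over the pinned context; the default hostname verifier stays in place. */
    public static int get(SSLContext ctx, String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());   // per connection, not setDefault...
        try {
            return conn.getResponseCode();
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // assumed argument order: <https-url> <server.cer> <client keystore> <keystore password>
        char[] pass = args[3].toCharArray();
        KeyStore clientKeyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[2])) {
            clientKeyStore.load(in, pass);
        }
        SSLContext ctx = build(clientKeyStore, pass, new FileInputStream(args[1]));
        System.out.println("HTTP " + get(ctx, args[0]));
        Arrays.fill(pass, '\0');                      // password no longer needed
    }
}
```

Keeping the default verifier means the server certificate must actually name the host it is served from (the keytool session above put "zhang" in the CN, which matches nothing); the fix belongs on the server side, issuing the certificate for the real host name, not in a verifier that waves the mismatch through.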
Reading a .cer certificate
    import java.io.FileInputStream;
    import java.math.BigInteger;
    import java.security.PublicKey;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509Certificate;
    import java.util.Base64;

    CertificateFactory certificatefactory = CertificateFactory.getInstance("X.509");
    FileInputStream bais = new FileInputStream("srca.cer");
    X509Certificate cert = (X509Certificate) certificatefactory.generateCertificate(bais);
    bais.close();
    System.out.println("版本号 " + cert.getVersion());
    System.out.println("序列号 " + cert.getSerialNumber().toString(16));
    System.out.println("全名 " + cert.getSubjectDN());
    System.out.println("签发者全名\n" + cert.getIssuerDN());
    System.out.println("有效期起始日 " + cert.getNotBefore());
    System.out.println("有效期截至日 " + cert.getNotAfter());
    System.out.println("签名算法 " + cert.getSigAlgName());
    byte[] sig = cert.getSignature();
    System.out.println("签名:" + new BigInteger(sig).toString(16));
    PublicKey pk = cert.getPublicKey();
    System.out.println("PublicKey:" + Base64.getEncoder().encodeToString(pk.getEncoded()));
Reading it from a keystore instead
    import java.io.FileInputStream;
    import java.security.KeyStore;
    import java.security.cert.Certificate;

    String pass = "080302";
    String alias = "mykey";
    String name = ".keystore";
    FileInputStream in = new FileInputStream(name);
    KeyStore ks = KeyStore.getInstance("JKS");
    ks.load(in, pass.toCharArray());
    Certificate c = ks.getCertificate(alias);
    in.close();
    System.out.println(c.toString());
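Beyond printing fields, the things I actually want to know about a certificate before trusting it are whether it is inside its validity window, what its SHA-256 fingerprint is (to compare against the copy in the truststore or against keytool -printcert on the other machine), whether its signature really was made by the issuer it names, and whether it uses a signature algorithm that should be retired. The class below, added as an example and not taken from the post, does those checks on the .cer files produced above; the argument order is an assumption of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Collection;
import java.util.List;

public class CertInspect {

    /** Parses a DER or PEM encoded .cer and closes the stream. */
    public static X509Certificate load(InputStream in) throws Exception {
        try (InputStream s = in) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(s);
        }
    }

    /** SHA-256 fingerprint in the colon-separated form keytool -printcert shows. */
    public static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    /** true if cert's issuer name matches issuer's subject and the signature verifies
        with issuer's public key; pass the same certificate twice to test self-signed. */
    public static boolean signedBy(X509Certificate cert, X509Certificate issuer) {
        if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) return false;
        try {
            cert.verify(issuer.getPublicKey());
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    /** true if the current time lies inside notBefore..notAfter. */
    public static boolean currentlyValid(X509Certificate cert) {
        try {
            cert.checkValidity();
            return true;
        } catch (CertificateException e) {
            return false;
        }
    }

    /** Signature algorithms a TLS peer should no longer accept. */
    public static boolean weakSignature(X509Certificate cert) {
        String alg = cert.getSigAlgName().toUpperCase();
        return alg.startsWith("MD5") || alg.startsWith("SHA1");
    }

    public static void main(String[] args) throws Exception {
        // assumed arguments: <certificate.cer> [<issuer.cer>]; with one argument the
        // certificate is checked against itself (self-signed, as keytool -genkey produces)
        X509Certificate cert = load(new FileInputStream(args[0]));
        X509Certificate issuer = args.length > 1 ? load(new FileInputStream(args[1])) : cert;

        System.out.println("subject      : " + cert.getSubjectX500Principal());
        System.out.println("issuer       : " + cert.getIssuerX500Principal());
        System.out.println("SHA-256      : " + sha256Fingerprint(cert));
        System.out.println("valid now    : " + currentlyValid(cert)
                + " (" + cert.getNotBefore() + " .. " + cert.getNotAfter() + ")");
        System.out.println("signature    : " + cert.getSigAlgName()
                + (weakSignature(cert) ? "  <-- weak, reissue" : ""));
        String who = (issuer == cert) ? "self-signed  : " : "signed by #2 : ";
        System.out.println(who + signedBy(cert, issuer));
        PublicKey pk = cert.getPublicKey();
        if (pk instanceof RSAPublicKey) {
            System.out.println("RSA key bits : " + ((RSAPublicKey) pk).getModulus().bitLength());
        }
        // SANs are what host name verification matches; without them only the CN is consulted
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        System.out.println("SAN entries  : "
                + (sans == null ? "none (host name check falls back to CN)" : sans));
    }
}
```

Run it once on the server's .cer and once on the client's .cer with the server truststore's copy as the second argument; if the fingerprints differ or signedBy returns false, the truststore does not hold the certificate you think it does, and the handshake failure you would see later is explained before Tomcat is even restarted.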
Original post: http://my.oschina.net/ososchina/blog/500973