Client authentication in Tomcat server

Problem description:

I want to configure SSL for mutual authentication.

I work with Eclipse + Tomcat 8.

I did it this way:

I created private keys in this way:

openssl genrsa -des3 -out client_key.pem 2048
openssl genrsa -des3 -out server_key.pem 2048

I created self-signed certificates:

openssl req -new -x509 -key client_key.pem -out client.pem -days 365 -config <path to>\openssl.cnf
openssl req -new -x509 -key server_key.pem -out server.pem -days 365 -config <path to>\openssl.cnf

I created truststores and imported the certificates:

keytool -importcert -trustcacerts -keystore clienttruststore.jks -storetype jks -storepass <truststore_password> -file <path-to-file>\server.pem
keytool -importcert -trustcacerts -keystore servertruststore.jks -storetype jks -storepass <server_truststore_password> -file <path-to-file>\client.pem

I combined the certificate and the private key for the server and client respectively:

openssl pkcs12 -export -inkey client_key.pem -in client.pem -out client.p12
openssl pkcs12 -export -inkey server_key.pem -in server.pem -out server.p12

And finally I converted the keystore in pkcs12 format:

keytool -importkeystore -srckeystore client.p12 -srcstoretype pkcs12 -destkeystore client.jks -deststoretype jks
keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -destkeystore server.jks -deststoretype jks

After this, I configured SSL/TLS support on Tomcat. So, I configured server.xml in the Servers folder and set up the connector in this way:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="path\to\server.jks" keystorePass="*******" keystoreType="JKS"
               truststoreFile="path\to\servertruststore.jks" truststorePass="********" truststoreType="JKS" />

Finally I clean and build the project.

I created a Dynamic Web Project in Eclipse called "myproject". It works well.

The problem is that when myproject runs on the server at the URL https://localhost:8443/myproject, Google Chrome shows the red triangle (This page is insecure (broken HTTPS)).

  1. What is wrong?
  2. Where do I put client.jks and clienttruststore.jks in my project?

This image shows the problem:

  1. Your certificates are self-signed, meaning they are not signed by a CA, meaning Chrome cannot trust them unless you approve them manually.

When generating the certificate did you provide a CN? It must match the hostname that you are using (in your case it's localhost); if the CN doesn't match, Chrome will not allow SSL unless you approve it manually.

You said you want mutual authentication, but you configured clientAuth="false". It should be true. As for the keystore, you are supposed to use the same keystore for the certificates, therefore when the client connects with its certificate, Tomcat will validate that the corresponding certificate is located in the keystore.

Hope this helps.
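The two checks the answer points at, as an added example that is not part of the question or the answer: it regenerates the self-signed server and client certificates with the CN (and SAN) set to the browser hostname, then verifies that the CN matches the host and that the peer certificate validates against the truststore, which is the check Tomcat performs on the client certificate once clientAuth="true". File names and the PEM trust files are assumptions for a local test; it needs openssl 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not the asker's or answerer's commands: regenerate both
# self-signed certificates with CN and SAN equal to the browser hostname,
# then check the two points raised in the answer: does the CN match the host,
# and does the peer cert verify against the truststore, which is what Tomcat
# does with the client cert once clientAuth="true". Needs openssl 1.1.1+.
set -e
WORK=$(mktemp -d)
cd "$WORK"

HOST=localhost   # must equal the name typed into the browser URL

# Self-signed server and client certs (hypothetical file names; -nodes skips
# the DES3 passphrase used in the question, which is fine for a local test).
for side in server client; do
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" \
    -keyout "${side}_key.pem" -out "${side}.pem" 2>/dev/null
done

# Print the CN of a certificate.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Return 0 when the CN or a DNS SAN equals the hostname (the check Chrome makes).
cert_matches_host() {
  [ "$(cert_cn "$1")" = "$2" ] && return 0
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
    grep -Eq "DNS:$2(,| |\$)"
}

# Return 0 when the peer cert chains to a cert in the trust file, i.e. what
# Tomcat does with the client cert against truststoreFile when clientAuth="true".
verify_peer() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Same trust relationship as the question's two JKS truststores, in PEM form.
cp server.pem clienttrust.pem
cp client.pem servertrust.pem

if cert_matches_host server.pem "$HOST" && verify_peer client.pem servertrust.pem; then
  echo "server cert matches $HOST and the client cert is trusted by the server"
fi
```

Chrome still shows the warning for a self-signed certificate until it is approved or imported into the browser's trust store; the CN/SAN check only removes the hostname mismatch, and the verify step confirms the truststore contents that clientAuth="true" relies on.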