1. Generate the server keystore
keytool -genkey -alias tomcat -keypass changeit -keyalg RSA -keysize 1024 -validity 365 -keystore /home/tomcat/server.keystore -storepass changeit -dname "CN=10.10.6.100,OU=shixun,O=shixun,L=beijing,ST=beijing,c=cn"
Note: CN is the domain name or IP address the certificate is issued for.
2. Generate the client keystore
keytool -genkey -alias client -keypass changeit -keyalg RSA -keysize 1024 -validity 365 -storetype PKCS12 -keystore /home/tomcat/client.p12 -storepass changeit -dname "CN=client,OU=shixun,O=shixun,L=beijing,ST=beijing,c=cn"
3. Export the client certificate
keytool -export -alias client -keystore /home/tomcat/client.p12 -storetype PKCS12 -keypass changeit -file /home/tomcat/client.cer -storepass changeit
4. Make the server trust the client certificate by importing it into the server keystore
keytool -import -v -file /home/tomcat/client.cer -keystore /home/tomcat/server.keystore -storepass changeit
5. List the server keystore; it now holds two entries, the server certificate and the trusted client certificate:
keytool -list -v -keystore /home/tomcat/server.keystore -storepass changeit
6. Import the client certificate client.p12 into the browser
Double-click client.p12, click Next and enter the password; this imports it into IE and the site becomes accessible.
Chrome and Firefox need a manual import before the site can be accessed.
Chrome:
Settings → Show advanced settings... → Manage certificates... → Personal → select the certificate → OK
Firefox:
Tools → Options → Advanced → Certificates → View Certificates → Import → select the certificate → OK
Accessing the site from a program
A SolrJ program accesses the server with the certificate through an HttpClient.
Sample code:
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;

public class DoubleSSL {
    private String httpUrl = "https://192.168.100.175:8443/solr";
    // client key store (holds the key the client presents to the server)
    private String sslKeyStorePath = "E:/ssl/server.keystore";
    private String sslKeyStorePassword = "changeit";
    // certificates the client trusts
    private String sslTrustStore = "E:/ssl/server.keystore";
    // must be the password the store was created with (step 1 uses changeit)
    private String sslTrustStorePassword = "123456";

    public HttpClient testHttpsClient() {
        SSLContext sslContext = null;
        HttpClient httpClient = null;
        try {
            // key manager: the client's own key and certificate
            KeyStore kstore = KeyStore.getInstance("JKS");
            kstore.load(new FileInputStream(sslKeyStorePath), sslKeyStorePassword.toCharArray());
            KeyManagerFactory keyFactory = KeyManagerFactory.getInstance("sunx509");
            keyFactory.init(kstore, sslKeyStorePassword.toCharArray());
            // trust manager: the server certificates the client accepts
            KeyStore tstore = KeyStore.getInstance("jks");
            tstore.load(new FileInputStream(sslTrustStore), sslTrustStorePassword.toCharArray());
            TrustManager[] tm;
            TrustManagerFactory tmf = TrustManagerFactory.getInstance("sunx509");
            tmf.init(tstore);
            tm = tmf.getTrustManagers();
            sslContext = SSLContext.getInstance("SSL");
            sslContext.init(keyFactory.getKeyManagers(), tm, null);
        } catch (Exception e) {
            e.printStackTrace();
        }
        try {
            // register an https scheme on port 8443 backed by the context above
            httpClient = new DefaultHttpClient();
            SSLSocketFactory socketFactory = new SSLSocketFactory(sslContext);
            Scheme sch = new Scheme("https", 8443, socketFactory);
            httpClient.getConnectionManager().getSchemeRegistry().register(sch);
            HttpGet httpGet = new HttpGet(httpUrl);
            HttpResponse response = httpClient.execute(httpGet);
            System.out.println(response.getStatusLine().getStatusCode());
        } catch (Exception e) {
            e.printStackTrace();
        }
        return httpClient;
    }
}
7. Configure the Tomcat server
Copy the generated server.keystore (the server certificate store) into the Tomcat directory, then edit server.xml under Tomcat's conf directory and uncomment the 8443 Connector:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="/home/tomcat/server.keystore" keystorePass="changeit"
           truststoreFile="/home/tomcat/server.keystore" truststorePass="changeit" />
8. Force Tomcat to use HTTPS
Add the following after </welcome-file-list> in tomcat/conf/web.xml:
<login-config>
    <!-- Authorization setting for SSL -->
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<security-constraint>
    <!-- Authorization setting for SSL -->
    <web-resource-collection>
        <web-resource-name>SSL</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
Note: with clientAuth set to true, a client certificate is required and verified; without one the site cannot be accessed.
9. Accessing Tomcat on port 8080 now redirects automatically to port 8443:
http://10.10.6.100:8080
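Added example, not part of the original post or its SolrJ code: the same mutual-TLS client written against java.net.http.HttpClient (Java 11+) instead of the Apache HttpClient 4 API, using client.p12 from step 2 as the key store and an assumed separate trust store (client.truststore, a hypothetical file holding only the server certificate) rather than server.keystore, which clients should never receive because it contains the server's private key. It also checks that a connection offering no client certificate is rejected, which is what clientAuth="true" on the 8443 Connector is supposed to enforce.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsCheck {
    // Step 2 output: the client's own private key and certificate (PKCS12).
    static final String CLIENT_KEYSTORE = "/home/tomcat/client.p12";
    // Assumed file: a trust store holding only the server certificate (export the "tomcat"
    // entry from server.keystore and import that .cer here); never give clients server.keystore.
    static final String TRUST_STORE = "/home/tomcat/client.truststore";
    static final char[] PASSWORD = "changeit".toCharArray();
    static KeyStore load(String type, String path) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, PASSWORD); }
        return ks;
    }
    static SSLContext buildContext(boolean withClientCert) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load("JKS", TRUST_STORE));
        KeyManagerFactory kmf = null; // null: trust the server but offer no certificate of our own
        if (withClientCert) {
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(load("PKCS12", CLIENT_KEYSTORE), PASSWORD);
        }
        SSLContext ctx = SSLContext.getInstance("TLS"); // not the legacy "SSL" name
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }
    static int status(SSLContext ctx, String url) throws IOException, InterruptedException {
        return HttpClient.newBuilder().sslContext(ctx).build().send(HttpRequest.newBuilder(URI.create(url)).build(),
                HttpResponse.BodyHandlers.discarding()).statusCode();
    }
    public static void main(String[] args) throws Exception {
        String url = "https://10.10.6.100:8443/solr";
        System.out.println("with client cert: HTTP " + status(buildContext(true), url));
        try { // with clientAuth="true" Tomcat must reject this handshake
            System.out.println("WITHOUT client cert accepted, HTTP " + status(buildContext(false), url));
        } catch (IOException e) {
            System.out.println("without client cert rejected, as expected: " + e.getMessage());
        }
    }
}
```

The step 1 certificate carries only CN=10.10.6.100 and no subjectAltName, so this client's default hostname check will reject it; add -ext SAN=ip:10.10.6.100 to the keytool -genkey command in step 1 to issue a certificate it accepts.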