Reference: http://www.cnblogs.com/tyjsjl/p/3359255.html
Generate the server keystore (a self-signed certificate; no CA is involved)

keytool -genkey -alias ca_server -keyalg RSA -keystore ca_server.jks -validity 3600 -storepass 123456
What is your first and last name? [Unknown]: localhost
What is the name of your organizational unit? [Unknown]: itian
What is the name of your organization? [Unknown]: itian
What is the name of your City or Locality? [Unknown]: Beijing
What is the name of your State or Province? [Unknown]: Beijing
What is the two-letter country code for this unit? [Unknown]: CN
Is CN=localhost, OU=itian, O=itian, L=Beijing, ST=Beijing, C=CN correct? [no]: y
Enter key password for <ca_server> (RETURN if same as keystore password):

The first answer becomes the certificate's CN and is what clients match against the host name they connect to, so answer it with the host name the server will be reached under (localhost here, matching the Android hostname verifier below), not with a person's name. The keystore password 123456 is kept throughout this walkthrough only for consistency; use a real secret in deployment.

Then export the certificate (public part only) from the keystore:

keytool -export -alias ca_server -file zhy_server.cer -keystore ca_server.jks -storepass 123456

Then deploy it in Tomcat's server.xml; keystoreFile must point at the keystore generated above:

<Connector SSLEnabled="true" acceptCount="100" clientAuth="false" disableUploadTimeout="true" enableLookups="true" keystoreFile="D:/Tomcat/conf/CA/ca_server.jks" keystorePass="123456" maxSpareThreads="75" maxThreads="200" minSpareThreads="5" port="8848" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslProtocol="TLS" />

After this the application is reachable over https at the corresponding URL, e.g. https://localhost:8848/. Because the certificate is self-signed, browsers will warn until the exported .cer is imported into their trust store. (This attribute form of the Connector is for Tomcat 7 and 8.0; on Tomcat 8.5 and later the same settings are written as a nested <SSLHostConfig> with a <Certificate> element.)

For mutual (two-way) authentication we also need a client keystore and certificate, generated the same way as above (the DN fields need not match the server's). Suppose we produced ca_client.jks and ca_client.cer. The client .cer needs one extra step: it is imported into a truststore that the server consults, so that only clients whose certificate is in that truststore are accepted:

keytool -import -alias ca_client -file ca_client.cer -keystore ca_client_for_server.jks -storepass 123456

The Connector configuration then becomes the following. clientAuth="true" makes Tomcat abort any handshake in which the client does not present a certificate found in truststoreFile; the attribute must appear only once on the element. Tomcat's truststorePass defaults to keystorePass, which is why the truststore was created with the same password above:

<Connector SSLEnabled="true" acceptCount="100" clientAuth="true" disableUploadTimeout="true" enableLookups="true" keystoreFile="D:/Tomcat/conf/CA/ca_server.jks" keystorePass="123456" truststoreFile="D:/Tomcat/conf/CA/ca_client_for_server.jks" maxSpareThreads="75" maxThreads="200" minSpareThreads="5" port="8848" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslProtocol="TLS" />
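The whole procedure above (server keystore, exported certificate, client keystore, server truststore), together with the client-keystore conversion the Android section below needs, as one script. This is an added example and not code from the original post: the file names ca_client_for_server.jks and ca_server_for_client.jks, the password, the DNs, the SAN extension, the BCPROV_JAR variable and the mtls_* function names are assumptions made here. Unlike the interactive transcript it passes -dname on the command line and fixes the key size and signature algorithm explicitly, so the result does not depend on the JDK's defaults.

```shell
#!/bin/sh
# Added example (not from the original post): the keytool procedure for Tomcat mutual TLS,
# end to end. File names, password, DNs and BCPROV_JAR are assumptions for this example.
set -eu

WORKDIR="${WORKDIR:-./mtls-demo}"
STOREPASS="${STOREPASS:-changeit}"   # demo only: keep real passwords out of scripts and server.xml
SERVER_CN="${SERVER_CN:-localhost}"  # must be the host name clients connect to
VALIDITY=365

mtls_generate() (
    mkdir -p "$WORKDIR" && cd "$WORKDIR"

    # 1. Server key pair + self-signed certificate. -storetype JKS keeps the file format matching
    #    the .jks name on JDK 9+ (whose default is PKCS12); a SAN is added because modern TLS
    #    stacks match the host name against the SAN, not the CN.
    keytool -genkeypair -alias ca_server -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -dname "CN=$SERVER_CN, OU=itian, O=itian, L=Beijing, ST=Beijing, C=CN" \
        -ext "SAN=dns:$SERVER_CN" -validity "$VALIDITY" -storetype JKS \
        -keystore ca_server.jks -storepass "$STOREPASS" -keypass "$STOREPASS"

    # 2. Export the server certificate (public part only) for clients to pin.
    keytool -exportcert -alias ca_server -file ca_server.cer \
        -keystore ca_server.jks -storepass "$STOREPASS"

    # 3. Client key pair + self-signed certificate, exported the same way.
    keytool -genkeypair -alias ca_client -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -dname "CN=android-client, OU=itian, O=itian, L=Beijing, ST=Beijing, C=CN" \
        -validity "$VALIDITY" -storetype JKS \
        -keystore ca_client.jks -storepass "$STOREPASS" -keypass "$STOREPASS"
    keytool -exportcert -alias ca_client -file ca_client.cer \
        -keystore ca_client.jks -storepass "$STOREPASS"

    # 4. Server truststore (truststoreFile in server.xml): with clientAuth="true" Tomcat accepts
    #    only handshakes that present a certificate chaining to an entry in this file.
    keytool -importcert -noprompt -alias ca_client -file ca_client.cer -storetype JKS \
        -keystore ca_client_for_server.jks -storepass "$STOREPASS"

    # 5. Client truststore: the server certificate, i.e. what the Android code pins.
    keytool -importcert -noprompt -alias ca_server -file ca_server.cer -storetype JKS \
        -keystore ca_server_for_client.jks -storepass "$STOREPASS"

    # 6. Client identity for Android. PKCS12 loads on Android without extra libraries;
    #    BKS needs the Bouncy Castle provider jar, so that step only runs when BCPROV_JAR is set.
    keytool -importkeystore -noprompt -srckeystore ca_client.jks -srcstoretype JKS \
        -srcstorepass "$STOREPASS" \
        -destkeystore ca_client.p12 -deststoretype PKCS12 -deststorepass "$STOREPASS"
    if [ -n "${BCPROV_JAR:-}" ]; then
        keytool -importkeystore -noprompt -srckeystore ca_client.jks -srcstoretype JKS \
            -srcstorepass "$STOREPASS" \
            -destkeystore ca_client.bks -deststoretype BKS -deststorepass "$STOREPASS" \
            -providerclass org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "$BCPROV_JAR"
    fi
)

# Check before deploying: the server truststore must hold the client certificate and nothing else.
# -rfc prints PEM, so the count does not depend on keytool's localized -list output.
mtls_check_truststore() {
    pem=$(keytool -list -rfc -keystore "$WORKDIR/ca_client_for_server.jks" -storepass "$STOREPASS")
    [ "$(printf '%s\n' "$pem" | grep -c 'BEGIN CERTIFICATE')" -eq 1 ] || return 1
    keytool -list -keystore "$WORKDIR/ca_client_for_server.jks" -storepass "$STOREPASS" \
        -alias ca_client >/dev/null 2>&1
}

# Manual probe against a running Tomcat (needs openssl). Without -cert/-key the handshake must fail
# once clientAuth="true"; with them s_client should print "Verify return code: 0 (ok)".
mtls_probe() {
    host="${1:-localhost}" port="${2:-8848}"
    keytool -exportcert -rfc -alias ca_server -file "$WORKDIR/ca_server.pem" \
        -keystore "$WORKDIR/ca_server.jks" -storepass "$STOREPASS"
    openssl pkcs12 -in "$WORKDIR/ca_client.p12" -nodes -passin "pass:$STOREPASS" -out "$WORKDIR/ca_client.pem"
    echo "--- no client certificate (expected to be rejected) ---"
    openssl s_client -connect "$host:$port" -CAfile "$WORKDIR/ca_server.pem" </dev/null || true
    echo "--- with client certificate ---"
    openssl s_client -connect "$host:$port" -CAfile "$WORKDIR/ca_server.pem" \
        -cert "$WORKDIR/ca_client.pem" -key "$WORKDIR/ca_client.pem" </dev/null
}

if [ "${1:-}" = "generate" ]; then mtls_generate && mtls_check_truststore && echo "keystores written to $WORKDIR"; fi
```

Run it as `sh mtls.sh generate`, or source it and call the functions individually. Point keystoreFile at ca_server.jks and truststoreFile at ca_client_for_server.jks, restart Tomcat, then run `mtls_probe localhost 8848`: the first s_client attempt must be cut off by a handshake failure and the second must complete with verify return code 0. ca_client.p12 (or ca_client.bks) and ca_server.cer are what the Android app bundles in its assets.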
For the client side of mutual authentication, take Android as the example. Android does not ship the JKS keystore type: KeyStore.getDefaultType() there returns BKS (PKCS12 is also supported), so the client keystore has to be converted to BKS with the Bouncy Castle provider, or to PKCS12 with keytool -importkeystore, before it is bundled in the app's assets. The code below pins the server certificate(s) handed in as streams, loads the client identity from ca_client.bks, and installs the resulting SSLContext as the process-wide default for HttpsURLConnection:

import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManagerFactory;

// mContext is the Android Context held by the enclosing class; it is needed to open assets.
public void setCertificates(InputStream... certificates)
{
    try
    {
        // Trust store built only from the server certificate(s) passed in, so no public CA is trusted.
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null);
        int index = 0;
        for (InputStream certificate : certificates)
        {
            String certificateAlias = Integer.toString(index++);
            keyStore.setCertificateEntry(certificateAlias, certificateFactory.generateCertificate(certificate));
            try
            {
                if (certificate != null)
                    certificate.close();
            } catch (IOException e)
            {
                // nothing useful to do with a close() failure here
            }
        }
        SSLContext sslContext = SSLContext.getInstance("TLS");
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(keyStore); // initialise from the pinned certificates

        // Client identity: the converted client keystore (private key + certificate) bundled in assets.
        KeyStore clientKeyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        clientKeyStore.load(mContext.getAssets().open("ca_client.bks"), "123456".toCharArray());
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(clientKeyStore, "123456".toCharArray());

        sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
        // The pinned self-signed certificate is matched by the trust manager, not by host name, so
        // host-name verification is reduced to an allow-list; any host other than "localhost" is rejected.
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
            @Override
            public boolean verify(String hostname, SSLSession sslsession) {
                return "localhost".equals(hostname);
            }
        });
    } catch (Exception e)
    {
        e.printStackTrace();
    }
}

Note that both setDefault* calls change every HttpsURLConnection in the process, including ones made by libraries; if the server certificate ever carries a proper host name (SAN), drop the custom HostnameVerifier and let the default one do the check.
Reading a .cer certificate

import java.io.FileInputStream;
import java.math.BigInteger;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;

CertificateFactory certificatefactory = CertificateFactory.getInstance("X.509");
FileInputStream bais = new FileInputStream("srca.cer");
X509Certificate Cert = (X509Certificate) certificatefactory.generateCertificate(bais);
bais.close();
System.out.println("Version " + Cert.getVersion());
System.out.println("Serial number " + Cert.getSerialNumber().toString(16));
// getSubjectDN()/getIssuerDN() are deprecated; the X500Principal accessors are the replacements
System.out.println("Subject " + Cert.getSubjectX500Principal());
System.out.println("Issuer\n" + Cert.getIssuerX500Principal());
System.out.println("Not before " + Cert.getNotBefore());
System.out.println("Not after " + Cert.getNotAfter());
System.out.println("Signature algorithm " + Cert.getSigAlgName());
byte[] sig = Cert.getSignature();
// signum 1: treat the signature as an unsigned number, otherwise a leading byte >= 0x80 prints as a negative hex value
System.out.println("Signature:" + new BigInteger(1, sig).toString(16));
PublicKey pk = Cert.getPublicKey();
// java.util.Base64 needs Java 8 (Android API 26); the encoded key is the DER SubjectPublicKeyInfo
System.out.println("PublicKey:" + Base64.getEncoder().encodeToString(pk.getEncoded()));
If reading from a keystore instead:

import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;

String pass = "080302";
String alias = "mykey";
String name = ".keystore";
FileInputStream in = new FileInputStream(name);
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(in, pass.toCharArray());
// getCertificate works for both key entries and trusted-certificate entries; it returns null if the alias is absent
Certificate c = ks.getCertificate(alias);
in.close();
System.out.println(c.toString());
Original article: http://my.oschina.net/ososchina/blog/500973