通过jdk自制https证书并配置到nginx中

发表于 | 阅读次数:

java tomcat 搭建SSL双向认证以及httpclient代码

一、生成密钥库和证书

可参考以下密钥生成脚本,根据实际情况做必要的修改,其中需要注意的是:服务端的密钥库参数“CN”必须与服务端的IP地址相同,否则会报错,客户端的任意。
key.script

1 、生成服务器证书库

keytool -validity 365 -genkey -v -alias server -keyalg RSA -keystore /opt/web/ssl/server.keystore -dname “CN=localhost,OU=sumscope,O=sumscope,L=Pudong,ST=Shanghai,c=com” -storepass 111111 -keypass 111111

2 、生成客户端证书库

keytool -validity 365 -genkeypair -v -alias client -keyalg RSA -storetype PKCS12 -keystore /opt/web/ssl/client.p12 -dname “CN=client,OU=sumscope,O=sumscope,L=Pudong,ST=Shanghai,c=com” -storepass 222222 -keypass 222222

3 、从客户端证书库中导出客户端证书

keytool -export -v -alias client -keystore /opt/web/ssl/client.p12 -storetype PKCS12 -storepass 222222 -rfc -file /opt/web/ssl/client.cer

4 、从服务器证书库中导出服务器证书

keytool -export -v -alias server -keystore /opt/web/ssl/server.keystore -storepass 111111 -rfc -file /opt/web/ssl/server.cer

5 、生成客户端信任证书库(由服务端证书生成的证书库)

keytool -import -v -alias server -file /opt/web/ssl/server.cer -keystore /opt/web/ssl/client.truststore -storepass 222222

6 、将客户端证书导入到服务器证书库(使得服务器信任客户端证书)

keytool -import -v -alias client -file /opt/web/ssl/client.cer -keystore /opt/web/ssl/server.keystore -storepass 111111

7 、查看证书库中的全部证书

keytool -list -keystore /opt/web/ssl/server.keystore -storepass 111111

二、Tomat配置

使用文本编辑器编辑${catalina.base}/conf/server.xml
找到Connector port=”8443”的标签,取消注释,并修改成如下:

1
2
3
4
5
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="true" sslProtocol="SSL"
keystoreFile="/opt/web/ssl/server.keystore" keystorePass="111111"
truststoreFile="/opt/web/ssl/server.keystore" truststorePass="111111" />

备注:
keystoreFile:指定服务器密钥库,可以配置成绝对路径,如“/opt/web/ssl/server.keystore”。
keystorePass:密钥库生成时的密码
truststoreFile:受信任密钥库,和密钥库相同即可
truststorePass:受信任密钥库密码

三、建立演示项目

项目结构图:
项目名称:SSL(随意)

1. SSLServlet.java

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
package ian.wang.ssl.servlet;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.X509Certificate;

public class SSLServlet extends HttpServlet {
    private static final String ATTR_CER = "javax.servlet.request.X509Certificate";
    private static final String CONTENT_TYPE = "text/plain;charset=UTF-8";
    private static final String DEFAULT_ENCODING = "UTF-8";
    private static final String SCHEME_HTTPS = "https";

    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        response.setContentType(CONTENT_TYPE);
        response.setCharacterEncoding(DEFAULT_ENCODING);
        PrintWriter out = response.getWriter();
        out.println("cmd=["+request.getParameter("cmd")+"], data=["+request.getParameter("data")+"]");
        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(ATTR_CER);
        if (certs != null) {
            int count = certs.length;
            out.println("共检测到[" + count + "]个客户端证书");
            for (int i = 0; i < count; i++) {
                out.println("客户端证书 [" + (++i) + "]: ");
                out.println("校验结果:" + verifyCertificate(certs[--i]));
                out.println("证书详细:\r" + certs[i].toString());
            }
        } else {
            if (SCHEME_HTTPS.equalsIgnoreCase(request.getScheme())) {
                out.println("这是一个HTTPS请求,但是没有可用的客户端证书");
            } else {
                out.println("这不是一个HTTPS请求,因此无法获得客户端证书列表 ");
            }
        }
        out.close();
    }

    public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        doGet(request, response);
    }


    private boolean verifyCertificate(X509Certificate certificate) {
        boolean valid = false;
        try {
            certificate.checkValidity();
            valid=true;
        } catch (Exception e) {
            e.printStackTrace();
        }
        return valid;
    }
}

2. web.xml

说明:该演示项目强制使用了SSL,即普通的HTTP请求也会强制重定向为HTTPS请求,配置在最下面,可以去除,这样HTTP和HTTPS都可以访问。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
 http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>
    <servlet>
        <servlet-name>SSLServlet</servlet-name>
        <servlet-class>ian.wang.ssl.servlet.SSLServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>SSLServlet</servlet-name>
        <url-pattern>/sslServlet</url-pattern>
    </servlet-mapping>
    <!-- 强制SSL配置,即普通的请求也会重定向为SSL请求 -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>SSL</web-resource-name>
            <url-pattern>/*</url-pattern> <!-- 全站使用SSL -->
        </web-resource-collection>
        <user-data-constraint>
            <description>SSL required</description>
            <!-- CONFIDENTIAL: 要保证服务器和客户端之间传输的数据不能够被修改,且不能被第三方查看到 -->
            <!-- INTEGRAL: 要保证服务器和client之间传输的数据不能够被修改 -->
            <!-- NONE: 指示容器必须能够在任一的连接上提供数据。(即用HTTP或HTTPS,由客户端来决定) -->
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
</web-app>

3. index.jsp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
<%@ page language="java" pageEncoding="UTF-8"%>
<!doctype html>
<html lang="zh-cn">
<head>
  <title>客户端证书上传</title>
  <meta http-equiv="pragma" content="no-cache">
  <meta http-equiv="cache-control" content="no-cache">
  <meta http-equiv="expires" content="0">
</head>
<body>
<form action="sslServlet" method="post">
  <input type="submit" value="提交证书"/>
</form>
</body>
</html>

四、演示及配置

发布演示项目,通过浏览器访问: http://127.0.0.1:8080/SSLhttps://127.0.0.1:8443/SSL ,提示无法访问,需要导入客户端SSL证书:
双击“client.p12”或在浏览器的工具,输入生成密钥时的客户端密码“222222”,刷新浏览器即可正常访问了。

五、HttpClient模拟SSL Post请求

1. HttpClientUtil.java

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
package ian.wang.ssl.util;

import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.client.HttpClient;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.message.BasicNameValuePair;
import org.apache.http.util.EntityUtils;

import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.*;

public class HttpClientUtil {

    private static final String KEY_STORE_TYPE_JKS = "jks";
    private static final String KEY_STORE_TYPE_P12 = "PKCS12";
    private static final String SCHEME_HTTPS = "https";
    private static final int HTTPS_PORT = 8443;
    private static final String HTTPS_URL = "https://localhost:8443/sslServlet";
    private static final String KEY_STORE_CLIENT_PATH = "/opt/web/ssl/client.p12";
    private static final String KEY_STORE_TRUST_PATH = "/opt/web/ssl/client.truststore";
    private static final String KEY_STORE_PASSWORD = "222222";
    private static final String KEY_STORE_TRUST_PASSWORD = "222222";

    public static void main(String[] args){
        String url=HTTPS_URL;
        Map params=new HashMap();
        params.put("cmd","test");
        params.put("data","证书1");
        String charset="utf-8";
        doSSLPost( url, params,  charset);
    }

    private static void doSSLPost(String url, Map<String, String> map, String charset) {
        HttpClient httpClient = new DefaultHttpClient();
        String result = null;
        try {
            KeyStore keyStore = KeyStore.getInstance(KEY_STORE_TYPE_P12);
            KeyStore trustStore = KeyStore.getInstance(KEY_STORE_TYPE_JKS);
            InputStream ksIn = new FileInputStream(KEY_STORE_CLIENT_PATH);
            InputStream tsIn = new FileInputStream(new File(KEY_STORE_TRUST_PATH));
            try {
                keyStore.load(ksIn, KEY_STORE_PASSWORD.toCharArray());
                trustStore.load(tsIn, KEY_STORE_TRUST_PASSWORD.toCharArray());
            } finally {
                try {
                    ksIn.close();
                } catch (Exception ignore) {
                }
                try {
                    tsIn.close();
                } catch (Exception ignore) {
                }
            }
            SSLSocketFactory socketFactory = new SSLSocketFactory(keyStore, KEY_STORE_PASSWORD, trustStore);
            Scheme sch = new Scheme(SCHEME_HTTPS, HTTPS_PORT, socketFactory);
            httpClient.getConnectionManager().getSchemeRegistry().register(sch);
            HttpPost httpPost = new HttpPost(url);
            //设置参数
            if (map != null) {
                List<NameValuePair> list = new ArrayList<NameValuePair>();
                Iterator iterator = map.entrySet().iterator();
                while (iterator.hasNext()) {
                    Map.Entry<String, String> elem = (Map.Entry<String, String>) iterator.next();
                    list.add(new BasicNameValuePair(elem.getKey(), elem.getValue()));
                }
                httpPost.setEntity(new UrlEncodedFormEntity(list, charset));
            }
            HttpResponse response = httpClient.execute(httpPost);
            if (response != null) {
                HttpEntity resEntity = response.getEntity();
                if (resEntity != null) {
                    result = EntityUtils.toString(resEntity, charset);
                }
            }
            System.out.println("result={" + result + "}");
        }catch(Exception e){
            e.printStackTrace();
        } finally {
            httpClient.getConnectionManager().shutdown();
        }
    }
}

六、使用浏览器访问 https应用截图

1. 打开浏览器,访问测试网址:https://101.231.124.155:8443/ssl

于该应用配置了 Tomcat SSL双向认证,需要客户端提供证书文件导入成功了,才能正常访问。在Firefox 浏览器中,导入客户端证书, 在 Firefox 选项 - 高级 - 证书 中, 点击 查看证书。

2. 点击“导入”, 选择客户端证书文件 client.p12

3. 输入客户端证书密码

4. 客户端证书验证成功后,显示证书如下

5. 打开网址,输入: https://101.231.124.155:8443 ,浏览器会提示 选择已安装的证书,点击“确认”。

6. 显示如下,则表示SSL证书导入成功, 测试页面正常显示了。

七、通过jdk自制https证书并配置到nginx中

1、转换证书

常用证书格式:JKS(.keystore), 微软(.pfx), OPSSL之PEM(.key + .crt) , 其中tomcat使用JKS格式,nginx使用PEM格式。

由于生成的证书是jks格式,nginx不能直接使用,需要转换成PEM格式,这要用到jks2pfx工具进行转换。

jks2pfx的命令格式:

jks2pfx.bat keystore password alias exportname

keystore: KeyStore文件绝对路径
password: KeyStore文件对应的密码
password: KeyStore文件对应的密码
alias:生成证书CSR时,所起的ALias别名
exportname:准备导出的文件名称(不要带扩展名)

例如:

JKS2PFX.bat d:\lgy.com.keystore 123456 lgy.com exportfile

该命令将server.jks中别名为lgy.com的SSL证书导出,运行后将在jks2pfx的按照目录产生3个文件:
exportfile.key、exportfile.crt、exportfile.pfx;

2、 nginx配置

nginx配置请参照nginx配置https