Generating certificates and deploying SSL authentication under Tomcat: step-by-step


System environment:

windows xp / jdk6 / tomcat7 / openssl

OpenSSL is the official 1.0.0d build; download: http://www.openssl.org/related/binaries.html

Preparing the software environment:

Install OpenSSL with the defaults; the path is c:\OpenSSL-Win32. Create a directory named cawork on drive E.

- In c:\openssl-win32\bin find openssl.cfg, copy it into cawork, open it and set the dir entry of the [ CA_default ] section to ., i.e. the current directory, as follows:

dir=. #Where everything is kept

- Create an empty index.txt file in cawork (it stores the records of issued certificates; OpenSSL maintains it and we never touch it, but it must exist)

- Create a file named serial in cawork containing the two characters "01" (without the quotes); it holds the serial number used when issuing certificates

- Create an empty directory newcerts in cawork to hold copies of the issued certificates (not otherwise used, but OpenSSL errors out if it is missing)

Detailed steps:

1. Generate the root certificate and its private key, and set a passphrase

E:\cawork>openssl req -utf8 -x509 -newkey rsa:2048 -out root.cer -keyout rootKey.pem -days 3650

Loading 'screen' into random state - done

Generating a 2048 bit RSA private key

....+++

.......................................+++

writing new private key to 'rootKey.pem'

Enter PEM pass phrase: (enter the private key passphrase; it is needed later. I used rootkey)

Verifying - Enter PEM pass phrase: (repeat the passphrase)

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]: (fill in the certificate details from here on)

State or Province Name (full name) [Some-State]:

Locality Name (eg, city) []:

Organization Name (eg, company) [Internet Widgits Pty Ltd]:

Organizational Unit Name (eg, section) []:

Common Name (eg, YOUR name) []:

Email Address []:

When it finishes we have two files: the root certificate root.cer and the private key rootKey.pem

2. Generate the server certificate request and its private key, and set a passphrase

E:\cawork>openssl req -newkey rsa:1024 -keyout serverKey.pem -out serverRequest.pem -days 365

Loading 'screen' into random state - done

Generating a 1024 bit RSA private key

.......................................++++++

.++++++

writing new private key to 'serverKey.pem'

Enter PEM pass phrase: (enter the private key passphrase; it is needed later. I used serverkey)

Verifying - Enter PEM pass phrase: (repeat the passphrase)

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:

State or Province Name (full name) [Some-State]:

Locality Name (eg, city) []:

Organization Name (eg, company) [Internet Widgits Pty Ltd]:

Organizational Unit Name (eg, section) []:

Common Name (eg, YOUR name) []:www.cas-server.com (must match the domain name, otherwise the certificate is reported as invalid at deployment time)

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

When it finishes we have the server certificate request serverRequest.pem and the private key serverKey.pem

3. Issue the certificate

E:\cawork>c:\openssl-win32\bin\openssl.exe ca -config "./openssl.cfg" -cert root.cer -keyfile rootKey.pem -in serverRequest.pem -out server.cer

Using configuration from ./openssl.cfg

Loading 'screen' into random state - done

Enter pass phrase for rootKey.pem: (rootkey)

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 1 (0x1)

Validity

Not Before: Aug 22 08:23:15 2011 GMT

Not After : Aug 21 08:23:15 2012 GMT

Subject:

countryName               = AU

stateOrProvinceName       = Some-State

organizationName          = Internet Widgits Pty Ltd

commonName                = www.cas-server.com

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

48:8E:0E:46:D4:CC:26:6C:B9:4A:61:19:FC:AB:8D:DA:4E:9E:FA:5C

X509v3 Authority Key Identifier:

keyid:BE:83:33:87:FD:A0:ED:0C:6A:F7:2A:8A:B0:C4:0C:B8:AC:C1:67:07

Certificate is to be certified until Aug 21 08:23:15 2012 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

This gives us the server certificate server.cer

4. Repeating steps 2 and 3 above produces a certificate for client authentication.

5. Export the server certificate together with the root certificate in PKCS#12 format

E:\cawork>openssl pkcs12 -export -in server.cer -inkey serverKey.pem -out server.p12 -chain -CAfile root.cer

Loading 'screen' into random state - done

Enter pass phrase for serverKey.pem: (serverkey)

Enter Export Password: (server)

Verifying - Enter Export Password: (server)

6. Configure Tomcat: edit /conf/server.xml

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"

maxThreads="150" scheme="https" secure="true"

keystoreFile="E:/cawork/server.p12" keystorePass="server" keystoreType="pkcs12"

clientAuth="false" sslProtocol="TLS" />
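Steps 1 to 5 above, re-run non-interactively on Linux/macOS, as an added example that is not part of the original post: it uses a minimal stand-in for the edited openssl.cfg, adds a subjectAltName next to the Common Name (current browsers match the SAN, not the CN), and ends with the chain and host-name check a TLS client performs. The passphrases rootkey/serverkey/server follow the post; the work directory, host name, CA name and 2048-bit server key are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: the page's steps 1-5 run non-interactively on
# Linux/macOS. Passphrases follow the post; directory, host name and CA name are assumed.
set -eu
make_chain() (             # $1 = work dir (the post's E:\cawork), $2 = server host name; runs in a subshell
  work="$1"; host="$2"
  mkdir -p "$work/newcerts"; cd "$work"         # newcerts/ is required by "openssl ca"
  : > index.txt; echo 01 > serial                # empty CA database and serial counter, as on the page
  cat > openssl.cfg <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
subjectAltName = DNS:$host
EOF
  # Step 1: self-signed root certificate plus passphrase-protected root key
  openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -config openssl.cfg -extensions ca_ext \
    -subj "/CN=Example Root CA" -passout pass:rootkey -keyout rootKey.pem -out root.cer
  # Step 2: server key and CSR; the CN is the host name, as the post requires (2048 bits instead of 1024)
  openssl req -new -newkey rsa:2048 -config openssl.cfg \
    -subj "/CN=$host" -passout pass:serverkey -keyout serverKey.pem -out serverRequest.pem
  # Step 3: sign the CSR with the root via "openssl ca"; -batch replaces the two y/n prompts
  openssl ca -batch -config openssl.cfg -cert root.cer -keyfile rootKey.pem -passin pass:rootkey \
    -days 365 -md sha256 -extensions server_ext -notext -in serverRequest.pem -out server.cer
  # Step 5: PKCS#12 bundle for Tomcat's keystoreFile, with root.cer included
  openssl pkcs12 -export -in server.cer -inkey serverKey.pem -passin pass:serverkey \
    -certfile root.cer -passout pass:server -out server.p12
)
# The check a TLS client performs: server.cer chains to root.cer and its SAN matches the host name.
# Exit status 0 on success, non-zero (with the reason printed) on a broken chain or name mismatch.
verify_server() {          # $1 = work dir, $2 = expected host name
  openssl verify -CAfile "$1/root.cer" -verify_hostname "$2" "$1/server.cer"
}
```

Run as `make_chain /tmp/cawork www.cas-server.com && verify_server /tmp/cawork www.cas-server.com`; repeating the verify with a different host name reproduces the "certificate problem" the post warns about when the name does not match.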



Copyright notice: this article is an original work by nickycheng, released under the CC 4.0 BY-SA license; please include a link to the original source and this notice when reproducing it.