2019独角兽企业重金招聘Python工程师标准>>> 
制作service服务器端证书
1.创建服务器证书密钥 server.key
openssl genrsa -des3 -out server.key 2048
输出内容为:
Generating RSA private key, 2048 bit long modulus
...........................+++
...............+++
e is 65537 (0x010001)
Enter pass phrase for server.key: ← 输入前面创建的密码
Verifying - Enter pass phrase for server.key: ← 重新输入一遍密码
运行时会提示输入密码,此密码用于加密key文件(参数des3便是指加密算法,当然也可以选用其他你认为安全的算法.),以后每当需读取此文件(通过openssl提供的命令或API)都需输入口令.如果觉得不方便,也可以去除这个口令,但一定要采取其他的保护措施!
去除key文件口令的命令:
openssl rsa -in server.key -out server.key
2.创建服务器证书的申请文件 server.csr
openssl req -new -key server.key -out server.csr
输出内容为:
Enter pass phrase for server.key: ← 输入前面创建的密码
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [AU]:CN ← 国家名称,中国输入CN
State or Province Name (full name) [Some-State]:BeiJing ← 省名,拼音
Locality Name (eg, city) []:BeiJing ← 市名,拼音
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany Corp. ← 公司英文名
Organizational Unit Name (eg, section) []: ← 可以不输入
Common Name (eg, YOUR name) []:www.xxx.com ← 服务器主机名(或者IP),若填写不正确,浏览器会报告证书无效,但并不影响使用
Email Address []:admin@mycompany.com ← 电子邮箱,可随便填
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []: ← 可以不输入
An optional company name []: ← 可以不输入
3.创建自当前日期起有效期为期十年的服务器证书 server.crt
//openssl x509 -req -days 3650 -sha256 -extfile /usr/local/openssl/ssl/openssl.cnf -extensions v3_req -CA root.crt -CAkey root.key -CAcreateserial -in server.csr -out server.crt
openssl x509 -req -days 3650 -sha256 -in server.csr -out server.crt -signkey server.key
输出内容为:
Signature ok
subject=/C=CN/ST=BeiJing/L=BeiJing/O=MyCompany Corp./CN=www.mycompany.com/emailAddress=admin@mycompany.com
Getting CA Private Key
Enter pass phrase for root.key: ← 输入前面创建的密码
4.导出.p12文件 server.p12
openssl pkcs12 -export -in /tmp/ca/server.crt -inkey /tmp/ca/server.key -out /tmp/ca/server.p12 -name "server"
根据命令提示,输入server.key密码,创建p12密码。
5.将.p12 文件导入到keystore JKS文件 server.keystore
keytool -importkeystore -v -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass 123456 -destkeystore server.keystore -deststoretype jks -deststorepass 123456 -ext san=ip:127.0.0.1
这里srcstorepass后面的123456为server.p12的密码deststorepass后的123456为keyStore的密码
6.导出服务端RSA证书并将证书导入到客户端truststore文件中,信任库文件被客户端使用,用于对服务端身份验证
keytool -export -alias server -file webServicetomcat.cer -storepass 123456 -keystore server.keystore -storetype JKS
keytool -import -file webServicetomcat.cer -storepass 123456 -keystore client.truststore -alias tomcatkey -noprompt
补充问题
1.如果有需求对所有的请求都使用https访问的话,需要对tomcat 下的web.xml 添加以下代码:
[html] view plain copy
2.如果有需求对所有的请求都使用https访问的话,需要对tomcat 下的web.xml 添加以下代码:
[html] view plain copy
<login-config>
<!-- Authorization setting for SSL -->
<auth-method>CLIENT-CERT</auth-method>
<realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<security-constraint>
<!-- Authorization setting for SSL -->
<web-resource-collection >
<web-resource-name >SSL</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
注意:<url-pattern>根据自己的的需求进行修改
3.对Axis2进行配置
修改发布的axis2.xml,添加以下代码:
[html] view plain copy
<transportReceiver name="https" class="org.apache.axis2.transport.http.AxisServletListener">
<parameter name="port">8443</parameter>
</transportReceiver>
[html] view plain copy
<transportSender name="https"
class="org.apache.axis2.transport.http.CommonsHTTPTransportSender">
<parameter name="PROTOCOL">HTTP/1.1</parameter>
<parameter name="Transfer-Encoding">chunked</parameter>
</transportSender>
4.替换为https访问之后,在屏蔽了可信任的安全证书访问时,会提示无有效的安全证书的异常,如下:
添加了可信任的安全证书访问时,即可正常访问。信任证书可以是绝对路径下的也可以是项目路径下的。
System.setProperty("javax.net.ssl.trustStore", "D:\\apache-tomcat-8.0.43\\conf\\client.truststore");