【轉(zhuǎn)自】http://hi.baidu.com/kangqii/blog/item/f8495043f70c3a1572f05d4e.html

最近要做一個(gè)CRM,登錄時(shí)數(shù)字證書(shū)要有驗(yàn)證的功能,在用戶(hù)登錄時(shí)除了效驗(yàn)用戶(hù)名密碼,還需驗(yàn)證其數(shù)字證書(shū)
相關(guān)資源:IBM developerWroks中國(guó)中的tomcat4中使用SSLjavaeye中的Acegi X.509雙向認(rèn)證
tomcat4中使用SSL中的異同:jdk1.4中已經(jīng)包含JSSE
AcegiX.509雙向認(rèn)證中的異同:tomcat6配置文件多了SSLEnabled="true"屬性
1.生成CA證書(shū)目前不使用第三方權(quán)威機(jī)構(gòu)的CA來(lái)認(rèn)證,自己充當(dāng)CA的角色

1.創(chuàng)建私鑰 :C:\OpenSSL\apps>openssl genrsa -out root/root-key.pem 1024
2.創(chuàng)建證書(shū)請(qǐng)求 :C:\OpenSSL\apps>openssl req -new -out root/root-req.csr -key root/root-key.pem
3.自簽署證書(shū) :C:\OpenSSL\apps>openssl x509 -req -in root/root-req.csr -out root/root-cert.pem -signkey
root/root-key.pem -days 3650
4.將證書(shū)導(dǎo)出成瀏覽器支持的.p12格式 :C:\OpenSSL\apps>openssl pkcs12 -export -clcerts -in root/root-cert.pem -inkey
root/root-key.pem -out root/root.p12

2.生成server證書(shū)
1.創(chuàng)建私鑰 :C:\OpenSSL\apps>openssl genrsa -out server/server-key.pem 1024
2.創(chuàng)建證書(shū)請(qǐng)求 :C:\OpenSSL\apps>openssl req -new -out server/server-req.csr -key server/server-key.pem
3.自簽署證書(shū) :C:\OpenSSL\apps>openssl x509 -req -in server/server-req.csr -out server/server-cert.pem -signkey
server/server-key.pem -CA root/root-cert.pem -CAkey root/root-key.pem -CAcreateserial -days 3650
4.將證書(shū)導(dǎo)出成瀏覽器支持的.p12格式 :C:\OpenSSL\apps>openssl pkcs12 -export -clcerts -in server/server-cert.pem -inkey
server/server-key.pem -out server/server.p12

3.生成client證書(shū)
1.創(chuàng)建私鑰 :C:\OpenSSL\apps>openssl genrsa -out client/client-key.pem 1024
2.創(chuàng)建證書(shū)請(qǐng)求 :C:\OpenSSL\apps>openssl req -new -out client/client-req.csr -key client/client-key.pem
3.自簽署證書(shū) :C:\OpenSSL\apps>openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -signkey
client/client-key.pem -CA root/root-cert.pem -CAkey root/root-key.pem -CAcreateserial -days 3650
4.將證書(shū)導(dǎo)出成瀏覽器支持的.p12格式 :C:\OpenSSL\apps>openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey
client/client-key.pem -out client/client.p12

4.根據(jù)root證書(shū)生成jks文件
C:\OpenSSL\apps\root>keytool -import -v -trustcacerts -storepass password -alias root -file root-cert.pem
-keystore root.jks

5.配置tomcat ssl,修改conf/server.xmltomcat6中多了SSLEnabled="true"屬性
keystorefile, truststorefile設(shè)置為你正確的相關(guān)路徑

xml 代碼

  1. <connector secure="true" scheme="https" protocol="HTTP/1.1" port="8443"
  2. sslenabled="true" maxhttpheadersize="8192" maxthreads="150"
  3. minsparethreads="25" maxsparethreads="75" enablelookups="false"
  4. disableuploadtimeout="true" acceptcount="100" sslprotocol="TLS"
  5. clientauth="true" keystorefile="d:/path/bin/x509/server.p12"
  6. keystoretype="PKCS12" keystorepass="123456" truststorefile="d:/path/bin/x509/root.jks"
  7. truststoretype="JKS" truststorepass="123456"/>

6.將root.p12,client.p12分別導(dǎo)入到IE中去(打開(kāi)IE->;Internet選項(xiàng)->內(nèi)容->證書(shū))

root.p12導(dǎo)入至受信任的根證書(shū)頒發(fā)機(jī)構(gòu),client.p12導(dǎo)入至個(gè)人
7.訪問(wèn)你的應(yīng)用http://ip:8443,如果配置正確的話(huà)會(huì)出現(xiàn)請(qǐng)求你數(shù)字證書(shū)的對(duì)話(huà)框
8.在jsp中取得符合x(chóng).509格式的證書(shū)

java 代碼

  1. <%??????
  2. //獲得certificate chain???
  3. ???????? X509Certificate[] ca=(X509Certificate[])request.getAttribute("javax.servlet.request.X509Certificate");?????
  4. if(ca==null)?????
  5. ?????? {?????
  6. ???????? out.println("No cert info!");?????
  7. ?????? } else {?????
  8. ???????? String?? serial=ca[0].getSerialNumber().toString();?????
  9. ???????? String DN=ca[0].getSubjectDN().toString();???????
  10. ?????? }?????
  11. ?????? %>?

文章來(lái)源:http://x-spirit.spaces.live.com/Blog/cns!CC0B04AE126337C0!792.entry