This article is a machine-translated mirror of the original article.


How to configure an HTTPS server with self-signed and third-party CA certificates

Posted on 3/22/2017 1:24:35 PM
I described the HTTPS encryption process and the principles behind it in my previous article, "HTTPS Interface Encryption and Authentication".

1. HTTPS with a self-signed CA certificate: server configuration
1.1 One-way authentication: server configuration

Generate a server certificate (figure: the interactive keytool prompts that produce a self-signed certificate; the answers are covered in A to D below)

A. Enter the keystore password: keytool requires at least 6 characters.
B. "What is your first and last name?" This answer becomes the certificate's Common Name (CN) and must be the domain name or IP address of the host Tomcat is deployed on (the address you will later type into the browser); otherwise the browser warns that the certificate does not match the site. Current browsers check the Subject Alternative Name extension rather than the CN, so the host name should be placed there as well (keytool's -ext SAN option).
C. "What is the name of your organizational unit?", "What is the name of your organization?", "What is the name of your City or Locality?", "What is the name of your State or Province?" and "What is the two-letter country code for this unit?" can be filled in or left blank as needed. keytool then asks "Is ... correct?"; type "y" if it is, or "n" to enter the information again.
D. The key password matters because the Tomcat configuration has to know it. Use the same password as the keystore: Tomcat's keystorePass is used for both the keystore and the key unless a separate keyPass is configured. When the prompts are finished, the keystore file is in the location given in the command.
Next, export the server certificate from server.jks (this writes the public certificate only; the private key stays in the keystore):
C:\Users\wkt>keytool -export -alias server -file server.cer -keystore server.jks

Certificate exported from the root keystore (figure)


Configure Tomcat
Locate tomcat/conf/server.xml and open it in a text editor.
Find the <Connector> element for port 8443 and change it to:
<Connector SSLEnabled="true" clientAuth="false"
    disableUploadTimeout="true" enableLookups="true"
    keystoreFile="C:\Users\wkt\server.jks" keystorePass="123456"
    maxSpareThreads="75"
    maxThreads="200" minSpareThreads="5" port="8443"
    protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
    secure="true" sslProtocol="TLS"
/>
Note: keystoreFile is the path of the .jks file and keystorePass is the keystore password chosen when the certificate was generated (123456 is only the example value here; use a real password). SSLEnabled="true" is what switches the NIO connector to TLS; without it the connector serves plain HTTP on 8443.
Test: start Tomcat and open https://localhost:8443/ in the browser. Because the certificate is self-signed, the browser shows a warning that the issuer is not trusted; if the page loads after accepting it, the configuration is working.

The configuration is successful


1.2 Two-way authentication: server configuration
Generate client certificates (figure: the same keytool prompts as in 1.1)

Generate a second key pair and certificate exactly as in 1.1 and name the files client.jks and client.cer.
Import client.cer into a truststore named client_for_server.jks. Only the certificate goes in; the client's private key stays in client.jks and never reaches the server.
Configure the server: change the port 8443 <Connector> element so that it requires a client certificate, i.e. set clientAuth="true" and add truststoreFile and truststorePass pointing at client_for_server.jks (the original shows the complete element as a screenshot).
Note: truststoreFile is the path of the truststore, truststorePass its password.
Test: start Tomcat and open https://localhost:8443/ in the browser. A browser without the client certificate is now refused during the TLS handshake; once the client's P12 file (section 1.3) is imported into the browser, the page loads.

The configuration is successful


1.3 Export a P12 certificate
In the previous article we saw that, for the server to authenticate the client, the client has to import a P12 (PKCS#12) file containing its private key and certificate. So how do we produce that P12 from the client keystore (client.jks)? Because the file contains the private key, protect it and its password as carefully as the keystore itself.
On Windows, Portecle can do the conversion:

Converting to a P12 certificate on Windows (figure)


2. Using a third-party CA server certificate
For a third-party CA certificate, all we have to do is submit the required materials and purchase a server certificate. The process is as follows:
1. Provide the server's IP address to the CA. (Note: the certificate is bound to that IP address, and it can only be used to authenticate the server.)
2. Ask the CA to deliver the certificate in .pfx format (PKCS#12, containing the private key and the certificate).
3. Convert the .pfx into a .jks keystore (with Portecle), as shown below. Tomcat can also load the .pfx directly by setting keystoreType="PKCS12" on the Connector, in which case this conversion is unnecessary:

Certificate conversion

4. With the JKS keystore in hand, configure Tomcat: locate tomcat/conf/server.xml, open it in a text editor, find the <Connector> element for port 8443 and change it as shown below:

Configure the server (figure)

Note: keystoreFile is the path of the .jks file and keystorePass is the password set when the keystore was converted.
5. That completes the server certificate configuration. Start Tomcat and open https://115.28.233.131:8443 in the browser; the display shown below indicates success (the result looks the same as on 12306):

Verification is successful
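The keytool commands behind the screenshots of sections 1.1 to 1.3, plus the .pfx-to-.jks step of section 2, as an added example that is not part of the original post. It needs only a JDK on the PATH (keytool ships with it). The password changeit, the host name localhost, the aliases server and client, the file name make_keystores.sh and the attribute values in the two-way Connector are assumptions of this example; the post's own values are 123456 and C:\Users\wkt, and its screenshot of the Connector is not reproduced.

```shell
#!/bin/sh
# Added example (not code from the original post): the keytool commands that the
# post's screenshots stand in for. 1.1 = self-signed server key pair + exported
# certificate, 1.2 = client key pair + the truststore that truststoreFile points
# at, 1.3 = the .p12 the browser imports (keytool instead of Portecle),
# 2 = a CA-issued .pfx converted to .jks.
# Assumed, not from the post: password "changeit" (the post uses 123456),
# host name "localhost", output written into the directory passed as $1.
set -e

PASS=changeit
SERVER_DN="CN=localhost, OU=Dev, O=Example, L=Beijing, ST=Beijing, C=CN"

# 1.1  Self-signed server key pair. The "first and last name" answer becomes the
# CN; current browsers also require the host name in the SAN extension.
make_server_keystore() {
  keytool -genkeypair -alias server -keyalg RSA -keysize 2048 \
    -sigalg SHA256withRSA -validity 365 -dname "$SERVER_DN" \
    -ext "SAN=dns:localhost,ip:127.0.0.1" \
    -keystore "$1/server.jks" -storetype JKS -storepass "$PASS" -keypass "$PASS"
  # The post's -export step: public certificate only, the private key stays in server.jks.
  keytool -exportcert -alias server -file "$1/server.cer" \
    -keystore "$1/server.jks" -storepass "$PASS"
}

# 1.2  Client key pair, then ONLY its certificate goes into the server's truststore.
make_client_keystore() {
  keytool -genkeypair -alias client -keyalg RSA -keysize 2048 \
    -sigalg SHA256withRSA -validity 365 -dname "CN=client1, O=Example, C=CN" \
    -keystore "$1/client.jks" -storetype JKS -storepass "$PASS" -keypass "$PASS"
  keytool -exportcert -alias client -file "$1/client.cer" \
    -keystore "$1/client.jks" -storepass "$PASS"
  keytool -importcert -noprompt -alias client -file "$1/client.cer" \
    -keystore "$1/client_for_server.jks" -storetype JKS -storepass "$PASS"
}

# 1.3  PKCS#12 for the browser. It contains the client's private key, so treat
# the file like a password.
export_client_p12() {
  keytool -importkeystore -noprompt \
    -srckeystore "$1/client.jks" -srcstoretype JKS -srcstorepass "$PASS" \
    -destkeystore "$1/client.p12" -deststoretype PKCS12 -deststorepass "$PASS"
}

# 2    CA-issued .pfx -> .jks. The private-key password is carried over unchanged,
# so a .pfx password different from $PASS needs keyPass="..." in the Connector.
pfx_to_jks() { # $1 = source.pfx  $2 = destination.jks  $3 = .pfx password
  keytool -importkeystore -noprompt \
    -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$3" \
    -destkeystore "$2" -deststoretype JKS -deststorepass "$PASS"
}

# Two-way Connector for section 1.2 (assumed attribute values).
connector_xml() { # $1 = directory holding server.jks and client_for_server.jks
  cat <<EOF
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
    keystoreFile="$1/server.jks" keystorePass="$PASS"
    clientAuth="true"
    truststoreFile="$1/client_for_server.jks" truststorePass="$PASS" />
EOF
}

# Checks: PrivateKeyEntry means the store holds a private key, trustedCertEntry
# means a certificate only (what a truststore should contain).
entry_type() { # $1 = keystore  $2 = alias  $3 = JKS | PKCS12
  case "$(keytool -list -keystore "$1" -storetype "$3" -storepass "$PASS" -alias "$2")" in
    *PrivateKeyEntry*)  echo PrivateKeyEntry ;;
    *trustedCertEntry*) echo trustedCertEntry ;;
    *)                  echo unknown ;;
  esac
}
cert_subject() { # $1 = .cer file; prints the Owner (subject) line
  keytool -printcert -file "$1" | sed -n 's/^Owner: //p'
}

if [ "${1:-}" = "--run" ]; then
  WORK=$(mktemp -d)
  make_server_keystore "$WORK"; make_client_keystore "$WORK"; export_client_p12 "$WORK"
  pfx_to_jks "$WORK/client.p12" "$WORK/from_pfx.jks" "$PASS"
  echo "server.jks holds a $(entry_type "$WORK/server.jks" server JKS) for $(cert_subject "$WORK/server.cer")"
  echo "client_for_server.jks holds a $(entry_type "$WORK/client_for_server.jks" client JKS)"
  connector_xml "$WORK"
fi
```

Run it as sh make_keystores.sh --run; the files land in a fresh temporary directory and the printed entry types confirm that the truststore holds only a trustedCertEntry while the keystores hold a PrivateKeyEntry. The JKS warnings newer JDKs print are harmless; on those JDKs the .p12 can be given to Tomcat directly with keystoreType="PKCS12", which makes the .pfx-to-.jks conversion of section 2 optional.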

Note: for payment-gateway style certificates, where server and client authenticate each other, you also need an identity authentication gateway. This gateway is a purchased appliance; there are G2000 and G3000 models (1U and 3U respectively), priced at roughly 200,000 to 300,000 yuan. After the gateway is purchased, the third-party organization provides the certificates: a server certificate and mobile-terminal certificates (there can be several mobile terminals). These certificates have to pass through the organization's gateway, and the certificates they give us can be in JKS format.





Original poster | Posted on 12/5/2024 3:40:02 PM
Deploying OpenSSL self-signed certificates to IIS and SLB
https://www.itsvse.com/thread-10034-1-1.html