Implementing two-way (mutual) SSL authentication with HttpClient
1. Generate the server certificate
keytool -genkey -keyalg RSA -dname "cn=localhost,ou=sango,o=none,l=china,st=beijing,c=cn" -alias server -keypass password -keystore server.jks -storepass password -validity 3650
2. Generate the client certificate
keytool -genkey -keyalg RSA -dname "cn=sango,ou=sango,o=none,l=china,st=beijing,c=cn" -alias custom -storetype PKCS12 -keypass password -keystore custom.p12 -storepass password -validity 3650
The client's CN can be any value.
3. Because this is two-way SSL authentication, the server must trust the client certificate, so the client certificate has to be added to the server's trusted certificates. A PKCS12 keystore cannot be imported directly, so first export the client certificate to a standalone CER file with the following command:
keytool -export -alias custom -file custom.cer -keystore custom.p12 -storepass password -storetype PKCS12 -rfc
Then add the client certificate to the server (import the signed digital certificate into the keystore):
keytool -import -v -alias custom -file custom.cer -keystore server.jks -storepass password
4. View the certificate contents
keytool -list -v -keystore server.jks -storepass password
5. Configure the Tomcat server.xml file
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
keystoreFile="D:/server.jks" keystorePass="password"
truststoreFile="D:/server.jks" truststorePass="password"
/>
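clientAuth="true" enables two-way authentication.
6. Import the client certificate into the browser
Two-way authentication makes verification of the client certificate mandatory. Double-click "custom.p12" to import the certificate into IE.
7. Java implementation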
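import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;
import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;

public class ClientCertRequest {
    public static void main(String[] args) throws Exception {
        DefaultHttpClient httpclient = new DefaultHttpClient();
        // Load server.jks; it is used below as both key material and trust material.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream instream = new FileInputStream(new File("D:/server.jks"));
        try {
            trustStore.load(instream, "password".toCharArray());
        } finally {
            instream.close();
        }
        // Arguments: key store, key store password, trust store.
        SSLSocketFactory socketFactory = new SSLSocketFactory(trustStore, "password", trustStore);
        Scheme sch = new Scheme("https", socketFactory, 443);
        httpclient.getConnectionManager().getSchemeRegistry().register(sch);
        // Assumed URL: the Tomcat connector from step 5 (port 8443, certificate CN localhost).
        HttpGet httpget = new HttpGet("https://localhost:8443/");
        System.out.println("executing request " + httpget.getRequestLine());
        HttpResponse response = httpclient.execute(httpget);
        HttpEntity entity = response.getEntity();
        System.out.println("----------------------------------------");
        System.out.println(response.getStatusLine());
        if (entity != null) {
            System.out.println("Response content length: " + entity.getContentLength());
        }
        if (entity != null) {
            entity.consumeContent();
        }
        httpclient.getConnectionManager().shutdown();
    }
}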
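A variant of the client above in which the Java client presents its own certificate from custom.p12 and trusts only the server's public certificate, so server.jks (which holds the server's private key) never has to be copied to the client. This is an added example, not code from the original page; the paths D:/custom.p12 and D:/server.cer, the URL and the class and method names are assumptions, and server.cer is assumed to have been exported from alias server in server.jks the same way custom.cer was exported in step 3.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;

public class MutualTlsClient {
    // Key material: the client's own PKCS12 store from step 2 (private key + certificate).
    static KeyStore loadClientKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        InputStream in = new FileInputStream(path);
        try { ks.load(in, password); } finally { in.close(); }
        return ks;
    }

    // Trust material: an in-memory store holding only the server's public certificate.
    static KeyStore trustOnly(String cerPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = new FileInputStream(cerPath);
        Certificate serverCert;
        try { serverCert = cf.generateCertificate(in); } finally { in.close(); }
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null); // initialise an empty store
        ts.setCertificateEntry("server", serverCert);
        return ts;
    }

    public static void main(String[] args) throws Exception {
        // Assumed locations; server.cer is an assumed export of alias "server".
        KeyStore keyStore = loadClientKeyStore("D:/custom.p12", "password".toCharArray());
        KeyStore trustStore = trustOnly("D:/server.cer");
        DefaultHttpClient httpclient = new DefaultHttpClient();
        try {
            SSLSocketFactory sf = new SSLSocketFactory(keyStore, "password", trustStore);
            httpclient.getConnectionManager().getSchemeRegistry().register(new Scheme("https", sf, 443));
            HttpResponse response = httpclient.execute(new HttpGet("https://localhost:8443/"));
            System.out.println(response.getStatusLine());
            HttpEntity entity = response.getEntity();
            if (entity != null) entity.consumeContent();
        } finally {
            httpclient.getConnectionManager().shutdown();
        }
    }
}
```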