1、创建根证书
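# Step 1: create a private root CA (key, self-signed cert, Java truststore).
mkdir zhutao/ca -p
cd zhutao/ca/ || exit 1
# AES-256 instead of 3DES for the key-file passphrase; 3DES is a legacy cipher.
openssl genrsa -aes256 -out root.key 2048
openssl req -new -key root.key -out root.csr
# NOTE(review): `openssl x509 -req -extensions v3_ca` with no -extfile adds no
# extensions at all (the section is only read from the -extfile config, not from
# the default openssl.cnf — confirm against your OpenSSL version's x509(1)), so the
# original root had no basicConstraints. Spell the CA extensions out explicitly.
cat > ca.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
openssl x509 -req -days 3650 -sha256 -extfile ca.ext -signkey root.key -in root.csr -out root.crt
# Only the certificate goes into the truststore (no private key), so -keypass is
# meaningless here and was dropped. "123456" is a demo password — use a real one
# in anything beyond a lab.
keytool -keystore root.truststore -storepass 123456 -alias ca -import -trustcacerts -noprompt -file root.crt
# The CA key signs every server/client cert; keep it and the truststore private.
chmod 600 root.key root.truststore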
2、创建server证书
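# Step 2: server certificate signed by the root CA, packaged for Tomcat.
mkdir server
openssl genrsa -aes256 -out server/server.key 2048
openssl req -new -key server/server.key -out server/server.csr
# Extensions must come from an -extfile; `-extensions v3_req` alone adds nothing
# (see x509(1) for your OpenSSL version). Modern Chrome and curl check the host
# against subjectAltName, not CN, so the SAN must list whatever clients connect
# to — the curl test below uses 10.10.10.245; change it to your real host/IP.
cat > server/server.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:10.10.10.245
EOF
openssl x509 -req -days 3650 -sha256 -extfile server/server.ext -CA root.crt -CAkey root.key -CAcreateserial -in server/server.csr -out server/server.crt
# pkcs12 -export prompts for an export password. Enter 123456: it must match
# -srcstorepass on the next line (PKCS#12 store and key passwords are the same),
# and Tomcat's keyPass defaults to keystorePass, so the JKS key password below
# ends up equal to the store password as well.
openssl pkcs12 -export -in server/server.crt -inkey server/server.key -out server/server.p12 -name "server"
# JKS is a legacy format, kept only because server.xml points at server.keystore;
# Tomcat can load server.p12 directly with keystoreType="PKCS12" instead.
keytool -importkeystore -v -srckeystore server/server.p12 -srcstoretype pkcs12 -srcstorepass 123456 -destkeystore server/server.keystore -deststoretype jks -deststorepass 123456
# Private key material: readable by the Tomcat user only.
chmod 600 server/server.key server/server.p12 server/server.keystore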
3、client
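# Step 3: client certificate signed by the same root CA, for mutual TLS.
mkdir client
openssl genrsa -aes256 -out client/client.key 2048
openssl req -new -key client/client.key -out client/client.csr
# Same caveat as the server cert: `-extensions v3_req` without -extfile adds no
# extensions. Mark this as an end-entity certificate usable only for client auth,
# so it can never be mistaken for (or misused as) a server or CA certificate.
cat > client/client.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
openssl x509 -req -days 3650 -sha256 -extfile client/client.ext -CA root.crt -CAkey root.key -CAcreateserial -in client/client.csr -out client/client.crt
# Prompts for an export password; this is what Chrome asks for on import and
# what `openssl pkcs12 -in client.p12` needs later.
openssl pkcs12 -export -in client/client.crt -inkey client/client.key -out client/client.p12 -name "client"
chmod 600 client/client.key client/client.p12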
4、修改tomcat
# Step 4: edit Tomcat's connector configuration (conf/server.xml under the
# Tomcat base directory) and add the HTTPS connector shown below.
vim server.xml
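<!-- Mutual-TLS connector using the classic per-connector SSL attributes (Tomcat
     8.5+ still accepts them, but prefers a nested SSLHostConfig). sslProtocol="TLS"
     alone lets the JVM enable every protocol it supports, so the enabled list is
     pinned to TLS 1.2/1.3 (use "TLSv1.2" only on a JVM without TLS 1.3).
     clientAuth="true" rejects any client whose cert does not chain to
     root.truststore; "want" would allow anonymous clients through. Because the
     store passwords live in this file, server.xml must not be world-readable
     (chmod 600), and the keystores should live where the (non-root) Tomcat user
     can read them rather than under /root. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2,TLSv1.3"
keystoreFile="/root/zhutao/ca/server/server.keystore" keystorePass="123456"
truststoreFile="/root/zhutao/ca/root.truststore" truststorePass="123456"
/>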
5、Chrome 导入
root.crt ---> "受信任的根证书颁发机构"（Authorities）
client.p12 ---> "个人"（Your certificates），导入时输入第 3 步 pkcs12 -export 设置的密码
6、curl测试
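# Step 6: exercise mutual TLS from the command line.
# -nodes writes the client private key to disk unencrypted, so create all.pem
# with a restrictive umask (subshell keeps the umask change local).
(umask 077; openssl pkcs12 -in client/client.p12 -out client/all.pem -nodes)
# The original passed the CA *private key* (root.key) to --cacert and masked the
# resulting failure with -k, which disables server verification entirely (any
# man-in-the-middle would be accepted). Trust root.crt instead and let curl verify.
# If this fails with a hostname mismatch, the server cert has no SAN for
# 10.10.10.245: reissue it with one rather than bypassing the check with -k.
curl --cacert root.crt --cert client/all.pem https://10.10.10.245:8443/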