Spring Boot certificate configuration guide
Creating the certificates
The commands below use the variables PASSWD and HOSTNAME; the complete script at the end of the guide defines them.
Generating the CA certificate
- Generate the CA certificate

```bash
openssl req -new -x509 -keyout ca.key -out ca.crt -sha256 -days 365 -passout pass:${PASSWD} -subj "/C=cn/ST=beijing/L=beijing/O=aspire/OU=aspire/CN=ca.it"
```

- Import the CA certificate into the client truststore. When the client authenticates the server, it uses this CA certificate to validate the server certificate.

```bash
keytool -keystore client.truststore -alias caroot -import -file ca.crt -storepass ${PASSWD}
```

- Import the CA certificate into the server truststore. When the server authenticates the client, it uses this CA certificate to validate the client certificate.

```bash
keytool -keystore server.truststore -alias caroot -import -file ca.crt -storepass ${PASSWD}
```
Generating the server certificate
- Generate the key pair

```bash
# note: without a cipher option such as -des3, -passout has no effect and server.key
# is written unencrypted, which is why the later steps read it without -passin
openssl genrsa -passout pass:${PASSWD} -out server.key 2048
```

- Generate the certificate signing request (CSR)

```bash
openssl req -new -key server.key -out server.csr -subj "/C=CN/ST=SHANXI/L=XI'AN/O=TW/OU=IT/CN=${HOSTNAME}"
```

- Sign the CSR with the CA certificate to produce the server certificate

Create the X509 v3 certificate extension config file:

```bash
cat>server.ext<<EOF
[v3_req]
keyUsage = critical, digitalSignature, keyAgreement
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = test.it
IP.1 = 127.0.0.1
EOF
```

Sign and generate the server certificate:

```bash
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -passin pass:${PASSWD} -CAcreateserial -out server.crt -sha256 -extensions v3_req -extfile server.ext
```

- Convert the openssl-generated certificate to PKCS#12 format

```bash
# convert to a pkcs12 keystore
openssl pkcs12 -export -passout pass:${PASSWD} -in server.crt -inkey server.key -out server.p12 -name server -chain -CAfile ca.crt -caname rootca
```

Import the PKCS#12 keystore into the JKS keystore server.keystore. If application.yml specifies the keystore type pkcs12, this step is not needed: point it at the pkcs12 file directly.

```bash
keytool -importkeystore \
-deststorepass ${PASSWD} -destkeypass ${PASSWD} -destkeystore server.keystore \
-srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass ${PASSWD} \
-alias server
```
Generating the client certificate
- Generate the key pair

```bash
openssl genrsa -des3 -passout pass:${PASSWD} -out client.key 4096
```

- Generate the certificate signing request (CSR)

```bash
openssl req -new -key client.key -passin pass:${PASSWD} -out client.csr -subj "/C=CN/ST=SHANXI/L=XI'AN/O=TW/OU=IT/CN=client"
```

- Sign the CSR with the CA certificate to produce the client certificate

```bash
openssl x509 -req -days 365 -in client.csr -passin pass:${PASSWD} -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt -sha256
```

- Convert the openssl-generated certificate to PKCS#12 format

```bash
openssl pkcs12 -export -passout pass:${PASSWD} -in client.crt -inkey client.key -passin pass:${PASSWD} -out client.p12 -name client -chain -CAfile ca.crt -caname caroot
```

- Import the PKCS#12 keystore into the JKS keystore client.keystore. Whether this step is needed depends on the keystore type the client expects; Postman generally needs it.

```bash
keytool -importkeystore \
-deststorepass ${PASSWD} -destkeypass ${PASSWD} -destkeystore client.keystore \
-srckeystore client.p12 -srcstoretype PKCS12 -srcstorepass ${PASSWD} \
-alias client
```
Script

```bash
#!/bin/bash
# definitions
PASSWD=localhost
HOSTNAME=test.it
# precondition: remove artifacts from a previous run
rm -f ca*
rm -f client.*
rm -f server.*
echo "create "
echo "######### ca"
openssl req -new -x509 -keyout ca.key -out ca.crt -sha256 -days 365 -passout pass:${PASSWD} -subj "/C=cn/ST=beijing/L=beijing/O=aspire/OU=aspire/CN=ca.it"
openssl x509 -in ca.crt -out ca.pem -outform PEM
keytool -keystore client.truststore -alias caroot -import -file ca.crt -storepass ${PASSWD}
keytool -keystore server.truststore -alias caroot -import -file ca.crt -storepass ${PASSWD}
echo "######### server"
openssl genrsa -passout pass:${PASSWD} -out server.key 2048
openssl req -new -key server.key -out server.csr -subj "/C=CN/ST=SHANXI/L=XI'AN/O=TW/OU=IT/CN=${HOSTNAME}"
cat>server.ext<<EOF
[v3_req]
keyUsage = critical, digitalSignature, keyAgreement
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = test.it
IP.1 = 127.0.0.1
EOF
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -passin pass:${PASSWD} -CAcreateserial -out server.crt -sha256 -extensions v3_req -extfile server.ext
openssl x509 -in server.crt -out server.pem -outform PEM
# convert to a pkcs12 keystore
openssl pkcs12 -export -passout pass:${PASSWD} -in server.crt -inkey server.key -out server.p12 -name server -chain -CAfile ca.crt -caname rootca
# import into server.keystore
keytool -importkeystore \
-deststorepass ${PASSWD} -destkeypass ${PASSWD} -destkeystore server.keystore \
-srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass ${PASSWD} \
-alias server
echo "######### client"
openssl genrsa -des3 -passout pass:${PASSWD} -out client.key 4096
openssl req -new -key client.key -passin pass:${PASSWD} -out client.csr -subj "/C=CN/ST=SHANXI/L=XI'AN/O=TW/OU=IT/CN=client"
openssl x509 -req -days 365 -in client.csr -passin pass:${PASSWD} -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt -sha256
openssl x509 -in client.crt -out client.pem -outform PEM
openssl pkcs12 -export -passout pass:${PASSWD} -in client.crt -inkey client.key -passin pass:${PASSWD} -out client.p12 -name client -chain -CAfile ca.crt -caname caroot
# import into client.keystore
keytool -importkeystore \
-deststorepass ${PASSWD} -destkeypass ${PASSWD} -destkeystore client.keystore \
-srckeystore client.p12 -srcstoretype PKCS12 -srcstorepass ${PASSWD} \
-alias client
```
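Before loading the files into Spring Boot it is worth checking that they actually form the chain the steps above intend: both leaf certificates chain to ca.crt, server.crt carries the hostname in its SAN plus the serverAuth EKU, and client.crt is usable for client authentication. The script below is an added example, not part of the original guide; it assumes only `openssl` on PATH, and `make_test_pki` builds a throwaway CA, server and client certificate with the guide's options (keys left unencrypted here, unlike the guide) so `check_chain` can be exercised offline.

```bash
#!/usr/bin/env bash
# Added example, not part of the original guide. Before loading the files into
# Spring Boot, check that they actually form the chain the guide intends.
# Assumes only openssl on PATH. make_test_pki builds a throwaway CA, server and
# client certificate in DIR with the guide's options (keys left unencrypted
# here for brevity) so the checks can run offline; point check_chain at your
# real ca.crt/server.crt/client.crt instead.
set -eu

make_test_pki() {  # make_test_pki DIR HOSTNAME
  local d="$1" host="$2"
  mkdir -p "$d"
  ( cd "$d"
    openssl req -new -x509 -keyout ca.key -out ca.crt -sha256 -days 365 -nodes \
      -subj "/CN=ca.it"
    openssl genrsa -out server.key 2048
    openssl req -new -key server.key -out server.csr -subj "/CN=${host}"
    printf '[v3_req]\nkeyUsage = critical, digitalSignature, keyAgreement\n' > server.ext
    printf 'extendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s,IP:127.0.0.1\n' "$host" >> server.ext
    openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -out server.crt -sha256 -extensions v3_req -extfile server.ext
    openssl genrsa -out client.key 2048
    openssl req -new -key client.key -out client.csr -subj "/CN=client"
    openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 \
      -out client.crt -sha256
  ) >/dev/null 2>&1
}

# check_chain DIR HOST: succeeds only if server.crt and client.crt chain to ca.crt,
# server.crt names HOST in its SAN (browsers ignore CN) with the serverAuth EKU,
# and client.crt passes OpenSSL's sslclient purpose check (the guide gives it no
# EKU, which means "any purpose"; a serverAuth-only client cert would fail here).
check_chain() {
  local d="$1" host="$2"
  openssl verify -CAfile "$d/ca.crt" "$d/server.crt" >/dev/null 2>&1 \
    || { echo "server.crt does not chain to ca.crt"; return 1; }
  openssl x509 -in "$d/server.crt" -noout -checkhost "$host" | grep -q "does match" \
    || { echo "server.crt SAN does not cover $host"; return 1; }
  openssl x509 -in "$d/server.crt" -noout -ext extendedKeyUsage \
    | grep -q "TLS Web Server Authentication" \
    || { echo "server.crt lacks serverAuth EKU"; return 1; }
  openssl verify -CAfile "$d/ca.crt" -purpose sslclient "$d/client.crt" >/dev/null 2>&1 \
    || { echo "client.crt is not valid for TLS client authentication"; return 1; }
  echo "chain OK for $host"
}

if [ "${1:-}" = "--self-test" ]; then
  tmp="$(mktemp -d)"; make_test_pki "$tmp" test.it; check_chain "$tmp" test.it; rm -rf "$tmp"
fi
```

Run it with `--self-test` to exercise the throwaway PKI, or call `check_chain` on the directory holding the files the guide's script produced.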
One-way authentication (the client verifies the server certificate)
Server side
application.yml configuration:

```yaml
server:
  port: 443
  ssl:
    enabled: true
    # key-alias and key-store must match the -alias and -destkeystore used in the
    # keytool -importkeystore step above (server / server.keystore in the script)
    key-alias: server
    key-store: classpath:server.keystore
    key-store-type: jks # pkcs12 jks
    key-store-password: localhost
    key-password: localhost
```

Add the SSL debug JVM option to make troubleshooting easier:

```
-Djavax.net.debug=all
```

Client side
Using a browser or Postman as the client to access the server:
- The client must have the CA certificate installed and trusted.
Mutual authentication
Server side
application.yml configuration:

```yaml
server:
  port: 443
  ssl:
    enabled: true
    key-alias: server
    key-store: classpath:server.keystore
    key-store-type: jks # pkcs12 jks
    key-store-password: localhost
    key-password: localhost
    trust-store: classpath:server.truststore
    trust-store-password: localhost
    client-auth: need
```

Because the server must verify the client's identity, it needs to trust the CA certificate that issued the client certificate; that is what server.truststore (which holds ca.crt) provides.
`client-auth: need` makes client certificate verification mandatory (`want` would request a certificate without requiring one).
Add `-Djavax.net.debug=all` to the JVM startup options to make troubleshooting easier.
Client side
Using a browser as the client to access the server:
- The client must have the CA certificate installed and trusted.
- Install the client.pfx certificate (client.p12 from the script; .pfx and .p12 are the same PKCS#12 format). It must be in a format that includes the private key (pkcs12/pfx), and you will be prompted for the certificate password on import.

When you open test.it in the browser, it prompts you to choose a certificate. The browser can find the client certificate because, during the handshake, the server tells the client which CAs it trusts (the ones in its truststore), and the browser offers the installed certificates issued by that CA.
Using Postman as the client to access the server:
Open the Postman preferences, go to the Certificates tab, and import the corresponding certificates.
- Configure the hostname mapping in the hosts file

```text
# domain name mapped to the server's IP
127.0.0.1 test.it
```