Building an independent CA system with EJBCA Community 6.3.1.1 to manage digital certificates

Author: 凌承一  Published: 2016-12-05 20:46:51

      Many people have heard the term "digital certificate" without really understanding it, and "ejbca" is probably something most people have never heard of at all.

      A digital certificate (Certificate) is a file that identifies the parties in Internet communication; think of it as an "online ID card". Its main purpose is to verify identity.

      EJBCA is CA (Certificate Authority) software. A CA is a certification authority whose main job is managing digital certificates: issuing, revoking and renewing them, among other things. EJBCA implements the CA specifications, so it can be used to manage digital certificates.

      Next, the author walks through the complete process of building and using an independent CA system, in this order: EJBCA installation, using EJBCA, using digital certificates, the web service interface, and the nginx proxy.

    Installing ejbca-community-6.3.1.1 on CentOS

      The EJBCA installation is fairly involved. This article uses CentOS 6.5 as the example; other Linux distributions can follow along, and the Windows procedure is almost identical. The version installed is EJBCA Community 6.3.1.1. Follow the steps below exactly, or it is easy to go wrong!

    1. Install the base environment

      Installing EJBCA requires JDK 1.7 or later, the Ant build tool, a working MySQL database and JBoss 7.1.1. For installing and configuring the JDK, Ant and MySQL see http://www.cnblogs.com/ywlaker/p/6129872.html; if these are already installed, skip ahead to the next step.

    2. Install and start JBoss

      Download the JBoss package jboss-as-7.1.1.Final.tar.gz from the official JBoss site, unpack it and set the environment variable

    tar xvf jboss-as-7.1.1.Final.tar.gz -C /usr/java
    vi /etc/profile
    

      Append the following

    #jboss conf
    export JBOSS_HOME=/usr/java/jboss-as-7.1.1.Final
    

      Make the change take effect immediately

    source /etc/profile
    

      Start JBoss. Note the trailing &, and run "exit" only after startup has completed

    sh /usr/java/jboss-as-7.1.1.Final/bin/standalone.sh &
    exit
    

      JBoss now runs in the background. The following commands find the JBoss process and stop it

    ps -ef|grep jboss
    kill -9 进程号
    

    3. Configure the JBoss MySQL data source

      Create the directory, then create module.xml inside it

    mkdir -p /usr/java/jboss-as-7.1.1.Final/modules/com/mysql/main
    cd /usr/java/jboss-as-7.1.1.Final/modules/com/mysql/main
    vi module.xml
    

      The contents of module.xml are as follows

    <?xml version='1.0' encoding='UTF-8'?>
    <module xmlns='urn:jboss:module:1.0' name='com.mysql'>
    	<resources>
    		<resource-root path='mysql-connector-java-5.1.27.jar'/>
    	</resources>
    	<dependencies>
    		<module name='javax.api'/>
    		<module name='javax.transaction.api'/>
    	</dependencies>
    </module>
    

      Download the MySQL driver mysql-connector-java-5.1.27.jar into /usr/file, then copy it into the current directory

    cp /usr/file/mysql-connector-java-5.1.27.jar ./
    

      Open a new shell window and run

    sh /usr/java/jboss-as-7.1.1.Final/bin/jboss-cli.sh -c
    

      If the CLI reports the "disconnected" state, type "connect" first, press Enter a few times, then run the following commands

    /subsystem=datasources/jdbc-driver=com.mysql.jdbc.Driver:add(driver-name=com.mysql.jdbc.Driver,driver-class-name=com.mysql.jdbc.Driver,driver-module-name=com.mysql,driver-xa-datasource-class-name=com.mysql.jdbc.jdbc2.optional.MysqlXADataSource)
    :reload
    

    4. Install and configure EJBCA

      Download the EJBCA package ejbca_ce_6_3_1_1.zip from the official EJBCA site into /usr/file, unpack it, and get ready to edit the configuration

    unzip /usr/file/ejbca_ce_6_3_1_1.zip -d /usr/java
    cd /usr/java
    mv ejbca_ce_6_3_1_1 ejbca-ce-6.3.1.1
    cd /usr/java/ejbca-ce-6.3.1.1/conf/
    

      1. Edit ejbca.properties

    mv ejbca.properties.sample ejbca.properties
    vi ejbca.properties
    

      Change the following entries

    appserver.home=/usr/java/jboss-as-7.1.1.Final
    appserver.type=jboss
    

      2. Edit database.properties

    mv database.properties.sample database.properties
    vi database.properties
    

      Change the following entries

    # dataSource
    datasource.jndi-name=jboss/datasources/MySqlDS
    # mysql info
    database.name=mysql
    database.url=jdbc:mysql://127.0.0.1:3306/ejbca?characterEncoding=UTF-8
    database.driver=com.mysql.jdbc.Driver
    database.username=root
    database.password=root
    

      3. Edit install.properties

    mv install.properties.sample install.properties
    vi install.properties
    

      Change the following entries

    # set the CA name
    ca.name=test
    # set the CA subject information
    ca.dn=CN=test,O=test,C=cn
    

      4. Rename cesecore.properties and jaxws.properties; their contents need no changes

    mv cesecore.properties.sample cesecore.properties
    mv jaxws.properties.sample jaxws.properties
    

      5. Edit web.properties

    mv web.properties.sample web.properties
    vi web.properties
    

      Change the following entries

    # a 6-character password works best
    superadmin.password=123456
    superadmin.cn=superadmin
    httpsserver.hostname=ca.test.com
    httpsserver.dn=CN=${httpsserver.hostname},O=test,C=cn
    

    5. Deploy EJBCA to JBoss

      First, create the "ejbca" database with encoding "utf-8" in the MySQL instance configured above; then build EJBCA with Ant and install it into JBoss

    cd /usr/java/ejbca-ce-6.3.1.1
    
    ant clean deploy
    ant install
    ant deploy-keystore
    

      ant clean deploy deploys EJBCA with Ant, ant install generates the certificates, and ant deploy-keystore deploys those certificates to JBoss. The first two steps take quite a while; if prompted for input along the way, just press Enter.

    6. Configure JBoss to enable HTTPS

      Open a new shell window and run

    sh /usr/java/jboss-as-7.1.1.Final/bin/jboss-cli.sh -c
    

      If the CLI reports the "disconnected" state, run "connect", press Enter a few times, and then run the four parts of configuration below

      Part 1 (allow access from any host)

    /interface=http:add(inet-address='0.0.0.0')
    /interface=httpspub:add(inet-address='0.0.0.0')
    /interface=httpspriv:add(inet-address='0.0.0.0')
    /socket-binding-group=standard-sockets/socket-binding=http:add(port='8080',interface='http')
    /subsystem=undertow/server=default-server/http-listener=http:add(socket-binding=http)
    /subsystem=undertow/server=default-server/http-listener=http:write-attribute(name=redirect-socket, value='httpspriv')
    :reload
    

      Part 2 (configure the certificates)

    /core-service=management/security-realm=SSLRealm:add()
    /core-service=management/security-realm=SSLRealm/server-identity=ssl:add(keystore-path='${jboss.server.config.dir}/keystore/keystore.jks', keystore-password='serverpwd', alias='prod-ica1')
    /core-service=management/security-realm=SSLRealm/authentication=truststore:add(keystore-path='${jboss.server.config.dir}/keystore/truststore.jks', keystore-password='changeit')
    /socket-binding-group=standard-sockets/socket-binding=httpspriv:add(port='8443',interface='httpspriv')
    /socket-binding-group=standard-sockets/socket-binding=httpspub:add(port='8442', interface='httpspub')
    :reload
    

      Part 3 (configure SSL)

    /subsystem=undertow/server=default-server/https-listener=httpspriv:add(socket-binding=httpspriv, security-realm='SSLRealm', verify-client=REQUIRED)
    /subsystem=undertow/server=default-server/https-listener=httpspub:add(socket-binding=httpspub, security-realm='SSLRealm')
    :reload
    

      Part 4 (configure the web service)

    /system-property=org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH:add(value=true)
    /system-property=org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH:add(value=true)
    /system-property=org.apache.catalina.connector.URI_ENCODING:add(value='UTF-8')
    /system-property=org.apache.catalina.connector.USE_BODY_ENCODING_FOR_QUERY_STRING:add(value=true)
    /subsystem=webservices:write-attribute(name=wsdl-host, value=jbossws.undefined.host)
    /subsystem=webservices:write-attribute(name=modify-wsdl-address, value=true)
    :reload
    

    Managing digital certificates with EJBCA

      Once EJBCA is installed we can use it to manage digital certificates. Assume the server running EJBCA is 172.17.210.124. On Windows, first configure the hosts file: edit the hosts file in the "C:\Windows\System32\drivers\etc" directory and add the line

    172.17.210.124 ca.test.com
    

      Then copy superadmin.p12 from the "/usr/java/ejbca-ce-6.3.1.1/p12/" directory on the EJBCA server to the Windows machine and double-click it to install it. The default password is "ejbca"; if you changed it during configuration, use the changed password, e.g. "123456".

      EJBCA provides two interfaces

      The admin interface (requires a certificate: use the superadmin certificate just installed)

    https://ca.test.com:8443/ejbca/adminweb/
    

      The user interface

    http://ca.test.com:8080/ejbca/
    

      With the superadmin certificate in place, let's start managing digital certificates!

    1. User registration

      A digital certificate is the carrier of identity authentication, and the subject being authenticated is the "user". A digital certificate contains the user's basic information, just as an ID card contains your name and other basic details. Registration is simply the process of submitting your basic personal information to EJBCA.

      In the EJBCA admin interface, open the "RA Functions" - "Add End Entity" menu and fill in the fields ticked in the "Required" column.

      For the end entity profile select "EMPTY"

      Enter the username and password

      Common name: for a server certificate, enter the domain name here

      Fill in the certificate information: certificate profile "ENDUSER", CA "dev", Token "P12 file"

      Finally click the "Add" button to register

    2. Download the certificate

      With the user registered, you naturally can't wait to get hold of a certificate. In the EJBCA user interface, open the "Enroll" - "Create Browser Certificate" menu

      Enter the username and password, click "OK", and you reach the following page

      For "Key length" select "2048 bits"; for "Certificate profile" select "ENDUSER"; click "Enroll" to download the certificate

    3. Revoke a certificate

      The administrator finds that a user's certificate has been misused by someone else. Easy: revoke it.

      In the EJBCA admin interface, open the "RA Functions" - "Search End Entities" menu. In the "Search end entities with status" drop-down select "All" and click the "Search" button on the right to view the user information (other columns are omitted in the figure below)

      Tick the users to be revoked and click the "Revoke Selected" button below the table to revoke them

    4. Renew a certificate

      The certificate a user applied for last time has expired and must be replaced with a new one

      In the EJBCA admin interface, open the "RA Functions" - "Search End Entities" menu. In the "Search end entities with status" drop-down select "All" and click the "Search" button on the right to view the user information (other columns are omitted in the figure below)

      Click the "Edit End Entity" link in the rightmost column of the user whose certificate needs renewing to edit that user

      Set "Status" to "New" and click the "Save" button on the right. Then enter a new password, leave the other fields unchanged, and click the "Save" button at the bottom of the page to save the settings

    5. The root certificate

      As a CA, EJBCA has its own root certificate

      In the EJBCA user interface, open the "Retrieve" - "Fetch CA Certificates" menu to download the root certificate in various formats

    6. Request a Tomcat server certificate

      The steps above manage browser certificates for ordinary users, in p12 format. Certificates for a Tomcat server are in jks format; how do you request those?

      When registering the user, select certificate profile "SERVER", CA "dev" and Token "JKS file"; leave the other values unchanged

      To download the certificate, open the "Enroll" - "Create Keystore" menu in the EJBCA user interface, enter the username and password, and you reach the following page

      For "Key length" select "2048 bits"; for "Certificate profile" select "SERVER"; click "Enroll" to download the certificate

      Other server certificate formats work much the same way; I am sure you can work them out!

    Building your own CA system on the web service

      EJBCA is now installed and can manage digital certificates, but every operation is performed in the interface EJBCA provides. Leaving aside that it is entirely in English, the sheer number of configuration items is bewildering, and most of them are either fixed or unnecessary for us. The most sensible approach is therefore to build a middle layer on top of EJBCA: users access the certificate management services the middle layer exposes, and the middle layer implements them with EJBCA, which conveniently provides a complete web service interface.

      The middle layer only needs to offer registration, download, revocation and renewal of digital certificates; more functionality can of course be added depending on requirements. The basic implementation of this middle layer follows.

    1. The superadmin.jks certificate

      The EJBCA web service interface requires certificate authentication. The examples in the official source code use the superadmin certificate, but in jks format, so we need a superadmin.jks certificate. Converting it with a tool is possible, but EJBCA can generate it directly.

      Perform the renewal operation on the superadmin user and, before saving, change the following field to "JKS file"

      Then download superadmin's jks-format certificate by following the steps for downloading an ordinary user certificate

    2. Initialize the web service connection

      With superadmin.jks we can connect to the web service, but first the jars the web service needs must be added to the project: all jars in the following two directories

    /usr/java/ejbca-ce-6.3.1.1/dist/ejbca-ws-cli/lib
    /usr/java/ejbca-ce-6.3.1.1/dist/ejbca-ws-cli
    

      Then initialize the web service connection in code

    import java.io.File;
    import java.io.FileNotFoundException;
    import java.net.URL;
    import javax.xml.namespace.QName;
    import org.cesecore.util.CryptoProviderTools;
    import org.ejbca.core.protocol.ws.client.gen.EjbcaWS;
    import org.ejbca.core.protocol.ws.client.gen.EjbcaWSService;

    // superadmin.jks doubles as the key store (our client certificate) and the trust store (the CA certificate)
    private static final String certPath = "d:/superadmin.jks";
    private static final String certPassword = "123456";
    // the port object that all later certificate operations go through
    private EjbcaWS ejbcaWS;

    public void init() throws Exception {
    	if (!new File(certPath).exists()) {
    		throw new FileNotFoundException("superadmin keystore not found: " + certPath);
    	}
    	CryptoProviderTools.installBCProvider();

    	System.setProperty("javax.net.ssl.trustStore", certPath);
    	System.setProperty("javax.net.ssl.trustStorePassword", certPassword);
    	System.setProperty("javax.net.ssl.keyStore", certPath);
    	System.setProperty("javax.net.ssl.keyStorePassword", certPassword);

    	QName qname = new QName("http://ws.protocol.core.ejbca.org/", "EjbcaWSService");
    	// the web service is served on the client-authenticated HTTPS port (8443), so the WSDL URL is https
    	EjbcaWSService service = new EjbcaWSService(new URL("https://ca.test.com:8443/ejbca/ejbcaws/ejbcaws?wsdl"), qname);
    	ejbcaWS = service.getEjbcaWSPort();
    }
    

      Note: the connection address must be the domain name, the one assigned to the EJBCA server at installation time, so the machine connecting to the EJBCA web service needs the following hosts entry

    172.17.210.124 ca.test.com
    

      The purpose of initialization is to obtain an EjbcaWS instance; the certificate registration, download and other services that follow are all built on it

    3. Implement the certificate management services

      Check whether a user is already registered

    import java.util.List;
    import org.ejbca.core.protocol.ws.client.gen.UserDataVOWS;
    import org.ejbca.core.protocol.ws.client.gen.UserMatch;

    private boolean isExist(String username) throws Exception {
    	// look up end entities whose username equals the given one
    	UserMatch usermatch = new UserMatch();
    	usermatch.setMatchwith(UserMatch.MATCH_WITH_USERNAME);
    	usermatch.setMatchtype(UserMatch.MATCH_TYPE_EQUALS);
    	usermatch.setMatchvalue(username);
    	try {
    		List<UserDataVOWS> users = ejbcaWS.findUser(usermatch);
    		return users != null && !users.isEmpty();
    	} catch (Exception e) {
    		throw new Exception("检查用户 " + username + " 是否存在时出错:" + e.getMessage(), e);
    	}
    }
    

      Both user registration and renewal use the editUser() method, so check first whether the user already exists

    import java.util.Date;
    import org.apache.commons.lang.time.DateFormatUtils;
    import org.apache.commons.lang.time.DateUtils;
    import org.ejbca.core.protocol.ws.client.gen.UserDataVOWS;

    public void editUser() throws Exception {
    	UserDataVOWS userData = new UserDataVOWS();
    	userData.setUsername("testname"); // username
    	userData.setPassword("123456");   // password
    	userData.setClearPwd(false);      // default
    	userData.setSubjectDN("CN=" + "testname"
    			+ ",OU=" + "testou"
    			+ ",O=" + "testo"
    			+ ",C=cn"
    			+ ",telephoneNumber=" + "1234567890"
    			); // the unique distinguished name

    	String pattern = "yyyy-MM-dd HH:mm:ssZZ"; // ISO 8601 style time format
    	userData.setStartTime(DateFormatUtils.format(new Date(), pattern)); // start of the certificate's validity
    	userData.setEndTime(DateFormatUtils.format(DateUtils.addDays(new Date(), 100), pattern)); // end of validity

    	userData.setCaName("test"); // CA name, as configured in EJBCA
    	userData.setSubjectAltName(null);
    	userData.setEmail("test@test.com"); // e-mail address
    	userData.setStatus(UserDataVOWS.STATUS_NEW); // status NEW
    	userData.setTokenType(UserDataVOWS.TOKEN_TYPE_P12); // request a P12 keystore
    	userData.setEndEntityProfileName("user"); // end entity profile
    	userData.setCertificateProfileName("user"); // certificate profile
    	try {
    		ejbcaWS.editUser(userData);
    	} catch (Exception e) {
    		throw new Exception(e.getMessage(), e);
    	}
    }
    

      A few points in the code deserve attention: the end entity profile "user" and the certificate profile "user" must be configured in the EJBCA admin interface; the end entity profile "user" must enable the "SubjectDN" attributes used here (CN, OU, O, C, telephoneNumber and so on); and it must allow startTime and endTime to be modified

      Revoke a certificate

    import org.cesecore.certificates.crl.RevokedCertInfo;

    public void revoke(String username) throws Exception {
    	try {
    		// revoke all of the user's certificates; false keeps the end entity instead of deleting it
    		ejbcaWS.revokeUser(username, RevokedCertInfo.REVOCATION_REASON_UNSPECIFIED, false);
    	} catch (Exception e) {
    		throw new Exception("revokeUser failed for " + username + ": " + e.getMessage(), e);
    	}
    }
    

      Create a certificate

    import java.io.BufferedWriter;
    import java.io.File;
    import java.io.FileOutputStream;
    import java.io.FileWriter;
    import org.cesecore.certificates.util.AlgorithmConstants;
    import org.ejbca.core.protocol.ws.client.gen.KeyStore;
    import org.ejbca.core.protocol.ws.common.KeyStoreHelper;

    private void createCert(String username, String password, String path) throws Exception {
    	try {
    		// have EJBCA generate a 2048-bit RSA key pair and issue the certificate, returned as a PKCS#12 keystore
    		KeyStore ksenv = ejbcaWS.pkcs12Req(username, password, null, "2048", AlgorithmConstants.KEYALGORITHM_RSA);
    		java.security.KeyStore ks = KeyStoreHelper.getKeyStore(ksenv.getKeystoreData(), "PKCS12", password);
    		// write the .p12 file
    		try (FileOutputStream fileOutputStream = new FileOutputStream(path + File.separator + username + ".p12")) {
    			ks.store(fileOutputStream, password.toCharArray());
    		}
    		// write the keystore password to a .pwd file beside it
    		File pwdFile = new File(path + File.separator + username + ".pwd");
    		try (BufferedWriter out = new BufferedWriter(new FileWriter(pwdFile))) {
    			out.write(password);
    		}
    	} catch (Exception e) {
    		throw new Exception("用户  " + username + " 证书创建失败:" + e.getMessage(), e);
    	}
    }
    

      The certificate is created on the server. When a user calls the certificate-download service it should return a download URL; here nginx is used as the file download server, see the nginx section of http://www.cnblogs.com/ywlaker/p/6129872.html

      At this point the EJBCA-based CA system is complete. Of course, the above is only the core code; how to run and deploy it is not covered here. Below is a brief introduction to how HTTPS works and how digital certificates are used.

    HTTPS basics and using digital certificates

      First some cryptography basics, starting from the following encrypted communication model

      I send a friend the message "Do you have time for dinner?". What actually travels over the network is the encrypted data, not the plaintext; the encryption and decryption are simply transparent to me and my friend.

    1. Symmetric and asymmetric encryption

      In the communication above, if encryption and decryption use the same key it is called symmetric encryption; if they use different keys it is called asymmetric encryption

      Symmetric encryption is fast and can encrypt large amounts of data; asymmetric encryption is slow, so it is only used to encrypt small amounts of data, but it is extremely hard to break

      The two different keys used in asymmetric encryption are called the "private key" and the "public key". They correspond one to one and together form a "key pair". The public key can be given to anyone, but the private key must be kept to yourself; once the private key leaks, the key pair should be discarded.

      A key pair has two very important properties: 1. the public key can be derived from the private key, but the private key cannot be derived from the public key; 2. content encrypted with the private key can only be decrypted with the public key, and content encrypted with the public key can only be decrypted with the private key.

      These two properties have two important uses: 1. the private key holder encrypts content with the private key and sends it to the public key holder to decrypt, which verifies the private key holder's identity, because content the public key can decrypt can only have been encrypted with the private key; 2. the public key holder encrypts content with the public key and sends it to the private key holder to decrypt, which keeps the content confidential, because only the private key can decrypt it: even if the content is intercepted, the interceptor cannot learn what it says

    2. Digital certificates

      A digital certificate is a file containing the holder's identity information together with the digital signature of an authority (a CA). Just like our resident ID cards, a digital certificate is an "online ID card", used to verify the identity of the certificate holder on the Internet

      The organization that issues digital certificates is called a CA. There are only a few authoritative CAs in the world, because they bear legal responsibility for the certificates they issue, so requesting a certificate from them costs money. Certificates issued by the EJBCA we set up ourselves are only suitable for internal enterprise use; this CA has no authority to issue certificates to other commercial companies on the Internet

      Once you have a digital certificate, just configure the service to enable HTTPS and the certificate can be used

      HTTPS certificate authentication comes in two forms, "one-way authentication" and "two-way authentication". In one-way authentication only the client verifies the server; in two-way authentication both sides verify each other. If verification fails, the connection is terminated automatically. The communication flow and the Tomcat configuration for each follow

    3. HTTPS one-way authentication

      The two entities in one-way authentication

      The one-way authentication flow is shown in the figure below

      Brief description:

    The client connects to the server
    The server responds to the client and sends its server certificate
    The client consults its "Trusted Root Certification Authorities" store and verifies the server certificate
    After verifying the server certificate, the client generates a "key pair" and a session key and negotiates the session key with the server
    Once the session key is negotiated, secure encrypted communication begins
    

      Tomcat configuration for HTTPS one-way authentication

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
        maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
        clientAuth="false" sslProtocol="TLS"
        keystoreFile="D:\tomcat.jks" keystorePass="123456" />

    4. HTTPS two-way authentication

      The two entities in two-way authentication

      The two-way authentication flow is shown in the figure below

      Brief description:

    The client connects to the server
    The server responds to the client and sends its server certificate
    The client consults its "Trusted Root Certification Authorities" store and verifies the server certificate
    After verifying the server certificate, the client sends its client certificate to the server
    The server consults its "truststore" or follows the certificate chain and verifies the client certificate
    Client and server negotiate the session key encryption scheme
    Client and server negotiate the session key
    Once the session key is negotiated, secure encrypted communication begins
    

      Tomcat configuration for HTTPS two-way authentication

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
        maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
        clientAuth="true" sslProtocol="TLS"
        keystoreFile="D:\tomcat.jks" keystorePass="123456"
        truststoreFile="D:\tomcat.jks" truststorePass="123456"/>
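The one-way and two-way flows above, as an added Go example that is not part of the original post: an in-memory CA standing in for the page's "test" CA issues a server certificate for ca.test.com and a client certificate for the user testname, and handshake() runs one loopback TLS connection with the server's ClientAuth set the way Tomcat's clientAuth attribute would set it. Only the names are taken from the page; all keys and certificates are constructed when the program runs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a certificate for cn signed by parent (self-signed when isCA), standing in for the EJBCA CA "test" on the page.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (tls.Certificate, *x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // constructed in memory for this example
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"test"}, Country: []string{"cn"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		DNSNames:              []string{cn},
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA {
		parent, parentKey = tmpl, key // the root signs itself
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert, key
}

// handshake runs one loopback TLS connection; clientAuth mirrors Tomcat's clientAuth attribute (tls.NoClientCert: one-way, tls.RequireAndVerifyClientCert: two-way) and presentClientCert says whether the client offers its certificate.
func handshake(clientAuth tls.ClientAuthType, presentClientCert bool) error {
	_, caCert, caKey := issue("test", true, nil, nil)
	serverCert, _, _ := issue("ca.test.com", false, caCert, caKey)
	clientCert, _, _ := issue("testname", false, caCert, caKey)
	trust := x509.NewCertPool() // the only trusted root on both sides, like tomcat.jks / truststore.jks
	trust.AddCert(caCert)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientCAs: trust, ClientAuth: clientAuth}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			err = c.(*tls.Conn).Handshake() // two-way: a missing or untrusted client certificate is rejected here
			c.Close()
		}
		srvErr <- err
	}()
	cliCfg := &tls.Config{RootCAs: trust, ServerName: "ca.test.com"}
	if presentClientCert {
		cliCfg.Certificates = []tls.Certificate{clientCert}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return err
	}
	defer conn.Close()
	return <-srvErr // the server's verdict: a TLS 1.3 client finishes before the server has checked its certificate
}
```

Run it under go test with the three cases (one-way, two-way, two-way with the client sending no certificate): the first two succeed and the third is rejected by the server, which is the "connection is terminated automatically" behaviour described above.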