D:\EclipseAndroid\Web>openssl genrsa -out cakey.pem 2048
查看公鑰
D:\EclipseAndroid\Web>openssl rsa -in cakey.pem -pubout -text
生成自簽證書
D:\EclipseAndroid\Web>set OPENSSL_CONF=c:\Program Files (x86)\GnuWin32\share\openssl.cnf
D:\EclipseAndroid\Web>openssl req -new -x509 -key cakey.pem -out cacert.pem -days 3650
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:Taiwan
Locality Name (eg, city) []:Taichung
Organization Name (eg, company) [Internet Widgits Pty Ltd]:R&D
Organizational Unit Name (eg, section) []:Mark Chen
Common Name (eg, YOUR name) []:Mark Chen
Email Address []:ingrenn@yahoo.com.tw
D:\EclipseAndroid\Web>mkdir demoCA
D:\EclipseAndroid\Web>mkdir demoCA\private
D:\EclipseAndroid\Web>mkdir demoCA\newcerts
在 demoCA 目錄下建立文字檔 index.txt
在 demoCA 目錄下建立文字檔 serial,內容 "00"
D:\EclipseAndroid\Web>copy cakey.pem demoCA\private
D:\EclipseAndroid\Web>copy cacert.pem demoCA
建立給 tomcat 使用的私鑰
D:\EclipseAndroid\Web>openssl genrsa -out tomcat.key 1024
tomcat 客戶端生成證書簽屬請求
D:\EclipseAndroid\Web>openssl req -new -key tomcat.key -out tomcat.csr
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:Taiwan
Locality Name (eg, city) []:Taichung
Organization Name (eg, company) [Internet Widgits Pty Ltd]:R&D
Organizational Unit Name (eg, section) []:Mark Chen
Common Name (eg, YOUR name) []:localhost因為在本機使用,正式須如:www.domain.com
Email Address []:ingrenn@localhost
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:不要打密碼,不然會失敗
An optional company name []:
D:\EclipseAndroid\Web>openssl ca -in tomcat.csr -out tomcat.crt -days 3655
D:\EclipseAndroid\Web>openssl pkcs12 -export -in tomcat.crt -inkey tomcat.key -out tomcat.p12
Loading 'screen' into random state - done
Enter Export Password:在 tomcat 的 server.xml 設定中要用
Verifying - Enter Export Password:
在 tomcat 的 server.xml 設定中
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="D:\EclipseAndroid\Web\tomcat.p12"
keystoreType="pkcs12" keystorePass="changit"
/>
開啟 IE /網際網路選項/內容/憑證/受信任的跟憑證授信單位/匯入 cacert.pem
如果要將 http 自動轉成 https,在 web.xml 的 <web-app> 中加入下列設定
<!-- Require HTTPS for everything except /img (favicon) and /css. -->
<security-constraint>
<web-resource-collection>
<web-resource-name>HTTPSOnly</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>HTTPSOrHTTP</web-resource-name>
<url-pattern>*.ico</url-pattern>
<url-pattern>/img/*</url-pattern>
<url-pattern>/css/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
android 安裝證書
1. copy cakey.pem cakey.cer
2. 將 cakey.cer 證書放到 /storage/sdcard0/Download
3. 設定/安全性/從手機儲存空間安裝
如果要將 http 自動轉成 https,在 web.xml 的 <web-app> 中加入下列設定
<!-- Require HTTPS for everything except /img (favicon) and /css. -->
<security-constraint>
<web-resource-collection>
<web-resource-name>HTTPSOnly</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>HTTPSOrHTTP</web-resource-name>
<url-pattern>*.ico</url-pattern>
<url-pattern>/img/*</url-pattern>
<url-pattern>/css/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
android 安裝證書
1. copy cakey.pem cakey.cer
2. 將 cakey.cer 證書放到 /storage/sdcard0/Download
3. 設定/安全性/從手機儲存空間安裝
沒有留言:
張貼留言