2.3. 为双向 SSL/TLS 配置服务器证书

流程

1. 生成用于测试和开发目的的自签名服务器证书。如果您已从证书颁发机构(CA)获取证书，请跳过这一步。

   重要

   不要在生产环境中使用自签名证书。仅使用证书颁发机构(CA)签名的证书。

   1. 创建用于存储服务器证书的密钥存储。

      语法

      /subsystem=elytron/key-store=<key_store_name>:add(path=<path>,credential-reference={<password>},type=<key_store_type>)

      Copy to Clipboard Toggle word wrap

      Example

      /subsystem=elytron/key-store=exampleServerKeyStore:add(path=server.keystore.pkcs12,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=PKCS12)
      {"outcome" => "success"}

      Copy to Clipboard Toggle word wrap

   2. 在密钥存储中生成服务器证书。

      语法

      /subsystem=elytron/key-store=<key_store_name>:generate-key-pair(alias=<alias>,algorithm=<algorithm>,key-size=<key_size>,validity=<validaity_in_days>,credential-reference={<password>},distinguished-name="<distinguished_name_in_certificate>")

      Copy to Clipboard Toggle word wrap

      Example

      /subsystem=elytron/key-store=exampleServerKeyStore:generate-key-pair(alias=localhost,algorithm=RSA,key-size=2048,validity=365,credential-reference={clear-text=secret},distinguished-name="CN=localhost")
      {"outcome" => "success"}

      Copy to Clipboard Toggle word wrap

   3. 将密钥存储存储到文件中。

      语法

      /subsystem=elytron/key-store=<key_store_name>:store()

      Copy to Clipboard Toggle word wrap

      Example

      /subsystem=elytron/key-store=exampleServerKeyStore:store()
      {
          "outcome" => "success",
          "result" => undefined
      }

      Copy to Clipboard Toggle word wrap

   4. 导出服务器证书。

      语法

      /subsystem=elytron/key-store=<key_store_name>:export-certificate(alias=<alias>,path=<path_to_certificate>,pem=true)

      Copy to Clipboard Toggle word wrap

      Example

      /subsystem=elytron/key-store=exampleServerKeyStore:export-certificate(alias=localhost,path=server.cer,pem=true,relative-to=jboss.server.config.dir)
      {"outcome" => "success"}

      Copy to Clipboard Toggle word wrap

2. 创建引用服务器密钥存储的密钥管理器。

   语法

   /subsystem=elytron/key-manager=<key_manager_name>:add(credential-reference={<password>},key-store=<key_store_name>)

   Copy to Clipboard Toggle word wrap

   Example

   /subsystem=elytron/key-manager=exampleServerKeyManager:add(credential-reference={clear-text=secret},key-store=exampleServerKeyStore)
   {"outcome" => "success"}

   Copy to Clipboard Toggle word wrap

   当启用 SSL/TLS 时，服务器会向客户端显示此证书。

3. 将服务器证书导入到客户端的信任存储中，以便客户端可以在 SSL 握手期间验证服务器证书。

   语法

   $ keytool -import -file <server_certificate_file> -alias <alias> -keystore <client_trust_store_file> -storepass <password>

   Copy to Clipboard Toggle word wrap

   Example

   $ keytool -import -file EAP_HOME/standalone/configuration/server.cer -alias server -keystore client.truststore.p12 -storepass secret
   
   Owner: CN=localhost
   Issuer: CN=localhost
   Serial number: 52679016fbb54f46
   Valid from: Fri Sep 30 18:25:29 IST 2022 until: Sat Sep 30 18:25:29 IST 2023
   Certificate fingerprints:
   	 SHA1: 4B:68:24:9E:2A:2D:01:4E:23:69:94:C8:9A:1C:8F:A5:D4:27:CB:98
   	 SHA256: C0:AF:74:12:90:66:25:B2:65:4E:6B:4B:89:81:2D:6B:D5:2A:F4:04:BC:85:DA:1C:AB:26:6D:57:9F:9F:EE:15
   Signature algorithm name: SHA256withRSA
   Subject Public Key Algorithm: 1024-bit RSA key (disabled)
   Version: 3
   
   Extensions:
   
   #1: ObjectId: 2.5.29.14 Criticality=false
   SubjectKeyIdentifier [
   KeyIdentifier [
   0000: 59 13 DC 6A 81 B9 27 18   6E 72 17 0E 67 FC 9F 8F  Y..j..'.nr..g...
   0010: 04 01 74 8F                                        ..t.
   ]
   ]
   
   
   Warning:
   The input uses a 1024-bit RSA key which is considered a security risk and is disabled.
   
   Trust this certificate? [no]:

   Copy to Clipboard Toggle word wrap

   输入 yes。您将获得以下输出：

   Certificate was added to keystore

   Copy to Clipboard Toggle word wrap