这几天被和证书搞得头昏脑胀的。不过还好终于把这个搞定了。用进行双向身份验证意思就是在客户机连接服务器时，链接双方都要对彼此的数字证书进行验证，保证这是经过授权的才能够连接（我们链接一般的时采用的是单向验证，客户机只验证服务器的证书，服务器不验证客户机的证书。而连接网上银行时使用的盾就是用来存储进行双向验证所需要的客户端证书的）。里面内置了一个数字证书生产工具：t但是这个工具只能生成自签名的数字证书。所谓自签名就是指证书只能保证自己是完整的，没有经过非法修改的。但是无法保证这个证书是属于谁的。其实用这种自签名的证书也是可以进行双向验证的用生成的自签名证书进行双向验证请看这里，向这位仁兄致意：），但是这种验证有一个缺点：对于每一个要链接的服务器，都要保存一个证书的验证副本。而且一旦服务器更换证书，所有客户端就需要重新部署这些副本。对于比较大型的应用来说，这一点是不可接受的。所以就需要证书链进行双向认证。证书链是指对证书的签名又一个预先部署的，众所周知的签名方签名完成，这样每次需要验证证书时只要用这个公用的签名方的公钥进行验证就可以了。比如我们使用的浏览器就保存了几个常用的R每次连接到网站时只要这个网站的证书是经过这些签名过的。就可以通过验证了。但是这些共用的的服务不是免费的。而且价格不菲。所以我们有必要自己生成一个的密钥对，然后部署应用时，只要把这个的私钥部署在所有节点就可以完成验证了。要进行的生成，需要（）。你也可以在找到下的版本安装好以后就可以生成证书链了，我写了一个解决这些东西：echooffsetCsetPWD_SERVER_KS=serverkssetPWD_SERVER_KEY=serverkeysetPWD_CLIENT_KS=clientkssetPWD_CLIENT_KEY=clientkeyifnotexistca.key（echoGeneratingacarootkeyfile.opensslreq-new-x509-keyoutca.key-outca.crt-config%CONFIG%）else（echoca.keyalreadyexists.ifnotexistserver.keystore(echoGeneratingserversprivatekey.keytool-genkey-aliaslogon_server_private_key-validity365-keyalgRSA-keysize1024SERVER_KS%-keystoreserver.keystore-keypass%PWD_SERVER_KEY%-storepass%PWD)else(echoserver.keystorealreadyexits.)ifnotexistclient.keystore(echoGeneratingclientsprivatekey.keytool-genkey-aliasipclient_private_key-validity365-keyalgRSA-keysize1024-keystoreclient.keystore-keypass%PWD_CLIENT_KEY%-storepass%PWD_CLIENT_KS%)else(echoclient.keystorealreadyexits.)echo=Finishedkeygeneration=ifnotexistlogon_server_private_key.csr(echoGeneratingserverssingaturerequestfile.keytool-certreq-aliaslogon_server_private_key-sigalgMD5withRSA-filelogon_server_private_key.csr-keypass%PWD_SERVER_KEY%-storepass%PWD_SERVER_KS%-keystoreserver.keystore)else(echologon_server_private_key.csralreadyexits.)ifnotexistipclient_private_key.csr(echoGeneratingclientssingaturerequestfile.keytool-certreq-aliasipclient_private_key-sigalgMD5withRSA-fileipclient_private_key.csr-keypass%PWD_CLIENT_KEY%-storepass%PWD_CLIENT_KS%-keystoreclient.keystore)else(echoipclient_private_key.csralreadyexits.)ifnotexistlogon_server_private_key.crt(opensslca-inlogon_server_private_key.csr-outlogon_server_private_key.crt-certca.crt-keyfileca.key-notext-config%CONFIG%)else(echologon_server_private_key.crtalreadyexits.)ifnotexistipclient_private_key.crt(opensslca-inipclient_private_key.csr-outipclient_private_key.crt-certca.crt-keyfileca.key-notext-config%CONFIG%)else(echoipclient_private_key.crtalreadyexits.)echo=Finishedcarootsignaturing=echoImportingcarootcertsintokeystore.keytool-import-v-trustcacerts-aliasca_root-fileca.crt-storepass%PWD_SERVER_KS%-keystoreserver.keystorekeytool-import-v-trustcacerts-aliasca_root-fileca.crt-storepass%PWD_CLIENT_KS%-keystoreclient.keystoreechoImportingsignaturedkeys.keytool-import-v-aliaslogon_server_private_key-filelogon_server_private_key.crt-keypass%PWD_SERVER_KEY%-storepass%PWD_SERVER_KS%-keystoreserver.keystorekeytool-import-v-aliasipclient_private_key-fileipclient_private_key.crt-keypass%PWD_CLIENT_KEY%-storepass%PWD_CLIENT_KS%-keystoreclient.keystoreechoAlldone!运行这个批处理，期间需要回答一些问题，然后就可以得到一些文件其中的密钥文件。是需要在客户端部署的，是在服务器部署的。是然后可以用下面的代码测试：/*Copyrights(C)2008Bearice(BeariceGmail.com)*ReleaseunderGNU/GPLVersion2.*/packagecn.bearice.ipcontroller.ccserver;importjava.io.BufferedReader;importjava.io.FileInputStream;importjava.io.InputStreamReader;importjava.io.PrintWriter;importjava.security.KeyStore;importjava.security.cert.X509Certificate;importjava.util.logging.Level;importjava.util.logging.Logger;importjavax.net.ssl.KeyManagerFactory;importjavax.net.ssl.SSLContext;importjavax.net.ssl.SSLPeerUnverifiedException;importjavax.net.ssl.SSLServerSocket;importjavax.net.ssl.SSLServerSocketFactory;importjavax.net.ssl.SSLSession;importjavax.net.ssl.SSLSocket;importjavax.net.ssl.SSLSocketFactory;importjavax.net.ssl.TrustManagerFactory;/*authorBearice*/publicclassNewClassextendsThreadOverridepublicvoidrun()trysleep(100);SSLContextctx=SSLContext.getInstance(SSL);KeyManagerFactorykmf=KeyManagerFactory.getInstance(SunX509);TrustManagerFactorytmf=TrustManagerFactory.getInstance(SunX509);KeyStoreks=KeyStore.getInstance(JKS);/KeyStoretks=KeyStore.getInstance(JKS);ks.load(newFileInputStream(e:/certs/client.keystore),clientks.toCharArray();/tks.load(newFileInputStream(e:/certs/tclient.keystore),clientks.toCharArray();kmf.init(ks,clientkey.toCharArray();tmf.init(ks);ctx.init(kmf.getKeyManagers(),tmf.getTrustManagers(),null);SSLSocketFactoryfactory=ctx.getSocketFactory();SSLSocketsocket=(SSLSocket)factory.createSocket(127.0.0.1,4433);showCerts(socket.getSession();PrintWriterpw=newPrintWriter(socket.getOutputStream();pw.println(GET/index.htmlHTTP/1.0);pw.println(Server:mail.google.com);pw.println(Connec