
Tomcat 7 SSL Configuration Explained

2025-01-10

Tomcat is a free, open-source, lightweight web application server. It is widely used for small and medium-sized systems and for sites that do not serve many concurrent users, and it is the first choice for developing and debugging JSP programs. As Tomcat versions have advanced, the steps for deploying an SSL certificate have changed as well; below is the procedure for deploying an SSL certificate on a Tomcat 7 server.

Configuration steps:

I. Tomcat server-side SSL configuration

1. Set up a CA certificate (skip this step if you are using a commercial certificate authority directly)

1.) Generate the CA private key (the passphrase entered here, 123456 in the transcript, protects the CA private key and is needed in many of the steps below)

Command:

    openssl genrsa -des3 -out private/ca.key 1024

Output:

    Generating RSA private key, 1024 bit long modulus
    ....................++++++ ......++++++ e is 65537 (0x10001)
    Enter pass phrase for private/ca.key:123456
    Verifying - Enter pass phrase for private/ca.key:123456

2.) Generate the CA certificate (the ca.key passphrase is the one entered in the previous step)

The generated ca.crt is the CA's certificate. It can be imported into the browser's trusted certificate authorities store, after which any client certificate signed by this CA will be accepted by the browser.

Command:

    openssl req -new -x509 -key private/ca.key -out public/ca.crt -days 3650

Output:

    Enter pass phrase for private/ca.key:123456
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:ZJ
    Locality Name (eg, city) []:HZ
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:orgnation
    Organizational Unit Name (eg, section) []:orgnation
    Common Name (e.g. server FQDN or YOUR name) []:orgnation
    Email Address []:xxx@mail.com

2. Sign the server certificate with the CA certificate

1.) Generate the server private key

Command:

    openssl genrsa -des3 -out private/server.key 1024

Output:

    Generating RSA private key, 1024 bit long modulus
    ..............................++++++ .....++++++ e is 65537 (0x10001)
    Enter pass phrase for private/server.key:s123456
    Verifying - Enter pass phrase for private/server.key:s123456

 

2.) Create the server certificate signing request

The Common Name field matters: set it to the IP address or domain name of the server that runs Tomcat.
For local testing you can use trustauth.cn.

Command:

    openssl req -new -key private/server.key -out server.csr

Output:

    Enter pass phrase for private/server.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:ZJ
    Locality Name (eg, city) []:HZ
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:XXX
    Organizational Unit Name (eg, section) []:Development
    Common Name (e.g. server FQDN or YOUR name) []:trustauth.cn.xxx   (this field is very important)
    Email Address []:xxxx@mail.com
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:csr123456
    An optional company name []:xxx

3.) Sign the server certificate request with the CA certificate and CA private key

The generated server.crt is the server certificate.

Command:

    openssl x509 -req -days 360 -in server.csr -CA public/ca.crt -CAkey private/ca.key -CAcreateserial -out public/server.crt

Output:

    Signature ok
    subject=/C=CN/ST=ZJ/L=HZ/O=XXX/OU=Development/CN=trustauth.cn.xxx/emailAddress=xxxx@mail.com
    Getting CA Private Key
    Enter pass phrase for private/ca.key:123456

4.) Convert the server certificate into the PKCS12 format that browsers can handle

The server certificate export password is not needed for the moment.

Command:

    openssl pkcs12 -export -in public/server.crt -inkey private/server.key -out server.p12

Output:

    Enter pass phrase for private/server.key:s123456
    Enter Export Password: e123456
    Verifying - Enter Export Password:e123456

5.) Generate the keystore

Use the PKCS12Import utility class from Jetty to perform the conversion (jetty-5.1.10.jar can be downloaded from the attachment to the original post).

Command:

    java -cp jetty-5.1.10.jar org.mortbay.util.PKCS12Import server.p12 server.jks

Output:

    Enter input keystore passphrase: e123456
    Enter output keystore passphrase: e123456
    Alias 0: 1
    Adding key for alias

6.) Use the following command to inspect the certificates contained in the JKS file.

Command:

    keytool -v -list -keystore server.jks

7.) Configure the Tomcat SSL Connector.

Add the following to server.xml:

XML:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false"
               keystoreFile="F:/temps/ca3/server.jks"
               keystorePass="e123456"
               sslProtocol="TLS" />

8.) Import the CA certificate (ca.crt) into the client browser's list of trusted certificate authorities

9.) Open https://trustauth.cn.xxx:8443 in the client browser. If the page loads, the server-side SSL configuration succeeded.
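The same chain as steps 1 through 4 above, as an added example that is not part of the original post: a POSIX shell script that builds the CA, the server key, the CSR, the signed certificate and the PKCS12 file without interactive prompts, then checks the result the way a browser would. It departs from the transcript in three places that are this example's own assumptions, not the author's: 2048-bit keys instead of 1024-bit, a subjectAltName extension carrying the hostname (current browsers match the SAN, not the Common Name), and constructed passphrases supplied through -passin/-passout.

```shell
#!/bin/sh
# Added example (not from the original post). Builds the CA / server chain of
# steps 1-4 without interactive prompts, then verifies what was produced.
# Passphrases below are constructed for this demo; change them in real use.
CA_PASS=capass; SERVER_PASS=serverpass; EXPORT_PASS=exportpass

make_chain() {              # make_chain <workdir> <server hostname>
  dir=$1; cn=$2
  mkdir -p "$dir/private" "$dir/public"   # openssl does not create these
  # Step 1: encrypted CA key and self-signed CA certificate (10 years)
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$dir/private/ca.key" 2048
  openssl req -new -x509 -key "$dir/private/ca.key" -passin "pass:$CA_PASS" \
    -subj "/C=CN/ST=ZJ/L=HZ/O=Example CA/CN=Example Root CA" \
    -days 3650 -out "$dir/public/ca.crt"
  # Step 2: server key and CSR; the CN is the hostname clients will type
  openssl genrsa -aes256 -passout "pass:$SERVER_PASS" -out "$dir/private/server.key" 2048
  openssl req -new -key "$dir/private/server.key" -passin "pass:$SERVER_PASS" \
    -subj "/C=CN/ST=ZJ/L=HZ/O=Example/OU=Development/CN=$cn" \
    -out "$dir/server.csr"
  # Step 3: the CA signs the CSR; the extension file adds the SAN browsers match on
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$cn" > "$dir/server.ext"
  openssl x509 -req -days 365 -in "$dir/server.csr" \
    -CA "$dir/public/ca.crt" -CAkey "$dir/private/ca.key" -passin "pass:$CA_PASS" \
    -CAcreateserial -extfile "$dir/server.ext" -out "$dir/public/server.crt"
  # Step 4: bundle key and certificate as PKCS12 under the alias "tomcat"
  openssl pkcs12 -export -name tomcat -in "$dir/public/server.crt" \
    -inkey "$dir/private/server.key" -passin "pass:$SERVER_PASS" \
    -passout "pass:$EXPORT_PASS" -out "$dir/server.p12"
}

verify_chain() {            # verify_chain <workdir> <server hostname>; exit 0 = OK
  dir=$1; cn=$2
  # server.crt must chain to ca.crt
  openssl verify -CAfile "$dir/public/ca.crt" "$dir/public/server.crt" >/dev/null || return 1
  # the certificate must name the host in its SAN
  openssl x509 -in "$dir/public/server.crt" -noout -text | grep -q "DNS:$cn" || return 1
  # the PKCS12 MAC must verify with the export password (the future keystorePass)
  openssl pkcs12 -in "$dir/server.p12" -passin "pass:$EXPORT_PASS" -nokeys -noout >/dev/null 2>&1
}

# Usage: make_chain ./ca-demo tomcat.example.test && verify_chain ./ca-demo tomcat.example.test
```

Tomcat 7 can also load server.p12 directly by adding keystoreType="PKCS12" to the Connector (keystorePass is then the export password), which makes the Jetty PKCS12Import conversion in step 5 optional.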


Copyright and reprint notice

Author: 亿网. URL: https://edns.com/ask/post/149933.html. Published 2025-01-10.