keytool -import -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -storepass changeit -keypass changeit -alias bocommca -file test_root.cer
"test_root.cer"为证书名.
 
删除证书
keytool -delete -alias bocommca -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -storepass changeit

SSH into the VDI-in-a-Box Virtual Appliance
Windows users might use utilities such as PuTTY or SecureCRT to SSH into the console. Macintosh and Linux users can use the built-in Terminal application to start SSH sessions.
Open the SSH application or Terminal instance.
Connect to the VDI-in-a-Box appliance using the DNS name or IP address. Use the default credentials:
kvm / kaviza123
[Screenshot: CTX132235-1.gif]
Generating the Keystore, Key Pair, and CSR
This section covers the steps required to generate the files that will be sent to the Trusted Certificate Authority (CA). These files will be created using the Java keytool. Refer to http://docs.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html for more information about this utility.
Keystore directory
Use the mkdir utility to create a keystore directory in /home/kvm:
mkdir /home/kvm/keystore
Use the cd utility to change to the keystore directory:
cd /home/kvm/keystore
[Screenshot: CTX132235-2.gif]
Generating Java keystore and key pair
Use the keytool utility to generate a key pair on the VDI-in-a-Box virtual appliance. Replace “hostname” in the alias option with your VDI-in-a-Box server hostname:

keytool -genkey -alias hostname -keyalg RSA -keysize 2048 -keystore kmgr.keystore
Select a password and confirm the same (must be at least 6 characters).
Fill out the required fields and press Enter after each line. When prompted to confirm the information, type “Yes” and then press Enter.
Note: The first item, “What is your first and last name?”, is equivalent to the Common Name (CN) field in other key generation tools. It must be a valid hostname (such as vdi.company.com); otherwise the Trusted CA rejects the Certificate Signing Request (CSR).
Press Enter to use the same password set in Step 2 as the key password.
[Screenshot: CTX132235-3.gif]
Generating the CSR
Run the keytool utility again to create a CSR. This file will be saved to the current directory (/home/kvm/keystore) and will be sent to the Trusted CA. Replace “hostname” in the alias option with your VDI-in-a-Box server hostname:

keytool -certreq -alias hostname -file kmgr.csr -keystore kmgr.keystore
Type the keystore password set in the preceding section.
Use the ls utility to verify both kmgr.csr and kmgr.keystore files exist.
[Screenshot: CTX132235-4.gif]
Copying the CSR to Local Computer
Download and install your favorite SFTP utility, such as WinSCP or FileZilla.
There are many free utilities available and FileZilla is used in this example.
Connect using the SFTP protocol to the VDI-in-a-Box virtual appliance IP address or hostname.
Use the credentials: kvm / kaviza123
Browse to the /home/kvm/keystore directory on the VDI-in-a-Box server and transfer or copy the file to your local computer.
[Screenshot: CTX132235-5.gif]
Requesting an SSL Certificate from a Trusted CA
A valid SSL Certificate can be obtained from most Trusted Certificate Authorities. Each CA and certificate will have a different chain; most include intermediate certificates in order to complete the chain. The list of CAs includes, but is not limited to, GoDaddy, GeoTrust, VeriSign, Thawte, and DigiCert.
The SSL Certificate instructions are different for each CA. Refer to the CA documentation on how to upload a CSR and download an SSL Certificate. Most CAs allow customers to either upload the CSR file or paste the contents of the CSR file into an upload window.
The following screenshot is an example of what a kmgr.csr file looks like in a text editor:

Importing the SSL Certificate Files
Note: Before importing the files, refer to the following article to create the SSL certificate for the VDI-in-a-Box virtual appliance:
CTX132235 - How to Create SSL Certificate for VDI-in-a-Box Virtual Appliance
Using the SFTP utility (such as FileZilla), copy the certificate files back to the /home/kvm/keystore directory on the VDI-in-a-Box virtual appliance.
Use the keytool utility to import the intermediate certificate file(s) to the keystore. Replace the “chain.crt” file with the intermediate certificate file name provided by the Trusted CA (file name will vary):

keytool -import -trustcacerts -alias intermediate -file chain.crt -keystore kmgr.keystore
Use the keytool utility to import the root certificate file(s) to the keystore. Replace the “chain.crt” file with the root certificate file name provided by the Trusted CA (file name will vary):

keytool -import -trustcacerts -alias root -file chain.crt -keystore kmgr.keystore
Type the keystore password when prompted.
A ‘Certificate was added to the keystore’ message appears if successful:
[Screenshot: CTX132234-1.gif]
Use the keytool utility to import the public certificate file to the keystore. Replace the “kmgr” alias with the VDI-in-a-Box server hostname. Replace the “kmgr.crt” file with the certificate file name sent by the Trusted CA:

keytool -import -trustcacerts -alias kmgr -file kmgr.crt -keystore kmgr.keystore
Type the keystore password when prompted.
A ‘Certificate reply was installed in keystore’ message appears if successful.
[Screenshot: CTX132234-2.gif]
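The keystore, CSR and import steps above (the "Generating the Keystore, Key Pair, and CSR" section and the "Importing the SSL Certificate Files" section), rehearsed end to end as an added shell example that is not part of the Citrix article. It stands in for the Trusted CA with a throwaway root and intermediate built with keytool's own -gencert, so the whole chain runs offline in a temporary directory. The hostname vdi.example.com, the DN fields and the password ExamplePass123 are assumed values; -gencert and -ext need Java 7 or later, and the article links the Java 6 keytool documentation, so run this on a workstation with a current JDK rather than on the appliance.

```shell
#!/bin/sh
# Added example, not the Citrix article's own script: walks the same keytool
# steps (key pair -> CSR -> import root, intermediate, reply) in a scratch
# directory, standing in for the Trusted CA with a throwaway test CA so the
# chain can be checked offline. Hostname, DN fields and password are
# constructed values; -gencert and -ext need Java 7 or later.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOST="vdi.example.com"      # assumed VDI-in-a-Box hostname (the article's "hostname" alias)
PASS="ExamplePass123"       # keystore password; key password kept identical, as Tomcat expects

# Article steps: server key pair and CSR, non-interactive (-dname answers the questionnaire).
make_server_csr() {
    keytool -genkeypair -alias "$HOST" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$HOST, O=Example Org, C=US" \
        -keystore "$WORKDIR/kmgr.keystore" -storepass "$PASS" -keypass "$PASS" >/dev/null
    keytool -certreq -alias "$HOST" -file "$WORKDIR/kmgr.csr" \
        -keystore "$WORKDIR/kmgr.keystore" -storepass "$PASS" >/dev/null
}

# What the Trusted CA does, here a throwaway root + intermediate in ca.keystore.
# Produces root.crt, chain.crt (the intermediate) and kmgr.crt (the signed reply).
sign_with_test_ca() {
    ca="$WORKDIR/ca.keystore"
    keytool -genkeypair -alias root -keyalg RSA -keysize 2048 -validity 3650 -ext bc:c \
        -dname "CN=Example Test Root, O=Example Org, C=US" \
        -keystore "$ca" -storepass "$PASS" -keypass "$PASS" >/dev/null
    keytool -genkeypair -alias intermediate -keyalg RSA -keysize 2048 -validity 3650 \
        -dname "CN=Example Test Intermediate, O=Example Org, C=US" \
        -keystore "$ca" -storepass "$PASS" -keypass "$PASS" >/dev/null
    keytool -certreq -alias intermediate -file "$WORKDIR/int.csr" \
        -keystore "$ca" -storepass "$PASS" >/dev/null
    keytool -gencert -alias root -infile "$WORKDIR/int.csr" -outfile "$WORKDIR/chain.crt" \
        -rfc -validity 3650 -ext bc:c -keystore "$ca" -storepass "$PASS" >/dev/null
    # install the signed intermediate so its entry carries the chain [intermediate, root]
    keytool -importcert -noprompt -alias intermediate -file "$WORKDIR/chain.crt" \
        -keystore "$ca" -storepass "$PASS" >/dev/null
    keytool -exportcert -rfc -alias root -file "$WORKDIR/root.crt" \
        -keystore "$ca" -storepass "$PASS" >/dev/null
    # sign the server CSR with the intermediate: this is the CA's "kmgr.crt" reply
    keytool -gencert -alias intermediate -infile "$WORKDIR/kmgr.csr" -outfile "$WORKDIR/kmgr.crt" \
        -rfc -validity 365 -ext "san=dns:$HOST" -keystore "$ca" -storepass "$PASS" >/dev/null
}

# Article's import order: root and intermediate as trusted entries first, then the
# reply under the server's own alias so keytool can link it to its issuers.
import_chain() {
    ks="$WORKDIR/kmgr.keystore"
    keytool -importcert -noprompt -alias root -file "$WORKDIR/root.crt" \
        -keystore "$ks" -storepass "$PASS" >/dev/null
    keytool -importcert -noprompt -alias intermediate -file "$WORKDIR/chain.crt" \
        -keystore "$ks" -storepass "$PASS" >/dev/null
    keytool -importcert -noprompt -alias "$HOST" -file "$WORKDIR/kmgr.crt" \
        -keystore "$ks" -storepass "$PASS" >/dev/null
}

# Check: the server entry must now hold server + intermediate + root (length 3).
# Length 1 means the reply went in without its issuers and browsers will still
# report an untrusted certificate.
chain_length() {
    keytool -list -v -alias "$HOST" -keystore "$WORKDIR/kmgr.keystore" -storepass "$PASS" 2>/dev/null \
        | sed -n 's/^Certificate chain length: *\([0-9]*\).*/\1/p'
}

if command -v keytool >/dev/null 2>&1; then
    make_server_csr
    sign_with_test_ca
    import_chain
    echo "certificate chain length for $HOST: $(chain_length)"
fi
```

If the reply is imported before its issuers are present as trusted entries, keytool refuses with "Failed to establish chain from reply"; that is why the article imports the intermediate and root first. Keeping the key password equal to the keystore password matters too, because the Tomcat connector edited later only receives keystorePass.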
Replacing the Self-Signed SSL Certificate
Change to the conf directory:
cd /home/kvm/kvm/install/servlet_container/conf
Back up the default keystore file:
mv .keystore old.keystore
Copy the new keystore file to the conf directory:
cp /home/kvm/keystore/kmgr.keystore .keystore
Verify that the .keystore and old.keystore files exist:
ls -al
[Screenshot: CTX132234-3.gif]
Adding SSL Certificate Password to Configuration
Edit the server.xml file using the vi editor:
sudo vi server.xml
Find the clientAuth line by searching:
/clientAuth=
Add the keystorePass parameter with the SSL certificate password to the end of the section:
keystorePass="password"
Save and exit vi.
[Screenshot: CTX132234-4.gif]
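A scripted version of the server.xml edit described above, added here as an example and not taken from the article. It locates the Connector element that carries clientAuth= and appends keystorePass="..." before that element's closing "/>", leaves any other Connector alone, and refuses to run twice or to accept a password that would need XML escaping. The server.xml fragment it edits is a constructed sample shaped like a Tomcat HTTPS connector, and the password ExamplePass123 is an assumed value.

```shell
#!/bin/sh
# Added example (not from the article): scripted form of the "add keystorePass
# to the clientAuth connector" edit, with checks a manual vi session lacks.
set -eu

# Refuse passwords containing characters that would break the XML attribute
# (", &, <) or be reinterpreted by awk's -v escape handling (backslash).
check_password_chars() {
    case "$1" in
        *['"&<']*|*\\*) return 1 ;;
    esac
    return 0
}

# add_keystore_pass <server.xml> <password>  -> rewrites the file in place
add_keystore_pass() {
    file="$1"; pass="$2"
    check_password_chars "$pass" || { echo 'password contains " & < or \; choose another' >&2; return 1; }
    if grep -q 'keystorePass=' "$file"; then
        echo "$file already sets keystorePass; edit it by hand" >&2
        return 1
    fi
    awk -v pass="$pass" '
        /<Connector/              { inconn = 1 }
        inconn && /clientAuth=/   { target = 1 }
        inconn && /\/>/ {
            if (target) sub(/\/>/, "keystorePass=\"" pass "\" />")
            inconn = 0; target = 0
        }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# keystore_pass_of <server.xml> -> prints the configured value (empty if none)
keystore_pass_of() {
    sed -n 's/.*keystorePass="\([^"]*\)".*/\1/p' "$1"
}

# Constructed sample: a plain HTTP connector that must stay untouched and an
# HTTPS connector spread over three lines, as in a stock Tomcat server.xml.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
<Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
</Service>
EOF

add_keystore_pass "$SAMPLE" "ExamplePass123"
grep -n 'keystorePass' "$SAMPLE"
```

Because server.xml now holds the keystore password in clear text, check its ownership and mode afterwards (ls -l server.xml) so that only the account running Tomcat can read it.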
Restarting the Tomcat Services
Restart Tomcat to use the new SSL certificate:
tc_start
Type the kvm password when prompted:
kaviza123
Verifying the new SSL Certificate
Open any web browser.
Access the VDI-in-a-Box hostname.
There should not be a certificate warning. Each web browser is different but there will be either green text or a padlock icon in the address bar indicating the SSL certificate is valid and the connection is secure.
[Screenshot: CTX132234-5.gif]
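A command-line counterpart to the browser check above, added as an example that is not part of the article. It runs openssl s_client against the appliance and summarises how many certificates the server actually sent and OpenSSL's verify result; a browser that has cached the intermediate from an earlier site can show a padlock even when the server omits it, which this check exposes. The hostname is an assumed value and the transcripts at the bottom are constructed to mirror s_client output.

```shell
#!/bin/sh
# Added example (not from the article): verify the served chain from the
# command line instead of relying on browser indicators alone.
set -eu

# summarize_s_client: reads `openssl s_client -showcerts` output on stdin and
# prints "chain=<certificates sent by server> verify=<OpenSSL verify code>".
summarize_s_client() {
    awk '
        /^ *[0-9]+ s:/           { chain++ }
        /^Verify return code:/   { verify = $4 }
        END { printf "chain=%d verify=%s\n", chain, (verify == "" ? "none" : verify) }
    '
}

# check_tls_chain <hostname> [port] -> summary line for a live server.
# -servername sends SNI so a host serving several names picks the right certificate.
check_tls_chain() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
        | summarize_s_client
}

# Constructed transcript of a correctly chained server: leaf plus intermediate
# (root is expected to come from the client's trust store) and verify code 0.
SAMPLE_OK='Certificate chain
 0 s:CN = vdi.example.com
   i:CN = Example Test Intermediate
 1 s:CN = Example Test Intermediate
   i:CN = Example Test Root
---
Verify return code: 0 (ok)'

# Constructed transcript of the common mistake: only the leaf is sent, so the
# client cannot reach a trusted root (code 21, "unable to verify the first
# certificate"; code 20 "unable to get local issuer certificate" is its sibling).
SAMPLE_LEAF_ONLY='Certificate chain
 0 s:CN = vdi.example.com
   i:CN = Example Test Intermediate
---
Verify return code: 21 (unable to verify the first certificate)'

printf '%s\n' "$SAMPLE_OK" | summarize_s_client
printf '%s\n' "$SAMPLE_LEAF_ONLY" | summarize_s_client

# Against the real appliance: VDI_HOST=vdi.company.com sh thisscript.sh
if [ -n "${VDI_HOST:-}" ]; then
    check_tls_chain "$VDI_HOST"
fi
```

A result of chain=1 after following the article usually means the intermediate import was skipped or the reply was imported under a different alias from the key pair, so the server entry never received the full chain.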