1. Prerequisite: you have already obtained a certificate issued by a CA.
2. Merge the certificates (the CA used here is Comodo)
Suppose your signed certificate is called xxx.crt and your key file is server.key. Besides your own xxx.crt, you also have COMODORSAAddTrustCA.crt, COMODORSADomainValidationSecureServerCA.crt and AddTrustExternalCARoot.crt.
Merge the certificates with the cat command:
cat COMODORSAAddTrustCA.crt >> xxx.crt
cat AddTrustExternalCARoot.crt >> xxx.crt
cat COMODORSADomainValidationSecureServerCA.crt >> xxx.crt
3. Configure the certificate in Nginx
server {
    server_name YOUR_DOMAINNAME_HERE;
    listen 443;
    ssl on;
    keepalive_timeout 70;
    ssl_certificate /path/to/xxx.crt;
    ssl_certificate_key /path/to/server.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_client_certificate /path/to/cacert.pem;
    # ssl_verify_client on;  # server-side verification of client certificates; left off for now so clients without a certificate can still connect
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
}
sudo /etc/init.d/nginx configtest
sudo /etc/init.d/nginx restart
4. Steps to generate a keystore for configuring HTTPS under Tomcat
1. Convert the X.509 certificate and key to a PKCS#12 file
openssl pkcs12 -export -in server.crt -inkey server.key \
    -out server.p12 -name some-alias \
    -CAfile ca.crt -caname root
(If you have already merged the certificate chain by hand, the -CAfile/-caname options are not needed; I merged ca.crt, domain.crt and mycrt.crt into server.crt before running this.)
Note: Make sure you put a password on the p12 file - otherwise you'll get a null reference exception when you try to import it. (In case anyone else had this headache). (Thanks jocull!)
Note: You might want to add the -chain option to preserve the full certificate chain. (Thanks Mafuba)
2. Convert the PKCS#12 file to a Java keystore
keytool -importkeystore \
    -deststorepass changeit -destkeypass changeit -destkeystore server.keystore \
    -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass changeit \
    -alias some-alias   # the -name value used when the p12 was generated
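The chain merge in step 2 and the PKCS#12 export in step 4.1 share one pitfall: a TLS server sends the certificate file in the order it is written, and the protocol requires the server's own certificate first with each following certificate certifying the one before it (RFC 5246 section 7.4.2). For these Comodo files that order is xxx.crt, COMODORSADomainValidationSecureServerCA.crt, COMODORSAAddTrustCA.crt, AddTrustExternalCARoot.crt. A second pitfall is a certificate file with no trailing newline, which makes cat glue the END and BEGIN markers onto one line so the certificates after it are not parsed. The script below is an added example, not part of the original post or of Comodo's tooling: it generates a throwaway root, intermediate and leaf with openssl (standing in for the real files), bundles them with a guaranteed newline between parts, checks the presentation order, and exports the bundle to a password-protected p12 the way step 4.1 does. Every file name, subject and the password changeit are constructed for the demo; it only needs the openssl CLI.

```shell
#!/bin/sh
# Added example (not from the original post): demo CA hierarchy, chain
# bundling in presentation order, order check, and PKCS#12 export.
# All names, files and the password below are constructed for the demo.
set -e

WORK=$(mktemp -d)

# --- stand-in for the CA files: root -> intermediate -> leaf -------------
gen_hierarchy() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Demo Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/int.ext"
    openssl x509 -req -days 1 -in "$WORK/int.csr" -CA "$WORK/root.crt" \
        -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/int.ext" \
        -out "$WORK/int.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
        -keyout "$WORK/server.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/int.crt" \
        -CAkey "$WORK/int.key" -CAcreateserial -out "$WORK/leaf.crt" 2>/dev/null
}

# --- step 2: concatenate, forcing a newline after each part ---------------
# A part without a trailing newline would otherwise glue its END marker to
# the next BEGIN marker, and the certificates after it would not be parsed.
make_bundle() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        cat "$f" >> "$out"
        [ -z "$(tail -c 1 "$f")" ] || echo >> "$out"
    done
}

# Subject / issuer in RFC 2253 form so the two strings compare exactly.
cert_subject() { openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^[^=]*=//'; }
cert_issuer()  { openssl x509 -noout -issuer  -nameopt RFC2253 -in "$1" | sed 's/^[^=]*=//'; }

# Return 0 when every certificate in the bundle is issued by the one that
# follows it, i.e. the order a TLS server must present (RFC 5246 7.4.2).
check_chain_order() {
    dir=$(mktemp -d)
    awk -v d="$dir" '/BEGIN CERTIFICATE/{n++} n{print > (d "/c" n ".pem")}' "$1"
    n=$(ls "$dir" | wc -l | tr -d ' ')
    i=1; ok=0
    while [ "$i" -lt "$n" ]; do
        j=$((i + 1))
        [ "$(cert_issuer "$dir/c$i.pem")" = "$(cert_subject "$dir/c$j.pem")" ] || ok=1
        i=$j
    done
    rm -rf "$dir"
    return $ok
}

# openssl verify builds the path itself, so it succeeds for either order:
# it proves the certificates chain to the root, not that the file order is right.
verify_leaf() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$1" "$WORK/leaf.crt" >/dev/null 2>&1
}

# --- step 4.1: export key + bundle to a password-protected PKCS#12 --------
# Extra certificates in the -in file are carried into the p12, so a merged
# bundle needs no -CAfile; the password avoids the import error noted above.
make_p12() {
    openssl pkcs12 -export -in "$1" -inkey "$WORK/server.key" -name some-alias \
        -passout pass:changeit -out "$WORK/server.p12"
}
# Number of certificates that made it into the p12 (leaf + 2 chain certs = 3).
p12_cert_count() {
    openssl pkcs12 -in "$WORK/server.p12" -passin pass:changeit -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

gen_hierarchy
# Correct order: leaf, issuing intermediate, root.
make_bundle "$WORK/good.crt" "$WORK/leaf.crt" "$WORK/int.crt" "$WORK/root.crt"
# Out of order, as when the root is appended before the issuing intermediate.
make_bundle "$WORK/bad.crt"  "$WORK/leaf.crt" "$WORK/root.crt" "$WORK/int.crt"
for b in good bad; do
    if check_chain_order "$WORK/$b.crt"; then echo "$b.crt: presentation order OK"
    else echo "$b.crt: out of order, a strict TLS client may fail path building"; fi
done
make_p12 "$WORK/good.crt"
echo "certificates in server.p12: $(p12_cert_count)"
```

The resulting server.p12 is exactly what the keytool command in step 4.2 consumes, with changeit as the store password and some-alias as the alias. Note that both bundles pass verify_leaf, which is why a plain openssl verify is not enough to catch an out-of-order file; check_chain_order is the test that matches what the server actually sends.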
3. Configure Tomcat
vim /usr/local/tomcat/conf/server.xml
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           maxThreads="300"
           scheme="https"
           secure="true"
           keystoreFile="server.keystore"
           keystorePass="changeit"
           sslProtocol="TLS"
           URIEncoding="utf-8" />
Restart Tomcat and you are done.