#1. 到 GoDaddy 下载 Tomcat 格式的 SSL 证书。
以 test.com.hk 为例, 我下载的文件名为 _.test.com.hk(TOMCAT).zip
ZIP 包含三个文件, 分别为:
e6124edacfe745e6.crt    # 这个名字随机
gd_bundle-g2-g1.crt
gdig2.crt.pem
#2. 将当初生成 CSR 时所用的私钥 test.com.hk.key 和上述三个文件放到同一个 tomcat 目录中。私钥文件的权限应只允许当前用户读取(例如 chmod 600), 不要放到会被打包或发布的目录里。
e6124edacfe745e6.crt
gd_bundle-g2-g1.crt
gdig2.crt.pem
test.com.hk.key
#3. 将 CA 根证书、中间证书合并(追加)到颁发的服务器证书之后
cat gd_bundle-g2-g1.crt >> e6124edacfe745e6.crt
注意: 这里用的是 >> 追加, 服务器证书必须在前、中间证书在后, 顺序不能反; 这条命令只执行一次, 重复执行会把证书链重复拼接进去。
#4. 生成 PKCS#12 格式证书, 文件名为 tomcat.pkcs12, 导出口令为 changeit(这只是示例口令, 实际使用请换成自己的口令)
openssl pkcs12 -export -in e6124edacfe745e6.crt -inkey test.com.hk.key \
  -out tomcat.pkcs12 -name tomcat -CAfile gd_bundle-g2-g1.crt -caname root
Enter Export Password:
Verifying - Enter Export Password:
口令在提示符处交互输入即可, 不要用 -passout 把口令写在命令行上, 否则会留在 shell 历史和 ps 输出中。
注意: 这里的 key 文件可能不同: 需要把 GoDaddy 发来的两个文件合并, ①generated-csr.txt 和 ②generated-private-key.txt, 将②的内容追加到①之后(大坑: private-key 的 PEM 头应为 -----BEGIN RSA PRIVATE KEY-----, 需要手动加上 RSA)。
改 PEM 头之前, 建议先用 `openssl pkey -in generated-private-key.txt -noout` 确认原文件能否直接被解析: 较新版本的 OpenSSL 可以直接读取 -----BEGIN PRIVATE KEY-----(PKCS#8)格式, 如果能直接解析就不必改头。
key 文件合并后的格式如下:
-----BEGIN CERTIFICATE REQUEST-----
MIICizCCAXUCAQAwGjEYMBYGA1UEAwwPd3d3LmFsZ29ibHUuY29tMIIBIjANBgkq
。。。。。。
-----END CERTIFICATE REQUEST-----
-----BEGIN RSA PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCtlWJxWCkyzytB
。。。。。。
-----END RSA PRIVATE KEY-----
#5. 转换为 Tomcat 的 JKS 格式, 文件名为 tomcat.jks; keytool 输出的警告可以忽略
keytool -importkeystore -alias tomcat -srckeystore tomcat.pkcs12 -srcstoretype PKCS12 \
  -srcstorepass changeit -deststorepass changeit -destkeypass changeit -destkeystore tomcat.jks
正在将密钥库 tomcat.pkcs12 导入到 tomcat.jks...
注意: 这里把三个口令直接写在命令行上, 会留在 shell 历史里并被同机其他用户通过 ps 看到; 省略 -srcstorepass / -deststorepass / -destkeypass 参数, keytool 会交互式提示输入。changeit 只是示例口令, 生产环境应换成自己的口令。
Warning: JKS 密钥库使用专用格式。建议使用 "keytool -importkeystore -srckeystore tomcat.jks -destkeystore tomcat.jks -deststoretype pkcs12" 迁移到行业标准格式 PKCS12
#6. 在 Tomcat 7.0 的配置文件(server.xml)中增加 SSL Connector 配置
<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="d://tomcat7/conf/tomcat.jks" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS"
           ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
                    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
                    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
                    TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
                    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
                    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
                    TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
                    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
                    TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
                    TLS_ECDH_RSA_WITH_RC4_128_SHA,
                    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                    TLS_RSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
                    TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
                    TLS_EMPTY_RENEGOTIATION_INFO_SCSVF" />
关于这段配置的几点说明:
- ciphers 列表中的三个 TLS_*_WITH_RC4_128_SHA 套件使用 RC4, 已被 RFC 7465 禁止, 建议从列表中删掉; 优先保留 ECDHE + AES_GCM 这类前向安全的套件。
- 末尾的 TLS_EMPTY_RENEGOTIATION_INFO_SCSVF 疑为 TLS_EMPTY_RENEGOTIATION_INFO_SCSV 的笔误(多了一个 F), 请核对后再使用。
- 只写 sslProtocol="TLS" 时, 实际启用的协议版本由 JDK 默认值决定; 建议再加上 sslEnabledProtocols="TLSv1.2" 明确关闭旧版本协议(具体取值请按所用 JDK 支持情况确认)。
- keystorePass 以明文写在 server.xml 中, 因此 server.xml 和 tomcat.jks 的读权限都应只开放给运行 Tomcat 的账号。
- keystoreFile 的路径写法 d://tomcat7/... 中的双斜杠看起来像笔误, 一般写成 d:/tomcat7/conf/tomcat.jks, 或相对 Tomcat 目录的 conf/tomcat.jks; 请以实际路径为准。
# 使用 Portecle 查看证书
http://portecle.sourceforge.net/
# 重启 Tomcat 后在线检查证书(检查结果中应能看到完整的证书链, 且不再报 RC4 等弱套件)
https://www.sslshopper.com/ssl-checker.html
https://www.ssllabs.com/ssltest/