转自:https://blog.csdn.net/weixin_30544657/article/details/97775898
1.环境:
- OpenSSL 1.0.2k
- FireFox 60.0 64位
- Chrome 66.0.3359.181 (正式版本)(32位)
- Internet Explorer 11.2248.14393.0
- Websocketd 0.3.0
- Nginx 1.12.2
2. 生成CA根证书
-
准备ca配置文件,得到ca.conf:(vim ca.conf,内容如下:)
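[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
# Read by "openssl req -x509" only. The "openssl x509 -req -signkey" step used
# below does not look at this key; it needs "-extensions v3_ca -extfile ca.conf".
x509_extensions = v3_ca

[ req_distinguished_name ]
# For each DN field the bare name is just the prompt label that "openssl req"
# displays; the "_default" entry is the value taken when Enter is pressed.
countryName = CN
countryName_default = CN
stateOrProvinceName = Jiangsu
stateOrProvinceName_default = JiangSu
localityName = Sz
localityName_default = Suzhou
organizationName = kk
organizationName_default = kk
commonName = json
commonName_max = 64
commonName_default = json

[ v3_ca ]
# A self-signed certificate produced without any extension section is a v1
# certificate that says nothing about being a CA. Marking it as a CA and
# restricting the key to certificate/CRL signing is what a trust anchor should
# carry; this section is harmless until a command references it.
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash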
-
生成 CA 密钥,得到 ca.key(命令如下:)
# Generate the CA's 4096-bit RSA private key. The key is written unencrypted;
# whoever holds ca.key can issue certificates trusted by every client that
# imports ca.crt, so keep the file mode restrictive (chmod 600) or add
# -aes256 to protect it with a passphrase.
openssl genrsa -out ca.key 4096
-
生成 CA 证书签发请求,得到 ca.csr(命令如下;执行时按提示一路回车即可采用配置文件中的默认值)
# Build the CA's certificate request with the DN prompts from ca.conf
# (Enter accepts each "_default"). -sha256 here only signs the CSR itself;
# it has no effect on the certificate issued in the next step.
openssl req -new -sha256 -out ca.csr -key ca.key -config ca.conf
-
生成ca根证书,得到ca.crt
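# Self-sign the request to obtain the root certificate (10-year validity).
# -sha256 is passed explicitly: on OpenSSL 1.0.2 "x509" otherwise signs with
# SHA-1, and the -sha256 given to "req" above only covered the CSR.
# Without -extensions/-extfile the result is a v1 certificate carrying no
# basicConstraints=CA:TRUE or keyUsage; to emit a proper CA certificate add a
# [ v3_ca ] section to ca.conf and append "-extensions v3_ca -extfile ca.conf".
openssl x509 -req -sha256 -days 3650 -in ca.csr -signkey ca.key -out ca.crt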
3.生成终端用户证书
-
准备配置文件,得到server.conf ( vim server.conf,内容如下)
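[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
# Bare name = prompt label shown by "openssl req"; "_default" = value used
# when Enter is pressed. Keep this DN different from the CA's DN, otherwise
# the issued certificate looks self-signed to verifiers.
countryName = CN
countryName_default = CN
stateOrProvinceName = JiangSu
stateOrProvinceName_default = JiangSu
localityName = Sz
localityName_default = Suzhou
organizationName = kk
organizationName_default = kk
commonName = json
commonName_max = 64
# Current browsers match the host against subjectAltName rather than the CN;
# the CN is set to the same address only for readability.
commonName_default = 192.168.1.1

[ req_ext ]
# Applied at signing time through "-extensions req_ext -extfile server.conf";
# "openssl x509 -req" does not copy extensions out of the CSR by itself.
# The leaf is explicitly marked as a non-CA and limited to TLS server use.
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
# Add "DNS.1 = <hostname>" if the server is also reached by name.
IP.1 = 192.168.1.1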
-
生成服务器密钥,得到 server.key(命令如下:)
# Generate the server's 2048-bit RSA private key (unencrypted, so nginx can
# load it without a passphrase). Restrict the file mode; it is later mounted
# into the container read-only.
openssl genrsa -out server.key 2048
-
生成服务器证书签发请求,得到 server.csr(命令如下;执行时按提示一路回车即可采用配置文件中的默认值)
# Build the server's certificate request; DN prompts come from server.conf
# (Enter accepts each "_default"). The req_ext section is embedded in the CSR
# but must still be passed explicitly when the CA signs it.
openssl req -new -sha256 -out server.csr -key server.key -config server.conf
-
用CA证书生成终端用户证书,得到server.crt
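# Issue the server certificate from the CA.
#  -sha256: on OpenSSL 1.0.2 "x509" signs with SHA-1 unless a digest is given,
#           and SHA-1 server certificates are rejected by current browsers; the
#           -sha256 on the req step only covered the CSR.
#  -CAcreateserial: creates ca.srl on first use; keep it next to ca.key so
#           later certificates receive distinct serial numbers.
#  -extensions/-extfile: "x509 -req" ignores the CSR's extensions, so the
#           subjectAltName is taken from server.conf here.
#  -days 3650: Apple clients refuse TLS server certificates valid for more
#           than 825 days; shorten this if iOS/macOS must connect.
openssl x509 -req -sha256 -days 3650 -CA ca.crt -CAkey ca.key -CAcreateserial \
  -in server.csr \
  -out server.crt \
  -extensions req_ext \
  -extfile server.conf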
4.使用证书
-
nginx 配置文件 nginx.conf(内容如下:)
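# TLS-only server block; server.crt/server.key are mounted into the container
# by the compose file below. server_name is not checked against the
# certificate, which is valid for the IP 192.168.1.1 only.
server {
    listen 443 ssl;
    server_name localhost;

    ssl_certificate /etc/nginx/conf.d/server.crt;
    ssl_certificate_key /etc/nginx/conf.d/server.key;

    # The nginx 1.12 default also enables TLSv1 and TLSv1.1; restrict to 1.2.
    ssl_protocols TLSv1.2;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
}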
-
贴出nginx的compose文件
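version: '2'
services:
  nginx:
    # Pinned to the nginx release listed in the environment section;
    # "latest" silently changes the binary on every pull.
    image: nginx:1.12.2
    volumes:
      - /docker/nginx/html:/usr/share/nginx/html:ro
      - /etc/localtime:/etc/localtime:ro
      - /docker/nginx/conf.d/default.conf:/etc/nginx/conf.d/default.conf:ro
      - /docker/crt/nginx.conf:/etc/nginx/conf.d/nginx.conf:ro
      # Certificate and private key stay read-only inside the container.
      - /docker/crt/server.crt:/etc/nginx/conf.d/server.crt:ro
      - /docker/crt/server.key:/etc/nginx/conf.d/server.key:ro
    restart: always
    environment:
      - TZ=Asia/Shanghai
    # Quoted so no YAML 1.1 parser can read "host:container" as a base-60
    # number. HTTPS is reached on host port 8443 (container port 443).
    ports:
      - "80:80"
      - "8443:443"
    container_name: nginx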
-
Tomcat 使用时需要先生成 server.keystore 文件(生成命令如下:)
2条命令分开执行:
这一步会提示输入导出密码,输入 123456;它就是第二条命令中 -srcstorepass 的值,本文让它与 deststorepass 保持一致即可
# Bundle server.crt and server.key into a PKCS#12 file. The export password
# prompted here is the one that must be supplied as -srcstorepass in the next
# command. server.p12 contains the private key, so restrict access to it.
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name "server"
执行结束后再执行下面的命令:注意这里的“deststorepass”密码与第一步输入的一样(-srcstorepass 则必须与第一步输入的导出密码一致)
# Convert the PKCS#12 bundle into a JKS keystore for Tomcat. Both passwords are
# passed on the command line and therefore end up in the shell history and the
# process list; on a shared host omit -srcstorepass/-deststorepass and answer
# the prompts instead. JKS is a legacy format: Tomcat can load server.p12
# directly with keystoreType="PKCS12", which makes this conversion optional.
keytool -importkeystore -v -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass 123456 -destkeystore server.keystore -deststoretype jks -deststorepass 123456
-
server.keystore的使用
修改 server.xml,添加下面的 Connector 节点;其中的“server.keystore”就是上面生成的文件
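<!-- HTTPS connector backed by the keystore built from server.crt/server.key.
     keystorePass is stored in clear text, so server.xml must stay readable
     only by the Tomcat user. server.p12 can be used directly instead of the
     JKS file by adding keystoreType="PKCS12". sslEnabledProtocols is set
     because the connector default also allows TLSv1 and TLSv1.1. -->
<Connector port="8443" protocol="HTTP/1.1" maxThreads="150"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           keystoreFile="conf/server.keystore"
           keystorePass="123456" />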
-
贴出tomcat的compose文件
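version: '2'
services:
  tomcat:
    # No Tomcat version is listed in the environment section; pin this tag
    # to the release actually used so pulls stay reproducible.
    image: tomcat:latest
    restart: always
    container_name: tomcat
    # Quoted so "host:container" is never read as a base-60 number.
    # 8080 presumably still serves plain HTTP; drop it if only TLS is wanted.
    ports:
      - "8080:8080"
      - "8443:8443"
    volumes:
      # Left writable (no :ro), presumably so applications can be deployed
      # by copying them into the host directory.
      - /docker/tomcat/app/webapps:/usr/local/tomcat/webapps
      - /docker/crt/server.xml:/usr/local/tomcat/conf/server.xml:ro
      - /docker/crt/server.keystore:/usr/local/tomcat/conf/server.keystore:ro
    environment:
      - TZ=Asia/Shanghai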
最后启动容器即可。