I use the free certificate provided by StartSSL here. For the StartSSL certificate application process, refer to the following link: http://www.setsea.net/wordpress/post/2011/04/21/881.html
After the application is completed, you will have three files: ssl.crt (public key), ssl.key (private key), ssl.p12 (certificate in PKCS12 format).
Run the following command to view the certificate information:
$ keytool -list -rfc -keystore ssl.p12 -storetype pkcs12
The main thing to look for in the certificate information is the alias attribute, which is needed when generating the keystore below. It is generally a string such as "xxx@163.com startcom Ltd. ID", where xxx@163.com is the mailbox you used when registering with StartSSL.
Run the following command to generate the keystore:
$ keytool -importkeystore -srckeystore ssl.p12 -srcstoretype PKCS12 -destkeystore keystore -srcalias "xxx@163.com startcom Ltd. ID" -destkeypass changeit
-srcalias is the alias found above. The default destkeypass password is changeit.
Next, merge the certificates (mainly because Firefox requires us to provide the root certificate of the certificate issuer).
Download the StartSSL CA certificate from StartSSL:
$ wget http://cert.startssl.com/certs/ca.pem
Download the StartSSL class1 sub CA certificate from StartSSL:
$ wget http://cert.startssl.com/certs/sub.class1.server.ca.pem
Merge ssl.crt, sub.class1.server.ca.pem and ca.pem:
$ cat sub.class1.server.ca.pem >> ssl.crt
$ cat ca.pem >> ssl.crt
Remove the passphrase from the private key so that Tomcat starts without asking for the private key password. The resulting ssl.key is unencrypted, so keep it readable only by the user that runs Tomcat.
$ cp ssl.key ssl.key.tmp
$ openssl rsa -in ssl.key.tmp -out ssl.key
Put the generated keystore, ssl.crt, and ssl.key in the conf directory of Tomcat, and modify the conf/server.xml configuration.
Add the following configuration:
<Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="${catalina.base}/conf/keystore" keystorePass="changeit" keystoreType="PKCS12"
           SSLCertificateFile="${catalina.base}/conf/ssl.crt"
           SSLCertificateKeyFile="${catalina.base}/conf/ssl.key"
           SSLCACertificateFile="${catalina.base}/conf/ssl.crt"
           clientAuth="false" sslProtocol="TLS" />
The three SSL* parameters are used as follows:
SSLCertificateFile: the sub class1 certificate
SSLCertificateKeyFile: the key of the sub class1 certificate
SSLCACertificateFile: the root certificate (without this parameter Firefox does not trust the certificate, because the StartSSL root certificate of the issuer that issued it to you has to be attached).
Start Tomcat.
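Before starting Tomcat, the merged ssl.crt and the stripped ssl.key can be sanity-checked. The following is an added example, not part of the original post: it checks PEM structure only (not signatures or trust), and the names check_bundle, key_is_encrypted and fake_pem are hypothetical, with constructed stand-in data instead of real certificates.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
FUSED = re.compile(r"-----END CERTIFICATE-----[ \t]*-----BEGIN")

def check_bundle(crt_text, expected=3):
    """Return a list of problems in a merged ssl.crt; an empty list means OK."""
    problems = []
    # `cat x.pem >> ssl.crt` fuses two lines if ssl.crt had no trailing newline.
    if FUSED.search(crt_text):
        problems.append("fused END/BEGIN line")
    seen, count = set(), 0
    for label, body in PEM_BLOCK.findall(crt_text):
        if label != "CERTIFICATE":
            problems.append("unexpected block: " + label)
            continue
        count += 1
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append("certificate %d: invalid base64" % count)
            continue
        if not der.startswith(b"\x30"):  # an X.509 certificate is a DER SEQUENCE
            problems.append("certificate %d: not DER" % count)
        if der in seen:  # `>>` is not idempotent: re-running it appends again
            problems.append("certificate %d: duplicate" % count)
        seen.add(der)
    if count != expected:
        problems.append("expected %d certificates, found %d" % (expected, count))
    return problems

def key_is_encrypted(key_text):
    """True if the PEM private key still needs a passphrase."""
    return ("BEGIN ENCRYPTED PRIVATE KEY" in key_text   # PKCS#8 form
            or "Proc-Type: 4,ENCRYPTED" in key_text)    # traditional RSA PEM form

def fake_pem(n):
    """Constructed stand-in for a certificate: a tiny DER SEQUENCE, not real X.509."""
    der = b"\x30\x03\x02\x01" + bytes([n])
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    leaf, sub, root = fake_pem(1), fake_pem(2), fake_pem(3)
    print(check_bundle(leaf + sub + root))               # well-formed bundle
    print(check_bundle(leaf.rstrip("\n") + sub + root))  # leaf lacked a final newline
```

On a real installation, pass the contents of conf/ssl.crt and conf/ssl.key to the two functions.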