StartSSL free certificate application steps
1. Client authentication application
StartSSL authenticates users with an HTTPS client certificate rather than with a username and password, so the first step is to apply for a StartSSL client certificate.
(The whole application process is described at: http://blog.csdn.net/ruixue0117/article/details/22201303)
2. Installation under Tomcat
Using a StartSSL-issued certificate in Tomcat is somewhat involved; refer to this article (https://adaptivekanban.com/blog/2012/07/how-to-use-startssl-certificates-with-apache-tomcat/) or follow the steps below.
1) Decrypt the private key
Before the certificate can be used, the generated private key must be decrypted, either with the command openssl rsa -in ssl.key -out ssl_decrypted.key or with the StartSSL tool (Tool Box -> Decrypt Private Key); save the output as a file, for example ssl_decrypted.key.
2) Create a PKCS#12 file
Use StartSSL Tool Box -> Create PKCS#12 (PFX) File.
For "private key", supply the decrypted key file. Save the resulting file as out.p12.
3) Generate a keystore file from the PKCS#12 file
Use the keytool utility in the bin directory of the Java installation:
keytool.exe -importkeystore -deststorepass changeit -destkeystore mykeystore.jks -srckeystore out.p12 -srcstoretype PKCS12 -srcstorepass changeit
4) Import the StartSSL CA certificate and the Class 1 Intermediate Server CA
The StartSSL CA certificate was already downloaded in step 7 of stage three. Alternatively, download it from StartSSL Tool Box -> StartCom CA Certificates -> StartCom Root CA (PEM encoded).
The Class 1 intermediate server CA was also downloaded in step 7 of stage three. Alternatively, download it from StartSSL Tool Box -> StartCom CA Certificates -> Class 1 Intermediate Server CA.
keytool.exe -import -alias startsslca -file ca.pem -keystore mykeystore.jks
keytool.exe -import -alias startsslca2 -file sub.class1.server.ca.pem -keystore mykeystore.jks
5) Configure Tomcat
Edit the server.xml file in the conf directory of the Tomcat installation and uncomment the HTTPS connector, pointing it at the keystore:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="D:\\apache-tomcat-7.0.16-account\\mykeystore.jks" keystorePass="changeit"/>
(The maxThreads value was lost from the original; 150 is the value in Tomcat's stock server.xml.)
Starting Tomcat at this point usually produces an APR error.
The usual fix is to edit server.xml and comment out the APR listener:
<!--<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>-->
(When the APR connector is active, Tomcat expects PEM certificate and key files via SSLCertificateFile/SSLCertificateKeyFile rather than a JKS keystore, so the keystoreFile settings above only apply to the JSSE connector.)
For more solutions, refer to this article (http://lixor.iteye.com/blog/1532655).
After this, SSL starts normally.
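The four preparation steps above, done entirely from the command line instead of the StartSSL web toolbox, as an added example that is not part of the original post. It assumes openssl and the JDK keytool are on PATH in a POSIX shell; the file names (ssl.key, ssl.crt, out.p12, mykeystore.jks, ca.pem, sub.class1.server.ca.pem) and aliases follow the post, and "changeit" is the placeholder password the post uses.

```shell
# Added example (not from the original post): build the Tomcat keystore with
# openssl + keytool. Assumes both tools are on PATH; file names, aliases and
# the "changeit" placeholder password are taken from the post.

# Step 1: remove the passphrase from the StartSSL-issued private key.
# $1 = encrypted key, $2 = output file, $3 = passphrase
decrypt_key() {
    openssl rsa -in "$1" -out "$2" -passin "pass:$3"
    chmod 600 "$2"    # the plaintext key must not be readable by other users
}

# Step 2: bundle the decrypted key, the server certificate and the
# intermediate into a PKCS#12 file (replaces the toolbox "Create PKCS#12").
# $1 = key, $2 = server cert, $3 = intermediate cert, $4 = output .p12, $5 = password
make_pkcs12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -name tomcat -out "$4" -passout "pass:$5"
}

# Step 3: convert the PKCS#12 file into a JKS keystore.
# $1 = .p12 file, $2 = password (used for both stores), $3 = output .jks
make_keystore() {
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$2" \
        -destkeystore "$3" -deststorepass "$2"
}

# Step 4: add the root and intermediate CA certificates as trusted entries.
# $1 = alias, $2 = PEM certificate, $3 = keystore, $4 = password
import_ca() {
    keytool -import -noprompt -trustcacerts -alias "$1" -file "$2" \
        -keystore "$3" -storepass "$4"
}

# Check that an alias exists before pointing server.xml at the keystore.
# $1 = alias, $2 = keystore, $3 = password
keystore_has_alias() {
    keytool -list -keystore "$2" -storepass "$3" -alias "$1" >/dev/null 2>&1
}

# Full run with the post's file names; $1 is the passphrase of ssl.key.
build_tomcat_keystore() {
    decrypt_key ssl.key ssl_decrypted.key "$1"
    make_pkcs12 ssl_decrypted.key ssl.crt sub.class1.server.ca.pem out.p12 changeit
    make_keystore out.p12 changeit mykeystore.jks
    import_ca startsslca ca.pem mykeystore.jks changeit
    import_ca startsslca2 sub.class1.server.ca.pem mykeystore.jks changeit
    keystore_has_alias tomcat mykeystore.jks changeit
}
```

Run it in the directory holding the StartSSL files as build_tomcat_keystore "$KEY_PASSPHRASE"; the resulting mykeystore.jks is what keystoreFile in server.xml points to. Passing the intermediate to make_pkcs12 means the key entry already carries its chain, so Tomcat sends the intermediate to clients even before the separate import_ca calls.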
3. Installation under Apache
Refer to this article (http://blog.mowd.tw/index.php?pl=950).
If the encrypted ssl.key is used, the passphrase must be entered every time Apache starts. (Not tested.)
Add the following to httpd.conf (note that ssl.key here must be the decrypted key):
SSLCertificateFile /etc/pki/tls/certs/ssl.crt
SSLCertificateKeyFile /etc/pki/tls/private/ssl.key
SSLCertificateChainFile /etc/pki/tls/sub.class1.server.ca.pem
SSLCACertificateFile /etc/pki/tls/ca.pem
(In Apache 2.4.8 and later SSLCertificateChainFile is deprecated; the intermediate certificate can instead be appended to the file given to SSLCertificateFile.)