Setting up Tomcat SSL with a JKS keystore using OpenSSL

Tags: openssl, x509

Environment: JDK 1.7, Tomcat 7.0.39, OpenSSL 0.9.8

Operating system: Windows 7

Commands (run from a Windows command prompt):

1. Generate the CA private key and the self-signed root certificate

① Generate the CA private key

openssl genrsa -out F:\CA\ca-key.pem 1024

② Generate the certificate signing request for the root certificate

openssl req -new -key F:\CA\ca-key.pem -out F:\CA\ca-req.csr -config openssl.cnf

(The request is built from the key created in ①. Adding -x509 and -keyout here, as the original post did, would generate a fresh key and write a self-signed certificate instead of the request that step ③ signs.)

③ Self-sign the request with the CA private key to produce the root certificate

openssl x509 -req -in F:\CA\ca-req.csr -out F:\CA\ca-cert.pem -signkey F:\CA\ca-key.pem -days 365

2. Generate a server certificate

① Generate the key pair. For convenience, use the same value for keypass and storepass.

keytool -genkey -alias ying -validity 365 -keyalg RSA -keysize 1024 -keypass yingedevil -storepass yingedevil -dname "CN=localhost, OU=department, O=company, L=Beijing, ST=Beijing, C=CN" -keystore F:\CA\ying.jks

② Generate the certificate signing request for the server key

keytool -certreq -alias ying -sigalg MD5withRSA -file F:\CA\ying.csr -keypass yingedevil -keystore F:\CA\ying.jks -storepass yingedevil

(MD5withRSA is kept as in the original setup; current JDKs and browsers reject MD5 signatures, so SHA256withRSA is the value to use on anything newer than the versions listed above.)

③ Sign the request with the CA private key

openssl x509 -req -in F:\CA\ying.csr -out F:\CA\ying-cert.pem -CA F:\CA\ca-cert.pem -CAkey F:\CA\ca-key.pem -days 365 -set_serial 1

3. Import the trusted CA root certificate into the default Java truststore, %JAVA_HOME%\jre\lib\security\cacerts

keytool -import -v -trustcacerts -storepass changeit -alias root_ying -file F:\CA\ca-cert.pem -keystore %JAVA_HOME%\jre\lib\security\cacerts

4. Import the CA-signed server certificate into the server keystore (the alias must match the key pair from step 2, so the signed certificate replaces the self-signed one)

keytool -import -v -trustcacerts -storepass yingedevil -alias ying -file F:\CA\ying-cert.pem -keystore F:\CA\ying.jks

5. List the entries in the JDK truststore (use -keystore F:\CA\ying.jks -storepass yingedevil to list the server keystore in the same way)

keytool -list -keystore "%JAVA_HOME%\jre\lib\security\cacerts"

6. On the Tomcat server, add the following connector to conf/server.xml:

<Connector port="443"
           protocol="HTTP/1.1" SSLEnabled="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           SSLCertificateFile="F:\server\apache-tomcat-7.0.39\conf\ca-cert.cer"
           SSLCertificateKeyFile="F:\server\apache-tomcat-7.0.39\conf\ca-key.pem"
           keystoreFile="F:\server\apache-tomcat-7.0.39\conf\ying.jks"
           keystorePass="yingedevil"/>

Note that SSLCertificateFile and SSLCertificateKeyFile are read only by the APR (native) connector, while keystoreFile and keystorePass are read only by the JSSE connector; each connector type uses its own pair and ignores the other, so the configuration works whichever implementation Tomcat selects.

Finally, copy three files into the server's conf directory: ying.jks, ca-cert.cer (this is ca-cert.pem renamed; the PEM file is ASCII-encoded, so only the extension changes, not the content), and ca-key.pem.

Convert the Java keystore to PKCS12 format:

keytool -importkeystore -srckeystore ying.jks -destkeystore ying.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass yingedevil -deststorepass yingedevil -srcalias ying -destalias ying -srckeypass yingedevil -destkeypass yingedevil

(The alias and password options on this line were garbled in the source; the values above assume the same alias and password used in step 2.)

7. Add the following section to the web application's web.xml so that HTTP requests are automatically redirected to HTTPS.

<login-config>
    <!-- Authorization setting for SSL -->
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Client Cert Users-only Area</realm-name>
</login-config>

<security-constraint>
    <!-- Authorization setting for SSL -->
    <web-resource-collection>
        <web-resource-name>SSL</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>

    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

The redirect itself comes from the CONFIDENTIAL transport guarantee: a request for a matching URL over plain HTTP is answered with a redirect to the HTTPS port. The CLIENT-CERT login-config is a separate setting that makes Tomcat ask the browser for a client certificate on protected resources; it is not required for the redirect, and with clientAuth="false" on the connector the certificate is requested only when such a resource is accessed.
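The procedure in steps 1 through 5, plus the PKCS12 conversion, as a POSIX shell script. This is an added example and not the original post's commands: it uses OpenSSL for every step so it runs without a JDK (the keytool import into a JKS runs only when keytool is on the PATH), and it adds the chain check the post never performs. It deliberately departs from the post's parameters where current software would reject them: 2048-bit keys instead of 1024, and SHA-256 instead of MD5withRSA. The working directory, subject names, alias and password are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the original post's commands. Builds a demo CA, signs a
# server certificate with it, verifies the chain, and bundles the result as
# PKCS12 (and as JKS when keytool is available).
# Assumptions: openssl on PATH; keytool optional; all names and the
# password below are constructed for this demo and mirror the post's values.
set -u

WORKDIR="${WORKDIR:-$(mktemp -d)}"
STOREPASS="yingedevil"    # same password for key and store, as the post recommends
ALIAS="ying"
SUBJ_CA="/C=CN/ST=Beijing/L=Beijing/O=company/OU=department/CN=demo-ca"
SUBJ_SRV="/C=CN/ST=Beijing/L=Beijing/O=company/OU=department/CN=localhost"

# Step 1: CA private key, a signing request, and the self-signed root certificate.
make_ca() {
  openssl genrsa -out "$WORKDIR/ca-key.pem" 2048 2>/dev/null || return 1
  openssl req -new -key "$WORKDIR/ca-key.pem" -subj "$SUBJ_CA" \
      -out "$WORKDIR/ca-req.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$WORKDIR/ca-req.csr" -signkey "$WORKDIR/ca-key.pem" \
      -days 365 -out "$WORKDIR/ca-cert.pem" 2>/dev/null || return 1
}

# Step 2: server key pair and request (openssl stands in for keytool -genkey
# and -certreq), then the CA signs it. -sha256 replaces the post's MD5withRSA,
# which current JDKs and browsers refuse.
make_server_cert() {
  openssl genrsa -out "$WORKDIR/$ALIAS-key.pem" 2048 2>/dev/null || return 1
  openssl req -new -key "$WORKDIR/$ALIAS-key.pem" -subj "$SUBJ_SRV" \
      -out "$WORKDIR/$ALIAS.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$WORKDIR/$ALIAS.csr" -CA "$WORKDIR/ca-cert.pem" \
      -CAkey "$WORKDIR/ca-key.pem" -set_serial 1 -days 365 -sha256 \
      -out "$WORKDIR/$ALIAS-cert.pem" 2>/dev/null || return 1
}

# The check the post omits: does the server certificate chain to the CA, and
# was it signed with an algorithm a modern client accepts?
verify_chain() {
  openssl verify -CAfile "$WORKDIR/ca-cert.pem" "$WORKDIR/$ALIAS-cert.pem" \
      >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORKDIR/$ALIAS-cert.pem" -noout -text \
      | grep -q 'sha256WithRSAEncryption' || return 1
}

# Key + certificate + CA as a PKCS12 bundle (the format the post converts to
# with keytool -importkeystore), then into a JKS when keytool exists.
make_keystores() {
  openssl pkcs12 -export -inkey "$WORKDIR/$ALIAS-key.pem" \
      -in "$WORKDIR/$ALIAS-cert.pem" -certfile "$WORKDIR/ca-cert.pem" \
      -name "$ALIAS" -passout "pass:$STOREPASS" \
      -out "$WORKDIR/$ALIAS.p12" 2>/dev/null || return 1
  if command -v keytool >/dev/null 2>&1; then
    keytool -importkeystore -srckeystore "$WORKDIR/$ALIAS.p12" \
        -srcstoretype PKCS12 -srcstorepass "$STOREPASS" \
        -destkeystore "$WORKDIR/$ALIAS.jks" -deststoretype JKS \
        -deststorepass "$STOREPASS" -noprompt >/dev/null 2>&1 || return 1
  fi
}

# Runs every step in order; returns 0 only when all of them, including the
# chain check, succeeded.
run_demo() {
  make_ca && make_server_cert && verify_chain && make_keystores || return 1
  echo "demo PKI written to $WORKDIR"
}

run_demo
```

Set WORKDIR before running to choose where the files land; the resulting ying.p12 (or ying.jks) and ca-cert.pem are what the connector in step 6 points at via keystoreFile and SSLCertificateFile respectively.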


See the official Tomcat SSL how-to: http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

For creating openssl.cnf, see the examples in the OpenSSL req documentation: http://www.openssl.org/docs/apps/req.html#EXAMPLES

