Install tomcat jks AVR using SSL

JDK1.7, tomcat 7.0.39, and openssl installation 0.9.8

Operating System win7

Command line:

1. Generate the CA private key and self-Signed root certificate

① Generate the CA private key

Openssl genrsa-out F: \ CA \ ca-key.pem 1024

② Generate the root certificate to be signed

Openssl req-new-x509-keyout F: \ CA \ ca-key.pem-out F: \ CA \ ca-req.csr-config openssl. cnf

③ Use the CA private key to self-sign the root certificate

Openssl x509-req-in F: \ CA \ ca-req.csr-out F: \ CA \ ca-cert.pem-signkey F: \ CA \ ca-key.pem-days 365

2. Generate a server certificate

① Generate KeyPair. It is recommended that keyPass be the same as storePass for convenience.

Keytool-genkey-alias ying-validity 365-keyalg RSA-keysize 1024-keypass yingedevil-storepass yingedevil-dname "cn = localhost, ou = department, o = company, l = Beijing, st = Beijing, c = CN "-keystore F: \ CA \ ying. jks

② Generate the certificate to be signed

Keytool-certreq-alias ying-sigalg MD5withRSA-file F: \ CA \ ying. csr-keypass yingedevil-keystore F: \ CA \ ying. jks-storepass yingedevil

③ Use the CA private key for signature

Openssl x509-req-in F: \ CA \ ying. csr-out F: \ CA \ ying-cert.pem-ca f: \ CA \ ca-cert.pem-CAkey F: \ CA \ ca-key.pem-days 365-set_serial 1

3. Import the trusted CA root certificate to the default java location % JAVA_HOME % \ jre \ lib \ security \ cacerts

Keytool-import-v-trustcacerts-storepass changeit-alias root_ying-file F: \ CA \ ca-cert.pem-keystore % JAVA_HOME % \ jre \ lib \ security \ cacerts

4. Import the server certificate signed by the CA to the keystore

Keytool-import-v-trustcacerts-storepass yingedevil-alias ying-file F: \ CA \ ying-cert.pem-keystore F: \ CA \ ying. jks

5. view the keystore on the server and the JDK

Keytool-list-keystore "% JAVA_HOME % \ jre \ lib \ security \ cacerts"

6. On the Tomcat server side, add the following configuration in conf/server. xml:

<Connection port = "443"
Protocol = "HTTP/1.1" SSLEnabled = "true"
AcceptCount = "100" scheme = "https" secure = "true"
ClientAuth = "false" sslProtocol = "TLS"
SSLCertificateFile = "F: \ server \ apache-tomcat-7.0.39 \ conf \ ca-cert.cer"
SSLCertificateKeyFile = "F: \ server \ apache-tomcat-7.0.39 \ conf \ ca-key.pem"
KeystoreFile = "F: \ server \ apache-tomcat-7.0.39 \ conf \ ying. jks"
KeystorePass = "yingedevil"/>

Finally, ying. jks, ca-cert.cer (original is ca-cert.pem ,. the pem file is ASCII encoded and the file format is changed. cer), The ca-key.pem of three files to copy to the server conf.

Convert java keystore file to p12 format:
Keytool-importkeystore-srckeystore ying. jks-destkeystore ying. p12-srcstoretype JKS-deststoretype PKCS12-Zookeeper-srcalias ying-policying-Zookeeper-destkeypass encryption-Encryption

7. Configure the web. xml file in the server network program (Add the following section) to automatically convert the http protocol to https access.

<Login-config>
<! -- Authorization setting for SSL -->
<Auth-method> CLIENT-CERT </auth-method>
<Realm-name> Client Cert Users-only Area </realm-name>
</Login-config>

<Security-constraint>
<! -- Authorization setting for SSL -->
<Web-resource-collection>
<Web-resource-name> SSL </web-resource-name>
<Url-pattern>/* </url-pattern>
</Web-resource-collection>

<User-data-constraint>
<Transport-guarantee> CONFIDENTIAL </transport-guarantee>
</User-data-constraint>
</Security-constraint>

 

See Official Document http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

To create openssl. conf, refer to: http://www.openssl.org/docs/apps/req.html#EXAMPLES

References

Http://zhumeng8337797.blog.163.com/blog/static/100768914201241645258903/

Http://yushan.iteye.com/blog/434955

Http://www.albertsong.com/read-99.html