Nginx + Tomcat HTTPS/SSL Configuration

Source: Internet
Author: User
Tags: net, domain, ssl, certificate

This article uses a number of cryptographic terms (key pair, private key, public key, certificate, certificate chain). For the theory behind them see the article on SSL and digital certificates; they are not re-explained here.

1. Apply for an SSL Certificate
SSL certificates can be bought from many vendors; I often use GeoTrust. Certificates cost money (free ones reportedly exist, but I have not tried them) and prices vary widely. What you pay for is the issuing organisation: the more widely trusted the CA, the less likely a browser is to reject your certificate. For a site in regular operation it is worth buying a well-recognised certificate; it costs more but saves trouble.
 
1.1 Generate a CSR file
When you apply for a certificate, the issuer asks you for a CSR (Certificate Signing Request) file containing the information it needs to sign. Before a CSR can be generated we need a key pair, which keytool creates inside a keystore:

$JAVA_HOME/bin/keytool -genkey -alias <your_alias_name> -keyalg RSA -keysize 2048 -keystore <your_keystore_filename>

This uses the RSA algorithm with a 2048-bit key; public CAs no longer accept anything shorter (-genkey is the older spelling of -genkeypair and still works). <your_alias_name> can be the site's name, for example "oschina", and <your_keystore_filename> can be oschina.keystore. Keep the keystore file safe: it holds the private key that the certificate will later be bound to.
 
The command prompts for the identity of the key's owner, that is, your website. Only one field really matters: the Common Name (CN), which must be your site's host name, for example "www.oschina.net". keytool's prompt for it reads "What is your first and last name?", which is confusing; answer it with the host name. Fill in the other fields (organisation, city, country and so on) truthfully. You are then asked for a keystore password and a key password; the simplest choice is to use the same value for both, and pressing Enter at the key-password prompt does exactly that (the frequently quoted "changeit" is only the default password of the JDK's own cacerts truststore, not of a keystore you create). Two caveats before you submit the request: modern browsers ignore the CN and require the host name to appear as a subjectAltName, so either pass -ext SAN=dns:www.oschina.net to keytool or make sure the CA adds it when issuing; and the keystore password protects your site's private key, so do not leave it at something guessable.
 
The CSR is then generated from that key pair:

$JAVA_HOME/bin/keytool -certreq -keyalg RSA -alias <your_alias_name> -file certreq.csr -keystore <your_keystore_filename>

<your_alias_name> and <your_keystore_filename> must match the previous step (here oschina and oschina.keystore); keytool asks for the keystore password you set there. The resulting certreq.csr is a text file that looks like this (the Base64 body is the DER-encoded request; openssl req -in certreq.csr -noout -text shows what it contains, which is worth doing once to confirm the CN):
-----BEGIN NEW CERTIFICATE REQUEST-----
(Base64-encoded request body)
-----END NEW CERTIFICATE REQUEST-----
Paste the whole file, including the BEGIN and END lines, into the issuer's order form.
 
1.2 Submit the signing request
After you submit the CSR, the CA verifies that the request really comes from the domain's owner. For oschina.net, for example, it sends a confirmation mail to an address such as admin@oschina.net or webmaster@oschina.net. Once you confirm the mail and pay, the signed certificate is issued immediately, in the same PEM format as the CSR:
-----BEGIN CERTIFICATE-----
(Base64-encoded certificate body)
-----END CERTIFICATE-----
This is your site's certificate, signed by the CA. When a user connects over HTTPS, the browser checks that the signature chains up to a root it trusts, that the certificate is within its validity period, and that the host name in the URL matches the certificate.
 
1.3 Download the certificate
Certificates come in several encodings, for example X.509 (a .crt file holding one certificate) and PKCS #7 (a .p7s or .p7b file, which can hold several). Different servers expect different formats. Your certificate is usually not signed by the CA's root directly but by an intermediate CA, which is in turn signed by the root, so along with your own certificate the issuer also gives you an "Intermediate CA" certificate in the same format. When deploying you must install both; together they form the certificate chain that lets a browser walk from your certificate up to a trusted root. A good issuer offers several downloads: take both the X.509 and the PKCS #7 versions, and do not forget the intermediate certificate in X.509 format. The PKCS #7 bundle is convenient because it already contains the intermediate certificates, which is why it is the easiest thing to import into the Tomcat keystore below; Nginx, on the other hand, wants plain X.509 files.
 
2. Deploy the certificate to Tomcat
Tomcat needs the keystore file containing the private key and the signed certificate, plus the keystore password, so the first step is to import the CA's reply into the keystore.
2.1 Import the certificate into the keystore

$JAVA_HOME/bin/keytool -import -alias oschina -trustcacerts -file oschina.p7s -keystore oschina.keystore

The alias "oschina" must be the one used when the key pair was generated: keytool then treats the file as a certificate reply and replaces the self-signed placeholder certificate under that alias with the signed chain, instead of adding a separate trusted-certificate entry. -trustcacerts lets keytool find the CA's root in the JDK's cacerts file while validating the reply. Check the result with keytool -list -v -alias oschina -keystore oschina.keystore: the entry should be a PrivateKeyEntry whose "Certificate chain length" is 2 or more and whose first certificate has your site name as Owner.
 
2.2 Modify the Tomcat configuration
Add an HTTPS connector to conf/server.xml that points at the keystore (attribute names are case-sensitive):

<Connector SSLEnabled="true" acceptCount="100" clientAuth="false"
           disableUploadTimeout="true" enableLookups="false" maxThreads="25"
           port="8443" keystoreFile="/oschina/webapp/oschina.keystore" keystorePass="xxxxxxx"
           protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
           secure="true" sslProtocol="TLS"/>

keystorePass is the password chosen in section 1.1 and is stored in clear text, so restrict server.xml and the keystore file to the account Tomcat runs as (mode 0600). sslProtocol="TLS" only selects the JSSE context and does not by itself turn off old protocol versions; on Tomcat 7 and later add sslEnabledProtocols="TLSv1.2" (plus TLSv1.3 on Java 11 or newer) so that SSLv3 and TLS 1.0/1.1 are never offered. Restart Tomcat and confirm that it listens on 8443 before moving on.

3. Deploy the certificate to Nginx
Nginx works differently from Tomcat: it wants the certificate as a .crt file and the private key as a separate .key file, both PEM-encoded. Our private key, however, sits inside the Java keystore, and keytool has no command that prints a private key, so it has to be extracted another way.

3.1 Export the private key
One option is the open-source java-exportpriv, a small Java program: download it, compile it as its instructions describe and run it against the keystore to dump the key in PEM form. It is simple enough that I will not go into the details. Alternatively, keytool itself can convert the keystore to PKCS #12 (keytool -importkeystore ... -deststoretype PKCS12), a format openssl understands, and openssl pkcs12 -nocerts -nodes then writes the private key as a PEM file. Whichever route you take, the exported key is unencrypted: set its permissions to 0600, keep it owned by root or the nginx user, and never put it under a directory the web server serves.
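The whole keytool workflow of sections 1.1, 2.1 and 3.1 run end to end, as an added example that is not part of the original article: key pair and CSR without interactive prompts, import of the issuer's PKCS #7 reply, the chain-length check, and the private-key export through PKCS #12 with no third-party tool. A throwaway CA built with openssl stands in for the commercial issuer; the alias, host name, password and file names are assumptions, and everything is written to a temporary directory.

```shell
#!/bin/sh
# Added worked example, not part of the original article: the keytool steps of
# sections 1.1, 2.1 and 3.1 run end to end without interactive prompts. A throwaway
# CA built with openssl stands in for the commercial issuer. Alias, host name,
# password and file names are assumptions; needs keytool (JDK) and openssl on PATH.
set -eu

ALIAS=oschina
HOST=www.oschina.net
KS=oschina.keystore
STOREPASS='replace-with-a-real-password'   # assumed; the key password is set to the same value
WORK=$(mktemp -d)
cd "$WORK"

# Section 1.1: key pair and CSR. -dname replaces the "first and last name" questionnaire,
# -ext SAN adds the subjectAltName browsers require, -storetype JKS mirrors the article.
# Public CAs take the SAN list from the order form, so the CSR itself needs no -ext.
make_key_and_csr() {
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -storetype JKS \
        -dname "CN=$HOST, O=Example Ltd, C=CN" -ext "SAN=dns:$HOST" -validity 30 \
        -keystore "$KS" -storepass "$STOREPASS" -keypass "$STOREPASS"
    keytool -certreq -alias "$ALIAS" -file certreq.csr \
        -keystore "$KS" -storepass "$STOREPASS"
}

# Stand-in for the CA: a self-signed test root signs the CSR (adding the SAN, as a
# real issuer does), then leaf and root are bundled as PKCS #7, the format an
# issuer's download page hands out for Tomcat.
sign_with_test_ca() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root CA" \
        -keyout ca.key -out ca.csr 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl x509 -req -in ca.csr -signkey ca.key -days 30 -extfile ca.ext -out ca.pem 2>/dev/null
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$HOST" > leaf.ext
    openssl x509 -req -in certreq.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 30 -extfile leaf.ext -out leaf.pem 2>/dev/null
    openssl crl2pkcs7 -nocrl -certfile leaf.pem -certfile ca.pem -outform DER -out reply.p7b
}

# Section 2.1: import the reply under the key's alias. The test root is not in the
# JDK's cacerts, so it is added to the keystore as a trusted certificate first; with
# a commercial CA, -trustcacerts finds the root in cacerts instead.
import_reply() {
    keytool -importcert -noprompt -alias testroot -file ca.pem \
        -keystore "$KS" -storepass "$STOREPASS"
    keytool -importcert -noprompt -trustcacerts -alias "$ALIAS" -file reply.p7b \
        -keystore "$KS" -storepass "$STOREPASS"
}

# The check from section 2.1: number of certificates now stored under the key alias.
chain_length() {
    keytool -list -v -alias "$ALIAS" -keystore "$KS" -storepass "$STOREPASS" |
        sed -n 's/^Certificate chain length: //p'
}

# Section 3.1 without a third-party tool: keytool copies the entry into a PKCS #12
# file, which openssl reads, and openssl writes the private key as PEM for Nginx.
export_private_key() {
    keytool -importkeystore -noprompt -srckeystore "$KS" -srcstorepass "$STOREPASS" \
        -srcalias "$ALIAS" -destkeystore oschina.p12 -deststoretype PKCS12 \
        -deststorepass "$STOREPASS"
    # PKCS #12 files from JDKs older than 8u301/11.0.12 use RC2/3DES; OpenSSL 3 needs
    # "-legacy" to open those. -nodes writes the key unencrypted, hence the chmod.
    openssl pkcs12 -in oschina.p12 -passin "pass:$STOREPASS" -nocerts -nodes |
        openssl pkey -out oschina.key
    chmod 600 oschina.key
}

# Confirms that the exported key belongs to the certificate Nginx will serve.
key_matches_cert() {
    k=$(openssl pkey -in oschina.key -pubout | openssl sha256)
    c=$(openssl x509 -in leaf.pem -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ]
}

run_all() {
    make_key_and_csr && sign_with_test_ca && import_reply && export_private_key
}

if [ "${1:-}" = "--run" ]; then
    run_all
    echo "certificate chain length under alias $ALIAS: $(chain_length)"   # leaf + test root
    key_matches_cert && echo "oschina.key matches leaf.pem; files are in $WORK"
fi
```

Run it as sh keystore-demo.sh --run. Against a real issuer, replace sign_with_test_ca with the CA's own reply file and drop the testroot import; the import, chain-length check and export steps stay exactly the same.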

 
3.2 Create a certificate chain
Unlike Apache, Nginx has no separate directive for the chain (Apache's SSLCertificateChainFile), so your certificate and the intermediate certificate are combined into one file. Create oschina-chain.crt with your own certificate first and the intermediate after it, in this order, because Nginx sends the certificates in file order and the first one must be the server's:
-----BEGIN CERTIFICATE-----
(your certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(the intermediate certificate)
-----END CERTIFICATE-----
There is no need to append the root certificate: a client can only trust the chain if it already has the root.
 
3.3 Modify the Nginx configuration file

server {
    listen 443 ssl;
    server_name localhost;   # put the real host name here, e.g. www.oschina.net
    ssl on;                  # redundant with "listen 443 ssl" and deprecated since nginx 1.15.0; drop it on current versions
    ssl_certificate /oschina/webapp/oschina-chain.crt;
    ssl_certificate_key /oschina/webapp/oschina.key;

    location / {
        include proxy.conf;
        # the Tomcat instance; the port must be the one its HTTPS connector listens on (8443 in section 2.2)
        proxy_pass https://61.145.122.155:443;
    }
}

ssl_certificate takes the combined file from section 3.2 and ssl_certificate_key the exported key; both must be readable by the nginx master process, which runs as root at startup, so root-owned 0600 files are fine. Older nginx releases still offered SSLv3 and TLS 1.0 by default, so pin ssl_protocols TLSv1.2 TLSv1.3; in the server block, then check and apply the configuration with nginx -t && nginx -s reload.
 
4. Verify that the certificate is correctly installed
First open the site over HTTPS in a browser and check that it shows neither an error nor a warning; repeat this with every browser you care about, since their trust stores and chain-building behaviour differ. Then run an online TLS checker (Qualys SSL Labs, for example) against the host: it reports a missing intermediate, a wrong chain order, a host-name mismatch and weak protocol or cipher settings that a single browser may silently tolerate. From the command line, openssl s_client -connect www.oschina.net:443 -servername www.oschina.net shows the chain the server actually sends and the verification result. If everything passes, you are done.
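The checks a scanner performs on the served chain can be run offline against the chain file before Nginx is reloaded. The following is an added example, not part of the original article, covering the chain file of section 3.2 and the verification step of section 4: it builds a throwaway root, intermediate and server certificate with openssl as constructed test data (the host name and file names are assumptions), then rejects the three usual mistakes: intermediate placed before the server certificate, intermediate forgotten, and a certificate that does not chain to the one after it.

```shell
#!/bin/sh
# Added worked example, not part of the original article: an offline check of the
# Nginx chain file from section 3.2, covering what the browser test and the online
# scanner of section 4 look at: key/certificate match, chain order, trust path and
# host name. A throwaway root -> intermediate -> leaf PKI is built with openssl as
# constructed test data; host name and file names are assumptions. Needs only openssl.
set -eu
HOST=www.oschina.net
WORK=$(mktemp -d)
cd "$WORK"

# new_key_csr NAME SUBJECT: fresh RSA key and request.
new_key_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# issue_cert CSR CA_CERT CA_KEY EXTFILE OUT: sign a request with a CA key.
issue_cert() {
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -days 30 \
        -extfile "$4" -out "$5" 2>/dev/null
}

make_test_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$HOST" > leaf.ext
    new_key_csr root "/CN=Test Root"
    new_key_csr inter "/CN=Test Intermediate"
    new_key_csr leaf "/CN=$HOST"
    openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.pem 2>/dev/null
    issue_cert inter.csr root.pem root.key ca.ext inter.pem
    issue_cert leaf.csr inter.pem inter.key leaf.ext leaf.pem
    cat leaf.pem inter.pem > good-chain.crt          # section 3.2: own certificate, then intermediate
    cat inter.pem leaf.pem > swapped-chain.crt       # mistake 1: intermediate first
    cp leaf.pem missing-chain.crt                    # mistake 2: intermediate forgotten
    cat leaf.pem root.pem > wrong-issuer-chain.crt   # mistake 3: root pasted instead of intermediate
}

# check_chain CHAIN KEY ROOT HOST: succeeds only if CHAIN is what Nginx must serve
# with KEY: server certificate first, each certificate issued by the one after it,
# a path to ROOT, and HOST present as a subjectAltName.
check_chain() {
    chain=$1; key=$2; root=$3; host=$4
    rm -f part-*.pem
    # split the bundle into part-1.pem, part-2.pem, ... in file order
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } { print > ("part-" n ".pem") }' "$chain"
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$chain")
    # 1. the first certificate must belong to the private key (catches a swapped order)
    k=$(openssl pkey -in "$key" -pubout | openssl sha256)
    c=$(openssl x509 -in part-1.pem -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ] || { echo "first certificate in $chain does not match $key"; return 1; }
    # 2. certificate i must be issued by certificate i+1 (catches a wrong issuer pasted in)
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -in "part-$i.pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
        subject=$(openssl x509 -in "part-$((i + 1)).pem" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
        [ "$issuer" = "$subject" ] || { echo "certificate $i is not issued by certificate $((i + 1))"; return 1; }
        i=$((i + 1))
    done
    # 3. the chain must reach the trusted root (catches a missing intermediate) and the
    #    server certificate must carry HOST, the same test a browser applies
    openssl verify -CAfile "$root" -untrusted "$chain" -verify_hostname "$host" part-1.pem >/dev/null 2>&1 ||
        { echo "no trusted path from $chain to $root, or host name mismatch"; return 1; }
}

if [ "${1:-}" = "--run" ]; then
    make_test_pki
    for f in good-chain.crt swapped-chain.crt missing-chain.crt wrong-issuer-chain.crt; do
        if check_chain "$f" leaf.key root.pem "$HOST"; then echo "$f: OK"; else echo "$f: rejected"; fi
    done
fi
```

Run it as sh chain-check.sh --run; only good-chain.crt is accepted. For a real deployment call check_chain with oschina-chain.crt, oschina.key, the CA's root certificate and your host name. Step 3 alone would also accept the swapped file when the intermediate happens to be in the trust file, which is why the key match in step 1 comes first: Nginx always presents the first certificate as the server's.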
