"Tomcat"-Small program development TOMCAT application Aliyun HTTPS configuration __ Applet

Small program now Fire Ah, the company also need to engage. To request a free certificate from Aliyun, you may have to support HTTPS and now configure your notes as follows:

The contents of the certificate downloaded from Ali include: Pfx,pem and key three files.

The SSL configuration for Tomcat is divided into two scenarios: using APR and not APR, the SSL configurations vary between the two cases.
We can find the configuration methods in these two cases in Tomcat's how-to documentation link: http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

In the case of not using APR, the Tomcat documentation is more clearly stated. Configuration parameters are also fixed, and the general configuration is as follows:
Java code <--Define a SSL Coyote http/1.1 Connector on port 8443--> <connector Port= "8443" maxthreads= "scheme=" https "secure=" true "sslenabled=" true "keystorefile=" ${use R.home}/.keystore "keystorepass=" Changeit "clientauth= false" sslprotocol= "TLS"/>

If it is TOMCAT7 above is directly support PFX, I use TOMCAT8, create cert directory under installation and directory, and upload certificate file.

Java code <--Define a SSL Coyote http/1.1 Connector on port 8443--> <connector Port= "8443" maxthreads= "scheme=" https "secure=" true "sslenabled=" true "keystorefile=" ${cat Alina.base}/cert/xxxxx.pfx "keystorepass=" Changeit "clientauth= false" sslprotocol= "TLS"/>

For the use of APR, it is a little more complicated.
How to install APR for Tomcat, refer to My History blog list for more information.

After using APR, the configuration of SSL is as follows (i):
Java code <--Define a SSL http/1.1 Connector on port 8443--> <connector protocol= "org.apache.coyote.h Ttp11.              Http11aprprotocol "port=" 8443 "maxthreads=" scheme= "https" secure= "true" sslenabled= "true"              Sslcertificatefile= "/USR/LOCAL/SSL/SERVER.CRT" sslcertificatekeyfile= "/usr/local/ssl/server.pem" Sslpassword= "123456" clientauth= "optional" sslprotocol= "TLSv1"/>
Which: Sslcertificatefile, indicating the path of the certificate;
Sslcertificatekeyfile, indicating the path of the private key, the private key can also be included in the certificate file, and if the private key is contained in the certificate file, the Sslcertificatekeyfile parameter does not need to be matched;
Sslpassword, indicating the cryptographic key of the private key, or configuring the Sslpassword if the private key in the sslcertificatekeyfile is encrypted;
Tomcat requires that the content format of the files pointed to by Sslcertificatefile and sslcertificatekeyfile be in PEM format

Configuration (ii):

<connector port= "8999" protocol= org.apache.coyote.http11.Http11AprProtocol "sslcertificatefile=" ${
                Catalina.base}/cert/xxxx.crt "
                sslcertificatekeyfile=" ${catalina.base}/cert/xxxx.key "
                maxThreads=" 500 " Sslenabled= "true" scheme= "https" secure= "true"
                clientauth= "optional" sslprotocol= "TLSv1"/>

There are no CRT files in the downloaded file, they need to be converted and extracted from the PFX file:

OpenSSL pkcs12-in my.pfx-nodes-out Server.pem
OpenSSL rsa-in server.pem-out Server.key
OpenSSL x509-in server.pem-out server.crt

Cer Crt Pem-PFX certificate format conversion

1. Extract keys and certificates from a certificate in the PFX format
Set OPENSSL_CONF=OPENSSL.CNF
OpenSSL pkcs12-in my.pfx-nodes-out Server.pem
OpenSSL rsa-in server.pem-out Server.key
OpenSSL x509-in server.pem-out server.crt
Conversion of a certificate in PEM format to a certificate in der Format
OpenSSL x509-in cert.pem-inform pem-out Cert.der-outform der
OpenSSL x509-in ca.cer-inform der-out ca.pem-outform PEM
Several typical password interchange information file formats:
der-encoded certificate:. CER,. crt
Pem-encoded message:. PEM
pkcs#12 Personal Information Exchange:. PFX,. P12
PKCS#10 certification Request:. P10
PKCS#7 cert Request response:. p7r
PKCS#7 binary message:. p7b
. CER/.CRT is used for storing certificates, which are stored in the form of 2 and do not contain private keys.
The difference between PEM and Crt/cer is that it is represented in ASCII.
PFX/P12 is used to store personal certificates/private keys, he usually contains protection password, 2
P10 is a certificate request
P7R is the CA's reply to a certificate request, which is used only for import
P7B Displays the certificate chain (certificate chain) in a tree and also supports a single certificate, excluding the private key

Algorithm
Base64 is not a cryptographic algorithm, but it is also a common use of SSL algorithm, it is encoded, used to move the ASC code and binary code around.

OpenSSL x509 Partial command
Print out the contents of the certificate:
OpenSSL x509-in Cert.pem-noout-text
Print out the serial number of the certificate
OpenSSL x509-in cert.pem-noout-serial
Print out the owner name of the certificate
OpenSSL x509-in Cert.pem-noout-subject
Print out the owner name of the certificate in the format specified in RFC2253
OpenSSL x509-in cert.pem-noout-subject-nameopt RFC2253
Print out the owner name of the certificate in the terminal line that supports UTF8
OpenSSL x509-in cert.pem-noout-subject-nameopt ONELINE-NAMEOPT-ESCMSB
Print out the MD5 feature parameters of a certificate
OpenSSL x509-in Cert.pem-noout-fingerprint
Print the SHA feature parameter for the certificate
OpenSSL x509-sha1-in Cert.pem-noout-fingerprint
Convert a certificate in PEM format into der Format
OpenSSL x509-in cert.pem-inform pem-out Cert.der-outform der
Convert a certificate into a CSR
OpenSSL x509-x509toreq-in cert.pem-out Req.pem-signkey Key.pem
Process a CSR, issue a word signing certificate, and increase the CA extension
OpenSSL x509-req-in careq.pem-extfile openssl.cnf-extensions v3_ca-signkey key.pem-out
Sign a CSR to increase the user certificate extension
OpenSSL x509-req-in req.pem-extfile openssl.cnf-extensions v3_usr-ca Cacert.pem-cakey