Server Certificate Installation and Configuration Guide (Tomcat 5)
I. Generate the certificate request
1. Install JDK
Tomcat requires a JDK. If you have not installed one yet, download the Java SE Development Kit (JDK) from:
http://java.sun.com/javase/downloads/index.jsp
2. Generate a keystore file
The keystore file keystore.jks is generated with the JDK keytool. Open a command line, change to the bin directory under the JDK installation directory and run the keytool command. (The alias, keystore file name and password in the example can be customized; adjust them to your actual configuration.)
keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore keystore.jks -storepass password
In the preceding command, server is the private key alias (-alias). The generated keystore.jks file is written to the current directory of the command line by default.
3. Generate the certificate request file (CSR)
keytool -certreq -alias server -sigalg MD5withRSA -file certreq.csr -keystore keystore.jks -keypass password -storepass password
The -sigalg value only chooses the algorithm keytool uses to self-sign the request; MD5withRSA is obsolete, and on current JDKs and with current CAs you should use SHA256withRSA. Back up the keystore file keystore.jks, then submit the certificate request file certreq.csr and wait for the certificate to be issued.
II. Import the server certificate
1. Obtain the intermediate CA certificates of the server certificate
So that clients can build and validate the certificate chain, the two intermediate CA certificates must be installed on the server together with the server certificate (certificates of other brands may have only one intermediate certificate).
Obtain the intermediate CA certificates from the email: copy each of the two intermediate CA certificates, including the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines, paste it into Notepad or another text editor, and save the two files as intermediate1.cer and intermediate2.cer.
2. Obtain the server certificate
Copy the contents of the server certificate from BEGIN to END (including the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines), paste it into Notepad or another text editor, and save it as server.cer.
3. View the content of the keystore file
Go to the bin directory under the JDK installation directory and run the keytool command.
keytool -list -keystore c:\keystore.jks -storepass password
The entry listed as PrivateKeyEntry is the private key; its alias is server. Remember this alias, because it is needed later when importing the server certificate. (The alias, keystore path and password in this example can be customized; adjust them to your actual configuration.)
Note: when importing the certificate you must use the keystore.jks file that was generated together with the certificate request, because it holds the private key that matches the certificate. If that keystore.jks file is lost, or a new keystore.jks file is generated, the server certificate cannot be imported correctly.
4. Import the certificates (if there is only one intermediate certificate, only one intermediate certificate needs to be imported)
Import the first intermediate CA certificate:
keytool -import -alias intermediate1 -keystore c:\keystore.jks -trustcacerts -storepass password -file c:\intermediate1.cer
Import the second intermediate CA certificate:
keytool -import -alias intermediate2 -keystore c:\keystore.jks -trustcacerts -storepass password -file c:\intermediate2.cer
Import the server certificate:
keytool -import -alias server -keystore c:\keystore.jks -trustcacerts -storepass password -file c:\server.cer
When importing the server certificate, the alias must be the same as the private key alias. Watch the keytool messages when importing the intermediate CA certificates and the server certificate: if the alias used for the server certificate differs from the private key alias, keytool reports "Certificate was added to keystore" (the certificate was stored as a separate trusted certificate) instead of "Certificate reply was installed in keystore".
After the certificates are imported, run keytool again to view the content of the keystore file.
keytool -list -keystore c:\keystore.jks -storepass password
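The two checks below cover the copy-and-paste step (II.1 and II.2) and the alias pitfall described in II.4. They are an added example, not part of the original guide: the first confirms that a .cer file saved from the email still has both marker lines and decodes to a DER structure, the second parses the output of keytool -list -v and reports when the CA reply did not land under the private key alias (the key entry then still has a chain length of 1 and an extra trustedCertEntry appears). The sample .cer content and the sample keytool listings are constructed for the example; the listing format follows what the JDK keytool prints, with keyEntry accepted as the older spelling of PrivateKeyEntry.

```python
"""Sanity checks for the .cer files and the keystore after the import in section II."""
import base64
import re

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(?P<body>.*?)-----END CERTIFICATE-----", re.DOTALL
)
KEY_ENTRY_TYPES = ("PrivateKeyEntry", "keyEntry")  # keyEntry: JDK 1.5 keytool spelling


def check_pem_file(text):
    """Check that text pasted from the CA's email is a complete PEM certificate.

    Returns (ok, message). Only the envelope is checked: marker lines,
    base64 body and the leading DER SEQUENCE tag; the certificate is not parsed.
    """
    m = PEM_CERT_RE.search(text)
    if not m:
        return False, "BEGIN/END CERTIFICATE lines missing: paste from BEGIN to END inclusive"
    body = "".join(m.group("body").split())
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:
        return False, "body is not valid base64: the paste picked up stray characters"
    if not der or der[0] != 0x30:
        return False, "decoded bytes do not start with a DER SEQUENCE: not an X.509 certificate"
    return True, "well-formed PEM certificate, %d DER bytes" % len(der)


def parse_keytool_list_v(output):
    """Parse 'keytool -list -v' output into {alias: {"type": ..., "chain_length": ...}}."""
    entries = {}
    for block in re.split(r"(?m)^Alias name:[ \t]*", output)[1:]:
        alias, _, rest = block.partition("\n")
        kind = re.search(r"(?m)^Entry type:[ \t]*(\S+)", rest)
        chain = re.search(r"(?m)^Certificate chain length:[ \t]*(\d+)", rest)
        entries[alias.strip()] = {
            "type": kind.group(1) if kind else None,
            "chain_length": int(chain.group(1)) if chain else None,
        }
    return entries


def check_import(listing, key_alias, intermediate_aliases):
    """Findings after importing the intermediates and the server certificate.

    The CA reply must be installed under the alias holding the private key. A reply
    imported under another alias becomes a separate trustedCertEntry and the private
    key keeps its self-signed certificate, so its chain length stays 1.
    """
    entries = parse_keytool_list_v(listing)
    findings = []
    key = entries.get(key_alias)
    if key is None:
        findings.append("alias %r not found: is this the keystore used for the CSR?" % key_alias)
    elif key["type"] not in KEY_ENTRY_TYPES:
        findings.append("alias %r is %s, not a private key entry" % (key_alias, key["type"]))
    elif key["chain_length"] is not None and key["chain_length"] < 2:
        findings.append("alias %r still has chain length 1: the CA reply was not installed "
                        "under the private key alias" % key_alias)
    for alias in intermediate_aliases:
        entry = entries.get(alias)
        if entry is None or entry["type"] != "trustedCertEntry":
            findings.append("intermediate %r missing or not a trustedCertEntry" % alias)
    unexpected = sorted(set(entries) - {key_alias} - set(intermediate_aliases))
    if unexpected:
        findings.append("unexpected aliases %s: a certificate imported under the wrong alias "
                        "ends up here instead of under %r" % (unexpected, key_alias))
    return findings


# Constructed sample: not a real certificate, just the base64 of a 5-byte DER SEQUENCE.
SAMPLE_CER = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
SAMPLE_CER_TRUNCATED = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n"

# Constructed 'keytool -list -v' output after a correct import (section II.4).
GOOD_LISTING = """Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: intermediate1
Creation date: Jan 1, 2024
Entry type: trustedCertEntry

Owner: CN=Example Intermediate CA 1
Issuer: CN=Example Root CA
*******************************************
Alias name: intermediate2
Creation date: Jan 1, 2024
Entry type: trustedCertEntry

Owner: CN=Example Intermediate CA 2
Issuer: CN=Example Intermediate CA 1
*******************************************
Alias name: server
Creation date: Jan 1, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=www.example.com
Issuer: CN=Example Intermediate CA 2
"""

# Same keystore after the server certificate was imported under the wrong alias.
BAD_LISTING = GOOD_LISTING.replace("Certificate chain length: 3", "Certificate chain length: 1") + """*******************************************
Alias name: servercert
Creation date: Jan 1, 2024
Entry type: trustedCertEntry

Owner: CN=www.example.com
Issuer: CN=Example Intermediate CA 2
"""

if __name__ == "__main__":
    print(check_pem_file(SAMPLE_CER))
    for finding in check_import(BAD_LISTING, "server", ["intermediate1", "intermediate2"]):
        print("FINDING:", finding)
```

To use it on a real keystore, run keytool -list -v -keystore c:\keystore.jks -storepass password, save the output to a file and pass its text to check_import with the alias from section II.3; an empty list means the private key alias carries the full reply chain.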
III. Install the server certificate
1. One-way authentication configuration
Copy the correctly imported keystore.jks file to the conf directory under the Tomcat installation directory. Open the server.xml file in the conf directory and find the following commented-out connector:
<!--
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
SSL access port
-->
Change it to:
<Connector protocol="org.apache.coyote.http11.Http11Protocol" port="443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           keystoreFile="conf\keystore.jks" keystorePass="password"
           clientAuth="false" sslProtocol="TLS" />
The default SSL access port is 443. If you use another port number, the site must be accessed as https://yourdomain:port.
2. Two-way authentication configuration
For two-way authentication you must also specify the truststore file used to validate client certificates. The truststoreFile for client authentication can be the same file as the server certificate keystore or a separate file.
The example uses the same keystore file. Before enabling client authentication, import the root and intermediate CA certificates that issue the client certificates into that truststore.
<Connector protocol="org.apache.coyote.http11.Http11Protocol" port="443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           keystoreFile="conf\keystore.jks" keystorePass="password"
           truststoreFile="conf\keystore.jks" truststorePass="password"
           clientAuth="true" sslProtocol="TLS" />
3. Access test
Restart Tomcat, open https://yourdomain:port in a browser, and verify that the certificate is installed correctly.
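Before restarting Tomcat (section III), it is worth checking the connector you edited for the mistakes that only show up at start-up or, worse, silently: a missing keystorePass makes Tomcat try the built-in default "changeit", a relative keystoreFile is resolved against the Tomcat installation directory, and clientAuth="true" without truststoreFile means the keystore you loaded the client CA chain into is never consulted. The audit below is an added example, not part of the guide or of Tomcat; the sample server.xml is constructed from the guide's own connector with the truststore attributes deliberately left out, and catalina_base is an assumed parameter naming the Tomcat installation directory.

```python
"""Audit the SSL-enabled <Connector> elements of a Tomcat 5 server.xml."""
import os
import xml.etree.ElementTree as ET

# Constructed sample: the two-way connector from section III.2 of the guide,
# but without the truststoreFile/truststorePass attributes.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" maxHttpHeaderSize="8192" enableLookups="false" redirectPort="443" />
    <Connector protocol="org.apache.coyote.http11.Http11Protocol" port="443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               keystoreFile="conf/keystore.jks" keystorePass="password"
               clientAuth="true" sslProtocol="TLS" />
  </Service>
</Server>
"""

# sslProtocol values that select SSL rather than TLS.
WEAK_PROTOCOLS = {"SSL", "SSLV2", "SSLV3"}


def audit_ssl_connectors(xml_text, catalina_base=None):
    """Return a list of problems found in every SSL-enabled <Connector>.

    catalina_base (assumed parameter) is the Tomcat installation directory; when
    given, relative keystoreFile paths are resolved against it, as Tomcat does,
    and checked for existence.
    """
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        a = conn.attrib
        ssl_enabled = (a.get("scheme", "").lower() == "https"
                       or a.get("secure") == "true"
                       or "keystoreFile" in a)
        if not ssl_enabled:
            continue  # plain HTTP connector
        tag = "Connector port=%s" % a.get("port", "?")
        if a.get("scheme", "").lower() != "https" or a.get("secure") != "true":
            findings.append(tag + ': scheme="https" and secure="true" must both be set')
        if "keystoreFile" not in a:
            findings.append(tag + ": keystoreFile not set; Tomcat falls back to ~/.keystore")
        elif catalina_base is not None:
            path = a["keystoreFile"]
            if not os.path.isabs(path):
                path = os.path.join(catalina_base, path)
            if not os.path.isfile(path):
                findings.append("%s: keystoreFile %s not found" % (tag, path))
        if "keystorePass" not in a:
            findings.append(tag + ': keystorePass not set; Tomcat assumes "changeit", which '
                            "will not open a keystore created with another -storepass")
        if a.get("clientAuth", "false").lower() == "true" and "truststoreFile" not in a:
            findings.append(tag + ': clientAuth="true" but no truststoreFile; client certificates '
                            "are checked against the JVM default truststore, not the keystore "
                            "you imported the client CA chain into")
        if a.get("sslProtocol", "TLS").upper() in WEAK_PROTOCOLS:
            findings.append("%s: sslProtocol=%s selects SSL rather than TLS" % (tag, a["sslProtocol"]))
    return findings


if __name__ == "__main__":
    for finding in audit_ssl_connectors(SAMPLE_SERVER_XML):
        print("FINDING:", finding)
```

Run it against the real file with audit_ssl_connectors(open("conf/server.xml").read(), catalina_base="c:\\tomcat") (path assumed); note that keystorePass and truststorePass are stored in clear text in server.xml, so the file's permissions should be restricted to the account Tomcat runs as.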
IV. Backup and recovery of server certificates
After you have successfully installed and configured the server certificate, back it up as described below so that losing it does not cause trouble later.
1. Server certificate backup
Back up the keystore file keystore.jks; it contains the server certificate together with its private key.
2. Server certificate restoration
Following the server certificate installation section, restore the keystore.jks file to your server and modify the configuration file; the server certificate is then back in service.
Source: http://verisign.itrus.com.cn/html/fuwuyuzhichi/fuwuqizhengshuanzhuangpeizhizhinan/426.html