Tomcat 7 + JDK keytool: building a certificate and configuring HTTPS
This article covers only certificates generated with the JDK keytool, i.e. a self-signed certificate; obtaining a certificate from a CA is not covered.
1 Windows:
1.1 Generating the keystore file and exporting the certificate
Open a console and run:
%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA
keytool first asks for a keystore password and then for the fields of the certificate's distinguished name one by one. For "What is your first and last name?" enter the host name you will later type into the browser (here tuhao); for the two-letter country code enter CN.
The password used throughout this article is changeit.
The last prompt asks for a separate key password for the alias; just press Enter so that it is the same as the keystore password.
Note that with a JDK 7 keytool this command uses the defaults: a 1024-bit RSA key, a SHA1withRSA signature and a validity of 90 days. For anything beyond a quick test, add -keysize 2048 -sigalg SHA256withRSA -validity 365 (or longer) to the command.
The full session looks like this:
C:\Users\administrator>%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: Tuhao
What is the name of your organizational unit?
[Unknown]: Tuhaojia
What is your organization's name?
[Unknown]: Fnic
What is the name of your city or region?
[Unknown]: Didu
What is the name of your state/province?
[Unknown]: Didu
What is the two-letter country/region code for this unit?
[Unknown]: CN
CN=tuhao, OU=tuhaojia, O=fnic, L=didu, ST=didu, C=CN correct?
[no]: y
Enter key password for <tomcat>
(RETURN if same as keystore password):
Press Enter here.
keytool has now written a file named .keystore into the current directory (the user's home directory, here C:\Users\administrator). Copy it into the Tomcat bin directory and open a console there; on this machine that is D:\tomcat7\bin>.
To export the certificate file:
D:\tomcat7\bin>keytool -selfcert -alias tomcat -keystore .keystore
Enter keystore password: (the changeit entered when the key was generated above)
D:\tomcat7\bin>keytool -export -alias tomcat -keystore .keystore -storepass changeit -rfc -file tomcat.cer
Certificate stored in file <tomcat.cer>
The -selfcert step is redundant: -genkey already stored a self-signed certificate for the alias, and -selfcert merely replaces it with a freshly signed one (again with keytool's default 90-day validity). The -export command alone is sufficient.
The file tomcat.cer is now in D:\tomcat7\bin. Send it to the users of the site and have them import it into the "Trusted Root Certification Authorities" store; the procedure is the same as the one the Ministry of Railways publishes for installing the 12306.cn root certificate. Keep in mind that a client that imports this certificate as a trusted root will trust anything signed with the private key in .keystore, so that keystore and its password must be protected on the server.
1.2 Configuring Tomcat
Open $CATALINA_BASE/conf/server.xml, find the commented-out "SSL HTTP/1.1 Connector", uncomment it and change it to:
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="bin/.keystore" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS"/>
(maxThreads="150" is the value from the template shipped with Tomcat; keystoreFile is resolved relative to $CATALINA_BASE, which is why the keystore was copied into bin.) Two points for anything beyond a test setup: keystorePass is stored in clear text, so server.xml must not be readable by other local users; and on the JDK 7 builds of that time sslProtocol="TLS" still leaves SSLv3 enabled, so add sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to the connector.
Note that I also changed Tomcat's HTTP port to 80 and the HTTPS port to 443 (the default HTTPS port), so neither URL needs an explicit port number.
Then add a line to the Windows hosts file (my machine's IP is 192.168.68.75):
192.168.68.75 tuhao
Restart Tomcat and open https://tuhao/ in the browser to verify the setup.
The next section shows the same HTTPS configuration for Tomcat on Linux.
2 Linux:
2.1 Generating the keystore file and exporting the certificate
This step is the same as under Windows, except that the environment variable is referenced differently and this time the -keystore option specifies where the generated file is stored:
# $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /usr/local/tomcat/bin/.keystore
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: tuhao.com
What is the name of your organizational unit?
[Unknown]: Tuhaojia
What is your organization's name?
[Unknown]: Fnic
What is the name of your city or region?
[Unknown]: Didu
What is the name of your state or province?
[Unknown]: Didu
What is the two-letter country code for this unit?
[Unknown]: CN
CN=tuhao.com, OU=tuhaojia, O=fnic, L=didu, ST=didu, C=CN correct?
[no]: y
Enter key password for <tomcat>
(RETURN if same as keystore password):
Just press Enter here.
# cd /usr/local/tomcat/bin/
# keytool -selfcert -alias tomcat -keystore .keystore
Enter keystore password:
# keytool -export -alias tomcat -keystore .keystore -storepass changeit -rfc -file tomcat.cer
Certificate stored in file <tomcat.cer>
Copy /usr/local/tomcat/bin/tomcat.cer to the client (the Windows machine). As on Windows, the -selfcert step is redundant, because -genkey already created the self-signed certificate.
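As an added example (not part of the original article), here is the key generation and export of sections 1.1 and 2.1 done non-interactively, with the JDK 7 keytool defaults overridden (2048-bit key, SHA-256 signature, one-year validity, a Subject Alternative Name covering both the DNS name and the IP) and without the redundant -selfcert step. The host name tuhao.com, the IP 192.168.68.74, the password changeit and the keystore path under /usr/local/tomcat/bin are the values assumed from the article; the same keytool flags work in a Windows console.

```shell
#!/bin/sh
# Added example for the article's keytool steps; not the article's own code.
# Assumed values: host tuhao.com, IP 192.168.68.74, password changeit,
# keystore at /usr/local/tomcat/bin/.keystore.
set -eu

# Distinguished name for the certificate; CN is the host name the browser will use.
dname_for() {
    host=$1
    echo "CN=$host, OU=tuhaojia, O=fnic, L=didu, ST=didu, C=CN"
}

# Generate a 2048-bit RSA key pair with a SHA-256-signed self-signed certificate.
# -genkeypair already stores a self-signed certificate, so no -selfcert is needed.
# The SAN extension lists the DNS name and IP so that browsers which ignore the
# CN (all current ones) still match the host.
gen_keystore() {
    ks=$1; host=$2; ip=$3; pass=$4
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 \
        -sigalg SHA256withRSA -validity 365 \
        -dname "$(dname_for "$host")" \
        -ext "SAN=dns:$host,ip:$ip" \
        -keystore "$ks" -storetype JKS -storepass "$pass" -keypass "$pass"
    chmod 600 "$ks"   # the keystore holds the private key: owner-only
}

# Export only the certificate (never the key), PEM-encoded, for clients to import.
export_cert() {
    ks=$1; out=$2; pass=$3
    keytool -exportcert -alias tomcat -keystore "$ks" -storepass "$pass" \
        -rfc -file "$out"
}

# Subject of an exported certificate, to check the CN before handing the file out.
cert_subject() {
    keytool -printcert -file "$1" | sed -n 's/^Owner: //p'
}

# Run the whole procedure with the article's paths when invoked as "sh script.sh run".
if [ "${1:-}" = run ]; then
    gen_keystore /usr/local/tomcat/bin/.keystore tuhao.com 192.168.68.74 changeit
    export_cert /usr/local/tomcat/bin/.keystore /usr/local/tomcat/bin/tomcat.cer changeit
    cert_subject /usr/local/tomcat/bin/tomcat.cer
    keytool -printcert -file /usr/local/tomcat/bin/tomcat.cer | grep -A 2 SubjectAlternativeName
fi
```

The keystore is created with -storetype JKS because that is the type Tomcat 7 expects by default; newer JDKs print a warning about the JKS format but still write it. Because -storepass is given on the command line, run this from a script or clear the shell history afterwards.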
2.2 Configuring Tomcat:
This step is the same as on Windows; the connector below is copied from the Windows section:
Open $CATALINA_BASE/conf/server.xml, find the commented-out "SSL HTTP/1.1 Connector", uncomment it and change it to:
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="bin/.keystore" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS"/>
Again I changed Tomcat's HTTP port to 80 and the HTTPS port to 443 (the default HTTPS port). On Linux only root can bind ports below 1024, so Tomcat in this setup runs as root. For anything other than a test, keep the default ports 8080/8443 and put a reverse proxy on 80/443 (or use authbind or jsvc) rather than running the servlet container as root, and since server.xml now holds the keystore password in clear text, restrict it with chmod 600.
Next comes the firewall. My first attempt was to add a rule allowing TCP port 443, but HTTPS still could not be reached from outside, so at that point I simply stopped the iptables service, which made it work. Do not leave it like that: the usual reason an added rule has no effect on a default CentOS ruleset is that it was appended with -A after the chain's final REJECT rule and is therefore never reached. Insert the ACCEPT rule ahead of the REJECT (iptables -I INPUT ...) and save the ruleset instead of disabling the firewall.
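As an added example (not from the original article), the firewall step done properly: open TCP 443 by inserting the ACCEPT rule ahead of the first REJECT rule in the INPUT chain, persist the ruleset, and first check that something is actually listening on the port. It assumes an iptables-based distribution with the CentOS-style "service iptables save" command; on other systems replace that one line with the local way of saving rules.

```shell
#!/bin/sh
# Added example for the article's firewall step; not the article's own code.
# Assumes iptables with a CentOS 6 style INPUT chain that ends in a REJECT rule,
# and "service iptables save" for persistence. Must run as root.
set -eu

# Line number of the first REJECT rule in INPUT (empty if there is none).
first_reject_pos() {
    iptables -L INPUT -n --line-numbers | awk '$2 == "REJECT" { print $1; exit }'
}

# Return 0 if an ACCEPT rule for the given TCP port already exists in INPUT.
port_rule_present() {
    port=$1
    iptables -S INPUT | grep -q -- "--dport $port -j ACCEPT"
}

# Insert the ACCEPT before the REJECT (append if there is no REJECT), then persist.
# Appending with -A after the REJECT is the mistake that makes the rule "not work".
open_tcp_port() {
    port=$1
    if port_rule_present "$port"; then
        echo "port $port already open"
        return 0
    fi
    pos=$(first_reject_pos)
    if [ -n "$pos" ]; then
        iptables -I INPUT "$pos" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    else
        iptables -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    fi
    service iptables save
}

# Confirm a listener exists before blaming the firewall for an unreachable port.
port_listening() {
    port=$1
    if command -v ss >/dev/null 2>&1; then
        ss -lnt | grep -q ":$port "
    else
        netstat -lnt | grep -q ":$port "
    fi
}

# Run the procedure for HTTPS when invoked as "sh script.sh run".
if [ "${1:-}" = run ]; then
    port_listening 443 || echo "nothing is listening on 443; check Tomcat before touching the firewall"
    open_tcp_port 443
    iptables -L INPUT -n --line-numbers
fi
```

The final listing shows the new ACCEPT line numbered below the REJECT it was inserted in front of, which is the check that the rule can actually be reached.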
Verify the configuration:
Restart Tomcat and add a line to the Windows machine's hosts file (the IP of the Linux machine is 192.168.68.74):
192.168.68.74 tuhao.com
Then install tomcat.cer on the Windows machine; it must go into the Trusted Root Certification Authorities store.
Open https://tuhao.com/ in the browser; the connection is now shown as trusted.
Summary:
When generating the certificate, the answer to "What is your first and last name?" (the CN) must be exactly the IP address, machine name or domain name that will appear in the URL, i.e. the xx in https://xx/; otherwise the browser reports the certificate as not trusted even after it has been imported. Current browsers match the host name against the Subject Alternative Name extension rather than the CN, so with a JDK 7 or later keytool also pass -ext SAN=dns:tuhao.com (and ip:192.168.68.74 if the site is opened by IP) when generating the key pair.