我這裡用的是startssl提供的免費認證,startssl認證的申請可以參考下面連結:http://www.setsea.net/wordpress/post/2011/04/21/881.html
申請完後你會有一下三個檔案,ssl.crt(公開金鑰),ssl.key(密鑰),ssl.p12(PKCS12格式的認證)
運行以下命令查看認證資訊:
$ keytool -list -rfc -keystore ssl.p12 -storetype pkcs12
查看認證資訊,主要是查看alias屬性,下面產生keystore要用到,一般是這樣一串字串"xxx@163.com 的 startcom ltd. id",xxx@163.com是你註冊startssl時的郵箱。
運行下面命令產生keystore
$ keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -destkeystore keystore -srcalias "xxx@163.com 的 startcom ltd. id" -destkeypass changeit
srcalias是上面查到的別名。destkeypass密碼預設是changeit
接下來合并認證(主要是因為Firefox需要我們提供憑證簽發者的根憑證)
從StartSSL下載StartSSL CA認證:
$ wget http://cert.startssl.com/certs/ca.pem
從StartSSL下載StartSSL Class1 Sub CA認證:
$ wget http://cert.startssl.com/certs/sub.class1.server.ca.pem
合并ssl、sub.class1.server.ca.pem、ca.pem
$ cat sub.class1.server.ca.pem >> ssl.crt$ cat ca.pem >> ssl.crt
設定tomcat啟動時不輸入私密金鑰密碼
$ cp ssl.key ssl.key.tmp $ openssl rsa -in ssl.key.tmp -out ssl.key
把上面產生的keystore、ssl.crt、ssl.key放到tomcat的conf目錄下,修改conf/server.xml配置。
添加如下配置:
<Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"maxThreads="150" scheme="https" secure="true"keystoreFile="${catalina.base}/conf/keystore" keystorePass="changeit " keystoreType="PKCS12" SSLCertificateFile="${catalina.base}/conf/ssl.crt" SSLCertificateKeyFile="${catalina.base}/conf/ssl.key" SSLCACertificateFile="${catalina.base}/conf/ssl.crt"clientAuth="false" sslProtocol="TLS" />
其中主要是這三個參數
SSLCertificateFile sub class1認證
SSLCertificateKeyFile sub class1認證密碼
SSLCACertificateFile 根憑證(不設定這個參數的話Firefox會不信任,因為它需要把startssl的根憑證附上,因為是它頒發給你的)。
啟動tomcat,完成。
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
