
Nginx and Tomcat HTTPS Configuration: A Summary

1. Prerequisite: you already have a certificate issued by a CA.

2. Merge the certificates (the CA used here is Comodo)

  1. Suppose your signed certificate is called xxx.crt and your private key file is server.key. Besides your own xxx.crt you also received COMODORSAAddTrustCA.crt, COMODORSADomainValidationSecureServerCA.crt and AddTrustExternalCARoot.crt.
  2. Merge the certificates with the cat command. Append them in issuing order: your own certificate must come first, then the intermediate that signed it, then the next intermediate, and the root last. TLS requires the server certificate to be first in the bundle, and keeping the intermediates in order lets every client build the chain.

    # xxx.crt already holds your own certificate; append the chain in issuing order
    cat COMODORSADomainValidationSecureServerCA.crt >> xxx.crt
    cat COMODORSAAddTrustCA.crt >> xxx.crt
    cat AddTrustExternalCARoot.crt >> xxx.crt
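Because the order of the merged bundle matters both for nginx and for the chain that later goes into the PKCS#12 file, here is an added check that is not part of the original post: it splits a concatenated PEM file and confirms that each certificate is directly followed by its issuer. It uses only the Python standard library with a minimal DER walk (no cryptographic verification, only structure). The sample certificates are constructed, unsigned stand-ins whose CNs are modeled on the file names above; they are not the real Comodo certificates.

```python
"""Check that a concatenated PEM bundle (leaf, intermediates, root) is in chain order.

Added example, not from the original post. Stdlib only: a minimal DER walk pulls
the issuer and subject out of each certificate and compares them as raw bytes.
"""
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
OID_COMMON_NAME = b"\x55\x04\x03"  # 2.5.4.3


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: the next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner


def names_of(der):
    """Return (subject, issuer) as raw DER Name encodings of one certificate.

    TBSCertificate is: [0] version (optional), serialNumber, signature, issuer,
    validity, subject, ...  so once the version field is dropped, issuer is
    index 2 and subject is index 4.
    """
    _, cert, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)          # tbsCertificate ::= SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:
        fields = fields[1:]
    return fields[4][1], fields[2][1]


def common_name(name_der):
    """Pull the CN string out of a DER Name (SEQUENCE OF SET OF SEQUENCE{OID, value})."""
    for _, rdn in _children(name_der):
        for _, attr in _children(rdn):
            (_, oid), (_, value) = list(_children(attr))
            if oid == OID_COMMON_NAME:
                return value.decode("utf-8", "replace")
    return "<no CN>"


def pem_to_ders(bundle):
    """Split a PEM bundle into the DER bytes of each certificate, in file order."""
    return [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(bundle)]


def chain_order_errors(bundle):
    """Return one message per position where a certificate is not followed by its issuer.

    An empty list means the bundle is in the order nginx expects: the server
    certificate first, then each intermediate, each the issuer of the one before it.
    """
    names = [names_of(der) for der in pem_to_ders(bundle)]
    errors = []
    for i in range(len(names) - 1):
        subject, issuer = names[i]
        next_subject, _ = names[i + 1]
        if issuer != next_subject:
            errors.append(f"#{i} '{common_name(subject)}' is issued by '{common_name(issuer)}', "
                          f"but #{i + 1} is '{common_name(next_subject)}'")
    return errors


# --- constructed sample certificates: unsigned shells, CNs modeled on the file names ---

def _tlv(tag, value):
    """Encode one DER TLV with a short- or long-form length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def _name(cn):
    attr = _tlv(0x30, _tlv(0x06, OID_COMMON_NAME) + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, attr))


def fake_cert_pem(subject_cn, issuer_cn):
    """Build a minimal, unsigned X.509 structure so the parser gets realistic input."""
    sig_alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"250101000000Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sig_alg
               + _name(issuer_cn) + validity + _name(subject_cn) + _tlv(0x30, b""))
    cert = _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert) + b"-----END CERTIFICATE-----\n"


LEAF = fake_cert_pem("xxx", "COMODORSADomainValidationSecureServerCA")
DV_CA = fake_cert_pem("COMODORSADomainValidationSecureServerCA", "COMODORSAAddTrustCA")
ADDTRUST_CA = fake_cert_pem("COMODORSAAddTrustCA", "AddTrustExternalCARoot")
ROOT = fake_cert_pem("AddTrustExternalCARoot", "AddTrustExternalCARoot")

if __name__ == "__main__":
    print("issuing order:", chain_order_errors(LEAF + DV_CA + ADDTRUST_CA + ROOT))
    print("mixed order:  ", chain_order_errors(LEAF + ADDTRUST_CA + ROOT + DV_CA))
```

Run it against the real xxx.crt by reading the file in binary mode and passing the bytes to chain_order_errors; an empty list means the bundle is ordered leaf, intermediate, intermediate, root. The check compares raw Name encodings, so it does not catch a wrong certificate that happens to carry the right name, and it says nothing about signatures or expiry; it only catches the ordering mistake that is easy to make with cat.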

3. Configure the certificate in nginx

server {
    server_name YOUR_DOMAINNAME_HERE;
    listen 443 ssl;
    ssl on;                                   # legacy directive, redundant with "listen ... ssl" and removed in nginx 1.25; keep only on old versions
    keepalive_timeout   70;                   # the value was lost from the original page; 70s is the nginx documentation example
    ssl_certificate /path/to/xxx.crt;         # the merged bundle from step 2: your certificate first, then the chain
    ssl_certificate_key /path/to/server.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2; # TLSv1 and TLSv1.1 are deprecated (RFC 8996); on a current nginx prefer TLSv1.2 TLSv1.3
    ssl_client_certificate  /path/to/cacert.pem;
    # ssl_verify_client       on;             # server-side verification of clients; left off for now so clients without a certificate can still connect
    ssl_session_cache shared:SSL:10m;         # cache size was lost from the original page; 10m is a common value
    ssl_session_timeout     10m;              # timeout value was lost from the original page
}

sudo /etc/init.d/nginx configtest

sudo /etc/init.d/nginx restart

4. Generating a keystore for HTTPS under Tomcat

1. Convert the X.509 certificate and key to a PKCS#12 file

openssl pkcs12 -export -in server.crt -inkey server.key \
               -out server.p12 -name some-alias \
               -CAfile ca.crt -caname root

(If you merged the certificate chain by hand, the -CAfile and -caname options are not needed; I ran this after merging ca.crt, domain.crt and mycrt.crt into server.crt.)

Note: Make sure you put a password on the p12 file - otherwise you'll get a null reference exception when you try to import it. (In case anyone else had this headache). (Thanks jocull!)

Note: You might want to add the -chain option to preserve the full certificate chain. (Thanks Mafuba)

2. Convert the PKCS#12 file to a Java keystore

keytool -importkeystore \
        -deststorepass changeit -destkeypass changeit -destkeystore server.keystore \
        -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass changeit \
        -alias some-alias        # the -name given when the p12 file was created

3. Configure Tomcat

vim  /usr/local/tomcat/conf/server.xml

<Connector port="443"
                protocol="org.apache.coyote.http11.Http11NioProtocol"
                SSLEnabled="true"
                maxThreads="300"
                scheme="https"
                secure="true"
                keystoreFile="server.keystore"
                keystorePass="changeit"
                sslProtocol="TLS"
                URIEncoding="utf-8" />
           

Restart Tomcat and you are done.