1. Prerequisite: you have already obtained a certificate issued by a CA
2. Merge the certificates (the CA used here is Comodo)
- Suppose your signed certificate is named xxx.crt and your key file is server.key. Besides your own xxx.crt, the CA also sent you COMODORSAAddTrustCA.crt, COMODORSADomainValidationSecureServerCA.crt and AddTrustExternalCARoot.crt.
- Merge them with cat, appending each CA certificate to xxx.crt in chain order: your own certificate first, then the intermediate that signed it, then the next intermediate, then the root (nginx reads the first block in the file as the server certificate, so the order matters):
cat COMODORSADomainValidationSecureServerCA.crt >> xxx.crt
cat COMODORSAAddTrustCA.crt >> xxx.crt
cat AddTrustExternalCARoot.crt >> xxx.crt
3. Configure the certificate in Nginx
server {
    server_name YOUR_DOMAINNAME_HERE;
    listen 443;                  # port number was lost in extraction; 443 is the HTTPS port
    ssl on;                      # as on the original page; this directive was deprecated in nginx 1.15.0 and removed in 1.25.1, current versions use "listen 443 ssl;" instead
    keepalive_timeout 70;        # value was lost in extraction; 70 assumed (the value used in the nginx HTTPS documentation)
    ssl_certificate /path/to/xxx.crt;
    ssl_certificate_key /path/to/server.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # version list was garbled in extraction and is reconstructed; TLSv1 and TLSv1.1 are deprecated, current deployments should allow only TLSv1.2 TLSv1.3
    ssl_client_certificate /path/to/cacert.pem;
    # ssl_verify_client on;      # server-side verification of client certificates; left off for now so clients without a certificate can still connect
    ssl_session_cache shared:SSL:10m;   # size was lost in extraction; 10m assumed
    ssl_session_timeout 10m;            # value was lost in extraction; 10m assumed
}
Check the configuration and restart nginx:
sudo /etc/init.d/nginx configtest
sudo /etc/init.d/nginx restart
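As an added check for the merge in step 2 and the files nginx loads in step 3 (an example script, not code from the original post): it rebuilds a bundle in the same order, confirms that the first block is the server certificate, that it verifies through the intermediates to the root, and that the private key belongs to it. The real Comodo files cannot be used offline, so it constructs a throwaway root CA, intermediate CA and server certificate with openssl; TestRoot, TestIntermediate and example.test are constructed names.

```shell
#!/bin/sh
# Added example, not the page's own code: check the merged bundle and key the
# way nginx will load them, before running configtest/restart. The real Comodo
# files are not available offline, so a throwaway root CA, intermediate CA and
# server certificate are constructed here with openssl; TestRoot,
# TestIntermediate and example.test are constructed names.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Root CA (self-signed), intermediate CA (must carry CA:TRUE), server cert.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=TestRoot \
  -keyout root.key -out root.crt 2>/dev/null
printf 'basicConstraints=CA:TRUE\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -subj /CN=TestIntermediate \
  -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 2 -extfile ca.ext -out inter.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj /CN=example.test \
  -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -days 2 -out leaf.crt 2>/dev/null

# The merge the page performs: server certificate first, then the
# intermediate(s), then the root (xxx.crt in the page's naming) ...
cat leaf.crt inter.crt root.crt > xxx.crt
# ... and the same files merged in the wrong order, for the check to catch.
cat root.crt inter.crt leaf.crt > wrong.crt

# key_matches_cert BUNDLE KEY: public key of the first certificate in BUNDLE
# must equal the public key derived from KEY, or nginx refuses to start.
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# bundle_ok BUNDLE CN ANCHOR: the first PEM block must be the server
# certificate for CN (nginx treats the first block as the leaf) and it must
# verify up to ANCHOR using the remaining blocks as intermediates.
bundle_ok() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  case "$subj" in *"CN = $2"*|*"CN=$2"*) ;; *) return 1 ;; esac
  openssl verify -CAfile "$3" -untrusted "$1" "$1" >/dev/null 2>&1
}

key_matches_cert xxx.crt server.key && echo "key matches certificate"
bundle_ok xxx.crt example.test root.crt && echo "xxx.crt: order and chain OK"
bundle_ok wrong.crt example.test root.crt || echo "wrong.crt: leaf is not first"
```

On a real deployment run the two functions against your own xxx.crt and server.key, with the AddTrust root (or the system CA bundle) as the anchor.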
4. Generating a keystore for HTTPS under Tomcat
1. Convert the X.509 certificate and key to a PKCS#12 file
openssl pkcs12 -export -in server.crt -inkey server.key \
    -out server.p12 -name some-alias \
    -CAfile ca.crt -caname root
(If you merged the certificate chain manually you do not need the -CAfile/-caname options; I merged ca.crt, domain.crt and mycrt.crt into server.crt and then ran the command.)
Note: Make sure you put a password on the p12 file, otherwise you'll get a null reference exception when you try to import it. (In case anyone else had this headache.) (Thanks jocull!)
Note: You might want to add the -chain option to preserve the full certificate chain. (Thanks Mafuba)
2. Convert the PKCS#12 file to a Java keystore
keytool -importkeystore \
    -deststorepass changeit -destkeypass changeit -deststoretype JKS -destkeystore server.keystore \
    -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass changeit \
    -alias some-alias
(-alias is the value given to -name when the p12 was created; the passwords here must match the one you set on the p12 file.)
3. Configure Tomcat
vim /usr/local/tomcat/conf/server.xml
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           maxThreads="300"
           scheme="https"
           secure="true"
           keystoreFile="server.keystore"
           keystorePass="changeit"
           sslProtocol="TLS"
           URIEncoding="utf-8" />
Restart Tomcat and you are done.