#1. Download the SSL certificate from GoDaddy in the "Tomcat" format.
Using test.com.hk as the example, the file I downloaded is named _.test.com.hk(TOMCAT).zip. The ZIP contains three files:

```
e6124edacfe745e6.crt   # this file name is random
gd_bundle-g2-g1.crt
gdig2.crt.pem
```
#2. Put the private key test.com.hk.key that was used to generate the CSR, together with the three files above, into the same Tomcat directory.
```
e6124edacfe745e6.crt
gd_bundle-g2-g1.crt
gdig2.crt.pem
test.com.hk.key
```
#3. Append the CA root and intermediate certificates (the bundle) to the issued certificate
```
cat gd_bundle-g2-g1.crt >> e6124edacfe745e6.crt
```
#4. Generate a PKCS#12 keystore named tomcat.pkcs12 with the password changeit
```
openssl pkcs12 -export -in e6124edacfe745e6.crt -inkey test.com.hk.key -out tomcat.pkcs12 -name tomcat -CAfile gd_bundle-g2-g1.crt -caname root
Enter Export Password:
Verifying - Enter Export Password:
```
Note: the key file you have may be different. GoDaddy sends two files, ① generated-csr.txt and ② generated-private-key.txt; append the contents of ② after ① (big pitfall: the private key header must read -----BEGIN RSA PRIVATE KEY-----, i.e. add "RSA").

Format of the merged key file:
```
-----BEGIN CERTIFICATE REQUEST-----
MIICizCCAXUCAQAwGjEYMBYGA1UEAwwPd3d3LmFsZ29ibHUuY29tMIIBIjANBgkq
......
-----END CERTIFICATE REQUEST-----
-----BEGIN RSA PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCtlWJxWCkyzytB
......
-----END RSA PRIVATE KEY-----
```
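A merged file like the one above is worth a sanity check before it goes to openssl, because a hand-edited PEM label can disagree with the body: "RSA PRIVATE KEY" promises a PKCS#1 RSAPrivateKey, while a plain "PRIVATE KEY" label means a PKCS#8 PrivateKeyInfo, and the two differ in the ASN.1 element that follows the version INTEGER. The script below is an added example written for this page (standard-library Python, not code from the post; `split_pem`, `key_encoding` and `inspect_pem` are my own names). It splits a PEM file into blocks, reads the DER header of each private key, reports the detected encoding and whether it matches the label, and flags bodies shorter than their outer length field claims. The sample input is constructed: it reuses only the first base64 line of each block shown above (so both are reported as truncated) and adds a toy PKCS#1 body built in the script; none of it is usable key material.

```python
"""Inspect a PEM file: list its blocks and check that every private-key
label ("RSA PRIVATE KEY" = PKCS#1, "PRIVATE KEY" = PKCS#8) agrees with
the ASN.1 structure of its body. Added example, standard library only."""
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# What each label promises the body to be.
EXPECTED = {"RSA PRIVATE KEY": "PKCS#1", "PRIVATE KEY": "PKCS#8"}


def split_pem(text):
    """Return [(label, der_bytes), ...] for every PEM block in text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        b64 = "".join(body.split())
        b64 += "=" * (-len(b64) % 4)        # tolerate a truncated body
        blocks.append((label, base64.b64decode(b64)))
    return blocks


def _tlv(der, pos):
    """Decode one DER tag and length at pos; return (tag, length, value_offset)."""
    tag = der[pos]
    length = der[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    return tag, length, pos


def key_encoding(der):
    """'PKCS#1' for RSAPrivateKey, 'PKCS#8' for PrivateKeyInfo, else 'unknown'.
    Both start SEQUENCE { INTEGER version, ... }; the element after the
    version tells them apart: an AlgorithmIdentifier SEQUENCE (PKCS#8) or
    the modulus INTEGER (PKCS#1)."""
    tag, _, pos = _tlv(der, 0)
    if tag != 0x30:
        return "unknown"
    tag, length, pos = _tlv(der, pos)
    if tag != 0x02:
        return "unknown"
    pos += length                            # skip the version value
    tag, _, _ = _tlv(der, pos)
    return {0x30: "PKCS#8", 0x02: "PKCS#1"}.get(tag, "unknown")


def inspect_pem(text):
    """One report dict per block: label, truncation, and for private keys
    the detected encoding and whether it matches the label."""
    report = []
    for label, der in split_pem(text):
        _, length, pos = _tlv(der, 0)
        entry = {"label": label, "truncated": len(der) < pos + length}
        if label in EXPECTED:
            entry["encoding"] = key_encoding(der)
            entry["label_matches_body"] = entry["encoding"] == EXPECTED[label]
        report.append(entry)
    return report


# Constructed sample: only the first base64 line of each block shown in the
# post (the rest is elided there, so the decoder reports them as truncated),
# plus a toy PKCS#1 body built here so both verdicts appear. Not usable keys.
TOY_PKCS1 = base64.b64encode(
    bytes.fromhex("300d" "020100" "0203010001" "0203010001")).decode()
SAMPLE = f"""-----BEGIN CERTIFICATE REQUEST-----
MIICizCCAXUCAQAwGjEYMBYGA1UEAwwPd3d3LmFsZ29ibHUuY29tMIIBIjANBgkq
-----END CERTIFICATE REQUEST-----
-----BEGIN RSA PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCtlWJxWCkyzytB
-----END RSA PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----
{TOY_PKCS1}
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for entry in inspect_pem(SAMPLE):
        print(entry)
```

Run against the first key line from the post, the report says `encoding: PKCS#8, label_matches_body: False`: the body begins with version 0 followed by the rsaEncryption AlgorithmIdentifier, which is PrivateKeyInfo content under a PKCS#1 label. OpenSSL's PEM reader falls back to a PKCS#8 parse when the PKCS#1 parse fails, which is why the relabelling step in the post still works, but tooling that trusts the label may refuse the file. `openssl pkey -in test.com.hk.key -noout -text` gives an authoritative reading and accepts both encodings.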
#5. Convert to Tomcat's JKS format, file name tomcat.jks; ignore the warning
```
keytool -importkeystore -alias tomcat -srckeystore tomcat.pkcs12 -srcstoretype PKCS12 -srcstorepass changeit -deststorepass changeit -destkeypass changeit -destkeystore tomcat.jks
正在将密鑰庫 tomcat.pkcs12 導入到 tomcat.jks...

Warning:
JKS 密鑰庫使用專用格式。建議使用 "keytool -importkeystore -srckeystore tomcat.jks -destkeystore tomcat.jks -deststoretype pkcs12" 遷移到行業标準格式 PKCS12
```
#6. Add the SSL configuration to the Tomcat 7.0 configuration file
```
<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="d://tomcat7/conf/tomcat.jks"
           keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS"
           ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
                    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
                    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
                    TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
                    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
                    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
                    TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
                    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
                    TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
                    TLS_ECDH_RSA_WITH_RC4_128_SHA,
                    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                    TLS_RSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
                    TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
                    TLS_EMPTY_RENEGOTIATION_INFO_SCSV" />
```
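The `ciphers` attribute above is long enough that it pays to review it mechanically rather than by eye. The script below is an added example written for this page (standard-library Python, not code from the post or from Tomcat; `parse_ciphers`, `classify`, `audit_ciphers` and `count_with` are my own names). It pulls the suite list out of a `<Connector>` element and gives each suite a list of reasons a reviewer would drop it: RC4 (prohibited for TLS by RFC 7465), CBC mode without AEAD, static key exchange with no forward secrecy (`TLS_RSA_` and non-ephemeral `TLS_ECDH_`), and `DHE_DSS` suites, which require a DSA certificate and therefore can never be negotiated with the RSA certificate this post installs. A signaling value such as `TLS_EMPTY_RENEGOTIATION_INFO_SCSV` is reported separately, and a misspelled name is reported as unrecognized. The sample input is the cipher list from the Connector above with the other attributes shortened.

```python
"""Audit the cipher-suite list of a Tomcat <Connector> and report, per suite,
why a reviewer would drop it. Added example, standard library only."""
import xml.etree.ElementTree as ET

# Key-exchange prefixes that provide forward secrecy (ephemeral (EC)DH).
FORWARD_SECRET_KX = {"ECDHE_ECDSA", "ECDHE_RSA", "DHE_RSA", "DHE_DSS"}


def parse_ciphers(connector_xml):
    """Return the suites named in the ciphers attribute, in the order written."""
    element = ET.fromstring(connector_xml)
    raw = element.get("ciphers", "")
    return [s.strip() for s in raw.split(",") if s.strip()]


def classify(suite):
    """Return the reasons to drop a suite; an empty list means keep it."""
    if suite.endswith("_SCSV"):
        return ["signaling value, not a cipher suite"]
    if not (suite.startswith("TLS_") and "_WITH_" in suite):
        return ["unrecognized name"]
    kx = suite[len("TLS_"):suite.index("_WITH_")]   # e.g. ECDHE_RSA
    reasons = []
    if "_RC4_" in suite:
        reasons.append("RC4 stream cipher (prohibited for TLS by RFC 7465)")
    if "_CBC_" in suite:
        reasons.append("CBC mode, no AEAD")
    if kx not in FORWARD_SECRET_KX:
        reasons.append("no forward secrecy (static key exchange)")
    if kx.endswith("_DSS"):
        reasons.append("DSS needs a DSA certificate, never negotiated with an RSA certificate")
    return reasons


def audit_ciphers(connector_xml):
    """Map every configured suite to its reasons (empty list = acceptable)."""
    return {suite: classify(suite) for suite in parse_ciphers(connector_xml)}


def count_with(findings, keyword):
    """Number of suites whose reasons mention keyword."""
    return sum(1 for reasons in findings.values()
               if any(keyword in r for r in reasons))


# Sample input: the ciphers attribute from the post's Connector; the other
# attributes are shortened here because only the suite list is audited.
CONNECTOR = """<Connector port="443" SSLEnabled="true" scheme="https" secure="true"
    ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
    TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
    TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256,
    TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV" />"""

if __name__ == "__main__":
    findings = audit_ciphers(CONNECTOR)
    for suite, reasons in findings.items():
        verdict = "KEEP" if not reasons else "DROP"
        print(f"{verdict} {suite}: {'; '.join(reasons)}")
```

Of the 36 entries in the post's list, only the four ECDHE AES-GCM suites come out with an empty reason list; the three RC4 suites and the sixteen static-key-exchange suites are the ones to remove first. The same function is useful for any `<Connector>` taken from a server.xml, since `parse_ciphers` reads the attribute from the element rather than from a fixed string.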
# Use Portecle to inspect the certificate
http://portecle.sourceforge.net/
# Restart Tomcat and check the certificate online
https://www.sslshopper.com/ssl-checker.html
https://www.ssllabs.com/ssltest/