#1.到Godaddy下載SSL證書 for Tomcat 格式.
|
1 2 3 4 5 |
以test.com.hk爲例,我下載的文件名爲 _.test.com.hk(TOMCAT).zip ZIP包含三個文件,分別爲 e6124edacfe745e6.crt #這個名字隨機 gd_bundle-g2-g1.crt gdig2.crt.pem |
#2.將當時生成CSR的時候的私鑰test.com.hk.key 和上述三個文件放到同一個tomcat目錄中。
|
1 2 3 4 |
e6124edacfe745e6.crt gd_bundle-g2-g1.crt gdig2.crt.pem test.com.hk.key |
#3.將CA根證書、中間證書合併到頒發的證書中
|
1 |
cat gd_bundle-g2-g1.crt >> e6124edacfe745e6.crt |
#4.生成PK12格式證書,文件名爲tomcat.pkcs12 密碼爲changeit
|
1 2 3 |
openssl pkcs12 -export -in e6124edacfe745e6.crt -inkey test.com.hk.key -out tomcat.pkcs12 -name tomcat -CAfile gd_bundle-g2-g1.crt -caname root Enter Export Password: Verifying - Enter Export Password: |
注意:這裏的key文件可能不同:將godaddy發的兩個文件合併,①generated-csr.txt和②generated-private-key.txt,將②內容 合併到①之後(大坑:private-key 格式 -----BEGIN RSA PRIVATE KEY-----,添加RSA)
key 文件合併後格式
-----BEGIN CERTIFICATE REQUEST-----
MIICizCCAXUCAQAwGjEYMBYGA1UEAwwPd3d3LmFsZ29ibHUuY29tMIIBIjANBgkq
。。。。。。
-----END CERTIFICATE REQUEST-----
-----BEGIN RSA PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCtlWJxWCkyzytB
。。。。。。
-----END RSA PRIVATE KEY-----
#5.轉換爲Tomcat jks 格式,文件名爲 tomcat.jks,忽略警告
|
1 2 3 4 5 |
keytool -importkeystore -alias tomcat -srckeystore tomcat.pkcs12 -srcstoretype PKCS12 -srcstorepass changeit -deststorepass changeit -destkeypass changeit -destkeystore tomcat.jks 正在將密鑰庫 tomcat.pkcs12 導入到 tomcat.jks...
Warning: JKS 密鑰庫使用專用格式。建議使用 "keytool -importkeystore -srckeystore tomcat.jks -destkeystore tomcat.jks -deststoretype pkcs12" 遷移到行業標準格式 PKCS12 |
# 6.Tomcat 7.0 配置文件增加SSL配置
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 |
<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" keystoreFile="d://tomcat7/conf/tomcat.jks" keystorePass="changeit" clientAuth="false" sslProtocol="TLS" ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSVF" /> |
#使用Portecle查看證書
|
1 |
http://portecle.sourceforge.net/ |
#重啓TOMCAT 在線檢查證書
|
1 2 3 |
https://www.sslshopper.com/ssl-checker.html
https://www.ssllabs.com/ssltest/ |