Generating a certificate for Tomcat SSL on Linux
阿新 • Published: 2020-08-13
Generating the certificate
keytool -genkeypair -alias [user] -keyalg [key algorithm] -keystore [file]
Commonly used parameters:
- keytool -genkey: generates a public/private key pair using the default algorithm
- -alias [name]: gives the certificate an alias
- -keyalg: specifies the key algorithm; to set the key length as well, add the -keysize parameter. The default key length is 1024 bits; with the DSA algorithm the length must be between 512 and 1024 bits and a multiple of 64
- -keystore: specifies the name of the keystore. The keystore is where the keys and certificate files are kept; if the corresponding file does not exist it is created automatically
- -validity: validity period of the certificate, 90 days by default
- -keypass changeit: leaves the certificate (key) password at changeit rather than adding a separate one
- -storepass changeit: leaves the keystore password at changeit rather than adding a separate one
Change into Tomcat's conf directory:
cd /usr/local/conet/tomcat/conf
Run the command:
keytool -genkey -alias tomcat -keyalg RSA -validity 3600 -keystore .keystore
Enter keystore password:  #123456
Re-enter new password:
What is your first and last name?
  [Unknown]:  yue
What is the name of your organizational unit?
  [Unknown]:  yue
What is the name of your organization?
  [Unknown]:  CNCF
What is the name of your City or Locality?
  [Unknown]:  ShangHai
What is the name of your State or Province?
  [Unknown]:  SH
What is the two-letter country code for this unit?
  [Unknown]:  cn
Is CN=yue, OU=yue, O=CNCF, L=ShangHai, ST=SH, C=cn correct?
  [no]:  yes
Enter key password for <tomcat>
        (RETURN if same as keystore password):  #123456
Re-enter new password:

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /usr/local/conet/tomcat/conf/.keystore -destkeystore /usr/local/conet/tomcat/conf/.keystore -deststoretype pkcs12".
(The "#123456" after each password prompt marks the value that was typed; keytool does not echo passwords.)
Configuring Tomcat
Go to the Tomcat installation directory and locate server.xml under /usr/local/conet/tomcat/conf.
Edit server.xml and configure the HTTPS connector:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/.keystore" type="RSA"
                     certificateKeystorePassword="123456" />
    </SSLHostConfig>
</Connector>
When a browser accesses the connector on port 8443, it talks to the web server over an encrypted channel: after receiving the browser's request, the connector presents a digital certificate, and the browser uses the public key in that certificate to encrypt the data it sends. certificateKeystoreFile="conf/.keystore" gives the path of the keystore file (relative to the Tomcat base directory); the server needs a password to extract the certificate from the keystore, and certificateKeystorePassword="123456" supplies the keystore's access password. (Tomcat 8 and earlier use keystoreFile="conf/.keystore" and keystorePass="123456" on the Connector instead.) Because the keystore password sits in clear text in server.xml, keep that file readable only by the account Tomcat runs as.
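As an added example that is not part of the original post, a small Python audit that reads a server.xml and reports the points discussed above: whether the keystore type is still JKS (the keytool warning above recommends PKCS12), and whether the keystore password is unset (Tomcat then falls back to its documented default, changeit) or weak, handling both the SSLHostConfig/Certificate style and the older keystoreFile/keystorePass style. The sample server.xml is constructed from the connector above; keytool_command is a hypothetical helper that builds the non-interactive equivalent of the keytool step.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the post's HTTPS connector (Tomcat 8.5+ / 9 syntax).
SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
  <SSLHostConfig><Certificate certificateKeystoreFile="conf/.keystore" type="RSA"
                              certificateKeystorePassword="123456" /></SSLHostConfig>
</Connector></Service></Server>"""

def keytool_command(alias, keystore, dname, validity_days, storepass):
    """Hypothetical helper: non-interactive form of the post's keytool step. -dname carries
    the fields the prompts ask for; -storetype PKCS12 is what the keytool warning recommends."""
    return ["keytool", "-genkeypair", "-alias", alias, "-keyalg", "RSA", "-keysize", "2048",
            "-validity", str(validity_days), "-storetype", "PKCS12", "-keystore", keystore,
            "-storepass", storepass, "-dname", dname]

def _check(port, keystore, kstype, password, attr):
    """Findings for one keystore reference; attr is the name of the password attribute."""
    findings = []
    if not keystore:
        findings.append((port, "no keystore file configured"))
    if (kstype or "JKS").upper() != "PKCS12":  # Tomcat's default keystore type is JKS
        findings.append((port, "keystore type is JKS; keytool recommends PKCS12"))
    if password is None:
        findings.append((port, f"{attr} unset; Tomcat falls back to the default 'changeit'"))
    elif password == "changeit" or len(password) < 12:
        findings.append((port, f"{attr} is the default or shorter than 12 characters"))
    return findings

def audit_https_connectors(xml_text):
    """(port, finding) pairs for each SSLEnabled connector, in either attribute style."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port, certs = conn.get("port"), conn.findall("SSLHostConfig/Certificate")
        for c in certs:  # Tomcat 8.5+ / 9: attributes on SSLHostConfig/Certificate
            findings += _check(port, c.get("certificateKeystoreFile"), c.get("certificateKeystoreType"),
                               c.get("certificateKeystorePassword"), "certificateKeystorePassword")
        if not certs:  # Tomcat 8.0 and earlier: keystoreFile / keystorePass on the Connector
            findings += _check(port, conn.get("keystoreFile"), conn.get("keystoreType"),
                               conn.get("keystorePass"), "keystorePass")
    return findings

if __name__ == "__main__":
    for port, msg in audit_https_connectors(SERVER_XML):
        print(f"port {port}: {msg}")
    print(" ".join(keytool_command("tomcat", "conf/tomcat.p12", "CN=yue,OU=yue,O=CNCF", 3600, "<pw>")))
```

Run it against a real server.xml by passing the file's contents to audit_https_connectors; the sample above yields two findings (JKS type and a 6-character password).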