
在startssl申请免费域名ssl证书

程淮晨
2023-12-01

在startssl申请免费域名ssl证书

tomcat ssl

1.生成keystore文件(jks)。注意:CN必须为用户实际访问的主机IP或域名。现代浏览器校验的是证书的SAN(Subject Alternative Name)扩展而不是CN;申请CA证书时SAN由CA按其域名校验结果填写,而自签名证书只有这里的CN可用,所以CN务必与访问地址完全一致。

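# Generate the RSA key pair plus a self-signed placeholder certificate in a new JKS.
# -keysize/-sigalg are set explicitly: older keytool releases default to 1024-bit RSA
# and SHA1withRSA, which CAs reject and browsers no longer trust.
# -dname: CN must be the exact host name users type (the original had a stray "-  dname").
# Passing -storepass/-keypass on the command line leaves the password in shell history;
# omit them to be prompted interactively instead.
keytool -genkeypair -v -alias tomcat -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 3650 -keystore tomcat.keystore -dname "CN=tiancai940.cc,OU=sotos,O=cn,L=cn,ST=cn,C=CN" -storepass password -keypass password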

2.生成csr文件,用于申请CA证书

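# Generate the CSR from the key pair created above. -keyalg has no effect on -certreq
# (the algorithm is fixed by the existing key), and ">>" would append a second PEM block
# on every rerun, producing a CSR file the CA portal rejects — write it with -file instead.
keytool -certreq -alias tomcat -keystore tomcat.keystore -file tomcat.csr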

3.在startssl申请免费域名ssl证书(参考的别人写的教程:http://blog.weiliang.org/linux/632.html )。注意:StartSSL(StartCom)签发的证书自2016/2017年起已被各主流浏览器吊销信任,该CA也已于2018年停止服务,本文签发步骤仅作历史参考;新部署请改用Let's Encrypt等支持ACME协议的CA,下文的keytool、tomcat、nginx配置步骤对其它CA同样适用。

4.申请到的证书文件如下:

www.tiancai940.cc.zip
解压:
    --ApacheServer.zip
            --1_root_bundle.crt
            --2_www.tiancai940.cc.crt
    --IISServer.zip
            --1_Intermediate.crt
            --2_www.tiancai940.cc.crt
    --NginxServer.zip
            --1_www.tiancai940.cc_bundle.crt
    --OtherServer.zip   ##可用于tomcat、weblogic、websphere等服务器
            --root.crt
            --1_Intermediate.crt
            --2_www.tiancai940.cc.crt

5.将CA证书内容导入到keystore文件中,

# Import order matters: when the CA reply is imported, keytool must be able to chain it
# to a trusted certificate already in this keystore (or in the JVM's cacerts), so the
# root and intermediate go in first. They become trusted-certificate entries.
keytool -importcert -alias startsslroot -file root.crt -keystore tomcat.keystore -storepass password
keytool -importcert -alias startsslintermediate -file 1_Intermediate.crt -keystore tomcat.keystore -storepass password
# Same alias as the key pair ("tomcat"): this replaces the self-signed certificate on the
# key entry with the CA-issued chain rather than adding another trusted entry. Importing
# the root into the server keystore is optional — a TLS server sends leaf + intermediate,
# the client supplies the root from its own trust store.
keytool -importcert -alias tomcat -file 2_www.tiancai940.cc.crt -keystore tomcat.keystore -storepass password

6.在tomcat的server.xml文件中配置ssl

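 <!--
   HTTPS connector (JSSE). Notes for production use:
   - keystorePass is stored in clear text: restrict server.xml to the Tomcat service
     account and prefer a password injected at deploy time over one kept in a repository.
   - keyAlias pins the entry that serves the certificate; the keystore built above also
     holds the CA root/intermediate as trusted entries, so be explicit.
   - sslEnabledProtocols limits the handshake to TLS 1.2. SSLv3 and TLS 1.0 are broken or
     deprecated (POODLE/BEAST). The attribute needs Tomcat 7+ (late 6.0.x) and a Java 7+
     JVM that supports TLSv1.2; on older stacks remove the attribute, not the connector.
 -->
 <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
            maxThreads="150" scheme="https" secure="true"
            clientAuth="false" sslProtocol="TLS"
            sslEnabledProtocols="TLSv1.2"
            keyAlias="tomcat"
            keystoreFile="D:\tomcat.keystore"
            keystorePass="password"
 />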

#

如果不想申请CA证书,也可以自己导出cer文件,并导入到浏览器的受信任根证书存储中。这只在开发/测试环境可以接受:要求用户手工信任自签名证书会让他们习惯于忽略证书告警,而且一旦私钥泄露,自签名证书无法像CA证书那样被吊销;生产环境请使用CA签发的证书。

# Exports the (self-signed) certificate only — the private key never leaves the keystore.
# -export is the legacy spelling of -exportcert. Without -rfc the output is binary DER,
# which is why the "openssl x509 -inform der" step below is needed to get PEM for nginx.
keytool -export -alias tomcat -keystore tomcat.keystore -file tomcat.cer -storepass password

nginx ssl

keytool生成的keystore(jks)是二进制格式,而nginx使用的是OpenSSL标准的PEM格式证书和私钥文件(即Base64编码的ASCII文本)。如果想在nginx上使用keytool生成的密钥(jks),则需要先进行格式转换。

1.把keystore(jks)转换为pfx(PKCS#12)文件

jks转为pfx文件可以借助下面的工具类进行;也可以直接使用JDK自带的命令,不必写代码: keytool -importkeystore -srckeystore tomcat.keystore -destkeystore tomcat.pfx -deststoretype PKCS12 -srcalias tomcat (只导出tomcat这个密钥条目,效果与工具类一致)。注意转换出的pfx文件包含服务器私钥,请设置为仅属主可读,不要提交到代码仓库。

package com.z.base.util.system;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.util.Enumeration;

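/**
 * Converts between a Java keystore (JKS, what keytool writes by default) and a
 * PKCS#12 (.pfx) file, so the private key generated with keytool can be handed to
 * OpenSSL-based software such as nginx.
 *
 * <p>Only key entries are copied; trusted-certificate entries (the CA root and
 * intermediate imported into the JKS) are left behind. For the nginx use case that
 * is fine: nginx takes the certificate chain from the CA's bundle file and only
 * needs the private key from the PFX.
 *
 * <p>Security notes for anyone reusing this class:
 * <ul>
 *   <li>{@link #KEYSTORE_PASSWORD} is hard-coded and used for both keystores.
 *       Anyone with this source or the compiled class can open the private key; in a
 *       real deployment pass the password in (argument, protected file, environment)
 *       instead of compiling it in.</li>
 *   <li>The output file is created with default permissions and holds the server's
 *       private key: restrict it (chmod 600 / owner-only ACL) and keep it out of
 *       version control.</li>
 *   <li>The same conversion is available without code:
 *       {@code keytool -importkeystore -srckeystore tomcat.keystore
 *       -destkeystore tomcat.pfx -deststoretype PKCS12 -srcalias tomcat}.</li>
 * </ul>
 */
public class ConventPFX {
    public static final String PKCS12 = "PKCS12";
    public static final String JKS = "JKS";
    public static final String PFX_KEYSTORE_FILE = "D:\\Work\\resource\\ssl\\ssl_nginx\\tomcat.pfx";
    /** Password of both the input and the output keystore and of every key entry. */
    public static final String KEYSTORE_PASSWORD = "password";
    public static final String JKS_KEYSTORE_FILE = "D:\\Work\\resource\\ssl\\ssl_nginx\\tomcat.keystore";

    /**
     * PKCS#12 -> JKS: reads {@link #PFX_KEYSTORE_FILE} and writes {@link #JKS_KEYSTORE_FILE}.
     * Failures are reported on stderr and swallowed (the method never throws, as before);
     * check that the output file exists before relying on it.
     */
    public static void coverTokeyStore() {
        try {
            convert(PKCS12, PFX_KEYSTORE_FILE, JKS, JKS_KEYSTORE_FILE, configuredPassword());
        } catch (GeneralSecurityException | IOException e) {
            e.printStackTrace();
        }
    }

    /**
     * JKS -> PKCS#12: reads {@link #JKS_KEYSTORE_FILE} and writes {@link #PFX_KEYSTORE_FILE}.
     * This is the direction the nginx instructions need. Failures are reported on stderr
     * and swallowed (the method never throws, as before).
     */
    public static void coverToPfx() {
        try {
            convert(JKS, JKS_KEYSTORE_FILE, PKCS12, PFX_KEYSTORE_FILE, configuredPassword());
        } catch (GeneralSecurityException | IOException e) {
            e.printStackTrace();
        }
    }

    /**
     * Copies every private-key entry (key + certificate chain) of the keystore at
     * {@code inputFile} into a freshly created keystore of {@code outputType} written to
     * {@code outputFile}. Trusted-certificate entries are skipped; key entries that are
     * not private keys (PKCS#12 secret keys) are skipped with a warning on stderr,
     * because a JKS cannot hold them and would otherwise abort the whole conversion.
     *
     * @param inputType  keystore type of the source, e.g. {@link #JKS}
     * @param inputFile  path of the source keystore
     * @param outputType keystore type of the destination, e.g. {@link #PKCS12}
     * @param outputFile path of the destination; overwritten if it exists
     * @param password   store password of the source, and store + key password of the
     *                   destination. {@code null} skips the source integrity check but is
     *                   rejected when the destination is written (both types need a
     *                   store password)
     * @throws GeneralSecurityException unknown keystore type, wrong password, or a key
     *                                  that cannot be recovered
     * @throws IOException              either file cannot be read or written
     */
    public static void convert(String inputType, String inputFile,
                               String outputType, String outputFile,
                               char[] password) throws GeneralSecurityException, IOException {
        KeyStore source = KeyStore.getInstance(inputType);
        // try-with-resources: the original leaked the stream whenever load() threw.
        try (FileInputStream in = new FileInputStream(inputFile)) {
            source.load(in, password);
        }

        KeyStore target = KeyStore.getInstance(outputType);
        target.load(null, password); // initialise an empty in-memory store

        Enumeration<String> aliases = source.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            System.out.println("alias=[" + alias + "]");
            if (!source.isKeyEntry(alias)) {
                continue; // trusted-certificate entry: intentionally not carried over
            }
            Key key = source.getKey(alias, password);
            if (!(key instanceof PrivateKey)) {
                // JKS rejects SecretKey entries with a KeyStoreException; skipping keeps the
                // remaining entries converting instead of failing the whole file.
                System.err.println("skipping non-private-key entry [" + alias + "]");
                continue;
            }
            Certificate[] chain = source.getCertificateChain(alias);
            target.setKeyEntry(alias, key, password, chain);
        }

        try (FileOutputStream out = new FileOutputStream(outputFile)) {
            target.store(out, password);
        }
    }

    /** {@link #KEYSTORE_PASSWORD} as a char[], or {@code null} when it is unset or blank. */
    private static char[] configuredPassword() {
        if (KEYSTORE_PASSWORD == null || KEYSTORE_PASSWORD.trim().isEmpty()) {
            return null;
        }
        return KEYSTORE_PASSWORD.toCharArray();
    }

    /** Entry point: performs the JKS -> PFX conversion used by the nginx instructions. */
    public static void main(String[] args) {
        coverToPfx();
    }
}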

2.在pfx文件中提取私钥(.key)文件

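# -nodes writes the private key UNENCRYPTED. Create it owner-readable only (the subshell
# keeps the umask change local to this command) and copy it nowhere but the nginx host.
# openssl prompts for the PFX import password set when the file was converted.
(umask 077; openssl pkcs12 -in tomcat.pfx -nocerts -nodes -out tomcat.key)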

3.获取crt或pem文件

如果之前申请过CA证书,直接使用申请文件中NginxServer目录下的1_www.tiancai940.cc_bundle.crt(叶子证书与中间证书合并后的PEM文件,已可被nginx直接使用);如果用的是自己导出的自签名cer(二进制DER格式),则需要先执行以下命令转换为PEM格式:

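# Convert the DER certificate exported by "keytool -export" above (named tomcat.cer there;
# the original used the unrelated name server.cer) into PEM for nginx's ssl_certificate.
openssl x509 -inform der -in tomcat.cer -out tomcat.pem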

4.在nginx中开启ssl

在nginx.conf文件中添加内容

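server {
   # "ssl on;" is deprecated (removed in nginx 1.25); enable TLS on the listener instead.
   listen       9443 ssl;
   server_name  www.tiancai940.cc;
   root         html;

   # Certificate = leaf + intermediate from NginxServer.zip (or your own PEM); key = the one
   # extracted from the JKS/PFX. Both must belong to the same key pair or nginx refuses to start.
   ssl_certificate      ../ssl/1_www.tiancai940.cc_bundle.crt;
   # tomcat.key was written unencrypted by "openssl pkcs12 -nodes": keep it readable by root only.
   ssl_certificate_key  ../ssl/tomcat.key;
   ssl_session_timeout  5m;
   # SSLv2/SSLv3/TLSv1 are broken or deprecated (DROWN, POODLE, BEAST); offer TLS 1.2+ only.
   # TLSv1.3 needs nginx >= 1.13.0 built against OpenSSL >= 1.1.1 — drop it on older builds,
   # otherwise the config test fails with "invalid value".
   ssl_protocols  TLSv1.2 TLSv1.3;
   # !3DES excludes the 64-bit-block ciphers still inside HIGH on older OpenSSL (SWEET32).
   ssl_ciphers  HIGH:!aNULL:!MD5:!3DES;
   ssl_prefer_server_ciphers   on;

  location / {
    # The hop to Tomcat is plain HTTP; pass the original host and scheme so Tomcat-generated
    # redirects and absolute URLs stay on https://www.tiancai940.cc.
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://www.tiancai940.cc:8080;
  }
}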

查看证书信息

# Dump every entry in PEM form so the chain order and validity dates can be checked.
# -list prints certificates only, never private keys; the chain on the "tomcat" entry
# should read leaf -> intermediate (-> root). -storepass on the command line still
# lands in shell history — omit it to be prompted.
keytool -list -rfc -keystore tomcat.keystore -storepass password