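# Generate the server key pair and self-signed placeholder cert into tomcat.keystore.
# Fixes: the original had "- dname" (a stray space), which keytool rejects.
# -keysize 2048 is explicit because keytool on older JDKs (<= 7) defaults to 1024-bit RSA.
# "password" is a placeholder: the same value is used for -storepass and -keypass and is
# later pasted into server.xml in clear text, so pick a real secret. Passing it on the
# command line also lands it in shell history; omit -storepass/-keypass to be prompted.
# Note the CN here is the apex (tiancai940.cc) while the issued files below are for
# www.tiancai940.cc - the CA will use the name from the order/SAN, not this CN.
keytool -genkey -v -alias tomcat -keyalg RSA -keysize 2048 -validity 3650 -keystore tomcat.keystore -dname "CN=tiancai940.cc,OU=sotos,O=cn,L=cn,ST=cn,c=CN" -storepass password -keypass password
# Write the CSR with -file instead of appending stdout with ">>": a second run would
# append a second PEM block to the same file and the CA would reject it.
keytool -certreq -alias tomcat -keyalg RSA -keystore tomcat.keystore -file tomcat.csr -storepass password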
www.tiancai940.cc.zip
解压:
--ApacheServer.zip
--1_root_bundle.crt
--2_www.tiancai940.cc.crt
--IISServer.zip
--1_Intermediate.crt
--2_www.tiancai940.cc.crt
--NginxServer.zip
--1_www.tiancai940.cc_bundle.crt
--OtherServer.zip ##可用于tomcat、weblogic、websphere等服务器
--root.crt
--1_Intermediate.crt
--2_www.tiancai940.cc.crt
# Import the issued chain in trust order: root first, then intermediate, then the
# server certificate. The order matters - keytool validates each import against
# what is already in the store.
# keytool will ask "Trust this certificate?" for root.crt; compare its fingerprint
# with the CA's published value before answering yes.
keytool -importcert -alias startsslroot -file root.crt -keystore tomcat.keystore -storepass password
keytool -importcert -alias startsslintermediate -file 1_Intermediate.crt -keystore tomcat.keystore -storepass password
# The server cert MUST go under the same alias used by -genkey ("tomcat") so keytool
# attaches it to the existing private key; a different alias would create a
# separate trusted-cert entry and the connector would still serve the self-signed cert.
keytool -importcert -alias tomcat -file 2_www.tiancai940.cc.crt -keystore tomcat.keystore -storepass password
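<!-- HTTPS connector (JSSE). keystorePass is stored in clear text here: restrict read
     access to server.xml and to D:\tomcat.keystore to the Tomcat service account.
     sslProtocol="TLS" alone still lets the JVM negotiate SSLv3/TLSv1.0 on older JDKs;
     sslEnabledProtocols pins the negotiable versions. Add TLSv1.3 when running on a
     JVM that supports it (Java 11+); Tomcat warns and skips protocols the JVM lacks. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           keystoreFile="D:\tomcat.keystore"
           keystorePass="password"
           />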
# Export the server certificate (DER-encoded, no private key) to tomcat.cer.
# -exportcert is the current name of the legacy -export command; output is identical.
keytool -exportcert -alias tomcat -keystore tomcat.keystore -file tomcat.cer -storepass password
keytool 生成的 JKS 密钥库是 JDK 专有的二进制格式;nginx 使用的是 OpenSSL 标准的 PEM 证书 + PEM 私钥文件(ASCII 文本)。如果想在 nginx 上使用 keytool 生成的密钥(JKS),需要先转换:JKS → PKCS12(.pfx)→ 用 openssl 从 .pfx 中提取 PEM 私钥。
JKS 转为 PFX(PKCS12)文件可以借助下面的工具类进行(JDK 6 及以上的 keytool 也可以直接用 `keytool -importkeystore -srckeystore tomcat.keystore -srcstoretype JKS -destkeystore tomcat.pfx -deststoretype PKCS12` 完成,无需写代码):
package com.z.base.util.system;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.util.Enumeration;
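/**
 * Converts a keystore between the JKS and PKCS12 (.pfx) formats by copying every
 * private-key entry (key + certificate chain) into a fresh store of the other type.
 * The PKCS12 output is what {@code openssl pkcs12} reads to produce the PEM key nginx
 * needs. Only key entries are copied; trusted-certificate entries are left behind.
 */
public class ConventPFX {
    public static final String PKCS12 = "PKCS12";
    public static final String JKS = "JKS";
    public static final String PFX_KEYSTORE_FILE = "D:\\Work\\resource\\ssl\\ssl_nginx\\tomcat.pfx";
    // NOTE(review): hard-coded keystore password. It is also used as the per-key
    // password (keytool above was run with -storepass == -keypass), so anyone who can
    // read this class or the keystore file has the server's private key. Treat the
    // source as a secret or read the password from the environment at runtime.
    public static final String KEYSTORE_PASSWORD = "password";
    public static final String JKS_KEYSTORE_FILE = "D:\\Work\\resource\\ssl\\ssl_nginx\\tomcat.keystore";

    /**
     * Converts the PKCS12 (.pfx) file at {@link #PFX_KEYSTORE_FILE} into a JKS keystore
     * at {@link #JKS_KEYSTORE_FILE}, using {@link #KEYSTORE_PASSWORD} for both stores
     * and for every key entry.
     * <p>Failures are printed to stderr (as in the original tool) rather than thrown;
     * call {@link #convert} directly if the caller needs to react to them.
     */
    public static void coverTokeyStore() {
        try {
            convert(PKCS12, PFX_KEYSTORE_FILE, JKS, JKS_KEYSTORE_FILE, KEYSTORE_PASSWORD);
        } catch (IOException e) {
            e.printStackTrace();
        } catch (GeneralSecurityException e) {
            e.printStackTrace();
        }
    }

    /**
     * Converts the JKS keystore at {@link #JKS_KEYSTORE_FILE} into a PKCS12 (.pfx) file
     * at {@link #PFX_KEYSTORE_FILE}, using {@link #KEYSTORE_PASSWORD} for both stores
     * and for every key entry.
     * <p>Failures are printed to stderr (as in the original tool) rather than thrown;
     * call {@link #convert} directly if the caller needs to react to them.
     */
    public static void coverToPfx() {
        try {
            convert(JKS, JKS_KEYSTORE_FILE, PKCS12, PFX_KEYSTORE_FILE, KEYSTORE_PASSWORD);
        } catch (IOException e) {
            e.printStackTrace();
        } catch (GeneralSecurityException e) {
            e.printStackTrace();
        }
    }

    /**
     * Copies every private-key entry (alias, key, certificate chain) from one keystore
     * into a newly created keystore of another type and writes it to {@code outFile}.
     * Each alias seen is echoed to stdout. Trusted-certificate entries are skipped, as
     * in the original tool: nginx only needs the key and its chain.
     *
     * @param inType   input keystore type, e.g. {@link #JKS} or {@link #PKCS12}
     * @param inFile   path of the existing keystore
     * @param outType  output keystore type
     * @param outFile  path to write; overwritten if it already exists
     * @param password store password, also used as the key password for every entry
     *                 (the key password must therefore equal the store password);
     *                 a null or blank value is treated as "no password", which both
     *                 JKS and PKCS12 reject when storing
     * @throws IOException              if a file cannot be read or written, or the
     *                                  password does not open {@code inFile}
     * @throws GeneralSecurityException if the keystore type is unavailable, a key
     *                                  cannot be recovered, or {@code inFile} holds
     *                                  no key entry at all
     */
    public static void convert(String inType, String inFile, String outType, String outFile, String password)
            throws IOException, GeneralSecurityException {
        char[] pass = passwordChars(password);

        KeyStore input = KeyStore.getInstance(inType);
        FileInputStream fis = new FileInputStream(inFile);
        try {
            input.load(fis, pass);
        } finally {
            // Closed on the error path too; the original leaked the handle when load() threw.
            fis.close();
        }

        KeyStore output = KeyStore.getInstance(outType);
        output.load(null, pass); // null stream = create an empty in-memory store

        int copied = 0;
        Enumeration<String> aliases = input.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            System.out.println("alias=[" + alias + "]");
            if (!input.isKeyEntry(alias)) {
                continue;
            }
            Key key = input.getKey(alias, pass);
            Certificate[] chain = input.getCertificateChain(alias);
            output.setKeyEntry(alias, key, pass, chain);
            copied++;
        }
        // An empty output store is never what the caller wants (nginx would end up
        // with no key); the original silently wrote one.
        if (copied == 0) {
            throw new KeyStoreException("no key entries found in " + inFile);
        }

        FileOutputStream fos = new FileOutputStream(outFile);
        try {
            output.store(fos, pass);
        } finally {
            fos.close();
        }
    }

    /** Mirrors the original null/blank handling: a blank password means "no password". */
    private static char[] passwordChars(String password) {
        if (password == null || password.trim().equals("")) {
            return null;
        }
        return password.toCharArray();
    }

    /** Default action: JKS -> PFX, the step needed before extracting the PEM key for nginx. */
    public static void main(String[] args) {
        coverToPfx();
    }
}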
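# Extract the private key from the PKCS12 file (you will be prompted for the import
# password = the keystore password). -nodes writes the key UNENCRYPTED, so make sure
# the file is created unreadable to other users and stays that way.
umask 077
openssl pkcs12 -in tomcat.pfx -nocerts -nodes -out tomcat.key
chmod 600 tomcat.key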
如果之前已向 CA 申请过证书,直接使用申请文件中 NginxServer 目录下的 1_www.tiancai940.cc_bundle.crt(已包含服务器证书和中间证书);如果是自己用 keytool 导出的 cer(DER 格式),则需要执行以下命令将其转换为 PEM:
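# Convert the DER certificate exported by keytool above (tomcat.cer, not "server.cer")
# to PEM for nginx. This PEM holds only the leaf: if a CA issued the cert, append the
# intermediate(s) after it in the same file, or clients will fail chain validation.
openssl x509 -inform der -in tomcat.cer -out tomcat.pem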
在nginx.conf文件中添加内容
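server {
    # "listen ... ssl" replaces the deprecated "ssl on;" (removed in nginx 1.25.1).
    listen 9443 ssl;
    server_name www.tiancai940.cc;
    root html;
    # Leaf + intermediate bundle from the CA's NginxServer package (or the PEM you
    # converted yourself); the key is the one extracted from the JKS/PFX.
    ssl_certificate ../ssl/1_www.tiancai940.cc_bundle.crt;
    ssl_certificate_key ../ssl/tomcat.key;
    ssl_session_timeout 5m;
    # SSLv2, SSLv3 and TLSv1.0 were removed: they are broken (DROWN, POODLE, BEAST)
    # and modern nginx ignores the SSLv2 token anyway. Drop TLSv1.3 only if the
    # build is older than nginx 1.13 / OpenSSL 1.1.1, where it is an invalid value.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        # Backend is plain HTTP on 8080; assumes it is reachable only from this host.
        proxy_pass http://www.tiancai940.cc:8080;
    }
}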
# Dump the keystore in PEM form to verify the result: the "tomcat" entry should be a
# PrivateKeyEntry whose chain contains the server cert followed by the intermediate
# (and root), not a separate trustedCertEntry next to a self-signed key entry.
keytool -list -rfc -keystore tomcat.keystore -storepass password