1. 下载安装OpenSSL
可以从OpenSSL官网下载源码编译,也可以直接下载安装文件,地址:http://download.youkuaiyun.com/download/nicholas_lin/10169024
//20180125修改
注意:使用这个安装包后我经常出现蓝屏错误,昨天卸载后暂时正常。
srv.sys
PAGE_FAULT_IN_NONPAGED_AREA
2. 配置OpenSSL
打开 bin/openssl.cfg 文件,修改以下内容:
# 使用安装包的需要修改 dir
# openssl.cfg fragments used by this guide. OpenSSL config syntax: full-line
# and trailing "#" comments, "key = value", "@name" references another section.
# The same file is passed with -config to both `req` (CSR) and `ca` (signing).
[ CA_default ]
# Base directory for the CA database (index.txt, serial, newcerts, ...). The
# commands later in this guide use ./demoCA/..., so keep this consistent with
# the directory you actually run `ca` against (adjust for the installer layout).
dir = ./PEM/demoCA # Where everything is kept
# Make sure both lines below exist under [ req ] (by default the first one is
# present and the second one is commented out). req_extensions pulls the
# v3_req section, including subjectAltName, into the CSR.
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
# Make sure no key under req_distinguished_name carries a "0." prefix
# (e.g. "0.organizationName"); if one does, drop the "0." part.
[ req_distinguished_name ]
# *_default = value pre-filled at the prompt; *_min / *_max = length limits
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Fujian
localityName = Locality Name (eg, city)
localityName_default = FuZhou
organizationName = Organization Name (eg, company)
organizationName_default = Some Company Co., Ltd
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Some department
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
# Add the last line (subjectAltName = @alt_names); the first two lines are
# present by default.
[ v3_req ]
# Extensions to add to a certificate request
# CA:FALSE marks the issued certificate as an end-entity cert, i.e. it cannot
# itself be used to issue further certificates.
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# NOTE(review): the `ca ... -extensions v3_req` step in this guide applies this
# section from the config file when signing; with OpenSSL's default
# copy_extensions = none the SAN in the issued cert comes from here, not from
# the CSR. Confirm against the copy_extensions setting in your openssl.cfg.
subjectAltName = @alt_names
# New alt_names section. Mind the spaces inside the brackets; add as many
# DNS.x / IP.x entries as needed. The values below are examples for this
# guide: list exactly the host names and IPs clients will use to connect,
# and nothing more.
[ alt_names ]
DNS.1 = abc.example.com
DNS.2 = dfe.example.org
IP.1 = 127.0.0.1
IP.2 = 188.188.188.188
//20180118修改
注意: 客户端是Win7时,如果SAN中既配置了DNS又配置了IP,则只有DNS生效。客户端是Win10没有问题。
3. 生成自签名CA证书
命令行定位到bin目录,输入openssl
生成CA密钥对
OpenSSL> genrsa -out ./demoCA/cakey.pem 2048
自签名CA生成根证书
OpenSSL> req -new -x509 -key ./demoCA/cakey.pem -out ./demoCA/cacert.pem -config openssl.cfg -days 730
导出CA根证书为DER格式
OpenSSL> x509 -outform der -in ./demoCA/cacert.pem -out ./demoCA/cacert.der
4. 生成服务器端证书
生成服务器端密钥对
OpenSSL> genrsa -out ./demoCA/server.key 2048
生成证书签名请求(CSR;由于配置了 req_extensions = v3_req,请求中会包含 alt_names 的内容)
OpenSSL> req -new -key ./demoCA/server.key -out ./demoCA/server.csr -config openssl.cfg
签发服务器端证书
OpenSSL> ca -in ./demoCA/server.csr -out ./demoCA/server.crt -cert ./demoCA/cacert.pem -keyfile ./demoCA/cakey.pem -extensions v3_req -days 730 -config openssl.cfg
导出服务器端证书和密钥
OpenSSL> pkcs12 -export -in ./demoCA/server.crt -inkey ./demoCA/server.key -out ./demoCA/server.pfx
5. 导出服务器端证书库供Tomcat使用
打开命令行
导入根证书
CMD> keytool -importcert -v -file ./demoCA/cacert.pem -keystore ./demoCA/server.keystore
导入服务器端证书和密钥
CMD> keytool -importkeystore -v -srckeystore ./demoCA/server.pfx -srcstoretype PKCS12 -destkeystore ./demoCA/server.keystore
6. 配置Tomcat
/conf/server.xml
<!-- HTTPS connector for the keystore built in step 5.
     - keystorePass / truststorePass are shown here in plain text as an example
       value; in a real deployment use a strong, non-default password and keep
       server.xml readable only by the Tomcat service account (or move the
       secret out of the file via your deployment tooling).
     - clientAuth="false" means the truststore is not consulted for client
       certificates; the truststore* attributes only matter once clientAuth is
       set to "true" or "want" (confirm against your Tomcat version's docs).
     - NOTE(review): protocol="org.apache.coyote.http11.Http11Protocol" is the
       legacy blocking connector; it was removed in later Tomcat releases
       (8.5+), where Http11NioProtocol is used instead. Confirm against the
       Tomcat version you deploy on.
     - keystoreFile/truststoreFile: Tomcat resolves relative paths against
       CATALINA_BASE; a leading "/" may be treated as an absolute path on
       non-Windows hosts. Confirm the path resolves where you expect. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystoreFile="/conf/server.keystore" keystorePass="12345678"
truststoreFile="/conf/server.keystore" truststorePass="12345678" />