如何在tomcat中配置ssl

 

Customer Support > SSL Certificates > Certificate Signing Request Generation - Tomcat - KB1008

To generate a Certificate Signing Request (CSR), perform the following steps:

Please use JDK 1.4 or higher

1. Create a certificate keystore and private key with the following command:

$JAVA_HOME\bin>keytool -genkey -alias your_alaias_name -keyalg RSA -keystore your_keystore_filename

Note: Replace $JAVA_HOME with the directory of your Java Install - If you are a on Windows Server, change directory to \Program Files\Java\javaversionhere\bin

2. Specify the password - must be at least 6 characters long, and MUST be remembered.

3. You must input the following:

What is your first and last name? *This is the Common Name Field - The Fully Qualified Domain Name MUST be entered here*
[Unknown]: www.globalsign.net
What is the name of your organizational unit?
[Global Sign]: Global Sign
What is the name of your organization?
[Global Sign]: Global Sign
What is the name of your City or Locality?
[London]: London
What is the name of your State or Province?
[London]: London
What is the two-letter country code for this unit?
[GB]: GB
Is CN=www.globalsign.net, OU=Global Sign, O=Global Sign, L=London, ST=London, C=
GB correct?
[no]: yes

Enter key password for <your_alias_name>
(RETURN if same as keystore password):

4. Create the Certificate Signing Request file with the following command:

$JAVA_HOME\bin>keytool -certreq -keyalg RSA -alias your_alias_name -file certreq.csr -keystore your_keystore_filename

Enter keystore password: your_password_here

5. The certreq.txt file will now be generated - this file can be entered into the website. Insure to include:

-----BEGIN NEW CERTIFICATE REQUEST-----

-----END NEW CERTIFICATE REQUEST-----

 

Customer Support > SSL Certificates > Install SSL Certificate in Tomcat

One GlobalSign has sent you your certificate, copy it into a text editor such as notepad and save as " yourdomain.cer"

Note: You must carry out the following tasks in this order:

Download the GlobalSign Root certificates - these can be found here: 

(root.cer是可信赖的根证书可以用浏览器将其导出,也可以用openssl生成自签名的根证书)
1. Import the appropriate root certificates using:

$ keytool -import -trustcacerts -keystore mystore.kdb -alias root - file root.cer

"mystore.kdb" being your keystore.

2. Import the "yourdomain.cer" file using:

keytool -import -trustcacerts -keystore mystore.kdb -alias tomcat -file yourdomain.cer

With "mystore.kdb" being your keystore.

Update server.xml configuration file:

1. Open "$JAKARTA_HOME/conf/server.xml" in a text editor.

2. Find the following section:

- <!--
Define a SSL Coyote HTTP/1.1 Connector on port 8443
-->

<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
port=" 443" minProcessors="5" maxProcessors="75"
enableLookups="true"
acceptCount="100" debug="0" scheme="https" secure="true"
useURIValidationHack="false" disableUploadTimeout="true">

<Factory
className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
clientAuth="false"
protocol="TLS"
keystoreFile="mystore.kdb"
keystorePass="YOUR_KEYSTORE_PASSWORD" />

</Connector>

3. If you want Tomcat to use the default SSL port, change all instances of the port number "8443" to 443.

4. Start or restart Tomcat