

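A free single-domain SSL certificate, valid for one year, can be requested from Alibaba Cloud. When applying, go to Products and Services -> SSL Certificates -> Purchase Certificate and select the options as follows: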



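Ubuntu 18.04: configuring Nginx with the PEM format

After extracting the Nginx version of the certificate, you will have two files, a .pem and a .key. Add the following configuration to the server file /etc/nginx/sites-enabled/default, then restart the Nginx server.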

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        listen 443 ssl;
        ssl_certificate /root/ssl2020/xxx.pem;
        ssl_certificate_key /root/ssl2020/xxx.key;

        # ... the remaining directives of the default server block stay unchanged ...
}

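Ubuntu 18.04: configuring Openfire with the JKS format

1. Wherever a password is requested during the process, it is best to use the same password throughout. The default password in Openfire 4.4 is changeit.
2. Where certificate information is requested, enter anything: the entry created by keytool -genkey only serves to create the keystore file and is removed again with keytool -delete.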

~/ssl2020# openssl pkcs12 -export -out certificate.p12 -inkey xxx.key -in xxx.pem 
Enter Export Password:
Verifying - Enter Export Password:
~/ssl2020# keytool -genkey -keyalg RSA -alias domain.com -keystore truststore.ks
Enter keystore password:  
Re-enter new password: 
What is your first and last name?
What is the name of your organizational unit?
What is the name of your organization?
What is the name of your City or Locality?
What is the name of your State or Province?
What is the two-letter country code for this unit?
Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
  [no]:  yes

Enter key password for 
	(RETURN if same as keystore password):  

The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore truststore.ks -destkeystore truststore.ks -deststoretype pkcs12".
~/ssl2020# keytool -delete -alias domain.com -keystore truststore.ks
Enter keystore password: 
~/ssl2020# keytool -import -v -trustcacerts -alias domain.com -file xxx.pem -keystore truststore.ks
Enter keystore password:  
Trust this certificate? [no]:  yes
Certificate was added to keystore
~/ssl2020# keytool -genkey -keyalg RSA -alias domain.com -keystore keystore.ks
Enter keystore password:  
Re-enter new password: 
What is your first and last name?
What is the name of your organizational unit?
What is the name of your organization?
What is the name of your City or Locality?
What is the name of your State or Province?
What is the two-letter country code for this unit?
Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
  [no]:  yes

Enter key password for 
	(RETURN if same as keystore password):  

The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.ks -destkeystore keystore.ks -deststoretype pkcs12".
~/ssl2020# keytool -delete -alias domain.com -keystore keystore.ks
Enter keystore password: 
~/ssl2020# keytool -v -importkeystore -srckeystore certificate.p12 -srcstoretype PKCS12 -destkeystore keystore.ks -deststoretype JKS
Importing keystore certificate.p12 to keystore.ks...
Enter destination keystore password:  
Enter source keystore password:  
Entry for alias 1 successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
[Storing keystore.ks]

The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.ks -destkeystore keystore.ks -deststoretype pkcs12".

Once keystore.ks and truststore.ks have been generated, copy them to the Openfire configuration directory and restart the service:

~/ssl2020# cp ./keystore.ks /root/bak/root/openfire/openfire/resources/security/keystore
~/ssl2020# cp ./truststore.ks /root/bak/root/openfire/openfire/resources/security/truststore
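
The checks below are an added example, not part of the original post: they confirm that the .pem and .key belong together, that the certificate is not about to expire, that the key file is not readable by other users, and that the exported certificate.p12 holds the expected certificate before it is imported into the JKS keystore. The function names, the script name check_cert.sh and the P12_PASS variable are assumptions; make_sample_pair builds a constructed throwaway pair for trying the checks out.

```shell
#!/bin/sh
# Added example (not from the original post): checks to run on the certificate
# pair before installing it in Nginx or converting it for Openfire.
# Function names and the P12_PASS variable are assumptions of this example.

# True if the certificate (first cert in the PEM) and the private key share
# the same public key. Exit status 2 means a file could not be parsed.
pair_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# True if the certificate is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# True if the key file grants no permissions to group or others.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Non-interactive form of the PKCS12 export; the password is read from the
# environment variable P12_PASS instead of being typed or put on the command line.
export_p12() {
    openssl pkcs12 -export -out "$3" -inkey "$2" -in "$1" -passout env:P12_PASS
}

# True if the certificate stored in the PKCS12 file is the one in the PEM file.
p12_matches_cert() {
    p=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -pubkey 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$p" ] && [ "$p" = "$c" ]
}

# Constructed sample input: a throwaway self-signed pair valid for 30 days.
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=example.test" \
        -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# Usage: sh check_cert.sh xxx.pem xxx.key
if [ "$#" -eq 2 ]; then
    pair_matches "$1" "$2" || { echo "key does not match certificate"; exit 1; }
    valid_for_days "$1" 30 || { echo "certificate expires within 30 days"; exit 1; }
    key_is_private "$2"    || { echo "key file is readable by group/others"; exit 1; }
    echo "ok"
fi
```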
