Summary of Configuring HTTPS for Nginx and Tomcat

1. Prerequisite: you have already obtained a certificate issued by a CA.

2. Merge the certificates (the CA used here is Comodo)

  1. Suppose your signed certificate is named xxx.crt and your key file is server.key. Besides your own xxx.crt, you also have COMODORSAAddTrustCA.crt, COMODORSADomainValidationSecureServerCA.crt and AddTrustExternalCARoot.crt.

  2. Merge the certificates with the cat command

    # Order matters: the server (leaf) certificate comes first, then the certificate that
    # issued it, and so on up to the root. For this Comodo chain the leaf is issued by the
    # DomainValidation CA, which chains to COMODORSAAddTrustCA and then AddTrustExternalCARoot.
    cat COMODORSADomainValidationSecureServerCA.crt >> xxx.crt
    cat COMODORSAAddTrustCA.crt >> xxx.crt
    cat AddTrustExternalCARoot.crt >> xxx.crt
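
As an added example (not code from the original post), here is a POSIX shell script that sanity-checks the merged xxx.crt before you point nginx at it or feed it to openssl pkcs12: it confirms that the private key belongs to the first certificate and that the certificates are ordered leaf, intermediate(s), root, as TLS requires. It assumes the openssl CLI is installed; the chain built at the bottom is a constructed stand-in for the real CA files, and all file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): check a concatenated PEM bundle before
# handing it to nginx or "openssl pkcs12". Needs the openssl CLI; file names are
# placeholders. It verifies that the first (leaf) certificate matches the private key
# and that each following certificate issued the one before it: leaf, intermediates, root.
set -eu

# Print the k-th (1-based) PEM certificate block of bundle file $1.
nth_cert() {
  awk -v k="$2" '/-----BEGIN CERTIFICATE-----/{c++} c==k' "$1"
}

# Succeed if the leaf certificate in bundle $1 carries the public key of key file $2.
key_matches_leaf() {
  cert_fp=$(nth_cert "$1" 1 | openssl x509 -noout -pubkey |
            openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_fp=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$cert_fp" = "$key_fp" ]
}

# Succeed if bundle $1 is ordered leaf -> intermediate(s) -> root; report the first break.
chain_in_order() {
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1")
  i=2
  while [ "$i" -le "$n" ]; do
    want=$(nth_cert "$1" $((i - 1)) | openssl x509 -noout -issuer | sed 's/^issuer=//')
    got=$(nth_cert "$1" "$i" | openssl x509 -noout -subject | sed 's/^subject=//')
    if [ "$want" != "$got" ]; then
      echo "cert #$i is '$got' but cert #$((i - 1)) was issued by '$want'" >&2
      return 1
    fi
    i=$((i + 1))
  done
}

# issue NAME CN ISSUER: create NAME.key/NAME.csr and sign NAME.crt with ISSUER's key.
issue() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial -out "$1.crt" -days 1 2>/dev/null
}
# Build a constructed throw-away chain in directory $1: good.crt is in the correct order,
# bad.crt appends the root before the intermediate (the same mistake as an early root cat).
make_test_chain() (
  cd "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt -subj "/CN=Test Root" -days 1 2>/dev/null
  issue inter "Test Intermediate" root
  issue server www.example.test inter
  cat server.crt inter.crt root.crt > good.crt
  cat server.crt root.crt inter.crt > bad.crt
)
```

On the real files, run `chain_in_order xxx.crt && key_matches_leaf xxx.crt server.key`; a mis-ordered bundle prints which certificate breaks the chain.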

3. Nginx certificate configuration

server {
    server_name YOUR_DOMAINNAME_HERE;
    listen 443 ssl;                 # same as "listen 443;" plus the older "ssl on;", which newer nginx releases no longer accept
    keepalive_timeout   70;
    ssl_certificate /path/to/xxx.crt;          # the merged file: server certificate followed by its chain
    ssl_certificate_key /path/to/server.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2; # as in the original; TLSv1 and TLSv1.1 are deprecated, keep only TLSv1.2 (and TLSv1.3) if your clients allow it
    ssl_client_certificate  /path/to/cacert.pem;
    # ssl_verify_client       on;            # server-side verification of client certificates; left off for now so clients without a certificate can still connect
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout     5m;
}

sudo /etc/init.d/nginx configtest
sudo /etc/init.d/nginx restart

4. Steps to generate a keystore for configuring HTTPS under Tomcat

  1. Convert the x509 certificate and key to a PKCS#12 file

openssl pkcs12 -export -in server.crt -inkey server.key \
               -out server.p12 -name some-alias \
               -CAfile ca.crt -caname root

(If you merged the certificate chain by hand, the -CAfile/-caname options are not needed; I concatenated ca.crt, domain.crt and mycrt.crt into server.crt and then ran the command without them.)

Note: Make sure you put a password on the p12 file - otherwise you’ll get a null reference exception when you try to import it. (In case anyone else had this headache). (Thanks jocull!)

Note: You might want to add the -chain option to preserve the full certificate chain. (Thanks Mafuba)

  2. Convert the PKCS#12 file to a Java keystore

keytool -importkeystore \
        -deststorepass changeit -destkeypass changeit -destkeystore server.keystore \
        -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass changeit \
        -alias some-alias

(some-alias is the value given to -name when the .p12 was generated; -srcstorepass must be the password you set on the .p12 at export time.)

  3. Configure Tomcat

vim  /usr/local/tomcat/conf/server.xml

<Connector port="443"
                protocol="org.apache.coyote.http11.Http11NioProtocol"
                SSLEnabled="true"
                maxThreads="300"
                scheme="https"
                secure="true"
                keystoreFile="server.keystore"
                keystorePass="changeit"
                sslProtocol="TLS"
                URIEncoding="utf-8" />

Then restart Tomcat.
