Tomcat certificate configuration

View the environment variables: export

Set the locale variable: export LC_ALL="en_US.UTF-8"

Generate the server key
/home/jdk15/jre/bin/keytool -genkey -alias server -keyalg RSA -keypass 123456 -storepass 123456 -keystore server.keystore -validity 7200

Check that it succeeded
/home/jdk15/jre/bin/keytool -list -keystore server.keystore -v

Delete an entry
/home/jdk15/jre/bin/keytool -delete -keystore server.keystore -alias <alias>

Make a good backup of the server key (server.keystore) before continuing

Generate the certificate request
/home/jdk15/jre/bin/keytool -certreq -alias server -keystore server.keystore -file server.req -storepass 123456

Import the root CA certificate
/home/jdk15/jre/bin/keytool -import -alias RootCA -trustcacerts -file rootca.cer -keystore server.keystore -storepass 123456

Import the intermediate CA certificate (the CA one level above the issuing server)
/home/jdk15/jre/bin/keytool -import -alias GDCA -trustcacerts -file gdca.cer -keystore server.keystore -storepass 123456

Import the issued server certificate

Install server.cer on the computer, export it from IE as test.cer, then import test.cer into server.keystore. Pay attention to the alias here: the import must use the same alias the key pair was generated under (server); with any other alias keytool creates a separate trusted-certificate entry instead of attaching the issued certificate to the key.

/home/jdk15/jre/bin/keytool -import -alias server -trustcacerts -file test.cer -keystore server.keystore -storepass 123456

Client authentication

keytool -genkey -keystore cacerts -storepass 123456 -keyalg RSA

Just press Enter at each prompt

Command to add the root certificate to cacerts

/home/jdk15/jre/bin/keytool -import -alias RootCA -trustcacerts -file rootca.cer -keystore cacerts -storepass 123456

Copy cacerts into the /home/jdk15/jre/lib/security/ directory

If you are configuring CAS, also perform the following two operations
Export
/home/jdk15/jre/bin/keytool -export -trustcacerts -alias server -file servertest.cer -keystore server.keystore -storepass 123456
Import
/home/jdk15/jre/bin/keytool -import -trustcacerts -alias server -file servertest.cer -keystore /home/jdk15/jre/lib/security/cacerts -storepass 123456
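The keystore and truststore steps above, run end to end as an added example (this is not the post's own command list). It assumes keytool and openssl are on PATH rather than under /home/jdk15/jre/bin, and it stands in for the real CA (rootca.cer, gdca.cer and the signing of server.req) with a constructed two-level test CA built by openssl, so the whole flow runs offline. The password is read from $KS_PASS instead of being typed into every command line, and the final check extracts the chain length that the post verifies by eye with "keytool -list -v".

```shell
#!/bin/sh
# Added example, not the post's own commands: runs the keytool workflow end to
# end against a throwaway two-level CA built with openssl. The real
# rootca.cer / gdca.cer and the CA's signing step are replaced by constructed
# test certificates; keytool and openssl are taken from PATH.
set -eu

KS_PASS="${KS_PASS:-example-pass}"   # constructed value, not the post's 123456

# Build a test root CA and an intermediate CA signed by it in directory $1.
make_test_ca() {
  dir="$1"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test Root CA" \
    -keyout "$dir/root.key" -out "$dir/rootca.cer" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
    -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/int.ext"
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/rootca.cer" -CAkey "$dir/root.key" \
    -CAcreateserial -days 30 -extfile "$dir/int.ext" -out "$dir/gdca.cer" 2>/dev/null
}

# The post's server steps: key pair, CSR, (stand-in) CA signature, chain import.
build_server_keystore() {
  dir="$1"; ca="$2"; ks="$dir/server.keystore"
  rm -f "$ks"
  # 1. key pair under alias "server"; -dname keeps it non-interactive
  keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -validity 7200 \
    -dname "CN=tomcat.example.test, O=Example" \
    -keystore "$ks" -storepass "$KS_PASS" -keypass "$KS_PASS"
  # 2. certificate request that would be sent to the CA
  keytool -certreq -alias server -keystore "$ks" -storepass "$KS_PASS" \
    -file "$dir/server.req"
  # 3. stand-in for the CA: sign the request with the test intermediate
  printf 'subjectAltName=DNS:tomcat.example.test\nextendedKeyUsage=serverAuth\n' \
    > "$dir/server.ext"
  openssl x509 -req -in "$dir/server.req" -CA "$ca/gdca.cer" -CAkey "$ca/int.key" \
    -CAcreateserial -days 30 -extfile "$dir/server.ext" -out "$dir/server.cer" 2>/dev/null
  # 4. import root, then intermediate, then the issued certificate. The last
  #    import must use the key's alias ("server"); any other alias creates a
  #    separate trusted-cert entry and the key keeps its self-signed chain.
  keytool -importcert -noprompt -alias RootCA -trustcacerts \
    -file "$ca/rootca.cer" -keystore "$ks" -storepass "$KS_PASS"
  keytool -importcert -noprompt -alias GDCA -trustcacerts \
    -file "$ca/gdca.cer" -keystore "$ks" -storepass "$KS_PASS"
  keytool -importcert -noprompt -alias server -trustcacerts \
    -file "$dir/server.cer" -keystore "$ks" -storepass "$KS_PASS"
}

# Client-auth truststore from the post's cacerts steps: only the root is needed,
# and importing into a non-existent keystore file creates it.
build_truststore() {
  ts="$1/cacerts"; rm -f "$ts"
  keytool -importcert -noprompt -alias RootCA -trustcacerts \
    -file "$2/rootca.cer" -keystore "$ts" -storepass "$KS_PASS"
}

# Print the length of the chain stored under alias "server"
# (3 = server certificate + intermediate + root).
chain_length() {
  keytool -list -v -keystore "$1" -storepass "$KS_PASS" -alias server 2>/dev/null \
    | sed -n 's/^Certificate chain length: *\([0-9][0-9]*\).*/\1/p'
}

# Usage: KS_PASS=... sh build_keystore.sh /path/to/workdir
if [ $# -gt 0 ]; then
  make_test_ca "$1/ca"
  build_server_keystore "$1" "$1/ca"
  build_truststore "$1" "$1/ca"
  echo "chain length for alias server: $(chain_length "$1/server.keystore")"
fi
```

A chain length of 1 after the last import means the issued certificate went in under the wrong alias or the CA certificates were not imported first; that is the case the post's "note the alias" remark is about.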



Configure tomcat server.xml

Edit the block below <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->:
<!--
<Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
-->
Change it to:
<Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               keystoreFile="/home/server.keystore"
               keystorePass="123456"
               truststoreFile="/home/jdk15/jre/lib/security/cacerts"
               truststorePass="123456"
               clientAuth="true" sslProtocol="TLS" />
When client authentication is not needed, omit truststoreFile="/home/jdk15/jre/lib/security/cacerts" and truststorePass="123456"
and set clientAuth="false".
To require a client certificate, set clientAuth="true".
To ask for a client certificate without requiring one, set clientAuth="want".
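An added check for the connector settings just described (this is not code from the post or from Tomcat). It reads a server.xml path as its first argument and, using only POSIX awk, reports the slips this edit invites: an HTTPS connector that is still inside the <!-- --> comment, clientAuth="true" or "want" without a truststoreFile, a missing keystoreFile, secure not set to true, and a truststoreFile value with surrounding whitespace (Tomcat takes the attribute value literally, so a leading space becomes part of the path).

```shell
#!/bin/sh
# Added example, not from the post: lint the HTTPS <Connector> in a Tomcat
# server.xml. Prints one finding per line; exit status 0 when the connector is
# consistent, 1 when anything was found.
check_ssl_connector() {
  awk '
    # value of name="..." inside element text el, or "" when absent
    function attr(el, name,    re, v) {
      re = "[ \t]" name "=\"[^\"]*\""
      if (match(el, re)) {
        v = substr(el, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", v)
        sub(/"$/, "", v)
        return v
      }
      return ""
    }
    # flatten the file so multi-line elements become one string
    { s = s $0 " " }
    END {
      findings = 0; seen = 0
      # strip XML comments so a connector left inside <!-- --> is not counted
      while ((i = index(s, "<!--")) > 0) {
        rest = substr(s, i)
        j = index(rest, "-->")
        if (j == 0) break
        s = substr(s, 1, i - 1) substr(rest, j + 3)
      }
      # visit every remaining <Connector ...> element
      while ((i = index(s, "<Connector")) > 0) {
        s = substr(s, i)
        j = index(s, ">")
        if (j == 0) break
        el = substr(s, 1, j)
        s = substr(s, j + 1)
        if (attr(el, "scheme") != "https") continue
        seen++
        ks = attr(el, "keystoreFile")
        ts = attr(el, "truststoreFile")
        ca = attr(el, "clientAuth")
        if (ks == "") { print "https connector has no keystoreFile"; findings++ }
        if ((ca == "true" || ca == "want") && ts == "") {
          print "clientAuth=\"" ca "\" but no truststoreFile: client certificates cannot be validated"
          findings++
        }
        if (ts ~ /^[ \t]/ || ts ~ /[ \t]$/) {
          print "truststoreFile has surrounding whitespace, Tomcat will look for \"" ts "\" literally"
          findings++
        }
        if (attr(el, "secure") != "true") { print "https connector should set secure=\"true\""; findings++ }
      }
      if (seen == 0) { print "no active https connector (still commented out?)"; findings++ }
      if (findings > 0) exit 1
      exit 0
    }' "$1"
}

# Usage: check_ssl_connector /path/to/conf/server.xml
```

Run it before restarting Tomcat; a silent exit with status 0 means the HTTPS connector is uncommented, points at a keystore, and has a truststore whenever client certificates are requested.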
After editing, restart the server and open https://<local IP>:8443
For other server settings, refer to http://www.szca.gov.cn/web/jsp/service/operate_guide.jsp
