web工程配置Https访问
来源:互联网 发布:尼康软件人像后期 编辑:程序博客网 时间:2024/06/01 03:57
1. 生成服务器端私钥及密钥库:
keytool -genkey -alias testServer -validity 365 -keyalg RSA -keystore server.jks
其中testServer为服务器端私钥别名,server.jks为密钥库文件名
(生成密钥时的名字与姓氏一项需要与web域名保持一致)
keytool -genkey -alias testServer -validity 365 -keyalg RSA -keystore server.jks
输入密钥库口令:
您的名字与姓氏是什么?
[Unknown]: localhost
您的组织单位名称是什么?
[Unknown]: wh
您的组织名称是什么?
[Unknown]: wh
您所在的城市或区域名称是什么?
[Unknown]: wh
您所在的省/市/自治区名称是什么?
[Unknown]: hb
该单位的双字母国家/地区代码是什么?
[Unknown]: cn
CN=test.com, OU=wh, O=wh, L=wh, ST=hb, C=cn是否正确?
[否]: y
输入 <testServer> 的密钥口令
(如果和密钥库口令相同, 按回车):
输入密钥库口令:
您的名字与姓氏是什么?
[Unknown]: localhost
您的组织单位名称是什么?
[Unknown]: wh
您的组织名称是什么?
[Unknown]: wh
您所在的城市或区域名称是什么?
[Unknown]: wh
您所在的省/市/自治区名称是什么?
[Unknown]: hb
该单位的双字母国家/地区代码是什么?
[Unknown]: cn
CN=test.com, OU=wh, O=wh, L=wh, ST=hb, C=cn是否正确?
[否]: y
输入 <testServer> 的密钥口令
(如果和密钥库口令相同, 按回车):
2. 导出服务器证书请求文件
keytool -certreq -alias testServer -keyalg RSA -keysize 2048 -file server.csr -keystore server.jks
(其中server.csr为证书请求文件名)
3. 将证书请求文件交由第三方CA或者自制CA签名
使用自建CA签发证书(root.crt和root.key见:“附:使用openssl创建自制CA”):
openssl x509 -req -days 730 -sha1 -extensions v3_req -CA root.crt -CAkey root.key -CAcreateserial -in server.csr -out server.crt
OpenSSL> x509 -req -days 730 -sha1 -extensions v3_req -CA root.crt -CAkey root.key -CAcreateserial -in server.csr -out server.crt
Signature ok
subject=/C=cn/ST=hb/L=wh/O=wh/OU=wh/CN=test.com
Getting CA Private Key
Enter pass phrase for root.key:
openssl x509 -req -days 730 -sha1 -extensions v3_req -CA root.crt -CAkey root.key -CAcreateserial -in server.csr -out server.crt
OpenSSL> x509 -req -days 730 -sha1 -extensions v3_req -CA root.crt -CAkey root.key -CAcreateserial -in server.csr -out server.crt
Signature ok
subject=/C=cn/ST=hb/L=wh/O=wh/OU=wh/CN=test.com
Getting CA Private Key
Enter pass phrase for root.key:
生成文件名为server.crt
4. 将服务器证书导入密钥库
keytool -import -alias testserver -file server.crt -keystore server.jks
(其中testServer为证书别名,需要与之前生成密钥库时使用的别名一致)
5. 修改tomcat下server.xml配置文件
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="conf/server.jks" keystorePass="123456" />
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="conf/server.jks" keystorePass="123456" />
(其中server.jks为密钥库文件名)
附:使用openssl创建自制CA
1) 创建根证书密钥文件root.key:
openssl genrsa -des3 -out root.key 1024OpenSSL> genrsa -des3 -out root.key 1024
Generating RSA private key, 1024 bit long modulus
.....++++++
.....++++++
e is 65537 (0x10001)
Enter pass phrase for root.key:
Verifying - Enter pass phrase for root.key:
2)创建根证书的申请文件root.csr:
openssl req -new -key root.key -out root.csr
OpenSSL> req -new -key root.key -out root.csr
Enter pass phrase for root.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:hb
Locality Name (eg, city) []:wh
Organization Name (eg, company) [Internet Widgits Pty Ltd]:wh
Organizational Unit Name (eg, section) []:wh
Common Name (eg, YOUR name) []:testCA
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Enter pass phrase for root.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:hb
Locality Name (eg, city) []:wh
Organization Name (eg, company) [Internet Widgits Pty Ltd]:wh
Organizational Unit Name (eg, section) []:wh
Common Name (eg, YOUR name) []:testCA
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3)创建一个自当前日期起为期十年的根证书root.crt:
openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey root.key -in root.csr -out root.crt 0 0
- web工程配置Https访问
- web.xml中配置http访问转向https
- Tomcat配置HTTPS访问,强制HTTPS访问
- Tomcat配置Https访问
- Tomcat配置HTTPS访问
- Nginx配置https访问
- tomcat配置https访问
- tomcat https访问配置
- tomcat 配置https访问
- 配置tomcat https访问
- Tomcat配置https访问
- Springboot配置https访问
- camel 配置 https访问配置
- web项目配置https
- HTTPS的WEB Service访问
- Eclipse下通过Maven的Jetty插件运行Web工程的配置,包括启动https
- Eclipse下通过Maven的Tomcat插件运行Web工程的配置,包括启用https
- Eclipse下通过Maven的Jetty插件运行Web工程的配置,包括启动https
- DI,DIP,IOC的演变历史
- 获取天气
- HDOJ1789--Doing Homework again
- IOS开发>>UIViewController各个方法的加载顺序
- Git远程操作详解
- web工程配置Https访问
- 7个示例科普CPU Cache line
- CentOS6.5上搭建Docker服务
- java7新特性——使用ThreadLocalRandom产生并发随机数
- toString和new String()
- zookeeper源码分析之leader选举
- Foundation框架中各种牛瓣数据类型
- append构建动态函数
- 正则表达式的用法