jjs_love posted on 2013-2-6 09:52:41

Tomcat certificate configuration

View the environment variables: export
Set the locale variable: export LC_ALL="en_US.UTF-8"
 
 
Generate the server key
/home/jdk15/jre/bin/keytool -genkey -alias server -keyalg RSA -keypass 123456 -storepass 123456 -keystore server.keystore  -validity 7200
 
 
Check that it succeeded
/home/jdk15/jre/bin/keytool -list -keystore server.keystore -v
Delete an entry
/home/jdk15/jre/bin/keytool -delete -keystore server.keystore -alias <alias>
Back up the server key before going further.
 
Generate the certificate signing request
/home/jdk15/jre/bin/keytool -certreq -alias server -keystore server.keystore -file server.req -storepass 123456
 
 
Import the root CA certificate
/home/jdk15/jre/bin/keytool -import -alias RootCA -trustcacerts -file rootca.cer -keystore server.keystore -storepass 123456
 
Import the intermediate CA certificate
/home/jdk15/jre/bin/keytool -import -alias GDCA -trustcacerts -file gdca.cer -keystore server.keystore -storepass 123456 
 
Import the issued server certificate

Install server.cer on the local machine, export it from IE as test.cer, then import that file into server.keystore. Note the alias: it must be the same alias ("server") that the key pair was generated under.
/home/jdk15/jre/bin/keytool -import -alias server -trustcacerts -file test.cer -keystore server.keystore -storepass 123456
 
Client authentication
keytool -genkey -keystore "cacerts" -storepass 123456 -keyalg RSA
Just press Enter at each prompt.
 
 
<span style="">添加根证书到cacerts中的命令
 /home/jdk15/jre/bin/keytool -import -alias RootCA -trustcacerts -file rootca.cer -keystore cacerts
-storepass 123456
<span style="" /> 

将cacerts  copy 到

 
<span style="" />  /home/jdk15/jre/lib/security/目录下面
<span style="" /> 
If you are configuring CAS, also perform the following two steps.
Export
/home/jdk15/jre/bin/keytool -export  -trustcacerts -alias server -file servertest.cer -keystore server.keystore -storepass 123456
Import
/home/jdk15/jre/bin/keytool -import -trustcacerts -alias server -file servertest.cer -keystore /home/jdk15/jre/lib/security/cacerts -storepass 123456
 
 
Configure Tomcat server.xml
Modify the section marked <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<!--
 
<Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
-->
Change it to: <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               keystoreFile="/home/server.keystore"
               keystorePass="123456"
               truststoreFile="/home/jdk15/jre/lib/security/cacerts"
               truststorePass="123456"
               clientAuth="true" sslProtocol="TLS" />
When client authentication is not required, truststoreFile="/home/jdk15/jre/lib/security/cacerts" and
               truststorePass="123456" are not needed,

 and clientAuth="false".
 To require a client certificate, set clientAuth="true".
 To request a client certificate without requiring one, set clientAuth="want".
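A small checker for the Connector rules above, added here as an example and not part of the original post: it parses a server.xml and reports an https Connector that lacks a keystoreFile, uses an invalid clientAuth value, asks for client certificates without a truststoreFile, or carries a path with stray whitespace (as the truststoreFile in the post originally did). The sample server.xml is constructed for this example; the attribute names are the ones the post uses.

```python
"""Lint the https Connector entries of a Tomcat server.xml (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample: an https connector with a leading space in the
# truststore path, and one that requests client certs without a truststore.
SAMPLE_SERVER_XML = """<Server port="8005">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443" scheme="https" secure="true"
               keystoreFile="/home/server.keystore" keystorePass="123456"
               truststoreFile=" /home/jdk15/jre/lib/security/cacerts"
               truststorePass="123456" clientAuth="true" sslProtocol="TLS" />
    <Connector port="8444" scheme="https" secure="true"
               keystoreFile="/home/server.keystore" keystorePass="123456"
               clientAuth="want" sslProtocol="TLS" />
  </Service>
</Server>"""


def check_ssl_connectors(server_xml: str) -> list:
    """Return one finding string per problem found in https Connectors."""
    findings = []
    root = ET.fromstring(server_xml)
    for c in root.iter("Connector"):
        if c.get("scheme") != "https":
            continue  # plain HTTP connectors are out of scope here
        tag = f"Connector port={c.get('port', '?')}"
        if c.get("secure") != "true":
            findings.append(f'{tag}: secure should be "true" on an https connector')
        if not c.get("keystoreFile"):
            findings.append(f"{tag}: keystoreFile is missing (the server.keystore built with keytool)")
        client_auth = c.get("clientAuth", "false")
        if client_auth not in ("true", "false", "want"):
            findings.append(f'{tag}: clientAuth must be "true", "false" or "want", got {client_auth!r}')
        elif client_auth in ("true", "want") and not c.get("truststoreFile"):
            findings.append(f"{tag}: clientAuth={client_auth} needs truststoreFile (cacerts holding the root CA)")
        elif client_auth == "false" and c.get("truststoreFile"):
            findings.append(f"{tag}: truststoreFile is unused when clientAuth=false")
        for attr in ("keystoreFile", "truststoreFile"):
            value = c.get(attr)
            if value and value != value.strip():
                findings.append(f"{tag}: {attr} has surrounding whitespace: {value!r}")
    return findings


if __name__ == "__main__":
    for line in check_ssl_connectors(SAMPLE_SERVER_XML):
        print(line)
```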
 
After making the changes, restart the server and open https://<local IP>:8443
For other server settings, refer to http://www.szca.gov.cn/web/jsp/service/operate_guide.jsp