Global Server Certificate SSL Configuration Manual
Tomcat 4.1
Beijing Certificate Authority
BEIJING CERTIFICATE AUTHORITY
Contents
1  Before you apply ................................ 3
2  How to generate the private key ................. 3
3  CSR generation guide ............................ 5
4  Certificate installation guide .................. 6
5  How to configure SSL ............................ 12
6  Starting and stopping Tomcat .................... 13
7  Verifying the SSL connection .................... 13
8  Disaster recovery ............................... 13
1 Before you apply
The server software must be installed and the environment configured. The examples below use Keytool and Tomcat:
a) First prepare the required software:
- Java(TM) 2 SDK, Standard Edition 1.4.1_01
  Download j2sdk-1_4_1_01-windows-i586.exe
- Tomcat 4.1
  Download tomcat-4.1.18.exe
- Windows 2000 SP 2 or Windows NT SP6a
- Tomcat running as a stand-alone server
b) Set the environment variable as follows:
Variable        Value      User Name
CATALINA_HOME   [SYSTEM]   Administrator
c) Test the server
After installing Tomcat and configuring the environment, start Tomcat and test it:
If there are no problems, we can proceed to the next step.
2 How to generate the private key
Open a new DOS window:
1) Create a new local certificate keystore
keytool -genkey -alias tomcat -keyalg RSA -keystore
Note:
! Once the keystore has been created, you need to specify where the keystore is stored
! If you renew the certificate, you must create a new key pair and a new keystore
! Use the same alias when you generate the CSR and when you install the signed certificate into the keystore
Example:
C:\>keytool -genkey -alias myalias -keyalg RSA -keystore c:\.mykeystore
Enter keystore password: enter the keystore password, e.g. password
What is your first and last name?
[Unknown]: enter the common name, e.g. www.bjca.org.cn
What is the name of your organizational unit?
[Unknown]: enter the department name, e.g. Sales Dept
What is the name of your organization?
[Unknown]: enter your organization name, e.g. Beijing Certificate Authority
What is the name of your City or Locality?
[Unknown]: enter your city/county/district, e.g. Beijing
What is the name of your State or Province?
[Unknown]: enter your province/autonomous region/municipality, e.g. Beijing
What is the two-letter country code for this unit?
[Unknown]: enter the ISO country code of your country; for China it is CN
Is CN=www.bjca.org.cn, OU=Sales Dept, O=Beijing Certificate Authority, L=Beijing, ST=Beijing, C=CN correct?
[no]: yes
Enter key password for (RETURN if same as keystore password): enter the key password
The same password MUST be used.
Very important: Tomcat will recognize the location of this keystore even if the specified attributes in your server.xml point to a different keystore.
C:\>
2) Confirm that the keystore was created successfully
Example:
C:\>keytool -list -v -keystore c:\.mykeystore
Enter keystore password: password
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: myalias
Creation date: Jan 8, 2003
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.bjca.org.cn, OU=Sales Dept, O=Beijing Certificate Authority, L=Beijing, ST=Beijing, C=CN
Issuer: CN=www.bjca.org.cn, OU=Sales Dept, O=Beijing Certificate Authority, L=Beijing, ST=Beijing, C=CN
Serial number: 3e1cd4e9
Valid from: Wed Jan 08 20:48:25 EST 2003 until: Tue Apr 08 21:48:25 EDT 2003
Certificate fingerprints:
MD5: D0:BA:7C:A4:D1:D9:CF:46:38:E5:48:22:8E:AB:E2:9B
SHA1: 4A:33:FA:11:D6:5F:F4:73:9D:7A:2B:E2:89:F8:C3:57:69:0C:DC:7E
3 CSR generation guide
1) Generate the CSR as follows
keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore
Important:
! Use the same alias when you generate the CSR and when you install the signed certificate into the keystore
Example:
C:\>keytool -certreq -keyalg RSA -alias myalias -file certreq.txt -keystore c:\.mykeystore
Enter keystore password: password
C:\>
2) The generated CSR looks like this:
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBujCCASMCAQAwejELMAkGA1UEBhMCQ0ExEDAOBgNVBAgTB09udGFyaW8xDz ANBgNVBAcTBk90
dGF3YTEQMA4GA1UEChMHRW50cnVzdDETMBEGA1UECxMKRW50cnVzdCBDUzEh MB8GA1UEAxMYd3d3
5w6T q/f wIDAQABoAAwDQYJKoZIhvcNAQEEBQADgYEAF 0hqAqXumz/vGrzGVhKHlnxd7HW3ezS
GIbIUcOy1YdDc/1ZCqRpu3utYIZ6welK l QjlbL6p5RJJETkkLKXjb/WVFajNuPl7Yob9pbwA7
JBrCCKbFj kzDNbGhCR1RgFA9vQj5vob41Vj k TQchliuTLL9rFXNDHrtgTMtA=
-----END NEW CERTIFICATE REQUEST-----
4 Certificate installation guide
Install the BJCA SSL certificate as follows
1) Install the SSL certificate and the certificate chain
Enter the command:
keytool -import -alias root -keystore your_keystore_filename -trustcacerts -file filename_of_the_combined_chain_and_webcert
Example:
C:\>keytool -import -alias myalias -keystore c:\.mykeystore -trustcacerts -file c:\webcert.txt
Because Java treats the "cacerts" file as the trusted root CAs, if the root certificate already exists there, the certificate chain does not need to be imported into "cacerts".
Example:
-----BEGIN CERTIFICATE-----
MIIC4zCCAkygAwIBAgIBAzANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJVUzE Y
MBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMRwwGgYDVQQDExNHVEUgQ3liZXJUc nVz
dCBSb290MB4XDTAxMDgyMTIwMDIwOVoXDTA2MDEwMTIzNTkwMFowgcMxCzAJBg NV
BAYTAlVTMRQwEgYDVQQKEwtFbnRydXN0Lm5ldDE7MDkGA1UECxMyd3d3LmVudH J1
c3QubmV0L0NQUyBpbmNvcnAuIGJ5IHJlZi4gKGxpbWl0cyBsaWFiLikxJTAjBgNV
BAsTHChjKSAxOTk5IEVudHJ1c3QubmV0IExpbWl0ZWQxOjA4BgNVBAMTMUVudHJ1 Ct8k2pzWUHmBelrTN/fCStgpkiZk0eSYbDoAivU0m2X47eMQ//24SVjcoN6COWuB
sRYZYblUtuZDAgEDo2YwZDAPBgNVHRMECDAGAQH/AgEDMA4GA1UdDwEB/wQEAwIB
BjBBBgNVHR8EOjA4MDagNKAyhjBodHRwOi8vY2RwLmJhbHRpbW9yZS5jb20vY2dp LWJpbi9DUkwvR1RFUm9vdC5jZ2kwDQYJKoZIhvcNAQEFBQADgYEAgbZwffFU Fjj NYTSoUFyRAAysIauOknVaLteQPQJxBGLMhXGdfejVBTWLb1UTFBQXNNCiqm8Co d YikuVB 0/1habRkb k4vFe6tn5IvQMnfhZbSJNoXn5IlGVDWQYlfC0/R1wjfv U6 rzTJbJ7WXX0Ka5jKLKuckXNvu7EqOA4=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGEjCCBXugAwIBAgIEN0w5HDANBgkqhkiG9w0BAQQFADCBwzELMAkGA1UE BhMCVVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50 cnVzdC5uZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTEl
MCMGA1UECxMcKGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDE6MDgGA1UE AxMxRW50cnVzdC5uZXQgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1
dGhvcml0eTAeFw0wMzAxMDkxNzE4MjFaFw0wMzExMTAxNzQ2NDFaMHoxCzAJ
BgNVBAYTAkNBMRAwDgYDVQQIEwdPbnRhcmlvMQ8wDQYDVQQHEwZPdHRhd2Ex EDAOBgNVBAoTB0VudHJ1c3QxEzARBgNVBAsTCkVudHJ1c3QgQ1MxITAfBgNV BAMTGHd3dy50ZXN0Y2VydGlmaWNhdGVzLmNvbTCBnzANBgkqhkiG9w0BAQEF MCfPxacCAwEAAaOCA1kwggNVMAsGA1UdDwQEAwIFoDArBgNVHRAEJDAigA8y BAMCBkAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwggFoBgNVHSAEggFfMIIBWzCC AVcGCSqGSIb2fQdLAjCCAUgwJgYIKwYBBQUHAgEWGmh0dHA6Ly93d3cuZW50
cnVzdC5uZXQvY3BzMIIBHAYIKwYBBQUHAgIwggEOGoIBClRoZSBFbnRydXN0 IFNTTCBXZWIgU2VydmVyIENlcnRpZmljYXRpb24gUHJhY3RpY2UgU3RhdGVt ZW50IChDUFMpIGF2YWlsYWJsZSBhdCB3d3cuZW50cnVzdC5uZXQvY3BzICBp IGJ5IHJlZi4gKGxpbWl0cyBsaWFiLikxJTAjBgNVBAsTHChjKSAxOTk5IEVu
dHJ1c3QubmV0IExpbWl0ZWQxOjA4BgNVBAMTMUVudHJ1c3QubmV0IFNlY3Vy ZSBTZXJ2ZXIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxDjAMBgNVBAMTBUNS TDU2MCygKqAohiZodHRwOi8vd3d3LmVudHJ1c3QubmV0L0NSTC9zZXJ2ZXIx LmNybDAfBgNVHSMEGDAWgBTwF2ITVT2z/woAa/tQhJfz7WLQGjAdBgNVHQ4E FgQU8PAQJvkXpS82OTYbatZ36ZPmzM4wCQYDVR0TBAIwADAZBgkqhkiG9n0H
QQAEDDAKGwRWNS4wAwIDKDANBgkqhkiG9w0BAQQFAAOBgQCviVPHpMdBNRc J88 VVW8k3bQQlyIsbtBr3XYDkqS5o9tSXXmpwJU6G40StrObPdKLHI2C ho
GiXnmXjFlKXPe/pOjHnU3azNBPJR7edrp523EB0muGTadk9rhnoRNEpUAw9u
hgdRmxjwjO0XhBLVPcsCiiyFoDZpaU9o3MHVXQ==
-----END CERTIFICATE-----
You must accept this trusted CA.
You should receive the message: "Certificate Reply Was Installed Into Keystore"
In a UNIX environment, the above example is reversed.
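As an added example (not code from the BJCA manual or from keytool), the script below performs offline checks on the files that pass through sections 2 to 4: it base64-decodes whatever PEM blocks are in a file, tolerating the stray whitespace a pasted CSR or chain often picks up, pulls the subject DN out of the CSR so the CN/OU/O/L/ST/C typed at the keytool prompts can be confirmed before the request is submitted, prints MD5/SHA1 fingerprints in the colon form that "keytool -list -v" shows, and inspects a combined chain file: every certificate's issuer should be another certificate in the file, except the top one, which is either self-signed (a root) or must already be trusted, for instance via Java's cacerts. Because this page contains no complete CSR or certificate, skeleton_csr() and skeleton_cert() are constructed sample structures with empty keys and signatures, built only to exercise the parser; the example assumes the six X.520 attributes keytool prompts for and shows any other attribute OID as hex. All function names are this example's own.

```python
# Added example (not part of the BJCA manual or of keytool): offline checks on the PEM
# files handled in sections 2-4, standard library only. All names are this example's own.
import base64
import hashlib
import re

# id-at arcs under 2.5.4 for the six attributes keytool prompts for (DER prefix 55 04)
ATTR_ARC = {"CN": 3, "OU": 11, "O": 10, "L": 7, "ST": 8, "C": 6}
ARC_ATTR = {v: k for k, v in ATTR_ARC.items()}

def _tlv(tag, body):
    """DER tag-length-value; lengths of 128 or more use the long form."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_name(pairs):
    """X.501 Name: SEQUENCE OF (SET OF SEQUENCE { OID, UTF8String }), one RDN per pair."""
    rdns = [_tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04" + bytes([ATTR_ARC[a]]))
                              + _tlv(0x0C, v.encode()))) for a, v in pairs]
    return _tlv(0x30, b"".join(rdns))

def skeleton_csr(subject):
    """Constructed sample: CertificationRequest with a subject, empty key and signature."""
    info = _tlv(0x30, _tlv(0x02, b"\x00") + encode_name(subject) + _tlv(0x30, b"") + _tlv(0xA0, b""))
    return _tlv(0x30, info + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))

def skeleton_cert(subject, issuer):
    """Constructed sample: v3 Certificate with issuer and subject, empty key and signature."""
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"")
               + encode_name(issuer) + _tlv(0x30, b"") + encode_name(subject) + _tlv(0x30, b""))
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))

def pem_encode(der, label):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

def pem_decode_all(text):
    """Every BEGIN/END block in the text; stray whitespace inside the base64 is discarded."""
    blocks = re.findall(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", text, re.S)
    return [base64.b64decode(re.sub(r"\s+", "", b)) for b in blocks]

def _tlv_at(buf, pos):
    """(tag, value_start, value_end) of the DER element starting at pos."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                                 # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, pos, pos + n

def _children(buf, start, end):
    out, pos = [], start
    while pos < end:
        out.append(_tlv_at(buf, pos))
        pos = out[-1][2]
    return out

def _decode_name(buf, start, end):
    pairs = []
    for _, s, e in _children(buf, start, end):                 # each RDN is a SET
        for _, a, b in _children(buf, s, e):                   # each AttributeTypeAndValue a SEQUENCE
            (_, o1, o2), (vt, v1, v2) = _children(buf, a, b)[:2]
            oid = buf[o1:o2]
            attr = ARC_ATTR.get(oid[2], oid.hex()) if oid[:2] == b"\x55\x04" and len(oid) == 3 else oid.hex()
            val = buf[v1:v2].decode("utf-16-be" if vt == 0x1E else "utf-8")   # BMPString or ASCII/UTF-8
            pairs.append((attr, val))
    return pairs

def names_of(der, kind):
    """kind 'csr': {'subject'}; kind 'cert': {'issuer', 'subject'} taken from tbsCertificate."""
    _, s, e = _tlv_at(der, 0)
    _, s, e = _children(der, s, e)[0]            # certificationRequestInfo / tbsCertificate
    f = _children(der, s, e)
    if kind == "csr":                            # version INTEGER, then subject Name
        return {"subject": _decode_name(der, *f[1][1:])}
    if f[0][0] == 0xA0:                          # skip the explicit [0] version of v2/v3 certs
        f = f[1:]                                # serial, signature alg, issuer, validity, subject, ...
    return {"issuer": _decode_name(der, *f[2][1:]), "subject": _decode_name(der, *f[4][1:])}

def dn(pairs):
    return ", ".join("%s=%s" % p for p in pairs)

def fingerprints(der):
    """MD5 and SHA1 of the DER in the colon form 'keytool -list -v' prints."""
    col = lambda d: ":".join("%02X" % b for b in d)
    return {"MD5": col(hashlib.md5(der).digest()), "SHA1": col(hashlib.sha1(der).digest())}

def check_chain(pem_text):
    """Combined chain file in any order: every issuer should be another certificate in the
    file except the top one, which is self-signed (a root) or must already be trusted,
    e.g. present in Java's cacerts, before 'keytool -import -trustcacerts' will accept it."""
    certs = [names_of(d, "cert") for d in pem_decode_all(pem_text)]
    subjects = [c["subject"] for c in certs]
    return {"count": len(certs),
            "needs_trusted_issuer": [dn(c["issuer"]) for c in certs if c["issuer"] not in subjects],
            "self_signed": [dn(c["subject"]) for c in certs if c["issuer"] == c["subject"]]}
```

Typical use: run check_chain() over the combined chain-plus-server-certificate file before the "-import -trustcacerts" step; a result with one entry under needs_trusted_issuer and none under self_signed means the file stops at an intermediate, so the root it names has to be in cacerts already, which is exactly the case the manual describes. The skeletons carry no keys or signatures, so nothing here validates signatures; it only confirms names and file layout.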
2) Installing the SSL certificate on Sun Java 1.4.1 or lower
Enter the command:
keytool -import -alias root -keystore -trustcacerts -file
! Note: use the same alias when you generate the CSR and when you install the signed certificate into the keystore
Example:
C:\>keytool -import -alias myalias -keystore c:\.mykeystore -trustcacerts -file c:\webcert.txt
Because Java treats the "cacerts" file as the trusted root CAs, and Entrust's root certificate is not pre-installed in Java 1.4.x or lower, the certificate chain does not need to be imported into "cacerts".
Example:
-----BEGIN CERTIFICATE-----
MIIE2DCCBEGgAwIBAgIEN0rSQzANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhM C
VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50cnVzdC 5u
ZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMc KGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDE6MDgGA1UEAxMxRW50cnVzdC5u ZXQgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05OTA1
MjUxNjA5NDBaFw0xOTA1MjUxNjM5NDBaMIHDMQswCQYDVQQGEwJVUzEUMBIGA 1UE
ChMLRW50cnVzdC5uZXQxOzA5BgNVBAsTMnd3dy5lbnRydXN0Lm5ldC9DUFMgaW5j b3JwLiBieSByZWYuIChsaW1pdHMgbGlhYi4pMSUwIwYDVQQLExwoYykgMTk5OSBF bnRydXN0Lm5ldCBMaW1pdGVkMTowOAYDVQQDEzFFbnRydXN0Lm5ldCBTZWN1cm Ug
U2VydmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGdMA0GCSqGSIb3DQEBAQUA A4GLADCBhwKBgQDNKIM0VBuJ8w vN5Ex/68xYMmo6LIQaO2f55M28Qpku0f1BBc/ I0dNxScZgSYMVHINiC3ZH5oSn7yzcdOAGT9HZnuMNSjSuQrfJNqc1lB5gXpa0zf3 wkrYKZImZNHkmGw6AIr1NJtl O3jEP/9uElY3KDegjlrgbEWGWG5VLbmQwIBA6OC AdcwggHTMBEGCWCGSAGG EIBAQQEAwIABzCCARkGA1UdHwSCARAwggEMMIHeoIHb
oIHYpIHVMIHSMQswCQYDVQQGEwJVUzEUMBIGA1UEChMLRW50cnVzdC5uZXQxO zA5
BgNVBAsTMnd3dy5lbnRydXN0Lm5ldC9DUFMgaW5jb3JwLiBieSByZWYuIChsaW1p dHMgbGlhYi4pMSUwIwYDVQQLExwoYykgMTk5OSBFbnRydXN0Lm5ldCBMaW1pdGV k
MTowOAYDVQQDEzFFbnRydXN0Lm5ldCBTZWN1cmUgU2VydmVyIENlcnRpZmljYXR p
b24gQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMCmgJ6AlhiNodHRwOi8vd3d3Lm Vu
dHJ1c3QubmV0L0NSTC9uZXQxLmNybDArBgNVHRAEJDAigA8xOTk5MDUyNTE2MDk 0
MFqBDzIwMTkwNTI1MTYwOTQwWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAU 8Bdi
E1U9s/8KAGv7UISX8 1i0BowHQYDVR0OBBYEFPAXYhNVPbP/CgBr 1CEl/PtYtAa MAwGA1UdEwQFMAMBAf8wGQYJKoZIhvZ9B0EABAwwChsEVjQuMAMCBJAwDQYJK oZI
hvcNAQEFBQADgYEAkNwwAvpkdMKnCqV8IY00F6j7Rw7/JXyNEwr75Ji174z4xRAN 95K 8cPV1ZVqBLssziY2ZcgxxufuP NXdYR6Ee9GTxj005i7qIcyunL2POI9n9cd 2cNgQ4xYDiKWL2KjLB 6rQXvqzJ4h6BUcxm1XAX5Uj5tLUUL9wqT6u0G bI=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGEjCCBXugAwIBAgIEN0w5HDANBgkqhkiG9w0BAQQFADCBwzELMAkGA1UE BhMCVVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50 cnVzdC5uZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTEl
MCMGA1UECxMcKGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDE6MDgGA1UE AxMxRW50cnVzdC5uZXQgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1
dGhvcml0eTAeFw0wMzAxMDkxNzE4MjFaFw0wMzExMTAxNzQ2NDFaMHoxCzAJ
BgNVBAYTAkNBMRAwDgYDVQQIEwdPbnRhcmlvMQ8wDQYDVQQHEwZPdHRhd2Ex EDAOBgNVBAoTB0VudHJ1c3QxEzARBgNVBAsTCkVudHJ1c3QgQ1MxITAfBgNV BAMTGHd3dy50ZXN0Y2VydGlmaWNhdGVzLmNvbTCBnzANBgkqhkiG9w0BAQEF MCfPxacCAwEAAaOCA1kwggNVMAsGA1UdDwQEAwIFoDArBgNVHRAEJDAigA8y BAMCBkAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwggFoBgNVHSAEggFfMIIBWzCC AVcGCSqGSIb2fQdLAjCCAUgwJgYIKwYBBQUHAgEWGmh0dHA6Ly93d3cuZW50 cnVzdC5uZXQvY3BzMIIBHAYIKwYBBQUHAgIwggEOGoIBClRoZSBFbnRydXN0 IFNTTCBXZWIgU2VydmVyIENlcnRpZmljYXRpb24gUHJhY3RpY2UgU3RhdGVt ZW50IChDUFMpIGF2YWlsYWJsZSBhdCB3d3cuZW50cnVzdC5uZXQvY3BzICBp IGJ5IHJlZi4gKGxpbWl0cyBsaWFiLikxJTAjBgNVBAsTHChjKSAxOTk5IEVu
dHJ1c3QubmV0IExpbWl0ZWQxOjA4BgNVBAMTMUVudHJ1c3QubmV0IFNlY3Vy ZSBTZXJ2ZXIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxDjAMBgNVBAMTBUNS TDU2MCygKqAohiZodHRwOi8vd3d3LmVudHJ1c3QubmV0L0NSTC9zZXJ2ZXIx LmNybDAfBgNVHSMEGDAWgBTwF2ITVT2z/woAa/tQhJfz7WLQGjAdBgNVHQ4E