SSL Certificate Installation Guide - Tomcat and J2EE Application Server
1. Save the certificate file
Once the SSL certificate you applied for has been issued, you will receive an email telling you that the certificate is ready to be retrieved; click the retrieval link in the email to obtain your certificate file. This file is an archive containing the certificate chain files and the public-key certificate for the certificate type you applied for. Alternatively, you may be given an archive containing both the certificate's public key and its private key, with certificate files in 3 formats covering all server types together with the root and intermediate certificates at every level.
2. Import the certificate
Use the following keytool command to import the WoSign intermediate CA certificate into your keystore:
keytool -import -trustcacerts -alias INTER -file intermediate.cer -keystore [keystore_name]
Use the same process to import your site certificate into your keystore with the keytool command; if you are using an alias, include the alias option in the command:
keytool -import -trustcacerts -alias [keyEntry_name] -file mycert.crt -keystore [keystore_name]
In the example in this screenshot we are using a Test Certificate.
Note: If you did not specify a keystore name when the keystore was originally generated, omit the -keystore parameter from the command.
When you execute this command you will be prompted for the keystore password; enter the password you set when you generated the keystore.
When importing the certificate into your keystore, use the same alias as the private key the certificate request (CSR) was created from (this is the keyEntry listed in your keystore) and use the '-trustcacerts' parameter in your keytool -import command. If you do not specify the alias of the keyEntry, your certificate will not be tied to the private key and you will not be able to use the certificate properly; the installation will not succeed.
If you are unsure of the alias of the keyEntry, use the following command to inspect the keystore and verify the keyEntry name (alias):
keytool -list -keystore [keystore_name] -v
In the example in this screenshot the alias is "tomcat".
3. Configure Tomcat
Tomcat will first need an SSL Connector configured before it can accept secure connections.
Note: By default Tomcat will look for your keystore under the file name .keystore in the home directory, with the default password 'changeit'. The home directory is generally /home/user_name/ on Unix and Linux systems, and Home_Directory/conf/ on Microsoft Windows systems. -- It is possible to change the filename, password, and even the location in which Tomcat looks for the keystore. If you need to do this, pay special attention to #8 of Option 1 or #5 of Option 2 below.
Option 1 -- Configure the SSL Connector in server.xml:
Copy your keystore file [keystore_name] to the home directory
Open the file Home_Directory/conf/server.xml in a text editor
Uncomment the 'SSL Connector' configuration
Make sure that the 'Connector Port' is 443
If your keystore filename is something other than the default file name ( .keystore ) and/or your keystore password is something other than the default ('changeit'), then you will need to specify the correct keystore filename (with its path) and/or password in your connector configuration -- e.g. keypass="newpassword". When you are done your connector should look something like this:
Save the changes to server.xml
Restart Tomcat
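The HTTPS Connector that the server.xml step above refers to, written out as an added example that is not the original guide's screenshot or the Tomcat project's own sample. It assumes a Tomcat 7-style JSSE connector (attribute names keystoreFile, keystorePass and keyAlias rather than the older keypass shown above), a keystore copied to Tomcat's conf directory under the assumed name mykeystore.jks, the keyEntry alias 'tomcat' from the keytool -list step, and a non-default keystore password.

```xml
<!-- Added example: HTTPS Connector for conf/server.xml (Tomcat 7 JSSE attribute names; assumed) -->
<Connector port="443"
           protocol="HTTP/1.1"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           maxThreads="150"
           enableLookups="false"
           acceptCount="100"
           clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           keystoreFile="${catalina.base}/conf/mykeystore.jks"
           keystorePass="newpassword"
           keyAlias="tomcat" />
<!-- keystoreFile: omit it only if the keystore really is ~/.keystore (Tomcat's default);
     the path/filename here is an assumed example.
     keystorePass: the password you set when generating the keystore. Leave the default
     'changeit' only if you never changed it; because it is stored in clear text here,
     restrict read access to server.xml to the Tomcat user.
     keyAlias: must equal the keyEntry alias shown by 'keytool -list -v', otherwise the
     certificate is not tied to your private key and the connector will not start correctly.
     sslEnabledProtocols: restricts the connector to TLSv1.2 (assumed setting; the default
     allows whatever the JVM enables). -->
```

On Unix and Linux, binding port 443 requires that the Tomcat process have the privilege to open ports below 1024, so check that the service account is allowed to do so or front it with a port redirect.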
Option 2 -- Add an SSL Connector using admintool:
Start Tomcat
Enter 'http://localhost:8080/admin' in a local browser to start admintool. Note: admintool is not installed by default; you need to download and install it first.
Type a username and password with administrator rights
On the left select 'Service' (Java Web Services Developer Pack)
Select 'Create New Connector' from the drop-down list on the right
Choose 'HTTPS' in the 'Type' field
In the 'Port' field, enter '443'. This defines the TCP/IP port number on which Tomcat will listen for secure connections
Enter the Keystore Name (with its directory) and Keystore Password if (a.) your keystore is named something other than .keystore, (b.) .keystore is located in a directory other than the home directory of the machine on which Tomcat is running, or (c.) the password is something other than the default value of 'changeit'. If you have used the default values, you can leave these fields blank.
Select 'Save' to save the new Connector
Select 'Commit Changes' to save the new Connector information to the server.xml file so that it is available the next time Tomcat is started, then restart Tomcat
4. Set up the server
Make sure you assign port 443 and a unique IP address to the virtual host. Note: If the server is behind a firewall, make sure TCP port 443 has been opened on the firewall.
Test your certificate by using a browser to connect to your server. Use the https protocol directive (e.g. https://yourdomain.com/, the domain the certificate was issued for) to indicate you wish to use secure HTTP. The padlock icon on your browser will be displayed in the locked position if your certificates are installed correctly and the server is properly configured for SSL. Note: if your page contains insecure (non-HTTPS) elements, the browser will ask whether to display the insecure content; it is recommended to modify the page and remove the insecure content.