TOMCAT-HTTPS证书制作配置

方式一：

用OPENSSL工具建立一个根证书，用它作签名生成对应证书。

1）修改CA的一些配置文件

vi /etc/pki/tls/openssl.cnf：

[ policy_match ]
countryName             = match
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

不用修改，看看即可，[ policy_match ]中的设定的匹配规则，是有可能因为证书使用的工具不一样，导致即使设置了csr中看起来有相同的countryName,stateOrProvinceName等，但在最终生成证书时依然报错，就是证书和CA要匹配的规则。

2）生成根密钥

 

# cd /etc/pki/CA/

在CA目录下创建两个初始文件：

# touch index.txt serial
# echo 01 > serial
# openssl genrsa -out private/cakey.pem 2048

2）生成根证书

使用req命令生成自签证书：

# openssl req -new -x509 -days 36500 -key private/cakey.pem -out cacert.pem

会提示输入一些内容，因为是私有的，所以可以随便输入（之前修改的openssl.cnf会在这里呈现），最好记住能与后面保持一致。上面的自签证书cacert.pem应该生成在/etc/pki/CA下

3）为服务器生成可用证书

以上都是在CA服务器上做的操作，而且只需进行一次，现在转到nginx服务器上执行

# cd /etc/nginx/ssl
# openssl genrsa -out nginx.key 2048

4）为服务器证书生成签署请求

 

# openssl req -new -key nginx.key -out nginx.csr
...
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:GD
Locality Name (eg, city) []:SZ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:COMPANY
Organizational Unit Name (eg, section) []:IT_SECTION
Common Name (e.g. server FQDN or YOUR name) []:your.domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
...

同样会提示输入一些内容，其它随便，除了Commone Name一定要是你要授予证书的服务器域名或主机名，challenge password不填

5）用私有CA为服务器证书生成签名生成对应证书

接下来要把上一步生成的证书请求csr文件，发到CA服务器上，在CA上执行

 openssl ca -in nginx.csr -days 3650 -out nginx.crt

另外在极少数情况下，上面的命令生成的证书不能识别，试试下面的命令：
# openssl x509 -req -in nginx.csr -days 3650 -CA /etc/pki/CA/cacert.pem -CAkey
 /etc/pki/CA/private/cakey.pem -CAcreateserial -out server.crt

上面签发过程其实默认使用了-cert cacert.pem -keyfile cakey.pem，这两个文件就是前两步生成的位于/etc/pki/CA下的根密钥和根证书。将生成的crt证书发回nginx服务器使用。

到此我们已经拥有了建立ssl安全连接所需要的所有文件，并且服务器的crt和key都位于配置的目录下，剩下的是如何使用证书的问题。

   6）为linux添加根证书

    

这一步不是必须的，一般出现在开发测试环境中，而且具体的应用程序应该提供添加证书的方法。

curl工具可以在linux上模拟发送请求，但当它去访问https加密网站时就会提示如下信息：

# curl https://sean:sean@registry.domain.com:8000/
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

提示上面的信息说明curl在linux的证书信任集里没有找到根证书，你可以使用curl --insecure来不验证证书的可靠性，这只能保证数据是加密传输的但无法保证对方是我们要访问的服务。使用curl --cacert cacert.pem可以手动指定根证书路径。我们也可以把根证书添加到系统（CentOS 5,6）默认的bundle：

# cp /etc/pki/tls/certs/ca-bundle.crt{,.bak}    备份以防出错
# cat /etc/pki/CA/cacert.pem >> /etc/pki/tls/certs/ca-bundle.crt

# curl https://sean:sean@registry.domain.com:8000
"docker-registry server (dev) (v0.8.1)"

   7）nginx配置证书

   在nginx配置文件（可能是/etc/nginx/sites-available/default）的server指令下添加：

  ssl on;
  ssl_certificate /etc/nginx/ssl/nginx.crt;
  ssl_certificate_key /etc/nginx/ssl/nginx.key;

同时注意 server_name 与证书申请时的 Common Name 要相同，打开443端口。当然关于web服务器加密还有其他配置内容，如只对部分URL加密，对URL重定向实现强制https访问，请参考其他资料。

     8）tomcat配置证书

Tomcat currently operates only on JKS, PKCS11 or PKCS12 format keystores

不支持直接配置证书，普通模式不支持。如果是APR模式则可用。

 

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           SSLCertificateFile="/usr/local/ssl/server.crt"
           SSLCertificateKeyFile="/usr/local/ssl/server.pem"
           SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>

普通的NIO BIO模式，需先做转换对应的KEYSTORE

openssl pkcs12 -export -in server.crt -inkey nginx.key
                       -out mycert.p12 -name tomcat -CAfile cacrt.pem
                       -caname root -chain
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol" 
SSLEnabled="true" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25"
                   enableLookups="false" disableUploadTimeout="true"
                   acceptCount="100" scheme="https" secure="true" 
clientAuth="false" sslProtocol="TLS"
  keystoreFile="conf/mycert.p12" keystorePass="123456" keystoreType="PKCS12" />

完成。下一步把CA证书导入客户端浏览器就可以安全访问。

 

方式二：没试过

 

To obtain and install a Certificate from a Certificate Authority (like verisign.com, thawte.com or trustcenter.de), read the previous section and then follow these instructions:

Create a local Certificate Signing Request (CSR)

In order to obtain a Certificate from the Certificate Authority of your choice you have to create a so called Certificate Signing Request (CSR). That CSR will be used by the Certificate Authority to create a Certificate that will identify your website as "secure". To create a CSR follow these steps:

• Create a local self-signed Certificate (as described in the previous section):

  keytool -genkey -alias tomcat -keyalg RSA
      -keystore <your_keystore_filename>

  Note: In some cases you will have to enter the domain of your website (i.e. www.myside.org) in the field "first- and lastname" in order to create a working Certificate.
• The CSR is then created with:

  keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr
      -keystore <your_keystore_filename>

Now you have a file called certreq.csr that you can submit to the Certificate Authority (look at the documentation of the Certificate Authority website on how to do this). In return you get a Certificate.

Importing the Certificate

Now that you have your Certificate you can import it into you local keystore. First of all you have to import a so called Chain Certificate or Root Certificate into your keystore. After that you can proceed with importing your Certificate.

• Download a Chain Certificate from the Certificate Authority you obtained the Certificate from.
  For Verisign.com commercial certificates go to: http://www.verisign.com/support/install/intermediate.html
  For Verisign.com trial certificates go to: http://www.verisign.com/support/verisign-intermediate-ca/Trial_Secure_Server_Root/index.html
  For Trustcenter.de go to: http://www.trustcenter.de/certservices/cacerts/en/en.htm#server
  For Thawte.com go to: http://www.thawte.com/certs/trustmap.html
• Import the Chain Certificate into your keystore

  keytool -import -alias root -keystore <your_keystore_filename>
      -trustcacerts -file <filename_of_the_chain_certificate>

• And finally import your new Certificate

  keytool -import -alias tomcat -keystore <your_keystore_filename>
      -file <your_certificate_filename>

参考资料：

http://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html

https://segmentfault.com/a/1190000002569859

https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.2/html/Administration_and_Configuration_Guide/Generate_a_SSL_Encryption_Key_and_Certificate.html