Nginx 与 Tomcat 配置Https 总结

Posted 2022-12-13 coder_up

1. 前提你已经得到了CA机构颁发的证书了

2. 合并证书(这里证书机构选择的是comodo)

1. 假设你的被签名证书的名字叫xxx.crt，你的密钥文件叫server.key，除了以上你自己的xxx.crt，还有COMODORSAAddTrustCA.crt，COMODORSADomainValidationSecureServerCA.crt, AddTrustExternalCARoot.crt

2. 合并证书使用cat命令

   cat COMODORSAAddTrustCA.crt >> xxx.crt
   cat AddTrustExternalCARoot.crt >> xxx.crt
   cat COMODORSADomainValidationSecureServerCA.crt >> xxx.crt

3. nginx 配置证书

server 
    server_name YOUR_DOMAINNAME_HERE;
    listen 443;
    ssl on;
    keepalive_timeout   70;
    ssl_certificate /path/to/xxx.crt;
    ssl_certificate_key /path/to/server.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_client_certificate  /path/to/cacert.pem;
    # ssl_verify_client       on;                         服务器验证客户端，暂时不开启，让没有证书的客户端可以访问
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout     5m;

sudo /etc/init.d/nginx configtest
sudo /etc/init.d/nginx restart

4. 在tomcat下配置https生成keystore的步骤

1. Convert x509 Cert and Key to a pkcs12 file（将证书和私钥转换为p12格式的证书）

openssl pkcs12 -export -in server.crt -inkey server.key \\
               -out server.p12 -name some-alias \\
               -CAfile ca.crt -caname root  （这里如果手动将证书链合并了那么就不需要加这个了，我是将ca.crt domain.crt mycrt.crt 合并后为server.crt后执行的）

Note: Make sure you put a password on the p12 file - otherwise you’ll get a null reference exception when you try to import it. (In case anyone else had this headache). (Thanks jocull!)

Note: You might want to add the -chainoption to preserve the full certificate chain. (Thanks Mafuba)

2. Convert the pkcs12 file to a java keystore （将pkcs12格式的证书转换成java keystore）

keytool -importkeystore \\
        -deststorepass changeit -destkeypass changeit -destkeystore server.keystore \\
        -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass changeit \\
        -alias some-alias(生成p12时候的-name参数)

3. 配置 tomcat

vim  /usr/local/tomcat/conf/server.xml

<Connector port="443"
                protocol="org.apache.coyote.http11.Http11NioProtocol"
                SSLEnabled="true"
                maxThreads="300"
                scheme="https"
                secure="true"
                keystoreFile="server.keystore"
                keystorePass="changeit"
                sslProtocol="TLS"
                URIEncoding="utf-8" />

重启即可