Jakarta-Tomcat 服务器SSL数字证书安装指南
Jakarta-Tomcat 服务器SSL数字证书安装指南
Installing your Web Server Certificate
Your certificate will be sent to you by email. The email message includes the web server certificate that you purchased in the body of the email message.
Copy the certificate from the body of the email and paste it into a text editor (such as notepad) to create text files.
Note if you are installing the certificate on anything other than a Sun system you will have to convert the certificate to binary format. You can use OpenSSL (obtained from www.openssl.org) to convert the certificate to binary format.
Install the QuickSSL certificate:
1. Copy/paste your GeoTrust root certificate into a text editor and save the file as geotrustca.pem. The root certificate is not normally sent out with GeoTrust certificates.
您收到来自GeoTrust的Email的最下面就是您的证书,请复制从“-----BEGIN CERTIFICATE-----”开始 (包括-----BEGIN CERTIFICATE-----)到“-----END CERTIFICATE-----”结束(包括-----END CERTIFICATE-----) 的整段字符到记事本中,并另存为您申请证书时使用的网址.cer文件,如您申请证书时使用的网址为secure.domainname.com,则另存为secure.domainname.com.cer,再点击此文件请查看您的证书的颁发者名称,再根据此名称到http://www.WoTrust.com/support/root_certificates.htm 页面上下载相应的根证书,一般是ROOT 5,下载第1个格式文件就可以了。
2. Copy/paste your web server certificate into a text editor and save the file as domainname.pem (substitute domainname for the domain name that you purchased the certificate for.)
把您的服务器证书重新命名为.pem后缀文件,并拷到服务器上,如:secure.domainname.com.pem 。
2a. If necessary, convert the server certificate and root certificate to binary format (must have openssl installed) using the following command:
如果需要把根证书和服务器证书转换为二进制文件(必须已经安装OpenSSL),请使用如下命令:
openssl x509 -in domainname.pem -inform PEM -outform DER -out domainname.crt
openssl x509 -in geotrustca.pem -inform PEM -outform DER -out geotrustca.crt
3. Import the "Root Certificate" using the following command(使用如下命令导入根证书):
$JAVA_HOME/bin/keytool -import -alias geotrustca -keystore /path/to/domainname.kdb -file geotrustca.crt
4. Import the "Server Certificate" using the following command(使用如下命令导入服务器证书):
$JAVA_HOME/bin/keytool -import -alias tomcat -keystore /path/to/domainname.kdb -file domainname.crt
Note: You must use the alias name of "tomcat"
Update server.xml configuration file(修改配置文件: server.xml):
1. Open "$JAKARTA_HOME/conf/server.xml" in a text editor.
2. Find the following section:
<Connector className="org.apache.catalina.connector.http.HttpConnector"
port="8443" minProcessors="5" maxProcessors="75"
enableLookups="true"
acceptCount="10" debug="0" scheme="https" secure="true">
<Factory className="org.apache.catalina.net.SSLServerSocketFactory"
clientAuth="false" protocol="TLS"
keystoreFile="tomcat.kdb"
keystorePass="password"/>
3. If you want Tomcat to use the default SSL port, change all instances of the port number 8443 to 443.
如果您希望Tomcat使用SSL标准端口,请修改端口8443为443。如果您在同一台物理服务器上要安装多个SSL证书,则不同的域名要使用不同的端口如448,SSL访问时则必须使用https://secure.domainname2.com:448/ 。
4. Add the keystoreFile and keystorePass directives to correspond with the keystore file and password that you are using.
修改正确的keystoreFile和keystorePass的存放目录。
5. Start or restart Tomcat using the appropriate startup script (startup.sh for unix/linux or startup.bat for windows)
重新启动Tomcat即可,注意使用合适的启动脚本。
http://www.wotrust.com 提供技术支持!
