自签nginx ssl证书转换tomcat或者resin fpx和crt证书
转换证书关系图
- 转换关系图
nginx自签私有ssl证书
- 自签nginx证书
[root@ccod root]# mkdir crt
[root@ccod root]# cd crt
[root@ccod crt]# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
..................++++++
.................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key: 输入---》 123456
Verifying - Enter pass phrase for server.key: 输入---》 123456
[root@ccod crt]# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.......................++++++
................................................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
140287965706128:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:831:You must type in 4 to 1023 characters
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[root@ccod crt]#
[root@ccod crt]# ls -htrl
total 4.0K
-rw-r--r-- 1 root root 963 Jul 9 13:19 server.key
[root@ccod crt]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN 输入---》 CN
State or Province Name (full name) []:beijing 输入---》 beijing
Locality Name (eg, city) [Default City]:shijingshan 输入---》 shijingshan
Organization Name (eg, company) [Default Company Ltd]:XXX 输入---》 xxx
Organizational Unit Name (eg, section) []:XXX 输入---》 XX
Common Name (eg, your name or your server's hostname) []:cegc.com.cn #输入---》该域名就是你实际的域名是多少就填写多少即可。
Email Address []:123@163.com 输入---》输入邮箱地址
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456 输入---》输入密码123456
An optional company name []:
然后在执行下面命令
[root@host crt]# openssl rsa -in server.key -out server.key
[root@host crt]# openssl x509 -req -days 36500 -in server.csr -signkey server.key -out server.crt
- 配置nginx证书
server {
listen 443 ssl;
server_name aicc.cegc.com.cn;
access_log logs/aicc.cegc.com.cn.access.log ;
ssl_certificate /usr/local/nginx/conf/crt/server.crt;
ssl_certificate_key /usr/local/nginx/conf/crt/server.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
ssl_prefer_server_ciphers on;
ssl_session_timeout 5m;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
include vhosts/local_location_WebRTC.conf;
include vhosts/local_location.conf;
include vhosts/local_location_webAgent.conf;
}
- 访问验证
把nginx crt证书转换fpx证书
- 转换
[root@host crt]# openssl pkcs12 -export -in server.crt -inkey server.key -out server.pfx
通过ie浏览器进行证书转换
- 双击该server.pfx文件
- 选择导入
-
输入之前nginx中设置的密码
image.png
- 然后在导入系统中
- 然后完成,,然后就提示导入成功
- 然后打开ie浏览器选择internet选项
- 然后在选择内容中的证书选项
- 然后选择证书在导出
- 然后下一步
- 然后在导出证书
-
选择Base64编码x.509导出证书,命名为:cert.cer ,然后在导出到桌面
image.png
把证书导入到jdk中
- 导入操作
上传证书到$JAVA_HOME/jre/lib/security/改jdk目录下,执行如下命令:
keytool -import -alias uaac_sso -file $JAVA_HOME/jre/lib/security/cert.cer -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
如有问题删除重新导入:
keytool -delete -alias uaac_sso -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
Tomcat配置支持证书
- 配置
上传证书到conf下,命名为server.pfx,然后进行相关配置
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
port="8443" minSpareThreads="5" maxSpareThreads="75"
enableLookups="true" disableUploadTimeout="true"
acceptCount="100" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="/home/jar/apache-tomcat-6.0.35/conf/cert/ccod.pfx" keystorePass="123456"
keystoreType="PKCS12"
clientAuth="false" sslProtocol="TLS"/>
- 然后重启resin容器或者tomcat容器,在或者是string程序,然后在验证https是否正常
网友评论