Apache利用JDK自身keytool实现HTTPS
因为一个偶然机会,想把自己的webserver通过https加密访问,这里就采用JDK自带的keytool工具实现,tomcat官方也推荐这种方式,英文好的同学走这里:https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html实验环境:
os: centos 6.6 x86_64
tomcat: tomcat7(tomcat6 too)
jdk: 1.7,1.6(只要有keytool就行)
首先,你的tomcat环境是可以正常运行的,这个不在这里的讨论范围之内。
1.生成 keystore
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
# keytool -genkey -v -alias tomcat -keyalg RSA -keystore mykeystore
Enter keystore password: #设置密码
Re-enter new password: #重复一次
What is your first and last name?
:Alex Lu #随便填
What is the name of your organizational unit?
:visionet #随便填
What is the name of your organization?
:visionet #随便填
What is the name of your City or Locality?
:SH #随便填
What is the name of your State or Province?
:SH #随便填
What is the two-letter country code for this unit?
:ZH #随便填
Is CN=Alex Lu, OU=visionet, O=visionet, L=SH, ST=SH, C=ZH correct?
:Y #这里要Y,确认前面信息。
Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 90 days
for: CN=Alex Lu, OU=visionet, O=visionet, L=SH, ST=SH, C=ZH
Enter key password for <tomcat>
(RETURN if same as keystore password): #默认回车即可,不需要设置太多密码
# ls
Catalinacatalina.policycatalina.propertiescontext.xmllogging.propertiesmykeystoreserver.xmltomcat-users.xmlweb.xml
注意:-keystore是用来指定keystore保存位置,如果不加参数默认保存的当前用户家目录为~/.keystore
-validity 可以用来指定证书有效期,单位为天,缺省值为90天。
2.备份$tomcatdir/conf/server.xml To $tomcatdir/conf/server.xml.bak
1
cp $tomcatdir/conf/server.xml $tomcatdir/conf/server.xml
3.修改server.xml
a.注释一下:(tomcat注释用:<!-- XXXX --> ) ###如何也想保留http访问,可以不注释
1
2
3
4
5
6
<!--
<Connector executor="tomcatThreadPool"
port="80" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
-->
b.取消下面注释
1
2
3
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
c.增加keystoreFile和keystorePass
1
2
3
4
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="conf/mykeystore" keystorePass="123456"/>
keystoreFile=跟keystore文件位置
keystorePass=跟当时keytool命令执行时输入的密码
4. 重启tomcat
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
# ../bin/catalina.sh stop && ../bin/catalina.sh start
Using CATALINA_BASE: /home/pms/apache-tomcat-6.0.44
Using CATALINA_HOME: /home/pms/apache-tomcat-6.0.44
Using CATALINA_TMPDIR: /home/pms/apache-tomcat-6.0.44/temp
Using JRE_HOME: /home/pms/jdk1.7.0_65
Using CLASSPATH: /home/pms/apache-tomcat-6.0.44/bin/bootstrap.jar
Using CATALINA_BASE: /home/pms/apache-tomcat-6.0.44
Using CATALINA_HOME: /home/pms/apache-tomcat-6.0.44
Using CATALINA_TMPDIR: /home/pms/apache-tomcat-6.0.44/temp
Using JRE_HOME: /home/pms/jdk1.7.0_65
Using CLASSPATH: /home/pms/apache-tomcat-6.0.44/bin/bootstrap.jar
# netstat -ntlup | grep -e "80\|443"
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 21960/java
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 21960/java
tcp 0 0 127.0.0.1:8005 0.0.0.0:* LISTEN 21960/java
tcp 0 0 0.0.0.0:8009 0.0.0.0:* LISTEN 21960/java
#
5. successful !
页:
[1]