
Global Server Certificate SSL Configuration Manual

Tomcat 4.1

Beijing Certificate Authority (BJCA)

Contents

1 Before you apply
2 How to generate the private key
3 CSR generation guide
4 Certificate installation guide
5 How to configure SSL
6 Starting and stopping Tomcat
7 Verifying the SSL connection
8 Disaster recovery


1 Before you apply

Install the server software and configure the environment first. The steps below use Keytool and Tomcat as the example:

a) Prepare the required software:

- Java(TM) 2 SDK, Standard Edition 1.4.1_01
  Download j2sdk-1_4_1_01-windows-i586.exe

- Tomcat 4.1
  Download tomcat-4.1.18.exe

- Windows 2000 SP 2 or Windows NT SP6a

- Tomcat running as a standalone server

b) Set the environment variables as follows:

Variable    Value    User Name

CATALINA_HOME [SYSTEM]

[SYSTEM]

Administrator

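c) Test the server

After installing Tomcat and configuring the environment, start Tomcat and test it:

If there are no problems, you can move on to the next step.

2 How to generate the private key

Open a new DOS window:

1) Create a new local certificate keystore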


keytool -genkey -alias tomcat -keyalg RSA -keystore

Please note:

! When the keystore is created, you need to specify where the keystore is stored

! If you renew the certificate, you must create a new key pair and a new keystore

! Use the same alias when you generate the CSR and when you install the self-signed keystore certificate

For example:

    C:\>keytool -genkey -alias myalias -keyalg RSA -keystore c:\.mykeystore
    Enter keystore password: (enter the keystore password, e.g. password)
    What is your first and last name?
    [Unknown]: (enter the common name, e.g. www.bjca.org.cn)
    What is the name of your organizational unit?
    [Unknown]: (enter the department name, e.g. Sales Dept)
    What is the name of your organization?
    [Unknown]: (enter your organization name, e.g. Beijing Certificate Authority)
    What is the name of your City or Locality?
    [Unknown]: (enter your city/county/district, e.g. Beijing)
    What is the name of your State or Province?
    [Unknown]: (enter your province/autonomous region/municipality, e.g. Beijing)
    What is the two-letter country code for this unit?
    [Unknown]: (enter the ISO country code of your country; China is CN)
    Is CN=www.bjca.org.cn, OU=Sales Dept, O=Beijing Certificate Authority, L=Beijing, ST=Beijing, C=CN correct?
    [no]: yes
    Enter key password for (RETURN if same as keystore password): (enter the key password)
    C:\>

The same password MUST be used.

Very important: Tomcat will recognize the location of this keystore even if the specified attributes in your server.xml point to a different keystore.

2) Confirm that the keystore was created successfully


For example:

    C:\>keytool -list -v -keystore c:\.mykeystore
    Enter keystore password: password
    Keystore type: jks
    Keystore provider: SUN
    Your keystore contains 1 entry
    Alias name: myalias
    Creation date: Jan 8, 2003
    Entry type: keyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=www.bjca.org.cn, OU=Sales Dept, O=Beijing Certificate Authority, L=Beijing, ST=Beijing, C=CN
    Issuer: CN=www.bjca.org.cn, OU=Sales Dept, O=Beijing Certificate Authority, L=Beijing, ST=Beijing, C=CN
    Serial number: 3e1cd4e9
    Valid from: Wed Jan 08 20:48:25 EST 2003 until: Tue Apr 08 21:48:25 EDT 2003
    Certificate fingerprints:
    MD5: D0:BA:7C:A4:D1:D9:CF:46:38:E5:48:22:8E:AB:E2:9B
    SHA1: 4A:33:FA:11:D6:5F:F4:73:9D:7A:2B:E2:89:F8:C3:57:69:0C:DC:7E

3 CSR generation guide

1) Generate the CSR as follows

keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore

Important:

! Use the same alias when you generate the CSR and when you install the self-signed keystore certificate

For example:

C:\>keytool -certreq -keyalg RSA -alias myalias -file certreq.txt -keystore c:\.mykeystore


Enter keystore password: password

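C:\>

2) The generated CSR looks like this (a base64 block between -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- lines):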


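4 Certificate installation guide

Install the BJCA SSL certificate as follows

1) Install the SSL certificate and certificate chain

Enter the command:

keytool -import -alias root -keystore your_keystore_filename -trustcacerts -file filename_of_the_combined_chain_and_webcert

For example:

C:\>keytool -import -alias myalias -keystore c:\.mykeystore -trustcacerts -file c:\webcert.txt

Because Java treats the “cacerts” file as the trusted root CAs, there is no need to import the certificate chain into “cacerts” if the root certificate is already present.

For example (the combined file holds two certificates, each between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines):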


You must accept this trusted CA.

You should receive the message: "Certificate Reply Was Installed Into Keystore"

In a UNIX environment, the example above is reversed.
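The alias notes in this manual can be checked mechanically after the import. The following Python sketch is an added example, not part of the BJCA manual: it parses `keytool -list -v` output in the format shown in section 2 and reports whether the alias still holds the private key and whether a CA-issued chain is installed on it. The sample listing and the names parse_entries and check_key_entry are constructed for illustration.

```python
import re

# Constructed sample: `keytool -list -v` output after the CA reply was imported
# under a different alias than the key pair (all values are illustrative).
SAMPLE = """\
Keystore type: jks

Your keystore contains 2 entries

Alias name: myalias
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.example.test, O=Example Org, C=CN
Issuer: CN=www.example.test, O=Example Org, C=CN

Alias name: root
Entry type: trustedCertEntry
Owner: CN=www.example.test, O=Example Org, C=CN
Issuer: CN=Example Issuing CA, O=Example CA, C=CN
"""

def parse_entries(listing):
    """Split the listing on 'Alias name:' and keep the first value of each field."""
    entries = {}
    for block in re.split(r"(?m)^Alias name: ", listing)[1:]:
        lines = block.splitlines()
        fields = {}
        for line in lines[1:]:
            if ": " in line:
                key, value = line.split(": ", 1)
                fields.setdefault(key.strip(), value.strip())  # first = leaf cert
        entries[lines[0].strip()] = fields
    return entries

def check_key_entry(listing, alias):
    """Return a list of problems with the entry the server key is expected under."""
    entry = parse_entries(listing).get(alias)
    if entry is None:
        return ["alias %r not found" % alias]
    problems = []
    # Older keytool prints keyEntry, newer releases print PrivateKeyEntry.
    if entry.get("Entry type") not in ("keyEntry", "PrivateKeyEntry"):
        problems.append("entry holds no private key (%s)" % entry.get("Entry type"))
    if entry.get("Owner") == entry.get("Issuer"):
        problems.append("certificate is still self-signed; CA reply not installed")
    if int(entry.get("Certificate chain length", "0")) < 2:
        problems.append("chain length < 2; issuing CA certificate missing")
    return problems
```

An empty list means the alias holds a private key with a CA-issued chain; in the constructed sample the reply landed under "root" as a trustedCertEntry, so "myalias" is still self-signed.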

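2) Installing the SSL certificate on SUN JAVA 1.4.1 or lower

Enter the command:

keytool -import -alias root -keystore -trustcacerts -file

! Note: use the same alias when you generate the CSR and when you install the self-signed keystore certificate

For example:

C:\>keytool -import -alias myalias -keystore c:\.mykeystore -trustcacerts -file c:\webcert.txt

Because Java treats the “cacerts” file as the trusted root CAs, and the Entrust root certificate is not pre-installed in Java 1.4.x or lower, there is no need to import the certificate chain into “cacerts”.

For example (the file holds two certificates, each introduced by a -----BEGIN CERTIFICATE----- line):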
