SSLCertificateFile |
Name of the file that contains the server certificate. The format is PEM-encoded. In addition to the certificate, the file can also contain as optional elements DH parameters and/or an EC curve name for ephemeral keys, as generated by |
SSLCertificateKeyFile |
Name of the file that contains the server private key. The format is PEM-encoded. The default value is the value of "SSLCertificateFile" and in this case both certificate and private key have to be in this file (NOT RECOMMENDED). |
i.Windows下APR安装过程
1.下载安装native
Windows下的APR安装和配置比较简单,可以直接下载Tomcat-native的二进制的版本包:
下载之后的目录结构为:
tcnative-1.dll这个库已经包含了APR,openssl的核心引擎,还有tomcat-native的代码,openssl.exe是集成的openssl的命令行工具;
x64位是64位的文件夹。
但是,值得注意的是,如果要想使用这个openssl.exe 进行发证,需要首先手动设置一个openssl.cnf,也可以去openssl的官网上下载一个来,需要先设置一下环境变量:
set OPENSSL_CONF=openssl.cnf
对于上述的下载,对于每一个tomcat可能对应的tomcat-native不同,一个最好的办法是,在tomcat的二进制介质中bin目录中,就有对应的:
解压之后,和上述的下载的一样,只不过版本和当前的tomcat是对应的;
在这一步中,你也可以选择下载源码,然后在VC中进行编译,可能openssl的编译需要安装perl的环境。
2.openssl生成密钥库和证书库
(生成服务器端密钥库)
D:\software\tomcat8032\bin>openssl.exe genrsa -out rsa-private-key.pem 1024
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Generating RSA private key, 1024 bit long modulus
.....++++++
...............................++++++
e is 65537 (0x10001)
(设置环境变量)
D:\software\tomcat8032\bin>set OPENSSL_CONF=openssl.cnf
(生成服务端证书库)
D:\software\tomcat8032\bin>openssl.exe req -new -x509 -nodes -sha1 -days 365 -key rsa-private-key.pem -out self-signed-cert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:haidian
Organization Name (eg, company) [Internet Widgits Pty Ltd]:css
Organizational Unit Name (eg, section) []:guodian
Common Name (e.g. server FQDN or YOUR name) []:xixi
Email Address []:xixi@163.com
3.配置server.xml
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
SSLEnabled="true"
maxThreads="150"
scheme="https"
secure="true"
clientAuth="false"
sslProtocol="TLSv1"
SSLCertificateKeyFile="D:\software\tomcat8032\conf\openssl\rsa-private-key.pem"
SSLCertificateFile="D:\software\tomcat8032\conf\openssl\self-signed-cert.pem"/>
对于上述的配置,配置APR的protocol需要换成 Http11AprProtocol,其次,SSLCertificateKeyFile指的是openssl的服务器端的密钥库,SSLCertificateFile指的是服务器端的证书库(不带私钥,只有公钥)。
4.启动
启动之后,发现:
访问之前,需要在浏览器端,将上述的
openssl pkcs12 -export -clcerts -in server/self-signed-cert.pem -inkey server/rsa-private-key.pem -out server/server.p12 导出为P12格式的证书文件,
这样浏览器可以导入
导入进来之后,浏览器可以进行访问: