Configuring HTTPS and generating a CA certificate for Tomcat on a Linux server
1. Generating the CA certificate
[root@localhost ~]# openssl genrsa -out tomcat.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..............+++++
.......................................+++++
e is 65537 (0x010001)
[root@localhost ~]# ll
总用量 12K
-rw-------. 1 root root 1.7K 10月 24 15:34 tomcat.key
[root@localhost ~]# openssl req -new -key tomcat.key -out tomcat.csr
Can't load /root/.rnd into RNG
140005478807360:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto/rand/randfile.c:98:Filename=/root/.rnd
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BEIJING
Locality Name (eg, city) [Default City]:BEIJING
Organization Name (eg, company) [Default Company Ltd]:ZTFF
Organizational Unit Name (eg, section) []:DEV
Common Name (eg, your name or your server's hostname) []:ztff.com
Email Address []:bb@ztff.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ~]# ll
总用量 16K
-rw-r--r--. 1 root root 1.1K 10月 24 15:36 tomcat.csr
-rw-------. 1 root root 1.7K 10月 24 15:34 tomcat.key
[root@localhost ~]# mv tomcat.key tomcat.key.src
[root@localhost ~]# ll
总用量 16K
-rw-r--r--. 1 root root 1.1K 10月 24 15:36 tomcat.csr
-rw-------. 1 root root 1.7K 10月 24 15:34 tomcat.key.src
[root@localhost ~]# openssl rsa -in tomcat.key.src -out tomcat.key
writing RSA key
[root@localhost ~]# ll
总用量 20K
-rw-r--r--. 1 root root 1.1K 10月 24 15:36 tomcat.csr
-rw-------. 1 root root 1.7K 10月 24 15:38 tomcat.key
-rw-------. 1 root root 1.7K 10月 24 15:34 tomcat.key.src
[root@localhost ~]# openssl x509 -req -days 365 -in tomcat.csr -signkey tomcat.key -out tomcat.crt
Signature ok
subject=C = CN, ST = BEIJING, L = BEIJING, O = ZTF, OU = DEV, CN = ztff.com, emailAddress = bb@ztff.com
Getting Private key
[root@localhost ~]# ls
tomcat.crt tomcat.csr tomcat.key tomcat.key.src
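The same key/CSR/self-signed certificate procedure as an added, non-interactive script (not part of the original post), with a check that the certificate really belongs to the key before it goes into server.xml; the output directory, the DN values and the subjectAltName are assumptions you should change for your host.

```shell
#!/bin/sh
# Added example: non-interactive version of the procedure above plus a
# key/cert consistency check. Directory and DN values are assumed, not
# taken from any project; adjust them for your environment.

# Generate a 2048-bit RSA key, a CSR and a 365-day self-signed certificate
# in directory $1 for hostname $2, without the interactive DN prompts.
gen_selfsigned() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    openssl genrsa -out "$dir/tomcat.key" 2048 2>/dev/null
    chmod 600 "$dir/tomcat.key"          # private key stays owner-only
    openssl req -new -key "$dir/tomcat.key" -out "$dir/tomcat.csr" \
        -subj "/C=CN/ST=BEIJING/L=BEIJING/O=ZTFF/OU=DEV/CN=$host" 2>/dev/null
    # Browsers validate subjectAltName, not CN; a CN-only cert is rejected.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.cnf"
    openssl x509 -req -days 365 -in "$dir/tomcat.csr" -signkey "$dir/tomcat.key" \
        -extfile "$dir/san.cnf" -out "$dir/tomcat.crt" 2>/dev/null
}

# Return 0 only if certificate $1 was issued for private key $2 (same RSA
# modulus) and the certificate has not expired; this catches a mismatched
# certificateFile/certificateKeyFile pair before Tomcat fails to start.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null | openssl sha256)
    k=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ] &&
        openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1
}

# Stand-alone use: ./gen_cert.sh /opt/ssl_file ztff.com
if [ "$#" -eq 2 ]; then
    gen_selfsigned "$1" "$2" && cert_matches_key "$1/tomcat.crt" "$1/tomcat.key" \
        && echo "key and certificate match: $1/tomcat.crt"
fi
```

The `openssl rsa -in tomcat.key.src -out tomcat.key` step in the session above only matters when the key was generated with a passphrase (`-des3`/`-aes256`); `genrsa` without one already writes an unencrypted key, which is what Tomcat needs unless `certificateKeyPassword` is set.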
2. Configure conf/server.xml under the Tomcat directory to serve HTTPS with the generated .crt certificate
<!-- secure="true" tells Tomcat the connection is TLS, so request.isSecure()
     and secure session cookies behave correctly -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig sslProtocol="TLS">
        <Certificate certificateFile="/opt/ssl_file/tomcat.crt"
                     certificateKeyFile="/opt/ssl_file/tomcat.key"
                     type="RSA"/>
    </SSLHostConfig>
</Connector>