How to install a GoDaddy SSL certificate in Tomcat without a CSR?
One of our clients purchased a wildcard SSL certificate (*.example.com) from GoDaddy and simply downloaded it without providing any CSR data. The zip file contains 3 files: fce4f111a61ea3f4.crt, gd_bundle-g2-g1.crt and gdig2.crt.pem.
I searched many articles about this, but everyone says to first take the CSR data from your server and paste it into GoDaddy to get the SSL certificates.
In my case we didn't provide CSR data to GoDaddy, which means I don't have the keystore file.
Now, I tried to install the certificates on my server without a keystore. For that I used the commands below, with no success:
keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file fce4f111a61ea3f4.crt
keytool -import -alias interm -keystore tomcat.keystore -trustcacerts -file gd_bundle-g2-g1.crt
keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file gdig2.crt.pem
I'm assuming you already have a keystore maintained, as per your statements above. Take a backup of your keystore first to avoid any mishap.
Apart from the files you have, you should also have the private key of your generated certificate.
Now follow the steps in order.
- First, remove all existing entries from the keystore file.
keytool -delete -alias tomcat -keystore domain.jks
You can also list any other existing entries with keytool -list -keystore domain.jks and delete them the same way.
- Now export the certificate and private key into a PKCS12 file
openssl pkcs12 -export -in fce4f111a61ea3f4.crt -inkey private.key -out cert_and_key.p12 -name tomcat -CAfile gd_bundle-g2-g1.crt -caname root
If you receive an error like the following
unable to load private key
139995851216720:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: ANY PRIVATE KEY
It means your private.key isn't in the proper format; you need to change the encoding to ASCII text. Run the following commands to convert your private key:
# Dry run before touching the actual file: skip the first three bytes (a UTF-8 BOM) and see what is left
tail -c +4 private.key | file -
# Strip the BOM. Write to a temp file first: `tail -c +4 private.key > private.key` would truncate the file before tail reads it
tail -c +4 private.key > private.key.tmp && mv private.key.tmp private.key
- Import the PKCS12 file into the JKS keystore:
keytool -importkeystore -srckeystore cert_and_key.p12 -srcstoretype PKCS12 -alias tomcat -keystore domain.jks
- Now import the root certificate into the JKS keystore (with alias root)
keytool -import -trustcacerts -alias root -file gd_bundle-g2-g1.crt -noprompt -keystore domain.jks
- Add the following in server.xml
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150"
SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
keystoreFile="/path/to/keystore/domain.jks" keystorePass="xxxxxx"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA" />
<!-- RC4 suites (TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA) are deliberately left out: RC4 is broken and prohibited for TLS by RFC 7465 -->
Don't forget to replace xxxxxx with your JKS keystore password and to set the keystoreFile parameter to your keystore's path.
- Done. Now restart your Tomcat server and watch your log file
sudo service tomcat7 restart
sudo tail -f /var/log/tomcat7/catalina.out
Note: replace domain.jks with your actual keystore file.
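The "no start line ... Expecting: ANY PRIVATE KEY" error in the answer above means openssl never found a `-----BEGIN ... PRIVATE KEY-----` line at byte 0 of the file. In practice that is a UTF-8 BOM written by a Windows editor, a UTF-16 encoded file, CRLF line endings, or a binary DER key saved with a .key extension. The script below is an added example and is not part of the question or the answer: it diagnoses which of those problems the file has, normalizes it to a canonical PEM key block, checks that the base64 body really decodes to an ASN.1 SEQUENCE, and rewrites the file atomically through a temp file plus rename with 0600 permissions (a plain `tail -c +4 key > key` truncates the file before tail reads it). The function names, the sample block and the file-name handling are assumptions; the sample body is a dummy SEQUENCE, not a real key.

```python
#!/usr/bin/env python3
"""Check and repair a PEM private key before `openssl pkcs12 -export -inkey ...`.

Added example for the Tomcat/GoDaddy thread; not code from the question or answer.
"""
import base64
import os
import re
import sys
import tempfile

UTF8_BOM = b"\xef\xbb\xbf"
UTF16_BOMS = (b"\xff\xfe", b"\xfe\xff")
# PEM labels openssl accepts for "ANY PRIVATE KEY" (PKCS#1, SEC1, PKCS#8, encrypted PKCS#8)
KEY_LABELS = ("RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY")
PEM_BLOCK = re.compile(
    rb"-----BEGIN (?P<label>[A-Z ]+)-----\n(?P<body>(?:[A-Za-z0-9+/=]+\n)+)-----END (?P=label)-----"
)


def diagnose(raw: bytes) -> str:
    """Name the first thing openssl's PEM reader would trip over, or 'ok'."""
    if raw.startswith(UTF8_BOM):
        return "utf8-bom"
    if raw.startswith(UTF16_BOMS):
        return "utf16-bom"
    if raw[:1] == b"\x30":
        return "der"            # 0x30 is the ASN.1 SEQUENCE tag: binary DER, not PEM
    if b"\r\n" in raw:
        return "crlf"
    if not raw.startswith(b"-----BEGIN "):
        return "no-start-line"
    return "ok"


def sanitize_pem_key(raw: bytes) -> bytes:
    """Return one canonical, LF-terminated PEM private-key block; raise ValueError otherwise."""
    if raw[:1] == b"\x30":
        raise ValueError("file is DER; convert with: openssl pkey -inform DER -in key.der -out key.pem")
    if raw.startswith(UTF16_BOMS):
        raw = raw.decode("utf-16").encode("ascii")   # the utf-16 codec consumes the BOM
    elif raw.startswith(UTF8_BOM):
        raw = raw[len(UTF8_BOM):]
    text = raw.replace(b"\r\n", b"\n").replace(b"\r", b"\n").strip() + b"\n"
    m = PEM_BLOCK.search(text)
    if m is None or m.group("label").decode() not in KEY_LABELS:
        raise ValueError("no PEM private-key block found")
    der = base64.b64decode(m.group("body"))          # newlines are ignored by default
    if der[:1] != b"\x30":
        raise ValueError("PEM body does not decode to an ASN.1 SEQUENCE")
    return m.group(0) + b"\n"


def key_label(pem: bytes) -> str:
    """Label of the PEM block, e.g. 'RSA PRIVATE KEY' (PKCS#1) or 'PRIVATE KEY' (PKCS#8)."""
    m = PEM_BLOCK.search(pem)
    return m.group("label").decode() if m else ""


def write_atomic(path: str, data: bytes) -> None:
    """Write to a temp file in the same directory, chmod 600, then rename over the original."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".key.")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        os.chmod(tmp, 0o600)   # private key: owner read/write only
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


# Constructed sample (assumption): a PKCS#1-labelled block whose body is a dummy ASN.1
# SEQUENCE, not a real key, saved by a Windows editor with a UTF-8 BOM and CRLF endings.
_DUMMY_DER = b"\x30\x82\x00\x20" + bytes(32)
_B64 = base64.b64encode(_DUMMY_DER)
SAMPLE_KEY = (
    UTF8_BOM
    + b"-----BEGIN RSA PRIVATE KEY-----\r\n"
    + b"\r\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
    + b"\r\n-----END RSA PRIVATE KEY-----\r\n"
)

if __name__ == "__main__":
    src = sys.argv[1] if len(sys.argv) > 1 else None   # usage: fixkey.py private.key
    data = open(src, "rb").read() if src else SAMPLE_KEY
    print("diagnosis:", diagnose(data))
    fixed = sanitize_pem_key(data)
    print("key type: ", key_label(fixed))
    if src:
        write_atomic(src, fixed)
        print("rewrote", src, "atomically; now retry: openssl pkcs12 -export -inkey", src)
```

Run it with no argument to see the constructed sample go from `utf8-bom` to `ok`; run it with a path to repair a real key in place. It only fixes encoding and line-ending problems; it does not (and cannot) recover a key you never had, which is the real issue when the CSR was never generated on your side.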