Shulou(Shulou.com)06/03 Report--

Principle:

Convert the certificate (or public key) + private key into a keystore file of jks type, and configure to open it in the server.xml of tomcat

Step on the pit:

1. Most articles generate certificates for themselves and configure two-way encryption, and the process includes generating, merging, exporting, configuring the server, configuring the client, and so on.

2. Most of the articles are based on experiments, mistakenly thinking that the name of the generated keystore file can be named at will, and directly use the copy command to generate a tomcat.keystore file.

The correct command method should be (certificate name. KeyStore), or the CN name when the certificate was generated.

3. ClientAuth= "true" is used for two-way authentication and needs to be configured as false.

4. At the beginning, when you configure to use the name tomcat.keystore, it is normal to access it with an intranet browser, but then you cannot use the public network to access the domain name by actually applying for a certificate.

Then find out the reason, various tests, various configuration modifications, and the intranet browser test cannot be accessed. The personal guess here is that at the beginning, tomcat thought that a certificate was configured, and then provided access according to the rules.

But later, when using the real domain name to access, tomcat received a certificate with the same content as its own, but the name or CN name was not the same, and then tomcat was no longer providing the service.

Process:

1. Convert the certificate to keystore form, and the name of p12 can be converted into p12 in the middle.

A, convert to p12 format first

Openssl pkcs12-export-in. / www.123.com.cn.cer-inkey. / server.key-out. / projectX.p12

Remember the password you entered

B. Convert p12 to .Keystore format

Keytool-importkeystore-v-srckeystore. / projectX.p12-srcstoretype pkcs12-srcstorepass 123456-destkeystore. / www.123.com.cn.keystore-deststoretype jks-deststorepass 123456

2. Configure the server.xml file under tomcat

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.