Question

I know this question probably sounds too simple and that I should read all the documentation available on the internet; the truth is I did, but with no luck, and it left me a bit confused. I have installed this thing many times, but always for Apache, never for Tomcat.

I want to install a certificate from GoDaddy, so I followed these instructions

http://support.godaddy.com/help/article/5239/generating-a-csr-and-installing-an-ssl-certificate-in-tomcat-4x5x6x

I created my key file like this

keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore
keytool -certreq -keyalg RSA -alias tomcat -file csr.csr -keystore tomcat.keystore

I changed tomcat to mydomain.com .. is that wrong?

I created the keystore and later the CSR, and after that the problem appeared. I added this to server.xml in the conf folder

<Connector port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="path to your keystore file" keystorePass="changeit" clientAuth="false" sslProtocol="TLS"/>

Later I imported the certificate

keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file valicert_class2_root.crt

I did that, but I don't have gd_intermediate.crt. The last step was

keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file <name of your certificate>

In other blogs I saw that they import the crt here, but is tomcat the user I have to leave there, or is it just an example?

In the Tomcat documentation I found this (http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html):

Download a Chain Certificate from the Certificate Authority you obtained the Certificate from.

keytool -import -alias root -keystore <your_keystore_filename> \
    -trustcacerts -file <filename_of_the_chain_certificate>

And finally import your new Certificate

keytool -import -alias tomcat -keystore <your_keystore_filename> \
    -file <your_certificate_filename>

But I don't know what a "chain certificate" is... can anyone help me? I am really confused and lost. I am using Tomcat 7.

Thanks.

Answer 1

I spent a few hours trying to solve this; below are the fruits of my labor.

Problem

You cannot create a valid Tomcat keystore from a GoDaddy crt and key file.

Curl output may look like this:

curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Get the script

curl -O https://raw.github.com/ssstonebraker/braker-scripts/master/working-scripts/crt_to_keystore.sh
chmod +x crt_to_keystore.sh

Use the script

./crt_to_keystore.sh <path_to_crt> <path_to_key>

RAW contents of the script

#!/bin/bash
# Filename: crt_to_keystore.sh
# Description: create tomcat keystore from cert and key
# Usage: "Usage: ./crt_to_keystore.sh <path_to_crt> <path_to_key>"
# Author: Steve Stonebraker
# pretty printing functions
function print_status { echo -e "\x1B[01;34m[*]\x1B[0m $1"; }
function print_good { echo -e "\x1B[01;32m[*]\x1B[0m $1"; }
function print_error { echo -e "\x1B[01;31m[*]\x1B[0m $1"; }
function print_notification { echo -e "\x1B[01;33m[*]\x1B[0m $1"; }
function printline {
    hr=-------------------------------------------------------------------------------------------------------------------------------
    printf '%s\n' "${hr:0:${COLUMNS:-$(tput cols)}}"
}
####################################
# print message and exit program
function die { print_error "$1" >&2; exit 1; }
####################################
# function that is called when the script exits: shred the temporary
# PKCS12 file, because it contains the private key
function finish {
    [ -f "$(dirname "$0")/temp.p12" ] && shred -u "$(dirname "$0")/temp.p12";
}

# whenever the script exits call the function "finish"
trap finish EXIT
#######################################
# if file exists move it out of the way
function move_file_if_exist {
  [ -e "$1" ] && mv "$1" "$1.old" && print_status "moved file $1 to $1.old";
}
#######################################
# Verify user provided valid file
function file_must_exist {
  [ ! -f "$1" ] && die "$1 is not a valid file, please provide a valid file name!  Exiting....";
  print_status "$1 is a valid file"
}
#######################################
# Verify user provided two arguments
[ $# -ne 2 ] && die "Usage: ./crt_to_keystore.sh <path_to_crt> <path_to_key>";

# Assign user's provided input to variables
crt=$1
key=$2
#read -p "Provide password to export .crt and .key: " key_pw
# -s keeps the keystore password off the terminal while it is typed
read -r -s -p "Provide password for new keystore: " pw; echo

# Define some Variables
readonly ourPath="$(dirname "$0")"
readonly gdbundle="$ourPath/gd_bundle.crt"
readonly keystore="$ourPath/tomcat.keystore"
readonly p12="$ourPath/temp.p12"
readonly KEYTOOL=$(which keytool)
readonly OPENSSL=$(which openssl)

#######################################
# Functions used by main execution
function gd_check_cert {
    # Verify gd_bundle.crt exists. $1 is the full path, so fetch it by its
    # basename and save it to that path; a failed download must not leave
    # an empty bundle behind
    if [ ! -f "$1" ]; then
        print_error "$1 not found!  Downloading..."
        wget -O "$1" "https://certs.godaddy.com/repository/$(basename "$1")" || rm -f "$1"
    fi
    [ ! -s "$1" ] && die "$1 must exist in current path!  Exiting....";
    print_status "found $1 in current path"
}

function verify_before_execution {
    printline
    # verify godaddy cert
    gd_check_cert "${gdbundle}"

    # Check to make sure the user provided valid files
    file_must_exist "${crt}"
    file_must_exist "${key}"

    move_file_if_exist "${keystore}"
}

function import_godaddy_root {
    print_status "Importing gd_bundle.crt to java key store..."

    # -noprompt: output is discarded below, so an interactive
    # "Trust this certificate?" question would hang the script
    ${KEYTOOL} -import \
    -alias root \
    -keystore "${keystore}" \
    -trustcacerts \
    -noprompt \
    -file "${gdbundle}" \
    -keypass "${pw}" \
    -storepass "${pw}"  >/dev/null 2>/dev/null
    [ ! $? -eq 0 ] && die "Error running command... Exiting!";
}

function export_to_p12 {
    printline
    print_status "Exporting your key and cert to pkcs12 format..."
    # -chain pulls the intermediate and root out of gd_bundle.crt into the
    # p12, so the keystore ends up with the full chain, not just the leaf.
    # Use the resolved bundle path rather than a name relative to the cwd.
    ${OPENSSL} pkcs12 -export -chain -CAfile "${gdbundle}" -inkey "${key}" -in "${crt}" -out "${p12}" -password "pass:${pw}"

    [ ! $? -eq 0 ] && die "Error running command... Exiting!";

}

function import_p12_file {
    print_status "Importing p12 file to java key store..."
    # openssl leaves the entry unnamed, which Java exposes as alias "1";
    # rename it to "tomcat" so server.xml's default alias finds it
    ${KEYTOOL} -importkeystore \
    -srcalias 1 \
    -destalias tomcat \
    -srckeystore "${p12}" \
    -srcstoretype PKCS12 \
    -srcstorepass "${pw}" \
    -destkeystore "${keystore}" \
    -destkeypass "${pw}" \
    -deststorepass "${pw}" \
    -noprompt >/dev/null 2>/dev/null
    [ ! $? -eq 0 ] && die "Error running command... Exiting!";
}

function print_msg_after_creation {
    printline
    print_good "Keystore ${keystore} creation complete!"
    printline
    print_status "Don't forget to copy ${keystore} to /etc/tomcat7/tomcat.keystore and update server.xml"
    printline
}

#######################################
# Main Execution
verify_before_execution
export_to_p12
import_godaddy_root
import_p12_file
print_msg_after_creation

Source: http://brakertech.com/convert-valid-godaddy-cert-key-to-java-keystore/

Answer 2

I will try to clarify the signing procedure a bit:

  • Key generation: you create a private key
  • CSR generation: using your private key, you create a request to the Certification Authority containing the certificate to be signed
  • CA signing: the CA signs your certificate and sends it back to you (it now carries your fingerprint and the CA's fingerprint)
  • Certificate import: import the signed certificate into the keystore, making it available to Tomcat
  • Chain-cert import: import the certificates that define the chain of trust

A CA can delegate signing, so to be sure a signed certificate is valid, the client should be able to check every CA identity. (For example, your certificate is signed by ca.contoso, and contoso uses verisign as its certificate authority; the client will check contoso first and then verisign, and if everything checks out your certificate is considered valid.)
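As an added illustration (not part of either answer, and not the crt_to_keystore.sh author's code), the following POSIX shell script builds a constructed root, intermediate and server certificate chain with openssl. It shows that the server certificate fails to verify against the root alone, which is the "unable to get local issuer certificate" failure behind the curl error 60 quoted in Answer 1, and verifies once the intermediate (the "chain certificate" the question asks about) is supplied. It then runs the same `openssl pkcs12 -export -chain` step Answer 1's script uses and counts the certificates that actually land in the PKCS#12 file. Subjects, file names and the password are made up for the demo.

```shell
#!/bin/sh
# Added demonstration: root -> intermediate -> server chain built with openssl.
# Every subject, file name and the password below is constructed for the demo.
set -u

WORK="${WORK:-$(mktemp -d)}"
PASS="demo-password"   # constructed; a real keystore password is prompted for, never hard-coded

# Extension files: the CA certificates must assert CA:TRUE, the leaf must not.
write_ext_files() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.com\n' > "$WORK/server.ext"
}

# new_key_and_csr <basename> <subject>: the "key generation" and "CSR generation" steps
new_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "$2" >/dev/null 2>&1
}

# Build root (self-signed), intermediate (signed by root) and server (signed by
# intermediate). Fixed serials avoid .srl state files. Idempotent per WORK dir.
make_demo_chain() {
    [ -f "$WORK/server.pem" ] && return 0
    write_ext_files
    new_key_and_csr root   "/CN=Demo Root CA"         || return 1
    new_key_and_csr inter  "/CN=Demo Intermediate CA" || return 1
    new_key_and_csr server "/CN=www.example.com"      || return 1
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -set_serial 1 \
        -days 1 -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -set_serial 2 -days 1 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
        -set_serial 3 -days 1 -extfile "$WORK/server.ext" -out "$WORK/server.pem" >/dev/null 2>&1
}

# verify_leaf <leaf.pem> <trusted-root.pem> [intermediate.pem]
# Exit status 0 means the chain validates up to the trusted root. Without the
# intermediate, openssl cannot find the leaf's issuer and the check fails.
verify_leaf() {
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# count_certs <pem-file>: number of certificates in a PEM bundle
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# export_p12_with_chain <out.p12>: the export_to_p12 step from Answer 1, with
# inter+root concatenated into a bundle playing the role of gd_bundle.crt
export_p12_with_chain() {
    cat "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/bundle.pem"
    openssl pkcs12 -export -chain -CAfile "$WORK/bundle.pem" \
        -inkey "$WORK/server.key" -in "$WORK/server.pem" \
        -out "$1" -password "pass:$PASS" >/dev/null 2>&1
}

# p12_cert_count <file.p12>: how many certificates the PKCS#12 file carries
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys -nodes 2>/dev/null \
        | grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Stand-alone run: print the two verification outcomes and the p12 contents.
demo() {
    make_demo_chain || { echo "chain build failed"; return 1; }
    if verify_leaf "$WORK/server.pem" "$WORK/root.pem"; then
        echo "root only: verified (unexpected)"
    else
        echo "root only: FAILED, issuer (intermediate) missing"
    fi
    verify_leaf "$WORK/server.pem" "$WORK/root.pem" "$WORK/inter.pem" \
        && echo "root + intermediate: verified"
    export_p12_with_chain "$WORK/server.p12" \
        && echo "certificates in p12: $(p12_cert_count "$WORK/server.p12")"
}
demo
```

Run it with `sh demo_chain.sh`; set `WORK` to keep the generated files somewhere specific. The `-untrusted` argument to `openssl verify` is exactly the role the intermediate plays in the Tomcat instructions: it is needed to connect the server certificate to the root, but it is not itself a trust anchor, which is why the keystore has to carry it alongside the server certificate.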
