且构网

How to install a GoDaddy SSL certificate in Tomcat without a CSR?

Updated: 2023-11-24 17:44:22

I'm assuming you already have a keystore maintained as per your statements above. Take a backup of your keystore first in order to avoid any mishap.

Apart from the files you have, you should also have the private key of your generated certificate.

Now follow the steps in order.

  1. First delete all existing entries from the keystore file.

keytool -delete -alias tomcat -keystore domain.jks

You can also view any other existing entries with keytool -list -keystore domain.jks and delete them too.

  2. Now export the certificate and private key into a PKCS12 file

openssl pkcs12 -export -in fce4f111a61ea3f4.crt -inkey private.key -out cert_and_key.p12 -name tomcat -CAfile gd_bundle-g2-g1.crt -caname root

If you get an error message like the following

unable to load private key
139995851216720:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: ANY PRIVATE KEY

It means your private.key isn't in the proper format; you need to change the encoding to ASCII text. Run the following commands to convert your private key

# You can do a dry run before manipulating the actual file
# (tail -c +4 drops the first 3 bytes, i.e. the UTF-8 BOM that makes the PEM parser fail)
tail -c +4 private.key | file -

# Change encoding: write to a temporary file, then replace the original.
# Redirecting straight back onto private.key would truncate it before tail reads it.
tail -c +4 private.key > private.key.tmp && mv private.key.tmp private.key

  3. Import the PKCS12 file into the JKS keystore:

keytool -importkeystore -srckeystore cert_and_key.p12 -srcstoretype PKCS12 -alias tomcat -keystore domain.jks

  4. Now import the root certificate into the JKS keystore (with the alias root)

keytool -import -trustcacerts -alias root -file $certdir/gd_bundle-g2-g1.crt -noprompt -keystore domain.jks

  5. Add the following in server.xml

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150"
    SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
    keystoreFile="/path/to/keystore/domain.jks" keystorePass="xxxxxx"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
    TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,
    TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA" />

Don't forget to replace xxxxxx with your JKS keystore password and to set the keystoreFile parameter

  6. Done. Now restart your Tomcat server and watch your log file

sudo service tomcat7 restart
sudo tail -f /var/log/tomcat7/catalina.out

Note: replace domain.jks with your actual keystore file.
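As an added example (not part of the original answer), a POSIX shell helper for the "no start line" case in step 2: it strips the 3-byte UTF-8 BOM only when it is actually present, writes to a temporary file so the original key is never truncated, and refuses to replace the key unless the result starts with a PEM private-key header. The function and file names are my own choices.

```shell
#!/bin/sh
# Added example, not from the original answer: fix a PEM private key that
# openssl rejects with "no start line" because it starts with a UTF-8 BOM.
set -eu

# Succeeds when the file begins with the 3-byte UTF-8 BOM (EF BB BF).
has_utf8_bom() {
    [ "$(head -c 3 "$1" | od -An -tx1 | tr -d ' \n')" = "efbbbf" ]
}

# Succeeds when the first line of the file is a PEM private-key header.
looks_like_pem_key() {
    head -n 1 "$1" | grep -q '^-----BEGIN .*PRIVATE KEY-----$'
}

# Strip the BOM in place, keeping a copy of the original as <file>.bak.
# Writes to a temp file first: "tail -c +4 key > key" would truncate the
# input before tail reads it and leave an empty key behind.
strip_utf8_bom() {
    key="$1"
    if ! has_utf8_bom "$key"; then
        echo "no UTF-8 BOM in $key; nothing to do" >&2
        return 0
    fi
    tmp="$key.tmp.$$"
    tail -c +4 "$key" > "$tmp"
    if ! looks_like_pem_key "$tmp"; then
        # Something other than a BOM is wrong (e.g. not PEM at all); leave the key untouched.
        rm -f "$tmp"
        echo "$key still does not look like a PEM key after removing the BOM" >&2
        return 1
    fi
    cp "$key" "$key.bak"
    mv "$tmp" "$key"
    echo "removed UTF-8 BOM from $key (backup in $key.bak)" >&2
}

# Usage: strip_utf8_bom private.key && openssl pkcs12 -export -inkey private.key ...
```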