Updated: 2023-11-24 17:44:22
I'm assuming you already have a keystore maintained as per your statements above. Take a backup of your keystore first in order to avoid any mishap.
Apart from the files you have, you should also have the private key of your generated certificate.
Now follow the steps in order.
keytool -delete -alias tomcat -keystore domain.jks
You can also see any other existing entries with keytool -list -keystore domain.jks and delete them.
openssl pkcs12 -export -in fce4f111a61ea3f4.crt -inkey private.key -out cert_and_key.p12 -name tomcat -CAfile gd_bundle-g2-g1.crt -caname root
If you get an error like the following:
unable to load private key
139995851216720:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: ANY PRIVATE KEY
It means your private.key isn't in the proper format; you need to change the encoding to ASCII text. Run the following commands to convert your private key:
# You can do a dry run before manipulating the actual file
tail -c +4 private.key | file -
# Change encoding: write to a new file first, then move it into place.
# Redirecting straight back onto private.key would truncate the file before tail reads it.
tail -c +4 private.key > private.key.ascii && mv private.key.ascii private.key
keytool -importkeystore -srckeystore cert_and_key.p12 -srcstoretype PKCS12 -alias tomcat -keystore domain.jks
keytool -import -trustcacerts -alias root -file $certdir/gd_bundle-g2-g1.crt -noprompt -keystore domain.jks
server.xml:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150"
SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
keystoreFile="/path/to/keystore/domain.jks" keystorePass="xxxxxx"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA" />
Don't forget to replace xxxxxx with your JKS keystore password and the keystoreFile parameter.
sudo service tomcat7 restart
sudo tail -f /var/log/tomcat7/catalina.out
Note: replace domain.jks with your actual keystore file.
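As an added example (not part of the original answer), this Python script does what the `tail -c +4` step above does, but more safely and more generally: it detects the UTF-8 BOM that triggers the "no start line" error, also handles UTF-16 and CRLF key files, checks that a PEM private-key header is actually present, and writes the result to a new mode-0600 file instead of redirecting onto the original (which truncates it). Function names such as `normalize_pem` are my own choices.

```python
import os
import re
from pathlib import Path

# Byte-order marks that openssl will not skip; any of these in front of
# "-----BEGIN" produces the "no start line" error quoted in the answer.
BOMS = {
    b"\xef\xbb\xbf": "utf-8-sig",   # the 3 bytes that `tail -c +4` drops
    b"\xff\xfe": "utf-16",          # UTF-16 little-endian (Windows editors)
    b"\xfe\xff": "utf-16",          # UTF-16 big-endian
}
# Matches PKCS#8 and traditional headers: PRIVATE KEY, RSA/EC PRIVATE KEY,
# ENCRYPTED PRIVATE KEY.
PEM_HEADER = re.compile(r"^-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----$", re.M)

def detect_encoding(raw: bytes) -> str:
    """Return the codec to decode `raw` with, based on a leading BOM."""
    for bom, codec in BOMS.items():
        if raw.startswith(bom):
            return codec
    return "ascii"

def normalize_pem(raw: bytes) -> bytes:
    """Strip any BOM, force LF line endings and plain ASCII, verify a PEM
    private-key header is present. Raises ValueError otherwise."""
    try:
        text = raw.decode(detect_encoding(raw))
        text = text.replace("\r\n", "\n").replace("\r", "\n").strip() + "\n"
        if not PEM_HEADER.search(text):
            raise ValueError("no '-----BEGIN ... PRIVATE KEY-----' line found")
        return text.encode("ascii")
    except UnicodeError as exc:
        raise ValueError(f"key file is not plain ASCII text: {exc}") from exc

def normalize_pem_file(src: str, dst: str) -> int:
    """Write the cleaned key to `dst` as a new file readable only by the owner.
    Never overwrites `src` in place: a shell redirect onto the source file
    truncates it before the reader opens it. Returns bytes written."""
    if Path(src).resolve() == Path(dst).resolve():
        raise ValueError("refusing to overwrite the source key in place")
    cleaned = normalize_pem(Path(src).read_bytes())
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(cleaned)
    return len(cleaned)

if __name__ == "__main__":
    import sys
    print(normalize_pem_file(sys.argv[1], sys.argv[2]), "bytes written")
```

Run it as `python3 fixkey.py private.key private.key.ascii`, inspect the output with `file private.key.ascii`, and only then move it over the original before running the `openssl pkcs12 -export` step.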