且构网 - sharing the things programmers build and develop

java.io.IOException: Invalid keystore format with Tomcat server

Updated: 2022-04-15 22:41:51

openssl genrsa -des3 -out localhost 2048 generates a private key. What you need to run a web server using HTTPS is a private key and a certificate. You'll need a step to generate a certificate.

You can configure HTTPS in Tomcat using two almost completely different approaches, depending on whether you're using the APR connector or not.

If you're using the APR connector, it makes sense to use OpenSSL to generate the key/certificate, since that is the format it expects. (There are a number of tutorials on generating self-signed certificates with OpenSSL, if a self-signed certificate is sufficient for your environment.)

If you're not using APR, you have to convert the key/certificate generated with OpenSSL into a keystore format supported by your JRE. Coming from OpenSSL, converting your private key + certificate into a PKCS#12 store (.p12) is usually the easiest: this is supported directly by Oracle/OpenJDK with the PKCS12 keystore type. (You could convert your PKCS#12 file into a JKS store, but that's not necessary.)

However, if you don't have any key/certificate yet, the easiest way to generate a self-signed certificate for Tomcat is to use keytool directly. This produces a JKS keystore, which is the default type. keytool -genkey not only generates a key pair (enough to produce a CSR), but also associates a self-signed certificate with it (at least temporarily, until you import the certificate coming from a CA, if necessary).