How to get a free https certificate

https://gethttpsforfree.com/ offers a way to obtain free https certificates; the certificates are issued by the non-profit certificate authority Let's Encrypt.

https://gethttpsforfree.com/

You can now get free https certificates from the non-profit certificate authority Let's Encrypt! This is a website that will take you through the manual steps to get your free https certificate so you can make your own website use https! This website is open source and NEVER asks for your private keys. Never trust a website that asks for your private keys!


https://community.letsencrypt.org/t/rate-limits-for-lets-encrypt/6769

Rate limits that apply when obtaining free https certificates from Let's Encrypt.


https://letsencrypt.org/certificates/

Let's Encrypt's root and intermediate certificates

Cross Signing

Our intermediate Let's Encrypt Authority X1 represents a single public/private key pair. The private key of that pair generates the signature for all end-entity certificates (also known as leaf certificates), i.e. the certificates we issue for use on your server.


Our intermediate is signed by ISRG Root X1. However, since we are a very new certificate authority, ISRG Root X1 is not yet trusted in most browsers. In order to be broadly trusted right away, our intermediate is also cross-signed by another certificate authority, IdenTrust, whose root is already trusted in all major browsers. Specifically, IdenTrust has cross-signed our intermediate using their DST Root CA X3.

That means there are two certificates available that both represent our intermediate. One is signed by DST Root CA X3, and the other is signed by ISRG Root X1. The easiest way to distinguish the two is by looking at their Issuer field.


The DST Root CA X3 certificate

https://www.identrust.com/certificates/trustid/root-download-x3.html

https://www.identrust.com/certificates/trustid/install-miis4.html

a) Copy and paste the contents of the certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- into a text file.

b) Save the file as * certificate.crt on your computer.

Note: the certificate file must not contain any spaces, otherwise the import fails with an error.

Steps to obtain free https certificates with gethttpsforfree.com

https://gethttpsforfree.com/

Step 1: Enter account information.

Enter your email address.

Create an RSA key pair with openssl, export the public key, and paste it in.

Note: a public key exported with the JDK's keytool never passes validation here. Since the later verification steps all use openssl anyway, simply use openssl to generate the key pair and export the public key.

Click "Validate Account Info"; if validation passes, the page shows "Looks good! Proceed to Step 2!".


Step 2: Enter the CSR (Certificate Signing Request)

The example on the page creates the TLS private key and generates the CSR with openssl. If you need to manage certificates stored in a Java keystore with keytool, things are slightly different. A CSR generated by keytool is wrapped in -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----, while a CSR generated by openssl is wrapped in -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----. The site only accepts the openssl CSR format, so change the header and footer lines of the keytool CSR before pasting it into the corresponding text box on the page.

Click "Validate CSR"; if validation passes, the page shows "Found domains! Proceed to Step 3!".


The keytool commands for generating a CSR, for reference:

keytool -genkeypair -dname "CN=www.mysite.com" -keyalg RSA -alias mysite -keypass 123456 -keystore my.jks  -storepass 123456 -validity 3650

keytool -certreq -keyalg RSA -keystore my.jks -storepass 123456 -alias mysite


Step 3: Sign API Requests

Let's Encrypt requires every request you send it to be signed with your private key. Copy the commands shown on the page to the machine where you generated the key pair in step 1, run them, and paste the output into the text box below each command. Make sure PRIV_KEY in the commands points to your private key.

Click "Validate Signatures"; if validation passes, the page shows "Step 3 complete! Please proceed to Step 4.".


Step 4: Verify Ownership of the domain

As before, sign the commands first.

If the server is a Python server, you can choose the first verification method and run the command.

For any other server, choose the second verification method: place a file with the specified name and content in the specified directory on the server.

Click "I'm now serving..."; if verification passes, the page shows "Domain verified!".

If the CSR contains several domains, each domain has to be verified.


Step 5: Install Certificate

"Signed Certificate" is the certificate issued for your CSR; copy it and save it as response.crt. "Intermediate Certificate" is the intermediate certificate; copy it and save it as intermediate.crt. Download the DST Root CA X3 certificate and save it as root.crt.

Import root.crt, intermediate.crt and response.crt into the Java keystore, in that order. The following commands can be used as a reference:

keytool -importcert -alias root -keystore my.jks -trustcacerts -file root.crt

keytool -importcert -alias intermed -keystore my.jks -trustcacerts -file intermediate.crt

keytool -importcert -alias mysite -keystore my.jks -trustcacerts -file response.crt


Then configure this Java keystore in Tomcat's server.xml and restart Tomcat.
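As an added example (not from the original post, gethttpsforfree.com or Let's Encrypt), a small POSIX shell helper for two points above: it rewrites the keytool CSR armour into the openssl form the site accepts (step 2), and it checks that a PEM block you are about to paste or import has the expected BEGIN/END lines and no whitespace inside its body, the cause of the import errors noted for the root certificate. The CSR body below is a constructed placeholder, not a real request.

```shell
# Constructed stand-in for `keytool -certreq` output; the body lines are a
# placeholder, not a real request.
KEYTOOL_CSR='-----BEGIN NEW CERTIFICATE REQUEST-----
MIICplaceholderBase64Line1
placeholderBase64Line2==
-----END NEW CERTIFICATE REQUEST-----'

# Rewrite only the armour lines keytool emits into the openssl form that
# gethttpsforfree.com accepts; the base64 body passes through untouched.
convert_csr() {
    sed -e 's/^-----BEGIN NEW CERTIFICATE REQUEST-----$/-----BEGIN CERTIFICATE REQUEST-----/' \
        -e 's/^-----END NEW CERTIFICATE REQUEST-----$/-----END CERTIFICATE REQUEST-----/'
}

# Check a PEM block read from stdin. $1 is the expected label: "CERTIFICATE REQUEST"
# for a CSR, "CERTIFICATE" for root.crt / intermediate.crt / response.crt.
# Fails on a wrong BEGIN/END line or on whitespace inside a body line.
check_pem() {
    label=$1
    first=''; last=''; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        [ "$n" -eq 1 ] && first=$line
        last=$line
        case $line in
            -----*) ;;    # armour lines legitimately contain spaces
            *[[:space:]]*) echo "line $n contains whitespace" >&2; return 1 ;;
        esac
    done
    [ "$first" = "-----BEGIN $label-----" ] || { echo "bad BEGIN line: $first" >&2; return 1; }
    [ "$last" = "-----END $label-----" ] || { echo "bad END line: $last" >&2; return 1; }
}

# Typical use:
#   printf '%s\n' "$KEYTOOL_CSR" | convert_csr > mysite.csr
#   check_pem "CERTIFICATE REQUEST" < mysite.csr && echo "ready to paste"
#   check_pem "CERTIFICATE" < root.crt && echo "safe to import"
```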


Reposted from epy.iteye.com/blog/2289953