tomcat https certificate settings

Tomcat certificate deployment

Get a certificate

If you entered a private key password when applying for the certificate, the Tomcat folder of the download package contains only the keystore www.domain.com.jks.
If no private key password was entered, the Tomcat folder of the download package contains both the keystore file www.domain.com.jks and the keystore password file keystorePass.txt.
If you chose to paste your own CSR, no Tomcat certificate file is provided for download; you have to convert the format yourself to generate it. The procedure is as follows:

A JKS keystore can be generated from the certificate file and private key file in the Nginx folder with the certificate conversion tool: https://www.trustasia.com/tools/cert-converter.htm
When using the tool, note the keystore password you enter: it is required again when installing the certificate (the keystorePass value in the connector configuration).

Certificate installation

Configure the SSL connector: copy the www.domain.com.jks file into the conf directory, then configure the server.xml file in the same directory:

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    keystoreFile="conf/www.domain.com.jks"
    keystorePass="changeit"
    clientAuth="false" sslProtocol="TLS" />

Note:

Configuration file parameter description
clientAuth: if set to true, Tomcat requires every SSL client to present a certificate, i.e. the client itself is authenticated.
keystoreFile: location of the keystore file, either an absolute path or a path relative to the environment variable that points at the Tomcat installation directory. If not set, Tomcat reads a file named ".keystore" from the home directory of the operating-system user it runs as.
keystorePass: the keystore password. (If you entered a private key password when applying for the certificate, the keystore password is that private key password; otherwise use the password from the keystore password file.)
sslProtocol: the encryption protocol used by the socket; the default is TLS.

Security configuration: automatically redirect HTTP to HTTPS

Open web.xml in the conf directory and add the following block after </welcome-file-list> and before </web-app>, i.e. as the second-to-last block of the file:

<login-config>
    <!-- CLIENT-CERT only applies to resources protected by an auth-constraint; none is declared here -->
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<security-constraint>
    <!-- CONFIDENTIAL forces every request matching /* onto the SSL connector (via redirectPort) -->
    <web-resource-collection>
        <web-resource-name>SSL</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

The purpose of this step is to make the non-SSL connector redirect to the SSL connector. For that you also need to configure server.xml:

<Connector port="8080" protocol="HTTP/1.1"
    connectionTimeout="20000"
    redirectPort="443" />

Set redirectPort to the port of the SSL connector, 443 here. The change takes effect after Tomcat is restarted.
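As an added example (not part of the original article), a small Python checker that parses server.xml and web.xml and verifies the three settings described above: an SSLEnabled connector with a keystore, a redirectPort on the plain HTTP connector that matches it, and a CONFIDENTIAL transport-guarantee on /*. The two XML strings are constructed samples modelled on the page's snippets; the keystore password check flags the JDK's well-known default "changeit".

```python
import xml.etree.ElementTree as ET
# Constructed samples modelled on the page's snippets (not real deployment files).
SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" />
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
    scheme="https" secure="true" keystoreFile="conf/www.domain.com.jks"
    keystorePass="changeit" clientAuth="false" sslProtocol="TLS" />
</Service></Server>"""
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
<security-constraint>
  <web-resource-collection><web-resource-name>SSL</web-resource-name>
    <url-pattern>/*</url-pattern></web-resource-collection>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint></security-constraint></web-app>"""

def check_tls_config(server_xml, web_xml):
    """Return a list of findings; an empty list means every check passed."""
    findings, ssl_ports, plain = [], set(), []
    for c in ET.fromstring(server_xml).iter("Connector"):
        port = c.get("port")
        if c.get("SSLEnabled", "false").lower() != "true":
            plain.append(c)
            continue
        ssl_ports.add(port)
        if not c.get("keystoreFile"):
            findings.append(f"SSL connector {port}: keystoreFile missing")
        # "changeit" is the JDK's well-known default keystore password
        if c.get("keystorePass") in (None, "changeit"):
            findings.append(f"SSL connector {port}: default or empty keystorePass")
    if not ssl_ports:
        findings.append("no SSLEnabled connector defined")
    # the plain HTTP connector must redirect to the port of an SSL connector
    for c in plain:
        if c.get("redirectPort") not in ssl_ports:
            findings.append(f"connector {c.get('port')}: redirectPort is not an SSL connector port")
    # web.xml: CONFIDENTIAL on /* is what triggers the redirect for every request
    root = ET.fromstring(web_xml)
    ns = root.tag[:root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    covered = any(
        "/*" in [p.text for p in sc.iter(ns + "url-pattern")]
        and sc.findtext(f"{ns}user-data-constraint/{ns}transport-guarantee") == "CONFIDENTIAL"
        for sc in root.iter(ns + "security-constraint"))
    if not covered:
        findings.append("web.xml: no CONFIDENTIAL transport-guarantee covering /*")
    return findings

if __name__ == "__main__":
    for f in check_tls_config(SERVER_XML, WEB_XML):
        print("FINDING:", f)
```

Run against the page's own values it reports only the default keystore password; point it at the real conf/server.xml and conf/web.xml contents to verify a deployment.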


Origin http://43.154.161.224:23101/article/api/json?id=326392121&siteId=291194637