Configuring HTTPS in Tomcat, and fixing the "server lacks an intermediate certificate" warning that appears after configuration (resolved)



Preparation

When you download the certificate from your CA, choose the Tomcat variant if one is offered. I downloaded it as a compressed package; after decompression it contains two files:

The file ending in .key is the private key belonging to the certificate
The file ending in .pem is the certificate itself (PEM-encoded)

First step

In the Tomcat directory, create a folder; I named mine cert. Unzip the downloaded certificate and copy the files into this folder. Tomcat loads the server certificate and private key from a keystore, either PKCS12 (.pfx/.p12) or JKS; pick whichever your Tomcat version supports. The downloaded files are neither, so they have to be converted into a .pfx or a .jks file (both work, choose one).
Go into the cert directory and run the following command to perform the PKCS12 (PFX) conversion. You will be asked to set an export password for the PFX; remember it, because it goes into server.xml as keystorePass:

openssl pkcs12 -export -out 2424966.pfx -inkey 2424966.key -in 2424966.pem

The output file name can be anything you like; when the command finishes, a .pfx file has been generated.
If your CA also supplied the intermediate certificate (in the .pem or as a separate chain file), include it in the export (openssl's -certfile option); that is what makes Tomcat send the full chain to clients.

Second step

Find server.xml in the Tomcat installation directory (by default it is in the conf folder), locate the <Connector port="xxx" element and add the following attributes. The complete configuration is as follows (set port to the port you actually use; a relative keystoreFile path is resolved against the Tomcat base directory):

<!-- keystoreFile is the path to the certificate file; replace it with your own file name.
     keystorePass: replace "certificate-password" with the password you set when exporting the PFX. -->
<Connector port="443"
    protocol="HTTP/1.1"
    SSLEnabled="true"
    scheme="https"
    secure="true"
    keystoreFile="cert/domain name.pfx"
    keystoreType="PKCS12"
    keystorePass="certificate-password"
    clientAuth="false"
    SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256"/>

After the configuration is complete, restart Tomcat and open the domain name over https to test. One caveat: TLSv1 and TLSv1.1 in the SSLProtocol attribute are deprecated (RFC 8996), and the TLS_RSA_* suites use static RSA key exchange with no forward secrecy. Unless you must support very old clients, restrict the protocols to TLSv1.2 (plus TLSv1.3 where the JDK supports it) and keep only the ECDHE suites; on Tomcat 8.5 and later these settings are better expressed in an <SSLHostConfig> element.

Certificate configuration method in jks format

Use the JDK's keytool to convert the PFX keystore into a JKS keystore (on Windows, run it from the %JAVA_HOME%\bin directory, or make sure that directory is on your PATH):

keytool -importkeystore -srckeystore 2424966.pfx -destkeystore your-name.jks -srcstoretype PKCS12 -deststoretype JKS

After pressing Enter you are prompted for the destination JKS password and the source PFX password. It is strongly recommended that the JKS password be the same as the PFX password, otherwise Tomcat may fail to start: keytool protects the imported private-key entry with the source (PFX) password, and Tomcat uses keystorePass as the key password unless keyPass is set separately. (The file names in the command can be changed to your own.) Note that JKS is a legacy format; since Java 9 keytool defaults to PKCS12 and warns when creating a JKS store, so the .pfx from the first step can normally be used as-is.
The writing method of the tomcat configuration file server.xml is as follows:

<!-- keystoreFile is the path to the certificate file; replace "domain name" with your own file name.
     keystorePass: replace "certificate-password" with the JKS password you chose above. -->
<Connector port="443"
    protocol="HTTP/1.1"
    SSLEnabled="true"
    scheme="https"
    secure="true"
    keystoreFile="cert/domain name.jks"
    keystoreType="JKS"
    keystorePass="certificate-password"
    clientAuth="false"
    SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256"/>

Save the changes and restart Tomcat to test. (The original post had keystoreType="PKCS12" here even though the file is a JKS store; the type must match the file, otherwise the keystore will not load.)

Fixing the "server lacks intermediate certificates" warning reported by certificate checkers

You can check the deployed HTTPS configuration at https://www.myssl.cn/tools/check-server-cert.html . The problem I ran into: opening the URL in a browser worked fine, but when the same server was used as the backend of a WeChat mini program, requests from the mini program failed, because the server was not sending the intermediate certificate. This showed up on Android but not on Apple devices (iOS fetches a missing intermediate via the Authority Information Access URL in the certificate; Android and most non-browser clients do not, so the server itself has to send the complete chain), but it still has to be fixed. The fix: generate the intermediate certificate for your certificate at https://www.myssl.cn/tools/downloadchain.html , append the generated intermediate certificate to the .pem certificate file downloaded earlier (server certificate first, then the intermediate), rebuild the .pfx or .jks using the HTTPS configuration method above, then restart Tomcat and test again.
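The PFX conversion in the first step and the intermediate-certificate fix above come down to the same thing: the keystore Tomcat loads must contain the intermediate CA certificate as well as the server certificate. The script below is an added example, not code from the original post. It assumes the openssl command line is installed and builds a throw-away root/intermediate/server chain itself so it runs offline; the file names (server.key, server.pem, inter.pem, server.pfx) and the password changeit are placeholders for the files and password from your own CA. It exports the keystore with and without the intermediate, counts what each one contains, and shows that a client that trusts only the root can validate the server certificate only when the intermediate is supplied, which is what an Android client sees.

```sh
# Added example (not from the original post): build the Tomcat PKCS12 keystore with
# the intermediate CA included, and show a client why that matters.
# Assumes the openssl CLI. The CA chain here is constructed on the fly; with a real
# certificate substitute the .key/.pem/chain files your CA sent you.

# make_test_chain DIR: constructed throw-away root CA -> intermediate CA -> server
# certificate, written into DIR (stand-in for what a public CA would deliver).
make_test_chain() {
  d="$1"
  mkdir -p "$d"
  # Minimal openssl config so the script does not depend on the system openssl.cnf.
  printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > "$d/ca.cnf"
  printf '[ v3_ca ]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' >> "$d/ca.cnf"
  printf '[ v3_leaf ]\nbasicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:www.example.com\n' >> "$d/ca.cnf"
  openssl req -x509 -config "$d/ca.cnf" -extensions v3_ca -newkey rsa:2048 -nodes -days 3650 \
    -subj '/CN=Test Root CA' -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -subj '/CN=Test Intermediate CA' -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 3650 -extfile "$d/ca.cnf" -extensions v3_ca -out "$d/inter.pem" 2>/dev/null
  openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -subj '/CN=www.example.com' -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" -CAcreateserial \
    -days 365 -extfile "$d/ca.cnf" -extensions v3_leaf -out "$d/server.pem" 2>/dev/null
}

# build_pfx KEY LEAF CHAIN OUT PASSWORD: the export from the post; when CHAIN is
# non-empty, -certfile packs the intermediate(s) into the keystore so Tomcat sends
# them to clients. (On OpenSSL 3 add -legacy if an old JDK cannot read the output.)
build_pfx() {
  if [ -n "$3" ]; then
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -out "$4" -passout "pass:$5"
  else
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$4" -passout "pass:$5"
  fi
}

# count_certs_in_pfx PFX PASSWORD: number of certificates stored in the keystore.
# 2 or more means the chain is there; 1 means only the server certificate.
count_certs_in_pfx() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# verify_leaf ROOT LEAF [INTERMEDIATE]: what a client does. ROOT is its trust store,
# INTERMEDIATE is whatever the server sent. Exit status 0 = certificate accepted.
verify_leaf() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# served_chain_length HOST [PORT]: run against the live server after restarting
# Tomcat; 1 means the intermediate is still missing from the keystore.
served_chain_length() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Demo: PFX_DEMO=1 sh this_script.sh
if [ "${PFX_DEMO:-}" = 1 ]; then
  w=$(mktemp -d)
  make_test_chain "$w"
  build_pfx "$w/server.key" "$w/server.pem" "" "$w/nochain.pfx" changeit
  build_pfx "$w/server.key" "$w/server.pem" "$w/inter.pem" "$w/server.pfx" changeit
  echo "certificates in nochain.pfx: $(count_certs_in_pfx "$w/nochain.pfx" changeit)"
  echo "certificates in server.pfx:  $(count_certs_in_pfx "$w/server.pfx" changeit)"
  verify_leaf "$w/root.pem" "$w/server.pem" && echo "leaf alone: accepted" || echo "leaf alone: rejected (no intermediate)"
  verify_leaf "$w/root.pem" "$w/server.pem" "$w/inter.pem" && echo "leaf + intermediate: accepted"
fi
```

Run it with PFX_DEMO=1 to see both keystores side by side. With a real certificate, pass your CA's chain file as the CHAIN argument of build_pfx; after restarting Tomcat, served_chain_length your.domain should report 2 or more, and a result of 1 means the intermediate is still not being sent.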


Source: blog.csdn.net/javaXiaoAnRan/article/details/96427995