Configuring Tomcat 8.5 with an Alibaba Cloud free SSL certificate (PFX format certificate) [enabling the HTTPS protocol]

Basic concepts

SSL certificate: An SSL certificate is a kind of digital certificate, comparable to an electronic copy of a driver's license, passport or business license. Because it is installed on the server, it is also called an SSL server certificate.

An SSL certificate complies with the SSL protocol and is issued by a trusted certificate authority (CA) after the CA has verified the identity of the server; it provides server authentication and data encryption.

An SSL certificate lets the client browser and the web server establish a secure SSL channel. SSL (Secure Socket Layer) is a security protocol designed by Netscape Communications. It is used mainly to authenticate users and servers, to encrypt the transferred data so that it cannot be read in transit, and to guarantee that the data is not altered in transit, that is, its integrity. Because SSL support is built into all major browsers and web server programs, it has become a global standard: installing a server certificate is all that is needed to activate it. Once the SSL protocol is active, the data exchanged between client and server is encrypted, which prevents leakage of the transmitted information, and the user can verify from the server certificate that the site being visited is authentic.

A digital certificate, also called a digital ID or digital signature (Digital Certificate, Digital ID), is a file carrying a digital signature that provides a way to authenticate identities on the Internet. It is used to sign and certify the identity of both parties in network communication, comparable to a driver's license or ID card in everyday life. Digital certificates are mainly used for secure e-mail, access to secure sites, online bidding and tendering, online contracts, online ordering, secure online document transfer, online office work, online payment, online shopping, online tax filing and other secure online electronic transactions.

HTTPS protocol: HTTPS (full name: Hyper Text Transfer Protocol over Secure Socket Layer) is HTTP carried over a secure channel; put simply, it is the secure version of HTTP. It is HTTP with an SSL layer added: SSL is the security foundation of HTTPS, so the details of the encryption are handled by SSL. It is a URI scheme (abstract identifier system) whose syntax is identical to the http: scheme and is used for the secure transmission of HTTP data. An https: URL indicates that HTTP is being used, but with a default port different from HTTP and with an encryption/authentication layer (between HTTP and TCP). The system was originally developed by Netscape and built into its Netscape Navigator browser to provide authentication and an encrypted communication method. It is now widely used for security-sensitive communication on the World Wide Web, such as payment transactions.

The difference between HTTP and HTTPS: HTTP transmits data unencrypted, in clear text, so sending private information over HTTP is very unsafe. To allow data to be transmitted in encrypted form, Netscape designed the SSL (Secure Sockets Layer) protocol to encrypt the data carried over HTTP, and HTTPS was born. In short, HTTPS is SSL + HTTP: a protocol that supports encrypted transmission and network authentication, and is more secure than HTTP.

Official documentation

Tomcat 8.5 HTTP Connector reference: https://tomcat.apache.org/tomcat-8.5-doc/config/http.html

Steps

Obtain an SSL certificate

1. Apply for a free SSL certificate from Alibaba Cloud

Alibaba Cloud free SSL certificate request address: https://common-buy.aliyun.com/?spm=5176.10695662.958455.3.58d37d544FnuYs&commodityCode=cas#/buy

Download the SSL certificate

Tomcat configuration

Alibaba Cloud's official Tomcat configuration instructions for the SSL certificate:

Tomcat supports the JKS certificate format, and from Tomcat 7 onwards it also supports the PFX certificate format; either format can be used.
File description:

1. The certificate file xxxx.pem contains two sections; do not remove either of them.

2. If the CSR was generated by the system, the download also contains the certificate private key file xxxx.key, the PFX format certificate file xxxx.pfx, and the PFX certificate password file pfx-password.txt.

1. Certificate format conversion

Create a cert directory under the Tomcat installation directory and copy all the downloaded files into it. If the certificate was requested with a CSR you created yourself, the download contains only the xxxx.pem file, and you also need to copy your private key into the cert directory and name it xxxx.key; if the CSR was generated by the system, go directly to step 2.
In the cert directory, run the following command to convert the certificate to PFX format. The command prompts for an export password for the PFX certificate; set it here and keep it in mind, because Tomcat needs it later:

    openssl pkcs12 -export -out xxxx.pfx -inkey xxxx.key -in xxxx.pem

2. PFX certificate installation

Find the server.xml file under the Tomcat installation directory; by default it is in the conf folder. Locate the <Connector port="8443" tag and add the following attributes:

keystoreFile="cert/xxxx.pfx"
keystoreType="PKCS12"

Open server.xml, locate the following block and uncomment it.

Note: if the block cannot be found, add it directly.

Change it to:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="D:/apache-tomcat-8.5.15/cert/xxx.pfx"
                         certificateKeystoreType="PKCS12" certificateKeystorePassword="xxx" />
        </SSLHostConfig>
    </Connector>

Parameter information:

Attribute: Description
certificateRevocationListFile

The name of the file that contains the concatenated certificate revocation lists for the certificate authorities. The format is PEM-encoded. If not defined, client certificates will not be checked against a certificate revocation list (unless an OpenSSL based connector is used and certificateRevocationListPath is defined). Relative paths will be resolved against $CATALINA_BASE. JSSE based connectors may also specify a URL for this attribute.

certificateRevocationListPath

OpenSSL only.

The name of the directory that contains the certificate revocation lists for the certificate authorities. The format is PEM-encoded. Relative paths will be resolved against $CATALINA_BASE.

certificateVerification

Set to required if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. Set to optional if you want the SSL stack to request a client certificate, but not fail if one is not presented. Set to optionalNoCA if you want client certificates to be optional and you do not want Tomcat to check them against the list of trusted CAs. If the TLS provider does not support this option (OpenSSL does, JSSE does not), it is treated as if optional had been specified. A none value (the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.

certificateVerificationDepth

The maximum number of intermediate certificates allowed when verifying client certificates. If not specified, the default value of 10 will be used.

ciphers

The ciphers to enable, using the OpenSSL syntax. (See the OpenSSL documentation for the list of supported ciphers and the syntax.) Alternatively, a comma separated list of ciphers using the standard OpenSSL cipher names or the standard JSSE cipher names may be used.

For JSSE based connectors, when converting from OpenSSL syntax to JSSE ciphers, the behaviour of the OpenSSL syntax parsing is kept aligned with the behaviour of the OpenSSL 1.1.0 development branch.

Only the ciphers that are supported by the SSL implementation will be used.

If not specified, the default value (using OpenSSL notation) is HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA

Note that, by default, the order in which ciphers are defined is treated as an order of preference. See honorCipherOrder.

hostName

The name of the SSL host. This should be either a fully qualified domain name (e.g. tomcat.apache.org) or a wildcard domain name (e.g. *.apache.org). If not specified, the default value of _default_ will be used.

protocols

The names of the protocols to support when communicating with clients. This should be a list of any combination of the following:

  • SSLv2Hello
  • SSLv3
  • TLSv1
  • TLSv1.1
  • TLSv1.2
  • TLSv1.3
  • all

Each token in the list may be prefixed with a plus sign ("+") or a minus sign ("-"). A plus sign adds the protocol, a minus sign removes it from the current list. The list is built starting from an empty list.

The token all is an alias for SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3.

Note that TLSv1.3 is only supported by JSSE when using a JVM that implements TLSv1.3.

Note that SSLv2Hello will be ignored for OpenSSL based secure connectors. If more than one protocol is specified for an OpenSSL based secure connector, it will always support SSLv2Hello. If a single protocol is specified, it will not support SSLv2Hello.

Note that SSLv2 and SSLv3 are inherently unsafe.

If not specified, the default value of all will be used.

sessionCacheSize

The number of SSL sessions to maintain in the session cache. Specify -1 to use the implementation default. Values of zero and above are passed to the implementation. Zero is used to specify an unlimited cache size and is not recommended. If not specified, a default of -1 is used.

sessionTimeout

The time, in seconds, after the creation of an SSL session that it will time out. Specify -1 to use the implementation default. Values of zero and above are passed to the implementation. Zero is used to specify an unlimited timeout and is not recommended. If not specified, a default of 86400 (24 hours) is used.

sslProtocol

JSSE only.

The SSL protocol(s) to use (a single value may enable multiple protocols; see the JVM documentation for details). If not specified, the default is TLS. The permitted values may be obtained from the JVM documentation for the allowed values for algorithm when creating an SSLContext instance, e.g. Oracle Java 7. Note: there is overlap between this attribute and protocols.

Note: configuration for Tomcat 8.0 and below:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" 
               keystoreFile="F:\Keystore\tomcat.keystore"  
               keystorePass="123456"/>

Parameter information:

Attribute: Description

clientAuth

If set to true, Tomcat requires every SSL client to present a certificate and authenticates the SSL client.

keystoreFile

The location of the keystore file, given either as an absolute path or as a path relative to the <CATALINA_HOME> (Tomcat installation directory) environment variable. If not set, Tomcat by default reads a file named ".keystore" from the home directory of the current operating system user.

keystorePass

The keystore password. If not set, Tomcat uses "changeit" as the default password.

sslProtocol

The encryption/decryption protocol used by the socket; the default is TLS and users should not change this default.

ciphers

The list of ciphers the socket may use for encryption, separated by commas (,). If not set, the socket may by default use any available cipher.
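The following Python script is an added example, not code from the post, from Alibaba Cloud or from Tomcat. It lints the TLS settings of both Connector layouts shown above (the 8.5 SSLHostConfig/Certificate form and the 8.0 attribute form): it resolves the protocols token list using the rules from the attribute description (empty start list, "+"/"-" prefixes, the all alias), flags SSLv2/SSLv3 and the deprecated TLSv1/TLSv1.1 that the all default leaves on, checks that a .pfx keystore declares PKCS12, and catches the changeit default password. The server.xml it runs on is a constructed sample, and sslEnabledProtocols is the Tomcat 8.0 era Connector attribute for the protocol list.

```python
# Added example, not code from the post or from Tomcat: lint the TLS settings of Tomcat <Connector> elements.
import xml.etree.ElementTree as ET
ALL_PROTOCOLS = ["SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]  # what the "all" token expands to
RISKY = {"SSLv2": "unsafe", "SSLv3": "unsafe", "TLSv1": "legacy", "TLSv1.1": "legacy"}  # SSLv2/3 per Tomcat docs, TLS 1.0/1.1 per RFC 8996

def resolve_protocols(value):
    """Apply the protocols token rules: empty start list, '+' or no prefix adds, '-' removes, 'all' is an alias."""
    enabled = []
    for raw in ("all" if value is None else value).replace(",", " ").split():
        op, name = (raw[0], raw[1:]) if raw[0] in "+-" else ("+", raw)
        for proto in (ALL_PROTOCOLS if name.lower() == "all" else [name]):
            if op == "+" and proto not in enabled:
                enabled.append(proto)
            elif op == "-" and proto in enabled:
                enabled.remove(proto)
    return enabled

def lint_connector(conn):
    """Return findings for one SSLEnabled <Connector>, in the 8.5 SSLHostConfig layout or the 8.0 attribute layout."""
    host = conn.find("SSLHostConfig")
    cert = host.find("Certificate") if host is not None else None
    if cert is not None:  # Tomcat 8.5: keystore settings live on <Certificate>, protocols on <SSLHostConfig>
        ks_file, ks_type = cert.get("certificateKeystoreFile", ""), cert.get("certificateKeystoreType", "JKS")
        password, protocols = cert.get("certificateKeystorePassword", "changeit"), host.get("protocols")
    else:  # Tomcat 8.0: everything sits on the Connector; an empty sslEnabledProtocols means the JVM default
        ks_file, ks_type = conn.get("keystoreFile", ""), conn.get("keystoreType", "JKS")
        password, protocols = conn.get("keystorePass", "changeit"), conn.get("sslEnabledProtocols", "")
    findings = []
    if ks_file.lower().endswith(".pfx") and ks_type.upper() != "PKCS12":
        findings.append("PFX keystore %s needs keystoreType PKCS12, got %s" % (ks_file, ks_type))
    if password == "changeit":
        findings.append("keystore uses the Tomcat default password 'changeit'")
    for proto in resolve_protocols(protocols):
        if proto in RISKY:
            findings.append("%s protocol enabled: %s" % (RISKY[proto], proto))
    return findings

def lint_server_xml(xml_text):
    """Map the port of every SSLEnabled Connector to its findings."""
    root = ET.fromstring(xml_text)
    return {c.get("port"): lint_connector(c) for c in root.iter("Connector") if c.get("SSLEnabled") == "true"}

# Constructed sample: the post's 8.5 Connector with the protocol list tightened, and an 8.0 style one on defaults.
SAMPLE = """<Server><Service>
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true">
    <SSLHostConfig protocols="all,-SSLv2Hello,-TLSv1,-TLSv1.1">
      <Certificate certificateKeystoreFile="cert/xxxx.pfx" certificateKeystoreType="PKCS12" certificateKeystorePassword="example-password"/>
    </SSLHostConfig>
  </Connector>
  <Connector port="9443" SSLEnabled="true" keystoreFile="cert/xxxx.pfx" sslEnabledProtocols="TLSv1,TLSv1.2"/>
</Service></Server>"""
```

Running lint_server_xml(SAMPLE) reports nothing for port 8443 and three findings for port 9443 (JKS type on a .pfx file, the default password, and TLSv1 enabled).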

Save the file.

Restart Tomcat.

Access

https://domain:port

Note: the default port of the HTTPS protocol is 443.

FAQ

None yet.


Origin blog.csdn.net/weixin_43272781/article/details/104411451