Java Tomcat HTTPS keystore certificate
Disclaimer: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use or share it you must follow the same license, cite the original URL and attribute it to the original authors (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/2055314/
Tomcat HTTPS keystore certificate
Asked by tmbrggmn
Ran into another problem using SSL and Tomcat: I've configured a keystore which contains a key and a certificate (the server certificate I wish to present to the clients connecting to the site). I've done the same for the truststore (I'm going to need client authentication).
The problem I have now is that when I connect to my Tomcat instance via HTTPS, the certificate presented to me (the server certificate) is not my actual server certificate, but rather the key in the JKS keystore. Using -Djavax.net.debug=ssl reveals that it's presenting the correct CA for client authentication, but not the correct server certificate.
adding as trusted cert:
  Subject: CN=A
  Issuer:  CN=A
  Algorithm: RSA; Serial number: -
  Valid from Tue Nov 10 14:48:31 CET 2009 until Mon Feb 08 14:48:31 CET 2010

adding as trusted cert:
  Subject: X
  Issuer:  X
  Algorithm: RSA; Serial number: -
  Valid from Wed Jan 19 01:00:00 CET 2005 until Mon Jan 19 00:59:59 CET 2015
I've replaced the real values with place holders. A = the domain name of the server (but in this case, for some reason this is the key and not the certificate). X = a VeriSign CA (this should be correct). I have an existing certificate I would like to use to present to the clients, which I imported into a JKS keystore using keytool.
The Tomcat connector configuration:
<Connector port="444" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/ssl/keystore.jks"
           keystorePass="xx"
           keyAlias="testkey"
           truststoreFile="conf/ssl/truststore.jks"
           truststorePass="xx" />
Any idea why my Tomcat instance is not presenting the correct certificate?
Accepted answer by tmbrggmn
The problem is (apparently - I can not really confirm this) that it's impossible to properly import a previously generated certificate (and matching key) into a JKS keystore and have it presented properly by Tomcat.
The situation in which my problem occurred is as follows:
- I have a certificate file, which I generated myself using OpenSSL from scratch (key + CSR -> certificate), signed by my own CA.
- I wish to configure Tomcat so that it presents this particular certificate to the users connecting to my site.
The solution I found to work is:
Convert the existing certificate and its private key to the DER format. For example (using OpenSSL):
For the private key:
openssl pkcs8 -topk8 -nocrypt -in my_private_key.key -inform PEM -out my_private_key.der -outform DER
For the actual signed certificate:
openssl x509 -in my_certificate.crt -inform PEM -out my_certificate.der -outform DER
Import both DER files into a keystore (JKS file) using a custom Java class.
java ImportKey my_private_key.der my_certificate.der
I did not figure this out myself (all credit goes to the original inventor(s)). The source for this Java class, and some more details, can be found here and here. I modified this class slightly so that there is a 3rd (or 4th) parameter that specifies the output location of the resulting JKS file.
The end result is a JKS keystore which can then be used in the Tomcat Connector configuration as the keystore. The above tool will generate the JKS file with default passwords for the key and the JKS file itself; these can be changed later using keytool -storepasswd and keytool -keypasswd. Hope this helps people facing the same issue.
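The import step of the accepted answer, as an added example written for this page (it is not the ImportKey class the answer links to, and not Tomcat's code): a small Java program that reads the two DER files produced by the openssl commands above, checks that the private key really belongs to the certificate, and stores both under one alias as a PrivateKeyEntry, which is the entry type Tomcat's keyAlias must point at. The class name ImportKey, the helpers readCertificate, readPrivateKey and keyMatchesCertificate, and the JKS_PASSWORD environment variable are assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.List;

/**
 * Hypothetical ImportKey (added example, not the class linked from the answer):
 * stores a DER PKCS#8 private key and its DER X.509 certificate, plus optional
 * chain certificates, under ONE alias as a PrivateKeyEntry in a JKS keystore.
 *
 * Usage: JKS_PASSWORD=<pw> java ImportKey <key.der> <cert.der> <out.jks> <alias> [chain.der ...]
 */
public class ImportKey {

    /** Parses a DER X.509 certificate (output of: openssl x509 ... -outform DER). */
    static X509Certificate readCertificate(String path) throws IOException, GeneralSecurityException {
        byte[] der = Files.readAllBytes(Paths.get(path));
        return (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(der));
    }

    /** Parses an unencrypted DER PKCS#8 key (output of: openssl pkcs8 -topk8 -nocrypt ... -outform DER).
     *  The algorithm name ("RSA" or "EC") is taken from the certificate's public key. */
    static PrivateKey readPrivateKey(String path, String algorithm) throws IOException, GeneralSecurityException {
        byte[] der = Files.readAllBytes(Paths.get(path));
        return KeyFactory.getInstance(algorithm).generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    /** Sign-and-verify round trip: proves the private key matches the certificate's public key,
     *  so a wrong key file is rejected before it ever reaches the keystore. */
    static boolean keyMatchesCertificate(PrivateKey key, X509Certificate cert) throws GeneralSecurityException {
        String sigAlg = "EC".equals(key.getAlgorithm()) ? "SHA256withECDSA" : "SHA256withRSA";
        byte[] probe = "key-cert-match-probe".getBytes(StandardCharsets.UTF_8); // constructed test message
        Signature signer = Signature.getInstance(sigAlg);
        signer.initSign(key);
        signer.update(probe);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance(sigAlg);
        verifier.initVerify(cert.getPublicKey());
        verifier.update(probe);
        return verifier.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 4) {
            System.err.println("usage: JKS_PASSWORD=<pw> java ImportKey <key.der> <cert.der> <out.jks> <alias> [chain.der ...]");
            System.exit(2);
        }
        // No built-in default password: the caller supplies it (used for both store and key entry,
        // which matches Tomcat's behaviour of defaulting keyPass to keystorePass).
        String password = System.getenv("JKS_PASSWORD");
        if (password == null || password.isEmpty()) {
            System.err.println("JKS_PASSWORD environment variable must be set");
            System.exit(2);
        }
        X509Certificate leaf = readCertificate(args[1]);
        PrivateKey key = readPrivateKey(args[0], leaf.getPublicKey().getAlgorithm());
        if (!keyMatchesCertificate(key, leaf)) {
            System.err.println("private key does not match certificate " + leaf.getSubjectX500Principal());
            System.exit(1);
        }
        // KeyStore expects the chain ordered leaf first, then issuer(s) up toward the root.
        List<Certificate> chain = new ArrayList<>();
        chain.add(leaf);
        for (int i = 4; i < args.length; i++) {
            chain.add(readCertificate(args[i]));
        }

        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null); // start from an empty keystore
        ks.setKeyEntry(args[3], key, password.toCharArray(), chain.toArray(new Certificate[0]));
        try (FileOutputStream out = new FileOutputStream(args[2])) {
            ks.store(out, password.toCharArray());
        }
        System.out.println("stored PrivateKeyEntry '" + args[3] + "' (" + chain.size()
                + " certificate(s)) in " + args[2]);
    }
}
```

Compile with javac ImportKey.java and point the Connector's keystoreFile, keystorePass and keyAlias at the resulting file, password and alias. Passing the CA certificate(s) as extra arguments stores a complete chain under the alias, so Tomcat sends the intermediates to clients instead of only the leaf.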
Answer by Bozho
Your configuration should work correctly.
Tomcat's how-to explains the steps to take in order to have a proper JKS.
Make sure you have imported the certificate into the JKS with the appropriate alias (testKey).
Answer by SayeedHussain
Expanding on @Bozho comment,
This was really critical. "The key and the purchased certificate are to be under the same alias".
The SSL certificate bought from the CA (Verisign, Digicert etc.) should be imported with the same alias as the private key generated before creating the csr. After importing the purchased certificate into the keystore using java keytool, you will see "Certificate reply added to keystore".
To check the trust chain, use the terminal command openssl s_client -connect yourdomain.com:443 -showcerts. It starts at your cert and leads up to a trusted root CA.
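The points made by Bozho and SayeedHussain, checked programmatically as an added example (not code from any of the posters or from Tomcat): a hypothetical KeystoreAudit program that opens the keystore named in the Connector configuration and reports whether keyAlias is a PrivateKeyEntry whose leaf certificate is not self-signed, whether each certificate in the stored chain is signed by the next one, and whether the real server certificate was imported as a trustedCertEntry under some other alias (a leaf whose subject equals its issuer, like the CN=A entry in the question's debug output, is self-signed by definition). The names KeystoreAudit, audit and JKS_PASSWORD are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Hypothetical KeystoreAudit (added example): inspects what is stored under Tomcat's
 * keyAlias to explain an HTTPS connector that serves the wrong certificate.
 *
 * Usage: JKS_PASSWORD=<pw> java KeystoreAudit conf/ssl/keystore.jks testkey
 */
public class KeystoreAudit {

    /** Returns one finding per problem; an empty list means keyAlias looks usable by Tomcat. */
    static List<String> audit(KeyStore ks, String keyAlias) throws GeneralSecurityException {
        List<String> findings = new ArrayList<>();
        if (!ks.containsAlias(keyAlias)) {
            findings.add("alias '" + keyAlias + "' does not exist (check keyAlias in server.xml)");
            return findings;
        }
        // Tomcat needs a PrivateKeyEntry here; a trustedCertEntry has no key to handshake with.
        if (!ks.isKeyEntry(keyAlias)) {
            findings.add("alias '" + keyAlias + "' is a trustedCertEntry, not a PrivateKeyEntry");
            return findings;
        }
        Certificate[] chain = ks.getCertificateChain(keyAlias);
        if (chain == null || chain.length == 0) {
            findings.add("alias '" + keyAlias + "' has no certificate chain");
            return findings;
        }
        X509Certificate leaf = (X509Certificate) chain[0];

        // A self-signed leaf under the key alias is typically the placeholder certificate that
        // keytool created with the key pair; the CA-signed certificate went under another alias.
        if (leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
            findings.add("leaf under '" + keyAlias + "' is self-signed (" + leaf.getSubjectX500Principal()
                    + "): the signed certificate was not imported under this alias");
        }
        // The stored chain must link leaf -> issuer -> ... and every link must verify.
        for (int i = 0; i + 1 < chain.length; i++) {
            X509Certificate child = (X509Certificate) chain[i];
            X509Certificate issuer = (X509Certificate) chain[i + 1];
            if (!child.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
                findings.add("chain break at position " + i + ": issuer " + child.getIssuerX500Principal()
                        + " != next subject " + issuer.getSubjectX500Principal());
                continue;
            }
            try {
                child.verify(issuer.getPublicKey());
            } catch (GeneralSecurityException e) {
                findings.add("signature of chain[" + i + "] does not verify with chain[" + (i + 1) + "]: " + e);
            }
        }
        // Look for the real server certificate sitting under a different alias as a trustedCertEntry.
        for (String alias : Collections.list(ks.aliases())) {
            if (alias.equals(keyAlias) || !ks.isCertificateEntry(alias)) {
                continue;
            }
            X509Certificate other = (X509Certificate) ks.getCertificate(alias);
            if (other.getSubjectX500Principal().equals(leaf.getSubjectX500Principal()) && !other.equals(leaf)) {
                findings.add("alias '" + alias + "' holds a certificate for the same subject as a trustedCertEntry;"
                        + " Tomcat only serves the chain under keyAlias, so import it under '" + keyAlias + "'");
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: JKS_PASSWORD=<pw> java KeystoreAudit <keystore.jks> <keyAlias>");
            System.exit(2);
        }
        String password = System.getenv("JKS_PASSWORD");
        if (password == null) {
            System.err.println("JKS_PASSWORD environment variable must be set");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, password.toCharArray());
        }
        List<String> findings = audit(ks, args[1]);
        if (findings.isEmpty()) {
            System.out.println("OK: '" + args[1] + "' is a PrivateKeyEntry with a consistent chain");
        } else {
            findings.forEach(f -> System.out.println("PROBLEM: " + f));
            System.exit(1);
        }
    }
}
```

This looks inside the keystore before Tomcat starts; the openssl s_client command in the answer complements it by showing what the running server actually sends and whether that chain reaches a root the client trusts, which the audit above does not check.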