【Https（二】】实战 openssl 配置 tomcat

CA私钥

使用如下命令生成CA私钥:

openssl genrsa -out CaPriKey.pem

直接查看私钥文件：

openssl生成的相关文件均以pem格式存储，pem仅仅是一种文件格式，以特定的标记开头和结尾。

可以使用如下命令输出私钥明文：

openssl rsa -in CaPriKey.pem -text

明文：

Private-Key: (2048 bit)
modulus:00:d2:23:47:32:3d:57:89:e3:b9:d6:0d:2a:9e:36:0a:c2:4d:fd:3c:6c:73:cd:45:13:64:89:f9:74:16:d8:e5:86:81:64:04:25:f8:ce:d0:14:04:b1:b0:af:60:e3:65:f1:ec:25:87:d1:19:56:41:56:b4:09:1e:ac:94:84:80:cd:fd:8e:da:83:23:6a:ad:83:d1:e8:dd:4d:34:b1:88:1d:7e:fb:11:80:67:50:a9:5f:d2:af:fb:36:ef:60:48:ea:6a:8a:3f:e6:aa:c7:6c:c1:28:82:82:03:d7:20:67:02:6c:8d:31:dd:d6:10:eb:49:ba:13:76:c8:bf:a8:a8:fe:55:0f:2e:6d:9e:9b:0d:cf:30:8e:0c:4f:67:71:7b:ee:58:a7:46:52:ac:76:1c:af:24:b4:59:0d:18:9c:96:36:68:d1:4d:9d:de:df:6d:d5:25:cb:f0:09:9d:11:7a:08:87:6a:59:ab:fc:d0:c4:03:24:13:cc:6d:59:de:43:9e:80:f8:84:b8:b1:66:f2:53:54:0d:33:9c:21:dd:59:a9:ce:1d:41:12:22:2c:91:41:5d:5f:73:b3:d9:27:e1:39:b9:cd:5f:38:a2:42:00:3d:6a:1e:51:32:e2:a9:80:5b:08:99:18:44:79:e3:68:c9:31:96:fb:48:ee:c9:da:63
publicExponent: 65537 (0x10001)
privateExponent:11:b4:ab:41:0e:6e:1b:ce:36:50:54:d7:ac:70:fd:43:15:f3:2a:6e:30:eb:b0:d0:4b:7e:5c:a8:6d:6c:65:1a:8a:38:75:29:05:e7:d7:1c:78:b0:c8:24:5e:d3:8a:39:72:1e:4f:6d:4c:e7:39:a6:26:91:46:26:60:75:31:ad:29:9a:29:cb:36:e6:bc:2c:09:39:c7:bb:c3:9e:d9:cb:32:71:d1:2d:b2:86:d7:5e:9d:8f:fa:68:cc:8e:9e:56:32:17:e7:fe:75:91:4c:16:92:65:3c:b3:3a:23:1e:ca:d3:7e:aa:1e:f8:f4:7f:fe:bc:50:fb:87:3a:ae:e9:5e:2d:8c:98:b9:01:ba:5e:de:9b:64:a3:0b:aa:ad:c8:aa:10:c2:61:ad:f1:a9:cb:46:ca:f7:e7:27:24:15:44:55:b0:32:56:fc:e0:67:d7:a9:db:2f:53:c1:2d:11:dc:33:1e:ca:49:78:29:ea:86:48:46:62:3f:b4:49:54:03:31:11:c1:ff:6f:73:99:c7:82:78:cb:9c:32:00:60:5a:1e:c9:ab:cd:e9:f2:f9:39:3b:78:b5:c5:09:39:e4:f5:e3:f7:f6:86:e1:ba:9b:02:db:e6:1d:9e:b8:73:a5:ea:9b:24:04:89:1a:42:1b:9e:4c:d3:c5:7a:56:3f:a1:ac:41
prime1:00:f0:21:16:c5:db:4b:fd:4a:db:a6:c8:2f:65:cf:29:c8:e2:bb:68:0d:08:08:e6:8a:ff:4a:fd:85:d3:08:1c:d6:19:9f:fb:a2:94:97:2e:72:8b:58:48:9b:ba:9e:2c:7e:b6:f3:2a:0e:3b:e7:a8:0e:e3:6f:01:f9:87:7c:9d:92:b2:a9:ea:fa:06:08:15:4d:3e:1d:27:f8:4d:c5:92:36:24:21:31:3a:a7:a4:f6:a4:e2:bb:5d:bd:f8:82:2c:f8:11:c2:10:b1:b2:2a:51:99:92:bf:95:89:85:d2:bc:b1:96:74:83:02:28:32:bc:ab:19:2f:f6:e7:c8:fb:91:11
prime2:00:e0:06:be:4a:a6:af:ed:e3:14:50:04:f7:f6:cf:b1:01:83:11:1f:11:78:ac:c6:1b:b2:7f:ca:47:cb:43:6a:de:1b:15:2b:d1:39:30:3a:db:19:9b:d9:d8:79:71:7b:7b:65:96:3c:34:8b:78:d0:e8:13:47:82:a9:8d:32:cd:07:f5:d9:58:dd:c6:7a:ff:b0:7d:b0:05:d1:0c:a2:be:4f:f9:f9:7c:26:6f:59:53:bd:ac:ee:2e:4c:b6:8b:32:38:4c:69:ef:4a:b1:90:9d:2a:9c:6c:23:81:32:a2:5d:9e:f0:89:0a:24:68:3a:10:83:3f:e3:12:4c:d7:ec:b4:33
exponent1:00:90:af:5f:49:58:19:31:45:29:94:14:8a:7a:8d:98:5f:b2:3d:b9:34:20:e3:3c:06:04:4c:ea:f4:f7:72:ab:ed:55:03:50:5b:65:ac:b2:0f:d2:66:1f:59:b5:d8:18:77:41:44:c2:d2:50:c6:04:3c:f4:4c:ae:a3:eb:3e:ea:b2:b9:74:28:60:fd:c1:61:14:69:98:a7:bc:b5:1f:96:39:89:0b:76:de:20:a5:04:f7:d4:a5:90:96:26:66:49:32:2f:80:ff:0e:12:8b:ed:1e:db:8d:14:4d:08:95:31:9c:cf:4a:e4:a5:28:13:6a:1a:ad:d2:78:b2:b0:26:e4:01
exponent2:71:62:b8:59:6c:38:4a:fc:cd:c1:1a:62:ae:66:bc:3d:f9:aa:66:c1:1f:04:c3:58:2d:66:04:69:85:f5:5f:57:7e:f9:9e:2d:cc:f6:1e:33:da:a8:49:00:09:a7:68:4a:32:46:71:be:5e:81:0d:ab:08:66:ff:38:f5:a0:2a:a9:c6:c2:f4:f9:7a:85:b2:78:0f:85:51:cc:56:ca:df:eb:f6:a7:51:30:da:d6:a9:4d:ad:02:f8:28:17:94:28:1c:da:80:1b:7f:00:94:23:17:f8:07:bb:88:9e:aa:13:1c:68:bd:d3:86:4d:c2:65:ad:28:5e:b3:5a:75:46:f6:85
coefficient:00:a1:28:b4:fd:74:22:b7:03:16:00:36:0d:f5:ff:d8:f4:7b:f6:4e:52:d1:3a:2f:1a:33:a1:26:fd:cd:54:71:40:cc:76:f9:89:bf:91:b2:ad:c6:52:05:23:6d:78:c5:67:15:1c:5a:07:27:e3:02:70:de:04:76:35:1c:62:43:6c:c5:1b:b9:ab:93:b3:aa:00:9f:45:b8:29:e1:c9:76:7b:79:7d:1a:43:f0:0f:dd:23:4f:24:79:ae:c9:71:04:d6:0d:43:e1:16:ee:86:9a:02:a3:d2:4a:06:c2:1e:99:79:6b:d1:e4:ee:38:50:99:97:28:b7:43:ab:e9:c1:0e:20
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA0iNHMj1XieO51g0qnjYKwk39PGxzzUUTZIn5dBbY5YaBZAQl
+M7QFASxsK9g42Xx7CWH0RlWQVa0CR6slISAzf2O2oMjaq2D0ejdTTSxiB1++xGA
Z1CpX9Kv+zbvYEjqaoo/5qrHbMEogoID1yBnAmyNMd3WEOtJuhN2yL+oqP5VDy5t
npsNzzCODE9ncXvuWKdGUqx2HK8ktFkNGJyWNmjRTZ3e323VJcvwCZ0RegiHalmr
/NDEAyQTzG1Z3kOegPiEuLFm8lNUDTOcId1Zqc4dQRIiLJFBXV9zs9kn4Tm5zV84
okIAPWoeUTLiqYBbCJkYRHnjaMkxlvtI7snaYwIDAQABAoIBABG0q0EObhvONlBU
16xw/UMV8ypuMOuw0Et+XKhtbGUaijh1KQXn1xx4sMgkXtOKOXIeT21M5zmmJpFG
JmB1Ma0pminLNua8LAk5x7vDntnLMnHRLbKG116dj/pozI6eVjIX5/51kUwWkmU8
szojHsrTfqoe+PR//rxQ+4c6ruleLYyYuQG6Xt6bZKMLqq3IqhDCYa3xqctGyvfn
JyQVRFWwMlb84GfXqdsvU8EtEdwzHspJeCnqhkhGYj+0SVQDMRHB/29zmceCeMuc
MgBgWh7Jq83p8vk5O3i1xQk55PXj9/aG4bqbAtvmHZ64c6XqmyQEiRpCG55M08V6
Vj+hrEECgYEA8CEWxdtL/UrbpsgvZc8pyOK7aA0ICOaK/0r9hdMIHNYZn/uilJcu
cotYSJu6nix+tvMqDjvnqA7jbwH5h3ydkrKp6voGCBVNPh0n+E3FkjYkITE6p6T2
pOK7Xb34giz4EcIQsbIqUZmSv5WJhdK8sZZ0gwIoMryrGS/258j7kRECgYEA4Aa+
Sqav7eMUUAT39s+xAYMRHxF4rMYbsn/KR8tDat4bFSvROTA62xmb2dh5cXt7ZZY8
NIt40OgTR4KpjTLNB/XZWN3Gev+wfbAF0Qyivk/5+Xwmb1lTvazuLky2izI4TGnv
SrGQnSqcbCOBMqJdnvCJCiRoOhCDP+MSTNfstDMCgYEAkK9fSVgZMUUplBSKeo2Y
X7I9uTQg4zwGBEzq9Pdyq+1VA1BbZayyD9JmH1m12Bh3QUTC0lDGBDz0TK6j6z7q
srl0KGD9wWEUaZinvLUfljmJC3beIKUE99SlkJYmZkkyL4D/DhKL7R7bjRRNCJUx
nM9K5KUoE2oardJ4srAm5AECgYBxYrhZbDhK/M3BGmKuZrw9+apmwR8Ew1gtZgRp
hfVfV375ni3M9h4z2qhJAAmnaEoyRnG+XoENqwhm/zj1oCqpxsL0+XqFsngPhVHM
Vsrf6/anUTDa1qlNrQL4KBeUKBzagBt/AJQjF/gHu4ieqhMcaL3Thk3CZa0oXrNa
dUb2hQKBgQChKLT9dCK3AxYANg31/9j0e/ZOUtE6LxozoSb9zVRxQMx2+Ym/kbKt
xlIFI214xWcVHFoHJ+MCcN4EdjUcYkNsxRu5q5OzqgCfRbgp4cl2e3l9GkPwD90j
TyR5rslxBNYNQ+EW7oaaAqPSSgbCHpl5a9Hk7jhQmZcot0Or6cEOIA==
-----END RSA PRIVATE KEY-----

另外，RSA算法的私钥是以PCKS协议存储的，所以可以从私钥中到处匹配的公钥，详情见：https://blog.csdn.net/zhymax/article/details/7683925#

这也是为什么这一步只生成了私钥文件，而没有公钥。当然我们可以使用如下命令导入对应的公钥：

openssl rsa -in CaPriKey.pem -pubout -out CaPubKey.pem

公钥明文：

CA证书请求

所谓证书请求就是一个csr文件，里面会包括申请者的身份信息以及公钥，然后由CA结构对该身份信息进行认证，生成证书。生成csr命令：

openssl req -new -out CaReq.csr -key CaPriKey.pem

如之前的介绍，这里传入私钥的目的是反解出公钥。查看该csr文件：

也可以使用如下命令查看csr文件明文：

openssl req -in CaReq.csr -noout -text

明文：

Certificate Request:Data:Version: 0 (0x0)Subject: C=CN, ST=ShanXi, L=XinZhou, O=LY, OU=LiYao, CN=Root CA/emailAddress=ca@xx.comSubject Public Key Info:Public Key Algorithm: rsaEncryptionPublic-Key: (2048 bit)Modulus:00:d2:23:47:32:3d:57:89:e3:b9:d6:0d:2a:9e:36:0a:c2:4d:fd:3c:6c:73:cd:45:13:64:89:f9:74:16:d8:e5:86:81:64:04:25:f8:ce:d0:14:04:b1:b0:af:60:e3:65:f1:ec:25:87:d1:19:56:41:56:b4:09:1e:ac:94:84:80:cd:fd:8e:da:83:23:6a:ad:83:d1:e8:dd:4d:34:b1:88:1d:7e:fb:11:80:67:50:a9:5f:d2:af:fb:36:ef:60:48:ea:6a:8a:3f:e6:aa:c7:6c:c1:28:82:82:03:d7:20:67:02:6c:8d:31:dd:d6:10:eb:49:ba:13:76:c8:bf:a8:a8:fe:55:0f:2e:6d:9e:9b:0d:cf:30:8e:0c:4f:67:71:7b:ee:58:a7:46:52:ac:76:1c:af:24:b4:59:0d:18:9c:96:36:68:d1:4d:9d:de:df:6d:d5:25:cb:f0:09:9d:11:7a:08:87:6a:59:ab:fc:d0:c4:03:24:13:cc:6d:59:de:43:9e:80:f8:84:b8:b1:66:f2:53:54:0d:33:9c:21:dd:59:a9:ce:1d:41:12:22:2c:91:41:5d:5f:73:b3:d9:27:e1:39:b9:cd:5f:38:a2:42:00:3d:6a:1e:51:32:e2:a9:80:5b:08:99:18:44:79:e3:68:c9:31:96:fb:48:ee:c9:da:63Exponent: 65537 (0x10001)Attributes:challengePassword        :unable to print attributeSignature Algorithm: sha256WithRSAEncryption4c:2c:82:a6:df:ab:c8:25:4c:b6:14:62:81:68:6b:22:16:34:be:ae:87:aa:41:8c:77:1f:90:94:f1:bc:d4:22:97:8d:08:c9:e6:ec:b9:b1:20:98:73:dc:62:39:be:cb:f3:a9:21:06:61:e9:fa:db:c1:3e:78:b7:2e:0a:87:ab:f8:5b:1f:2a:70:58:9f:b0:e5:0c:35:02:d9:3b:8b:4d:2d:9d:ff:da:b7:69:df:89:e9:8a:e7:32:92:c7:3f:a7:f2:8d:59:eb:f5:a7:89:bb:3d:ad:7f:a1:fa:8c:ce:df:20:f2:30:29:b1:82:99:23:cf:f3:54:c2:b1:90:1e:6d:40:e3:a5:ae:62:21:73:76:12:10:55:de:3b:ef:fc:ad:9e:a5:5c:4a:b1:e8:93:9e:0b:be:3b:2d:cd:36:8a:f8:67:99:db:fc:b1:c8:25:f0:a5:27:6f:66:cc:25:07:f0:8f:7f:17:27:61:d2:eb:bc:de:d6:c1:bf:00:28:f4:7a:0b:bb:b0:e7:62:8e:dc:d9:00:66:d8:fb:91:5d:08:e4:a2:0b:f3:d5:4b:19:53:30:f7:0a:e1:9b:24:11:2f:7e:e1:7f:89:00:d3:73:8e:64:5e:8d:ce:7e:38:75:c7:a9:31:41:48:64:33:02:e6:9a:70:c7:17:5c:fd:a0:aa:3d

可以看到csr其实就是身份信息，包括了公钥，基本信息以及签名。

生成自签证书

使用Ca的私钥对csr文件自签名：

openssl x509 -req -in CaReq.csr -out CaCer.pem -signkey CaPriKey.pem -days 365

csr原信息：

使用如下命令查看证书明文：

openssl x509 -in CaCer.pem -noout -text

证书明文：

Certificate:Data:Version: 1 (0x0)Serial Number: 12547342102288706766 (0xae211d29d238acce)Signature Algorithm: sha1WithRSAEncryptionIssuer: C=CN, ST=ShanXi, L=XinZhou, O=LY, OU=LiYao, CN=Root CA/emailAddress=ca@xx.comValidityNot Before: May  2 14:13:49 2020 GMTNot After : May  2 14:13:49 2021 GMTSubject: C=CN, ST=ShanXi, L=XinZhou, O=LY, OU=LiYao, CN=Root CA/emailAddress=ca@xx.comSubject Public Key Info:Public Key Algorithm: rsaEncryptionPublic-Key: (2048 bit)Modulus:00:d2:23:47:32:3d:57:89:e3:b9:d6:0d:2a:9e:36:0a:c2:4d:fd:3c:6c:73:cd:45:13:64:89:f9:74:16:d8:e5:86:81:64:04:25:f8:ce:d0:14:04:b1:b0:af:60:e3:65:f1:ec:25:87:d1:19:56:41:56:b4:09:1e:ac:94:84:80:cd:fd:8e:da:83:23:6a:ad:83:d1:e8:dd:4d:34:b1:88:1d:7e:fb:11:80:67:50:a9:5f:d2:af:fb:36:ef:60:48:ea:6a:8a:3f:e6:aa:c7:6c:c1:28:82:82:03:d7:20:67:02:6c:8d:31:dd:d6:10:eb:49:ba:13:76:c8:bf:a8:a8:fe:55:0f:2e:6d:9e:9b:0d:cf:30:8e:0c:4f:67:71:7b:ee:58:a7:46:52:ac:76:1c:af:24:b4:59:0d:18:9c:96:36:68:d1:4d:9d:de:df:6d:d5:25:cb:f0:09:9d:11:7a:08:87:6a:59:ab:fc:d0:c4:03:24:13:cc:6d:59:de:43:9e:80:f8:84:b8:b1:66:f2:53:54:0d:33:9c:21:dd:59:a9:ce:1d:41:12:22:2c:91:41:5d:5f:73:b3:d9:27:e1:39:b9:cd:5f:38:a2:42:00:3d:6a:1e:51:32:e2:a9:80:5b:08:99:18:44:79:e3:68:c9:31:96:fb:48:ee:c9:da:63Exponent: 65537 (0x10001)Signature Algorithm: sha1WithRSAEncryption18:b0:86:ed:76:c1:7e:07:78:44:27:c8:0d:16:cc:74:11:34:34:92:54:dd:2d:72:96:92:34:f2:47:0a:23:2d:3f:04:6f:27:bb:4f:87:f9:fc:de:e8:c1:39:32:0a:42:0e:64:f9:5b:ac:bc:e0:29:18:d6:d7:8e:68:7b:ce:e6:db:bd:02:d8:fc:1b:ff:87:b7:ff:ae:67:48:6e:64:5f:af:04:47:89:03:0d:09:20:d6:c8:f0:c0:8b:69:3d:8f:bc:98:34:1d:9b:e7:d7:13:d8:24:b8:d2:bc:bb:db:62:79:f8:81:e4:52:af:df:ba:fc:7b:03:e9:c8:39:0b:c4:ad:c3:5f:e8:f3:13:51:0e:d0:ba:a1:51:fb:23:4c:9b:cd:10:92:f4:bd:fe:8e:70:da:db:0d:3d:90:4c:88:e5:eb:78:cd:20:6d:a3:92:79:3e:19:db:f8:8f:b2:0a:37:8b:3f:20:ac:a7:e2:0e:34:76:f6:c3:07:af:36:f3:a3:2a:2d:62:98:ba:df:8f:76:ea:54:8e:c0:bf:6b:80:86:b7:a9:aa:44:92:47:94:a6:25:2c:7a:43:73:98:d3:81:04:e6:5c:77:59:20:ca:35:eb:d6:63:a9:3f:5f:3b:4e:ce:e8:34:ab:17:c2:a4:71:71:6d:58:2a:9e:ef:7e:37
-----BEGIN CERTIFICATE-----
MIIDbjCCAlYCCQCuIR0p0jiszjANBgkqhkiG9w0BAQUFADB5MQswCQYDVQQGEwJD
TjEPMA0GA1UECAwGU2hhblhpMRAwDgYDVQQHDAdYaW5aaG91MQswCQYDVQQKDAJM
WTEOMAwGA1UECwwFTGlZYW8xEDAOBgNVBAMMB1Jvb3QgQ0ExGDAWBgkqhkiG9w0B
CQEWCWNhQHh4LmNvbTAeFw0yMDA1MDIxNDEzNDlaFw0yMTA1MDIxNDEzNDlaMHkx
CzAJBgNVBAYTAkNOMQ8wDQYDVQQIDAZTaGFuWGkxEDAOBgNVBAcMB1hpblpob3Ux
CzAJBgNVBAoMAkxZMQ4wDAYDVQQLDAVMaVlhbzEQMA4GA1UEAwwHUm9vdCBDQTEY
MBYGCSqGSIb3DQEJARYJY2FAeHguY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEA0iNHMj1XieO51g0qnjYKwk39PGxzzUUTZIn5dBbY5YaBZAQl+M7Q
FASxsK9g42Xx7CWH0RlWQVa0CR6slISAzf2O2oMjaq2D0ejdTTSxiB1++xGAZ1Cp
X9Kv+zbvYEjqaoo/5qrHbMEogoID1yBnAmyNMd3WEOtJuhN2yL+oqP5VDy5tnpsN
zzCODE9ncXvuWKdGUqx2HK8ktFkNGJyWNmjRTZ3e323VJcvwCZ0RegiHalmr/NDE
AyQTzG1Z3kOegPiEuLFm8lNUDTOcId1Zqc4dQRIiLJFBXV9zs9kn4Tm5zV84okIA
PWoeUTLiqYBbCJkYRHnjaMkxlvtI7snaYwIDAQABMA0GCSqGSIb3DQEBBQUAA4IB
AQAYsIbtdsF+B3hEJ8gNFsx0ETQ0klTdLXKWkjTyRwojLT8Ebye7T4f5/N7owTky
CkIOZPlbrLzgKRjW145oe87m270C2Pwb/4e3/65nSG5kX68ER4kDDQkg1sjwwItp
PY+8mDQdm+fXE9gkuNK8u9tiefiB5FKv37r8ewPpyDkLxK3DX+jzE1EO0LqhUfsj
TJvNEJL0vf6OcNrbDT2QTIjl63jNIG2jknk+Gdv4j7IKN4s/IKyn4g40dvbDB682
86MqLWKYut+PdupUjsC/a4CGt6mqRJJHlKYlLHpDc5jTgQTmXHdZIMo169ZjqT9f
O07O6DSrF8KkcXFtWCqe7343
-----END CERTIFICATE-----

至此CA根证书已经生成，将使用该证书签发网站证书。

生产Server私钥：

openssl genrsa -out ServerPriKey.pem 1024

生成csr请求：

openssl req -new -out ServerReq.csr -key ServerPriKey.pem

这里填入的Common Name必须与网站的域名一致，本例为localhost。

使用CA证书签发该csr：这里需要注意的是，必须为openssl的配置文件添加必要的配置信息，否则会报各种错误。

配置文件位置（Mac OS）: /private/etc/ssl/openssl.cnf

示例：

[ req ]
#default_bits       = 2048
#default_md     = sha256
#default_keyfile    = privkey.pem
distinguished_name  = req_distinguished_name
attributes      = req_attributes[ req_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_min         = 2
countryName_max         = 2
stateOrProvinceName     = State or Province Name (full name)
localityName            = Locality Name (eg, city)
0.organizationName      = Organization Name (eg, company)
organizationalUnitName      = Organizational Unit Name (eg, section)
commonName          = Common Name (eg, fully qualified host name)
commonName_max          = 64
emailAddress            = Email Address
emailAddress_max        = 64[ req_attributes ]
challengePassword       = A challenge password
challengePassword_min       = 4
challengePassword_max       = 20[ ca ]
default_ca = CA_default[ CA_default ]
dir                 = /Users/miracle/Key/CA
new_certs_dir           = $dir/newcerts
certs               = $dir/certs
private_key         = $dir/private/CaPriKey.pem
certificate         = $dir/certs/CaCer.pem
database            = $dir/index.txt
serial              = $dir/serial
default_md          = default
policy              = policy_match
preserve            = no
default_days            = 365
default_crl_dats        = 30[ policy_match ]
countryName             = match
stateOrProvinceName         = match
organizationName            = match
organizationalUnitName      = optional
commonName              = supplied
emailAddress            = optional

这里的[ca]、[ca_default]以及[policy_match]均是后面添加的，如果不配置会报错。注意根据实际情况调整目录结构。如何生成serial文件：cat 00 >> serial。

参考：https://www.cnblogs.com/f-ck-need-u/p/6091027.html

接着，使用如下命令签发csr：

openssl ca -in ServerReq.csr -out ServerCer.pem

如果配置文件没有问题，会有如下确认信息：

Using configuration from /private/etc/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :ASN.1 12:'ShanXi'
localityName          :ASN.1 12:'XinZhou'
organizationName      :ASN.1 12:'LY'
organizationalUnitName:ASN.1 12:'LiYao'
commonName            :ASN.1 12:'localhost'
emailAddress          :IA5STRING:'localhost@xx.com'
Certificate is to be certified until May  2 15:28:39 2021 GMT (365 days)
Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

则说明签发成功。

查看Server证书：

Certificate:Data:Version: 1 (0x0)Serial Number: 0 (0x0)Signature Algorithm: sha1WithRSAEncryptionIssuer: C=CN, ST=ShanXi, L=XinZhou, O=LY, OU=LiYao, CN=Root CA/emailAddress=ca@xx.comValidityNot Before: May  2 15:28:39 2020 GMTNot After : May  2 15:28:39 2021 GMTSubject: C=CN, ST=ShanXi, O=LY, OU=LiYao, CN=localhost/emailAddress=localhost@xx.comSubject Public Key Info:Public Key Algorithm: rsaEncryptionPublic-Key: (1024 bit)Modulus:00:a3:6e:d7:1e:33:56:48:f1:d4:51:30:3a:e4:5e:94:cf:c5:c1:5e:b8:c3:eb:aa:f6:85:43:f6:9a:ad:3f:ec:d7:c7:a4:cf:65:06:83:d5:08:19:0c:0a:f4:14:ff:24:ea:a4:66:62:80:d3:36:ae:f2:51:f2:66:fc:3b:9e:f6:ae:8d:06:52:ef:d2:d9:b3:ec:8c:36:57:f0:7f:82:9d:aa:df:7d:67:91:c7:ce:de:3b:41:96:0d:e7:ae:eb:50:f7:35:30:8d:30:9a:5e:b6:1d:d8:1e:7a:b4:6b:6e:68:cb:51:21:11:b1:60:00:9f:b7:f9:a8:62:20:73:33:78:d1Exponent: 65537 (0x10001)Signature Algorithm: sha1WithRSAEncryption2a:d4:20:79:ad:d6:c6:06:a7:ad:0b:dd:b4:42:c4:3c:70:78:7d:85:da:ce:c9:8d:f4:58:df:fc:1b:9c:48:a6:b1:27:75:02:3c:8c:6c:98:df:32:1b:75:e0:25:ba:fa:4d:47:02:1b:a0:3e:0f:30:3e:aa:95:d6:5a:47:53:cb:ae:a7:99:a5:e1:12:5a:33:4e:f7:a8:1b:33:4c:59:54:43:d2:f4:b3:80:f1:ea:f4:5e:03:a1:05:64:b6:dc:3e:57:0e:1b:cd:ae:de:c2:eb:02:70:19:ea:49:3d:8f:d5:33:85:38:30:85:34:b6:a0:ef:ea:5d:3e:e8:1d:be:b4:7e:65:1e:90:51:cf:e0:60:68:08:b4:35:e9:6d:ce:bb:60:23:17:38:ac:5a:80:ad:27:7b:9a:0a:cf:5d:84:47:e3:70:59:95:7e:6c:3f:61:74:82:a3:f9:a8:c8:5e:c5:7b:7f:0f:15:af:b8:4f:b5:84:74:ae:7e:93:ea:ee:d5:20:9b:47:35:29:d7:86:2d:29:ce:34:99:de:55:15:bf:aa:f3:f3:b3:dd:15:1f:43:2e:e8:5e:7c:d2:23:1b:e5:3c:a2:3e:d2:d1:f3:be:4b:d6:08:a5:e1:98:97:70:98:49:76:81:f5:f6:43:3c:92:50:7d:e1:a3:b3:ca:ea:e8
-----BEGIN CERTIFICATE-----
MIIC2TCCAcECAQAwDQYJKoZIhvcNAQEFBQAweTELMAkGA1UEBhMCQ04xDzANBgNV
BAgMBlNoYW5YaTEQMA4GA1UEBwwHWGluWmhvdTELMAkGA1UECgwCTFkxDjAMBgNV
BAsMBUxpWWFvMRAwDgYDVQQDDAdSb290IENBMRgwFgYJKoZIhvcNAQkBFgljYUB4
eC5jb20wHhcNMjAwNTAyMTUyODM5WhcNMjEwNTAyMTUyODM5WjBwMQswCQYDVQQG
EwJDTjEPMA0GA1UECAwGU2hhblhpMQswCQYDVQQKDAJMWTEOMAwGA1UECwwFTGlZ
YW8xEjAQBgNVBAMMCWxvY2FsaG9zdDEfMB0GCSqGSIb3DQEJARYQbG9jYWxob3N0
QHh4LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAo27XHjNWSPHUUTA6
5F6Uz8XBXrjD66r2hUP2mq0/7NfHpM9lBoPVCBkMCvQU/yTqpGZigNM2rvJR8mb8
O572ro0GUu/S2bPsjDZX8H+CnarffWeRx87eO0GWDeeu61D3NTCNMJpeth3YHnq0
a25oy1EhEbFgAJ+3+ahiIHMzeNECAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAKtQg
ea3WxganrQvdtELEPHB4fYXazsmN9Fjf/BucSKaxJ3UCPIxsmN8yG3XgJbr6TUcC
G6A+DzA+qpXWWkdTy66nmaXhElozTveoGzNMWVRD0vSzgPHq9F4DoQVkttw+Vw4b
za7ewusCcBnqST2P1TOFODCFNLag7+pdPugdvrR+ZR6QUc/gYGgItDXpbc67YCMX
OKxagK0ne5oKz12ER+NwWZV+bD9hdIKj+ajIXsV7fw8Vr7hPtYR0rn6T6u7VIJtH
NSnXhi0pzjSZ3lUVv6rz87PdFR9DLuhefNIjG+U8oj7S0fO+S9YIpeGYl3CYSXaB
9fZDPJJQfeGjs8rq6A==
-----END CERTIFICATE-----

其中的Issuer就是证书的签发机构，即我们之前创建的Root CA。

配置tomcat：

这里以Tomcat9为例：

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"maxThreads="150" SSLEnabled="true" ><UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /><SSLHostConfig><Certificate certificateKeyFile="/Users/miracle/Key/ServerPriKey.pem"certificateFile="/Users/miracle/Key/ServerCer.pem"certificateChainFile="/Users/miracle/Key/CA/certs/CaCer.pem"type="RSA" /></SSLHostConfig></Connector>

然后将javaweb项目的war包部署至Tomcat，访问链接：

始终报NET::ERR_CERT_INVALID错误，原因待排查。。。

【Https（二】】实战 openssl 配置 tomcat相关推荐

Tomcat下载以及IDEA配置Tomcat
一,Tomcat下载下载:可以选择在官网下载对应版本,下载之后就可以进行配置. 启动:双击: bin\startup.bat,后浏览器访问http://localhost:8080,若显示内容则启动 ...
javaSE：配置tomcat失败解决办法、环境变量
一.环境变量配置. 1.先进入电脑环境变量,新建系统变量. 2.然后编辑系统变量 3. 打开cmd输入startup,显示不是内部命令可运行程序,tomact启动失败:这时就要cd命令切换到安装tom ...
配置Tomcat使用https协议
一. 创建tomcat证书这里使用JDK自带的keytool工具来生成证书: 1. 在jdk的安装目录\bin\keytool.exe下打开keytool.exe 2. 在命令行中输入以下命令: ...
reload端口 tomcat_CentOS 7配置tomcat https并改端口为443
CentOS 7配置tomcat https并改端口为443: 安装tomcat: yum install tomcat (默认为tomcat 7) 配置tomcat证书(有公司https key.c ...
Linux下nginx与Tomcat的https非443端口配置
nginx的安装本文中采用编译安装.步骤如下: # 检查和安装依赖项(gcc.正则表达式工具.传送内容压缩的zlib库.openssl开启https支持),-y表示静默安装 yum -y insta ...
Windows下配置Tomcat使用https协议
场景首先需要知道 HTTP+加密+数据完整性保护+认证=HTTPS HTTP+SSL=HTTPS (在TCP与HTTP之间多了一层SSL/TSL协议) 所以配置Tomcat使用https协议,你需要 ...
配置Tomcat使用https协议(配置SSL协议)
转载地址:http://ln-ydc.iteye.com/blog/1330674 内容概览: 如果希望 Tomcat 支持 Https,主要的工作是配置 SSL 协议 1.生成安全证书 2.配置to ...
[Jexus系列] 二、Jexus配置https
注意,本教程使用的jexus版本为5.8.3专业版,操作系统为 Ubunutu 16.04 64位之前的教程: [Jexus系列] 一.安装并运行 Jexus 获取https证书并上传到服务器 1. ...
JAVA小萌新（二）—— eclipse配置 jdk 和 tomcat
1.本文章适用于eclipse配置完成的条件下(jdk配置完成)对eclipse配置Tomcat F:话不多说,开始操作 ①打开eclipse(如果没有配置JDK的话,Eclipse也不会正常打开的) ...
【Tomcat】一分钟教你eclipse如何配置tomcat（二）
对于初学者来说,在eclipse下如何配置tomcat,完全是一团雾水,不知怎么下手,在此,我们花费十分钟的时间,使用最简单的图文解说方式介绍一下,希望对大家有所帮助. 准备工具 windows操作系 ...

【Https（二】】实战 openssl 配置 tomcat

【Https（二】】实战 openssl 配置 tomcat相关推荐

最新文章

热门文章