简体繁体 English

使用SSL CERTIFICATE，PRIVATE KEY和SSLCertificateChain CERTIFICATE在Tomcat上启用SSL

[英]Enable SSL on Tomcat using SSL CERTIFICATE, PRIVATE KEY and SSLCertificateChain CERTIFICATE

原文 2013-11-02 15:14:33 7 1 security/ tomcat/ ssl/ https

I have SSL CERTIFICATE, PRIVATE KEY and SSLCertificateChain CERTIFICATE as follows: 我有SSL CERTIFICATE，PRIVATE KEY和SSLCertificateChain CERTIFICATE，如下所示：

SSL CERTIFICATE: SSL凭证：
-----BEGIN CERTIFICATE----- ----- BEGIN证书-----
certificate here 证书在这里
-----END CERTIFICATE----- -----结束证书-----
PRIVATE KEY: 私钥：
-----BEGIN RSA PRIVATE KEY----- ----- BEGIN RSA私钥-----
key here 关键在这里
-----END RSA PRIVATE KEY----- -----结束RSA私钥-----
SSLCertificateChain CERTIFICATE: SSLCertificateChain证书：
-----BEGIN CERTIFICATE----- ----- BEGIN证书-----
SSLCertificateChain here SSLCertificateChain在这里
-----END CERTIFICATE----- -----结束证书-----
I have saved certificate in SSLCertificateFile.crt, key in SSLCertificateKeyFile.key and SSLCertificateChain certificate in SSLCertificateChainFile.crt. 我已将证书保存在SSLCertificateFile.crt中，密钥保存在SSLCertificateKeyFile.key中，而SSLCertificateChain证书保存在SSLCertificateChainFile.crt中。 All the three files are saved at /opt/tomcat/conf/ 所有这三个文件都保存在/ opt / tomcat / conf /
In /opt/tomcat/conf/server.xml modified the connector as: 在/opt/tomcat/conf/server.xml中，将连接器修改为：

I've restarted the tomcat server, http://www.digicert.com/help/ show the error "SSL Certificate is not trusted" as shown in the image. 如图所示，我已经重新启动了雄猫服务器http://www.digicert.com/help/，显示错误“ SSL证书不受信任”。

在此处输入图片说明

Is there anything wrong in file extensions or the connetcor? 文件扩展名或connetcor有什么问题吗？

1 个解决方案

You've blanked out the information that would be required to give you the definitive answer: 您已经清空了获得确切答案所需的信息：

"Certificate does not match name" means that you have a certificate for one server name, but access it as another server - this could be as simple as accessing "www.example.com" as "example.com" if the certificate is only valid for "www.example.com" “证书与名称不匹配”表示您拥有一个服务器名称的证书，但是以另一台服务器的身份对其进行访问-如果仅是证书，则可以像访问“ example.com”一样简单地访问“ www.example.com”对“ www.example.com”有效

The "not trusted" points either again to the mismatch, but more likely you have a self-signed certificate? “不可信”再次指向不匹配，但您更有可能拥有自签名证书？ You don't mention where you got the certificate from, only that you have it. 您没有提到您从何处获得证书，只是提到您拥有它。 By going directly to your server (not to digicert) you probably will get the same mismatch. 通过直接转到服务器（而不是digicert），您可能会得到相同的不匹配。

Even if you got the certificate from a certification authority, make sure that it indeed is trusted. 即使您是从证书颁发机构获得的证书，也要确保它确实是受信任的。 I've seen "demo" certificates (or "class 0" certificates) which were issued to demonstrate the ease of certification, but without any identity check free of charge. 我见过为证明认证容易而发行的“演示”证书（或“ 0级”证书），但没有任何免费的身份检查。 Those class 0 certificates are not trusted. 这些0类证书不受信任。 Typically you'll need to pay some money for a trusted certificate to some certification agency. 通常，您需要向一些认证机构支付一些费用才能获得受信任的证书。

I assume the server is visible on the internet (otherwise digicert won't see it), so if you would share the address, it would be easy to point you to the actual root cause. 我假设服务器在Internet上可见（否则digicert看不到它），因此，如果您共享地址，则很容易将您指向实际的根本原因。 You can also inspect the certificate, eg with Firefox: This is offered through a dialog that opens from the button on the "not trusted" warning page. 您也可以检查证书，例如使用Firefox：这是通过从“不可信”警告页面上的按钮打开的对话框提供的。