
Installation of WildCard SSL certificate (By Comodo) on Tomcat Apache Web Server

I am installing a wildcard SSL certificate into my keystore, which will be used for the Apache Tomcat web server.

Description: My Tomcat server is installed on a Windows 2012 server, and I have certificates provided by COMODO. The wildcard cert I'm using has already been used previously on a few servers, so I am directly installing the same on my Apache Tomcat server. So I generated a public keystore using keytool, providing the same information used while purchasing the certificate, with the following command:

keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore

Then I attached my certificates to the generated keystore using the following command for "Comodo" certificates:

keytool -import -trustcacerts -alias root -file AddTrustExternalCARoot.crt -keystore selfservice.keystore

And I used the correct chain of installation for the certificates (root, all intermediates, then primary) with the above command.

And while installing each certificate I received the following message:

"Certificate added to keystore"

So I have not got any error. But when I opened my keystore there was no certificate chain, meaning there is an individual entry for each certificate, but no chain hierarchy of certificates like Root, then intermediate, then primary. And in my final PI or certificate, I am getting the provider as the local first name instead of Comodo. EXAMPLE:

CN=nims.ABC.com,OU=abcCommunications,O=abc Group LLC, L=Roseville,ST=Minnesota,C=US

Provider must be

CN=COMODO RSA Organization Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

So I would like to know which steps I have missed, or whether I used any extra steps. Please provide a solution to install a wildcard certificate. Thanks in advance.

You did everything correctly. The trust chain is important for another aspect. If you trust one 'certificate' of the chain, you trust the following 'certificates' of the chain too. So to trust all certs of a CA you just have to trust the root CA's cert.

What you really need to make the wildcard certificate work on your server is to import the private key part of it.

I assume you mean Tomcat using Java SSL (JSSE), not APR/Native (OpenSSL). If you want Tomcat-APR, change your question.

If the cert you want to use is already in use on other servers, and you "generated a public keystore using" the keytool command you showed on the NEW server, you generated a NEW KEY which is different from the key the other servers used and different from the key included in the certificate; thus the certificate DOES NOT MATCH that new key and cannot be used with that new key. You also implicitly generated (and have not replaced) a self-signed cert, with both subject and issuer (what you call provider) identifying you rather than a CA like Comodo. This certificate is not good for general use but can be useful for some testing, which is why keytool does it implicitly.

You need to get the certificate, the ALREADY EXISTING private key that MATCHES the certificate, and the needed chain cert(s) into your JKS as a privateKey entry. If an existing SSL server is Java (using JSSE), just copy its JKS. If you want or need to change the password(s) on the copy for your new server, see keytool -storepasswd and keytool -keypasswd.

If an existing server is OpenSSL (including Apache httpd and nginx), convert the OpenSSL PEM format to PKCS#12 (preferably on the old server); depending on that server's file layout this is something like

openssl pkcs12 -export -in certfile -inkey keyfile -certfile chaincert -out xxx

and then use keytool to convert PKCS#12 to JKS (preferably on the new server):

keytool -importkeystore -srckeystore xxx -srcstoretype pkcs12 -destkeystore yyy

Note you must use a password on the PKCS#12. This does not need to be the same as the old server keyfile (if any) or the new server JKS, but it's usually more convenient if it is.

If an existing server is IIS, you should be able to export the cert WITH private key AS PFX/PKCS#12 from the Certificates snap-in of mmc, and then convert the PKCS12 to JKS as just above.

If an existing server is something else, add it to the question.
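The symptom in the question (separate trustedCertEntry entries, and a "provider" that is the server's own name) and the remedy in the answer above (a PrivateKeyEntry whose key matches the CA-issued certificate) can both be checked directly from Java, which is what Tomcat/JSSE itself does when it opens the keystore. The following diagnostic is an added example, not code from either post; the file name, passwords and alias names are whatever you pass on the command line, and it assumes a JDK 9 or later, where the default keystore type reads both JKS and PKCS#12 files.

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;

/**
 * Lists every entry in a keystore and, for each PrivateKeyEntry, checks
 * that the private key really belongs to the leaf certificate.
 *
 * Usage: java KeystoreCheck <keystore-file> <store-password> [key-password]
 * (file name and passwords are placeholders supplied by the caller)
 */
public class KeystoreCheck {

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: KeystoreCheck <keystore> <storepass> [keypass]");
            System.exit(2);
        }
        char[] storePass = args[1].toCharArray();
        // keytool defaults the key password to the store password; allow an override
        char[] keyPass = (args.length > 2 ? args[2] : args[1]).toCharArray();

        // On JDK 9+ the default type is "pkcs12", which also opens legacy JKS files.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, storePass);
        }

        List<String> aliases = Collections.list(ks.aliases());
        int privateEntries = 0;
        for (String alias : aliases) {
            if (ks.isKeyEntry(alias)) {
                privateEntries++;
                Certificate[] chain = ks.getCertificateChain(alias);
                System.out.printf("%s: PrivateKeyEntry, chain length %d%n", alias, chain.length);
                for (Certificate c : chain) {
                    describe((X509Certificate) c);
                }
                PrivateKey key = (PrivateKey) ks.getKey(alias, keyPass);
                boolean matches = keyMatchesCert(key, chain[0].getPublicKey());
                System.out.println("  private key matches leaf certificate: " + matches);
            } else {
                // The question's root/intermediate/primary imports land here:
                // trust anchors only, no private key, so Tomcat cannot serve them.
                System.out.printf("%s: trustedCertEntry%n", alias);
                describe((X509Certificate) ks.getCertificate(alias));
            }
        }
        if (privateEntries == 0) {
            System.out.println("No PrivateKeyEntry found: JSSE has no key to serve TLS with.");
        }
    }

    /** Prints subject and issuer; subject == issuer is the self-signed cert keytool -genkey created. */
    static void describe(X509Certificate c) {
        boolean selfSigned = c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
        System.out.println("    subject: " + c.getSubjectX500Principal());
        System.out.println("    issuer:  " + c.getIssuerX500Principal()
                + (selfSigned ? "  (self-signed)" : ""));
    }

    /** Signs a fixed message with the private key and verifies it with the certificate's public key. */
    static boolean keyMatchesCert(PrivateKey priv, PublicKey pub) throws Exception {
        String alg = "RSA".equals(priv.getAlgorithm()) ? "SHA256withRSA" : "SHA256withECDSA";
        byte[] msg = "keystore-check".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance(alg);
        signer.initSign(priv);
        signer.update(msg);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance(alg);
        verifier.initVerify(pub);
        verifier.update(msg);
        return verifier.verify(sig);
    }
}
```

Run it against the keystore from the question and the "tomcat" alias shows a chain of length 1 whose subject and issuer are both the CN=nims.ABC.com name (the implicit self-signed certificate), while the Comodo certificates appear as separate trustedCertEntry lines. After the PKCS#12 import the answer describes, the same alias should show a chain of length 2 or more, an issuer of COMODO RSA Organization Validation Secure Server CA, and "private key matches leaf certificate: true".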
