在AWS Route 53中获取域托管区域的SSL证书
[英]Obtaining an SSL cert for a domain hosted zone in AWS Route 53
问题描述
The title of the question is a mouthful, but I am trying to configure a Go Daddy SSL cert which I purchased for my domain on AWS. 
该问题的标题很冗长,但是我正在尝试配置我在AWS上为我的域购买的Go Daddy SSL证书。 I purchased the domain myapp.com (not the real name) from AWS, and then I configured myapp.myapp.com as a record set in Route 53 to point to an EC2 instance, which in turn is running the actual Tomcat server which I expect users would be hitting. 我从AWS购买了域名myapp.com (不是真实名称),然后将myapp.myapp.com配置为Route 53中的记录集,以指向EC2实例,该实例又在运行我实际的Tomcat服务器。预计用户会受到打击。 In other words, this is the site used to hit the app/website, and I have confirmed that it works and is reachable. 换句话说,这是用来访问应用程序/网站的网站,我已经确认它可以正常工作并且可以访问。
I purchased an SSL cert from Go Daddy for myapp.myapp.com . 我从Go Daddy购买了myapp.myapp.com的SSL证书。 I followed the instructions to import the root, intermediate, and issued certificates (3 in total) into my Java keystore. 我按照说明将根证书,中间证书和颁发的证书(总共3个)导入到Java密钥库中。 Then, I configured my Tomcat server.xml to use this keystore. 然后,我将Tomcat server.xml配置为使用此密钥库。 I am not certain that I did this correctly, or in the correct order, if that matters. 我不确定我是否正确或正确地执行了此操作(如果有关系的话)。 In any case, when I try to hit the address 无论如何,当我尝试点击地址时
https://myapp.myapp.com:8443/
I get the following error on Chrome: 我在Chrome上收到以下错误:
Your connection is not private
NET::ERR_CERT_AUTHORITY_INVALID
Can anyone shed some light on what I might be doing wrong here? 谁能告诉我我在这里做错了什么? Go Daddy's customer support, while free, does not offer this level of tech support. Go Daddy的客户支持虽然免费,但不提供此级别的技术支持。 I could go with AWS, but they tend to charge enterprise rates. 我可以使用AWS,但是他们倾向于收取企业费率。
An ideal answer would include, at least as an outline, the following steps: 理想的答案至少包括以下步骤:
- How to import the Go Daddy certs into my Java keystone 如何将Go Daddy证书导入我的Java梯形失真
- How to configure Tomcat server.xml properly to use the keystore 如何正确配置Tomcat server.xml以使用密钥库
- Sanity checks along the way, which someone else with a similar problem would be able to use 进行健全性检查,其他有类似问题的人也可以使用
Here are the three certs which Go Daddy returned to me: 以下是Go Daddy返回给我的三个证书:
c4c170b79c58acc3.crt (root?)
gd_bundle-g2-g1.crt (intermediate?)
gdig2.crt.pem (primary/issued?)
I am not sure which of these certs are root, intermediate, and issued, but this SO question would label them as I have above. 我不确定这些证书中的哪一个是根证书,中间证书和已颁发证书,但是这个SO问题会像上面一样标记它们。
1 个解决方案
解决方案1
0 2018-05-03 18:50:37
To do this for a spring boot app do the following: 为此,请执行以下操作:
sudo openssl pkcs12 -export -out cs.pkcs12 -inkey /path/to/domain.key -in /path/to/domain.cer -certfile /path/to/domain.ca-bundle -name server -passout somestorepass
sudo keytool -v -importkeystore -srckeystore cs.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS -srcstorepass somestorepass -deststorepass somestorepass
in application.properties 在application.properties
server.ssl.enabled=true
server.ssl.key-alias=server
server.ssl.key-password=somestorepass
server.ssl.key-store-type=JKS
If you have tomcat, the first two commands stay the same, you just need to configure tomcat to to use the correct alias and the correct key store password. 如果您有tomcat,则前两个命令保持不变,您只需要配置tomcat即可使用正确的alias和正确的密钥存储密码。
Have a look at the Connector configuration for tomcat to configure the alias, keystore password, keystore etc. 看一下tomcat的Connector配置,以配置别名,密钥库密码,密钥库等。
Edit: Would recommend that you delete the intermediate files (not the JKS) once done. 编辑:建议您完成后删除中间文件(不是JKS)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.