Windows version (a tool that generates the SSL certificate) - can replace steps 1-2
http://jasonmun.blogspot.my/2017/02/windows-ssl.html
The generated files are placed under /etc/letsencrypt/live/member.dlinkddns.com/*.pem
2. Generate the file fullchain_and_key.p12
Set the password of the SSL certificate bundle to 123
$ cd /etc/letsencrypt/live/member.dlinkddns.com
$ openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out fullchain_and_key.p12 -name tomcat -passout pass:123
3. Generate the file MyDSKeyStore.jks
Two passwords are set here: -deststorepass 456 protects the JKS store itself, -destkeypass 789 protects the key entry inside it
$ keytool -importkeystore -deststorepass 456 -destkeypass 789 -destkeystore MyDSKeyStore.jks -srckeystore fullchain_and_key.p12 -srcstoretype PKCS12 -srcstorepass 123 -alias tomcat
* The Windows build of Java ships keytool.exe in its bin directory
4. Edit server.xml
Ubuntu
$ cp /etc/letsencrypt/live/member.dlinkddns.com/MyDSKeyStore.jks /etc/tomcat8
$ gedit /etc/tomcat8/server.xml
CentOS / Fedora / OpenSUSE
$ cp /etc/letsencrypt/live/member.dlinkddns.com/MyDSKeyStore.jks /etc/tomcat
$ gedit /etc/tomcat/server.xml
Windows
Copy MyDSKeyStore.jks to apache-tomcat-8.0.33/conf (the keystore and server.xml both hold the passwords, so make them readable only by the account Tomcat runs as)
Add the following to apache-tomcat-8.0.33/conf/server.xml:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           URIEncoding="UTF-8" maxThreads="150" SSLEnabled="true"
           scheme="https" secure="true" clientAuth="false"
           sslProtocol="TLS"
           keystoreFile="conf/MyDSKeyStore.jks"
           keystorePass="456"
           keyAlias="tomcat"
           keyPass="789"/>
5. Firewall
Ubuntu
$ systemctl start ufw
(if ufw has never been switched on for this host, also run "ufw enable", otherwise the rules below are loaded but not enforced)
$ ufw allow 8080/tcp
$ ufw allow 8443/tcp
CentOS / Fedora
$ systemctl start firewalld
$ firewall-cmd --get-active-zones
$ firewall-cmd --permanent --add-port={8080,8443}/tcp --zone=home
(firewall-cmd requires the protocol after the port; the shell expands the braces into --add-port=8080/tcp --add-port=8443/tcp)
$ firewall-cmd --reload
$ firewall-cmd --list-all --zone=home
6. Restart Tomcat and browse to
http://member.dlinkddns.com:8080/
https://member.dlinkddns.com:8443/
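Steps 2 and 3 above put the keystore passwords on the command line, where they are visible to every local user in the process list and are kept in the shell history. The script below is an added example, not the post's own commands: it performs the same openssl and keytool conversion, but reads the passwords from mode-0600 files (openssl's "-passout file:" and keytool's ":file" option modifier), checks first that privkey.pem really belongs to fullchain.pem, and verifies that the resulting JKS contains the "tomcat" private-key entry. It assumes OpenSSL and a JDK keytool are installed; LIVE_DIR and KEY_ALIAS default to the values used in the post.

```shell
#!/bin/sh
# Added example, not from the original post: steps 2 and 3 as one script that
# keeps the keystore passwords out of argv (visible in `ps` and shell history)
# and verifies the result. Assumes OpenSSL and a JDK keytool are installed;
# LIVE_DIR and KEY_ALIAS default to the values used in the post.
set -eu

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/member.dlinkddns.com}"
KEY_ALIAS="${KEY_ALIAS:-tomcat}"

# write_pass_file FILE PASSWORD: store a password in a mode-0600 file so it can
# be handed to openssl (-passout file:) and keytool (:file) instead of on argv.
write_pass_file() {
    (umask 077 && printf '%s' "$2" > "$1")
}

# key_matches_cert CERT KEY: succeed only if KEY is the private key for CERT.
# Compares SHA-256 of the DER-encoded public key, so it works for RSA and EC.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# build_p12 CERT KEY OUT PASSFILE: the post's step 2, password read from a file.
build_p12() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
        -name "$KEY_ALIAS" -passout "file:$4"
}

# build_jks P12 P12_PASSFILE JKS STORE_PASSFILE KEY_PASSFILE: the post's step 3.
build_jks() {
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass:file "$2" \
        -destkeystore "$3" -deststoretype JKS \
        -deststorepass:file "$4" -destkeypass:file "$5" \
        -alias "$KEY_ALIAS"
}

# verify_jks JKS STORE_PASSFILE: confirm the alias is present as a PrivateKeyEntry.
verify_jks() {
    keytool -list -keystore "$1" -storepass:file "$2" -alias "$KEY_ALIAS" \
        | grep -q PrivateKeyEntry
}

main() {
    pwdir=$(mktemp -d)
    # Random passwords: Tomcat reads them from server.xml, nobody has to type them.
    for n in p12 store key; do
        write_pass_file "$pwdir/$n.pass" "$(openssl rand -base64 24)"
    done
    key_matches_cert "$LIVE_DIR/fullchain.pem" "$LIVE_DIR/privkey.pem" \
        || { echo "privkey.pem does not match fullchain.pem" >&2; exit 1; }
    build_p12 "$LIVE_DIR/fullchain.pem" "$LIVE_DIR/privkey.pem" \
        "$LIVE_DIR/fullchain_and_key.p12" "$pwdir/p12.pass"
    build_jks "$LIVE_DIR/fullchain_and_key.p12" "$pwdir/p12.pass" \
        "$LIVE_DIR/MyDSKeyStore.jks" "$pwdir/store.pass" "$pwdir/key.pass"
    verify_jks "$LIVE_DIR/MyDSKeyStore.jks" "$pwdir/store.pass"
    echo "MyDSKeyStore.jks written; keystorePass/keyPass for server.xml are in $pwdir"
}

# Run the conversion only when invoked as "sh make-jks.sh run".
if [ "${1:-}" = "run" ]; then
    main
fi
```

Copy the two generated passwords into keystorePass and keyPass of the Connector in step 4, then delete the password directory. Because Let's Encrypt renews every 90 days, the script is meant to be re-run after each renewal (for example from a certbot deploy hook) so the JKS never lags behind the PEM files.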