[HTTPS (2)] Hands-on: configuring Tomcat with openssl

Published: 2023/12/10

CA private key

Generate the CA private key with the following command:

openssl genrsa -out CaPriKey.pem

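Viewing the private key file directly shows a PEM block delimited by -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----.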


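The files openssl generates are stored in PEM format; PEM is just a file format that begins and ends with specific marker lines.

The following command prints the private key in plain text: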

openssl rsa -in CaPriKey.pem -text

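The plain-text output describes a 2048-bit private key: modulus, publicExponent (65537, 0x10001), privateExponent, prime1, prime2, exponent1, exponent2 and coefficient, followed by the PEM-encoded key.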


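In addition, an RSA private key is stored in a PKCS format whose structure includes the modulus and the public exponent, so the matching public key can be exported from the private key. For details see: https://blog.csdn.net/zhymax/article/details/7683925#

That is why this step produced only a private key file and no public key. The corresponding public key can of course be exported with the following command: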

openssl rsa -in CaPriKey.pem -pubout -out CaPubKey.pem

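The exported public key is a PEM block delimited by -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY-----.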


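CA certificate request

A certificate request is a CSR file that contains the applicant's identity information and public key; the CA then verifies that identity information and issues a certificate. Command to generate the CSR: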

openssl req -new -out CaReq.csr -key CaPriKey.pem

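As described earlier, the private key is passed in here so that the public key can be derived from it; the request is also signed with it. The CSR file itself is a PEM block delimited by -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----.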


The CSR can also be printed in plain text with the following command:

openssl req -in CaReq.csr -noout -text

Plain-text output:

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=CN, ST=ShanXi, L=XinZhou, O=LY, OU=LiYao, CN=Root CA/emailAddress=ca@xx.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus: (hex bytes omitted)
                Exponent: 65537 (0x10001)
        Attributes:
            challengePassword        :unable to print attribute
    Signature Algorithm: sha256WithRSAEncryption
         (signature bytes omitted)

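As the output shows, a CSR is essentially identity information: it contains the public key, the basic subject information and a signature.

Generating the self-signed certificate

Self-sign the CSR with the CA's private key: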

openssl x509 -req -in CaReq.csr -out CaCer.pem -signkey CaPriKey.pem -days 365

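The resulting file, CaCer.pem, is a PEM block delimited by -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.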


Print the certificate in plain text with the following command:

openssl x509 -in CaCer.pem -noout -text

Certificate in plain text:

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 12547342102288706766 (0xae211d29d238acce)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=ShanXi, L=XinZhou, O=LY, OU=LiYao, CN=Root CA/emailAddress=ca@xx.com
        Validity
            Not Before: May  2 14:13:49 2020 GMT
            Not After : May  2 14:13:49 2021 GMT
        Subject: C=CN, ST=ShanXi, L=XinZhou, O=LY, OU=LiYao, CN=Root CA/emailAddress=ca@xx.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus: (hex bytes omitted)
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
         (signature bytes omitted)

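At this point the CA root certificate has been generated; it will be used to issue the website certificate.

Generate the server private key: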

openssl genrsa -out ServerPriKey.pem 1024

Generate the CSR:

openssl req -new -out ServerReq.csr -key ServerPriKey.pem

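The Common Name entered here must match the website's domain name; in this example it is localhost.

Issue the CSR with the CA certificate. Note that the necessary settings must be added to the openssl configuration file first, otherwise various errors are reported.

Configuration file location (Mac OS): /private/etc/ssl/openssl.cnf

Example: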

[ req ]
#default_bits = 2048
#default_md = sha256
#default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, fully qualified host name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20

# Sections below were added for "openssl ca"
[ ca ]
default_ca = CA_default

[ CA_default ]
# Root directory of the CA; adjust to the actual layout
dir = /Users/miracle/Key/CA
new_certs_dir = $dir/newcerts
certs = $dir/certs
private_key = $dir/private/CaPriKey.pem
certificate = $dir/certs/CaCer.pem
database = $dir/index.txt
serial = $dir/serial
default_md = default
policy = policy_match
preserve = no
default_days = 365
default_crl_days = 30

# Which subject fields of a request must match the CA's own subject
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

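The [ ca ], [ CA_default ] and [ policy_match ] sections here were all added afterwards; without them the command reports errors. Adjust the directory layout to match your own setup. To create the serial file: echo 00 > serial.

Reference: https://www.cnblogs.com/f-ck-need-u/p/6091027.html

Next, sign the CSR with the following command: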

openssl ca -in ServerReq.csr -out ServerCer.pem

If the configuration file is correct, the following confirmation appears:

Using configuration from /private/etc/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :ASN.1 12:'ShanXi'
localityName          :ASN.1 12:'XinZhou'
organizationName      :ASN.1 12:'LY'
organizationalUnitName:ASN.1 12:'LiYao'
commonName            :ASN.1 12:'localhost'
emailAddress          :IA5STRING:'localhost@xx.com'
Certificate is to be certified until May  2 15:28:39 2021 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

This means the certificate was issued successfully.

View the server certificate:

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 0 (0x0)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=ShanXi, L=XinZhou, O=LY, OU=LiYao, CN=Root CA/emailAddress=ca@xx.com
        Validity
            Not Before: May  2 15:28:39 2020 GMT
            Not After : May  2 15:28:39 2021 GMT
        Subject: C=CN, ST=ShanXi, O=LY, OU=LiYao, CN=localhost/emailAddress=localhost@xx.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus: (hex bytes omitted)
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
         (signature bytes omitted)

The Issuer here is the authority that issued the certificate, that is, the Root CA we created earlier.

Configuring Tomcat:

Tomcat 9 is used as the example here:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="/Users/miracle/Key/ServerPriKey.pem"
                     certificateFile="/Users/miracle/Key/ServerCer.pem"
                     certificateChainFile="/Users/miracle/Key/CA/certs/CaCer.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

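Then deploy the Java web project's WAR package to Tomcat and visit the link:

It always reports the NET::ERR_CERT_INVALID error; the cause is still to be investigated...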
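Added example, not part of the original post: a shell function that audits `openssl x509 -noout -text` output for four properties visible in the server certificate printed above (X.509 v1, SHA-1 signature, 1024-bit RSA key, no subjectAltName), each of which current browsers or OS certificate verifiers may reject. The function name, the finding labels and the embedded sample (constructed from the fields of the page's server certificate output, hex omitted) are assumptions of this example; it does not establish which property, if any, causes the error reported here.

```shell
#!/bin/sh
# Added example: audit `openssl x509 -noout -text` output read from stdin.
# Usage: openssl x509 -in ServerCer.pem -noout -text | audit_cert_text
# Prints one finding per line; prints nothing when no check fires.
audit_cert_text() {
    text=$(cat)

    # X.509 v1 has no extensions field, so it cannot hold subjectAltName
    # or basicConstraints at all.
    ver=$(printf '%s\n' "$text" | sed -n 's/^ *Version: *\([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ "$ver" = "3" ] || echo "VERSION: X.509 v${ver:-unknown} certificate cannot carry v3 extensions"

    # Weak signature hash (matches sha1WithRSAEncryption, ecdsa-with-SHA1, md5...).
    if printf '%s\n' "$text" | grep -Eiq 'Signature Algorithm:.*(sha1|md5)'; then
        echo "HASH: certificate is signed with SHA-1 or MD5"
    fi

    # RSA modulus shorter than 2048 bits (check applies to RSA keys only).
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: *(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' \
        && [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        echo "KEYSIZE: ${bits}-bit RSA key is below 2048 bits"
    fi

    # Host names are matched against subjectAltName, not the Subject CN.
    printf '%s\n' "$text" | grep -q 'X509v3 Subject Alternative Name' \
        || echo "SAN: no subjectAltName extension, host name is only in the Subject CN"
    return 0
}

# Constructed sample: the fields of the page's server certificate, hex omitted.
sample_server_cert_text() {
cat <<'EOF'
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 0 (0x0)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=ShanXi, L=XinZhou, O=LY, OU=LiYao, CN=Root CA/emailAddress=ca@xx.com
        Subject: C=CN, ST=ShanXi, O=LY, OU=LiYao, CN=localhost/emailAddress=localhost@xx.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
EOF
}

# Demonstration on the constructed sample.
sample_server_cert_text | audit_cert_text
```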
