因为不同版本 Tomcat 配置上可能有所不同,所以这里只介绍最新的 8.5 版本。
因为我是测试环境,我可以借用 JDK自带工具keytool生成一个测试用的证书。
参考文档:
## 1、生成证书
[root@web01 tools]# $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore test.keystore
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: localhost
What is the name of your organizational unit?
[Unknown]: abc
What is the name of your organization?
[Unknown]: xyz
What is the name of your City or Locality?
[Unknown]: ZH
What is the name of your State or Province?
[Unknown]: cq
What is the two-letter country code for this unit?
[Unknown]: cc
Is CN=localhost, OU=abc, O=xyz, L=ZH, ST=cq, C=cc correct?
[no]: y
Enter key password for <tomcat>
(RETURN if same as keystore password):
Re-enter new password:
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore test.keystore -destkeystore test.keystore -deststoretype pkcs12".
## 2、查看证书内容
[root@web01 tools]# $JAVA_HOME/bin/keytool -list -keystore test.keystore
Enter keystore password:
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
tomcat, Mar 12, 2021, PrivateKeyEntry,
Certificate fingerprint (SHA-256): C2:4C:52:D9:0B:22:7B:DC:DB:40:51:9D:AD:79:EA:50:08:89:A7:7E:B8:D0:3A:FC:7C:22:B0:29:2D:34:C3:26
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore test.keystore -destkeystore test.keystore -deststoretype pkcs12".
## 3、导出证书
[root@web01 tools]# $JAVA_HOME/bin/keytool -export -alias tomcat -file tomcat.crt -keystore test.keystore
Enter keystore password:
Certificate stored in file <tomcat.crt>
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore test.keystore -destkeystore test.keystore -deststoretype pkcs12".
[root@web01 tools]# ll
-rw-r--r-- 1 root root 2200 Mar 12 14:45 test.keystore
-rw-r--r-- 1 root root 849 Mar 12 14:50 tomcat.crt
## 4、查看证书信息
[root@web01 tools]# $JAVA_HOME/bin/keytool -printcert -file tomcat.crt
Owner: CN=localhost, OU=abc, O=xyz, L=ZH, ST=cq, C=cc
Issuer: CN=localhost, OU=abc, O=xyz, L=ZH, ST=cq, C=cc
Serial number: 3a9217f6
Valid from: Fri Mar 12 14:45:13 CST 2021 until: Thu Jun 10 14:45:13 CST 2021
Certificate fingerprints:
SHA1: 43:87:78:FD:83:B3:67:71:B8:BA:4A:BC:04:C7:11:BC:C9:E7:0F:DE
SHA256: C2:4C:52:D9:0B:22:7B:DC:DB:40:51:9D:AD:79:EA:50:08:89:A7:7E:B8:D0:3A:FC:7C:22:B0:29:2D:34:C3:26
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: D3 0C 02 F1 67 15 60 97 71 5C 6D 93 AB 0F A3 85 ....g.`.qm.....
0010: F0 83 86 35 ...5
]
]
## 5、导入证书
[root@web01 tools]# $JAVA_HOME/bin/keytool -import -keystore test_crt -file tomcat.crt
Enter keystore password:
Re-enter new password:
Owner: CN=localhost, OU=abc, O=xyz, L=ZH, ST=cq, C=cc
Issuer: CN=localhost, OU=abc, O=xyz, L=ZH, ST=cq, C=cc
Serial number: 3a9217f6
Valid from: Fri Mar 12 14:45:13 CST 2021 until: Thu Jun 10 14:45:13 CST 2021
Certificate fingerprints:
SHA1: 43:87:78:FD:83:B3:67:71:B8:BA:4A:BC:04:C7:11:BC:C9:E7:0F:DE
SHA256: C2:4C:52:D9:0B:22:7B:DC:DB:40:51:9D:AD:79:EA:50:08:89:A7:7E:B8:D0:3A:FC:7C:22:B0:29:2D:34:C3:26
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: D3 0C 02 F1 67 15 60 97 71 5C 6D 93 AB 0F A3 85 ....g.`.qm.....
0010: F0 83 86 35 ...5
]
]
Trust this certificate? [no]: y
Certificate was added to keystore
## 查看证书信息
[root@web01 tools]# $JAVA_HOME/bin/keytool -list -keystore test_crt
Enter keystore password:
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
mykey, Mar 12, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): C2:4C:52:D9:0B:22:7B:DC:DB:40:51:9D:AD:79:EA:50:08:89:A7:7E:B8:D0:3A:FC:7C:22:B0:29:2D:34:C3:26
[root@web01 tools]# ll
-rw-r--r-- 1 root root 911 Mar 12 15:01 test_crt
-rw-r--r-- 1 root root 2200 Mar 12 14:45 test.keystore
-rw-r--r-- 1 root root 849 Mar 12 14:50 tomcat.crt
## 6、删除证书
[root@web01 tools]# $JAVA_HOME/bin/keytool -delete -keystore test_crt -alias mykey
Enter keystore password:
[root@web01 tools]# ll
-rw-r--r-- 1 root root 32 Mar 12 15:04 test_crt
-rw-r--r-- 1 root root 2200 Mar 12 14:45 test.keystore
-rw-r--r-- 1 root root 849 Mar 12 14:50 tomcat.crt
## 7、修改证书密码
[root@web01 tools]# $JAVA_HOME/bin/keytool -keypasswd -alias tomcat -keystore test.keystore
Enter keystore password:
New key password for <tomcat>:
Re-enter new key password for <tomcat>:
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore test.keystore -destkeystore test.keystore -deststoretype pkcs12".
开启 HTTPS 访问
生成证书
[root@web01 conf]# $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: localhost
What is the name of your organizational unit?
[Unknown]: abc
What is the name of your organization?
[Unknown]: xyz
What is the name of your City or Locality?
[Unknown]: zh
What is the name of your State or Province?
[Unknown]: cq
What is the two-letter country code for this unit?
[Unknown]: aa
Is CN=localhost, OU=abc, O=xyz, L=zh, ST=cq, C=aa correct?
[no]: y
Enter key password for <tomcat>
(RETURN if same as keystore password):
Re-enter new password:
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /root/.keystore -destkeystore /root/.keystore -deststoretype pkcs12".
打开 conf 下的 server.xml,从中找到如下注释信息。
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
This connector uses the NIO implementation. The default
SSLImplementation will depend on the presence of the APR/native
library and the useOpenSSL attribute of the
AprLifecycleListener.
Either JSSE or OpenSSL style configuration may be used regardless of
the SSLImplementation selected. JSSE style configuration is used below.
--><!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
type="RSA" />
</SSLHostConfig>
</Connector>
-->
去掉 Connector 的注释,修改 SSLHostConfig 为如下格式(PS:旧版本的 Tomcat 是直接配置在 Connector 属性上的,该写法以后将被弃用)。如果是更复杂的需求,则需要根据实际情况并参考官方文档来进行配置,这里不做深入研究。
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateKeystoreFile="conf/域名的 jks 文件"
certificateKeystorePassword="jks 文件密码"
certificateKeyAlias="jks 别名,一般为申请的证书域名"
type="RSA" />
</SSLHostConfig></Connector>
参数说明:
-
certificateKeystoreFile 指定 jks 文件所在,相对路径则是相对于 $CATALINA_BASE,一般为 Tomcat 所在目录。
-
certificateKeystorePassword jks 文件密码。
-
certificateKeyAlias jks 别名,一般为申请的证书域名,可通过 jdk 的 keytool –list –keystore jks文件 –storepass jks文件密码命令查看 jks 别名。
至此配置后,则能通过 HTTPS 访问了(默认端口为 8443),但同时也可以通过 HTTP 访问(默认端口为 8080)。
强制 HTTPS 访问
为了让网站强制使用 HTTPS,需要修改 Tomcat conf 目录下 web.xml,在文件末尾(一般情况)的 </web-app> 结束标签前添加如下代码。
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>Client Cert Users-only Area</realm-name></login-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>SSL</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint></security-constraint>
该配置是我网上搜寻来的,用是可以用的,只是尚未完全理解。
其中 login-config 好像是配置 Tomcat users 登录认证方式为客户端证书认证,这个一般很少用到,具体如何认证没研究过,只是似乎和 HTTPS 没啥关系,疑似无用配置;security-constraint 是配置所有url请求为 HTTPS,这个配置才是主要的。
配置完后,通过 HTTP 访问的请求自动会重定向到 HTTPS。
需要注意的是,如果在部署项目时,如果项目的 web.xml 配置了 security-constraint 相关参数,则可能会覆盖掉在 Tomcat 的 web.xml 里配置的信息,导致该项目部分地址可通过HTTP访问。
HTTPS 默认端口
一般访问网站,不管是 HTTP 还是 HTTPS ,都不需要加端口号的,因为 HTTP 默认是 80,HTTPS 默认是 443,而在 Tomcat 中则是 8080 和 8443,为了访问方便、简洁,则需要修改 conf 下的 server.xml,将里面的 8080 都改成 80,8443 都改成 443 即可。