
Tomcat SSL Installation Tutorial

Published: 2019-05-28 10:39:28  Author: 合信SSL证书

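Step 1: Prepare the certificate and upload it to the server

  • If we provided the certificate signing request (CSR), you will receive the following files:
  • If you provided the CSR yourself, you will receive the original certificate, which has to be merged and converted into the required format. For merging and converting, see the tutorial "Certificate Format Conversion Tutorial".
  • Finally, upload the .jks certificate file that Tomcat needs to the server.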

Step 2: Configure the Tomcat environment

Installing a single-domain certificate

Goal
Make http://ssl.51mubanji.com reachable over https://ssl.51mubanji.com

  1. First we need a certificate that covers the domain ssl.51mubanji.com. We use Comodo DV SSL as the example to demonstrate how a single-domain certificate is installed; the procedure is the same for certificates of every brand. Confirm that this certificate covers ssl.51mubanji.com.
  2. Open the Tomcat configuration file server.xml in an editor.
  3. Locate the virtual host settings for ssl.51mubanji.com.
  4. Add the following before    :

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
	SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false"
	keystoreFile="D:\SSL\www.SSL.City.jks" keystorePass="openSCT"
	sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
	ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
		TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
		TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
		TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
		TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
		TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
		TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
		TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
		TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
		TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
		TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
		TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" />

Result
After completing the configuration above, restart the Tomcat service; the site can then be accessed at https://www.ssl.city

Installing a wildcard certificate

Goal
Make http://ssl.51mubanji.com reachable over https://ssl.51mubanji.com
Make http://ssl.51mubanji.com reachable over https://ssl.51mubanji.com
Make http://ssl.51mubanji.com reachable over https://ssl.51mubanji.com

  1. First we need a certificate that covers the domain ssl.51mubanji.com. We use Comodo DV Wildcard SSL as the example to demonstrate how a wildcard certificate is installed; the procedure is the same for certificates of every brand. Confirm that this certificate covers ssl.51mubanji.com.
  2. Open the Tomcat configuration file server.xml in an editor and locate the virtual host settings for ssl.51mubanji.com / ssl.51mubanji.com.
  3. Add the following before    :

<Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol" maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName="ssltest1.ssl.city">
	<!-- sslProtocol, protocols and ciphers are SSLHostConfig attributes; Tomcat does not read them from Certificate -->
	<SSLHostConfig hostName="ssltest1.ssl.city" sslProtocol="TLSv1.2" protocols="TLSv1.2,TLSv1.1,TLSv1"
		ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
			TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
			TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
			TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
			TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
			TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
			TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
			TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
			TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
			TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA">
		<Certificate certificateKeystoreFile="D:/SSL/Wildcard.SSL.City.jks" certificateKeystorePassword="openSCT" type="RSA" />
	</SSLHostConfig>
	<SSLHostConfig hostName="ssltest2.ssl.city" sslProtocol="TLSv1.2" protocols="TLSv1.2,TLSv1.1,TLSv1"
		ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
			TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
			TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
			TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
			TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
			TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
			TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
			TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
			TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
			TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA">
		<Certificate certificateKeystoreFile="D:/SSL/Wildcard.SSL.City.jks" certificateKeystorePassword="openSCT" type="RSA" />
	</SSLHostConfig>
	<SSLHostConfig hostName="ssltest3.ssl.city" sslProtocol="TLSv1.2" protocols="TLSv1.2,TLSv1.1,TLSv1"
		ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
			TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
			TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
			TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
			TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
			TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
			TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
			TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
			TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
			TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA">
		<Certificate certificateKeystoreFile="D:/SSL/Wildcard.SSL.City.jks" certificateKeystorePassword="openSCT" type="RSA" />
	</SSLHostConfig>
</Connector>

File description     File name
32-bit installer     Win32OpenSSL_Light-1_1_1a.exe
64-bit installer     Win64OpenSSL_Light-1_1_1a.exe

Result
After completing the configuration above, restart the Tomcat service; the sites can then be accessed at https://ssltest1.ssl.city & https://ssltest2.ssl.city & https://ssltest3.ssl.city

Installing a multi-domain certificate

Goal
Make http://ssl.51mubanji.com reachable over https://ssl.51mubanji.com
Make http://ssl.51mubanji.com reachable over https://ssl.51mubanji.com
Make http://ssl.51mubanji.com reachable over https://ssl.51mubanji.com

  1. First we need a certificate that covers the domains https://ssl.51mubanji.com & https://ssl.51mubanji.com & https://ssl.51mubanji.com. We use Comodo Positive Multi-Domain SSL as the example to demonstrate how a multi-domain certificate is installed; the procedure is the same for certificates of every brand. Confirm that this certificate covers https://ssl.51mubanji.com & https://ssl.51mubanji.com & https://ssl.51mubanji.com.
  2. Open the Tomcat configuration file server.xml in an editor.
  3. Locate the virtual host settings for ssl.51mubanji.com / ssl.51mubanji.com / ssl.51mubanji.com.
  4. Add the following before    :

<Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol" maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName="www.opensct.com">
	<!-- sslProtocol, protocols and ciphers are SSLHostConfig attributes; Tomcat does not read them from Certificate -->
	<SSLHostConfig hostName="www.opensct.com" sslProtocol="TLSv1.2" protocols="TLSv1.2,TLSv1.1,TLSv1"
		ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
			TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
			TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
			TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
			TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
			TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
			TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
			TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
			TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
			TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA">
		<Certificate certificateKeystoreFile="D:/SSL/SANs.SSL.City.jks" certificateKeystorePassword="openSCT" type="RSA" />
	</SSLHostConfig>
	<SSLHostConfig hostName="www.opensct.net" sslProtocol="TLSv1.2" protocols="TLSv1.2,TLSv1.1,TLSv1"
		ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
			TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
			TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
			TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
			TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
			TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
			TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
			TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
			TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
			TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA">
		<Certificate certificateKeystoreFile="D:/SSL/SANs.SSL.City.jks" certificateKeystorePassword="openSCT" type="RSA" />
	</SSLHostConfig>
	<SSLHostConfig hostName="www.opensct.org" sslProtocol="TLSv1.2" protocols="TLSv1.2,TLSv1.1,TLSv1"
		ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
			TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
			TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
			TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
			TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
			TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
			TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
			TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
			TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
			TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA">
		<Certificate certificateKeystoreFile="D:/SSL/SANs.SSL.City.jks" certificateKeystorePassword="openSCT" type="RSA" />
	</SSLHostConfig>
</Connector>

Result
After completing the configuration above, restart the Tomcat service; the sites can then be accessed at https://ssl.51mubanji.com & https://ssl.51mubanji.com & https://ssl.51mubanji.com
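
An added example, not part of the original tutorial or of Tomcat: a Python check that reads a server.xml and reports, per TLS host, the legacy protocols, static-ECDH suites and CBC/SHA-1 suites that a configuration like those in step 2 enables, plus TLS attributes placed on `<Certificate>`, where Tomcat does not read them. The sample file is constructed with a shortened cipher list, and the names `audit` and `tokens` are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml modelled on the tutorial's Connector (cipher list shortened).
SAMPLE = """<Server><Service name="Catalina">
<Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           SSLEnabled="true" defaultSSLHostConfigName="ssltest1.ssl.city">
  <SSLHostConfig hostName="ssltest1.ssl.city" protocols="TLSv1.2,TLSv1.1,TLSv1"
      ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
               TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA">
    <Certificate certificateKeystoreFile="D:/SSL/Wildcard.SSL.City.jks"
                 certificateKeystorePassword="openSCT" type="RSA" />
  </SSLHostConfig>
</Connector></Service></Server>"""

LEGACY = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
PROTO_ATTRS = ("protocols", "sslEnabledProtocols")

def tokens(value):
    """Split a comma-separated attribute value, tolerating spaces and newlines."""
    return [t.strip() for t in (value or "").split(",") if t.strip()]

def audit(server_xml):
    """Return (scope, finding) tuples for every TLS-enabled Connector."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        # Old-style TLS attributes sit on <Connector>, new-style on <SSLHostConfig>.
        for node in [conn] + conn.findall("SSLHostConfig"):
            scope = node.get("hostName", "port " + conn.get("port", "?"))
            for attr in PROTO_ATTRS:
                for proto in tokens(node.get(attr)):
                    if proto in LEGACY:
                        findings.append((scope, "legacy protocol " + proto))
            for suite in tokens(node.get("ciphers")):
                if suite.startswith("TLS_ECDH_"):
                    findings.append((scope, "no forward secrecy: " + suite))
                elif suite.endswith("_CBC_SHA"):
                    findings.append((scope, "CBC with SHA-1 MAC: " + suite))
            for cert in node.findall("Certificate"):
                for attr in PROTO_ATTRS + ("ciphers", "sslProtocol"):
                    if attr in cert.attrib:
                        findings.append((scope, attr + " set on <Certificate>"))
    return findings

if __name__ == "__main__":
    for scope, finding in audit(SAMPLE):
        print(scope + ": " + finding)
```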

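Step 3: Optimize the SSL settings

After the certificate has been installed successfully, the browser shows one of the following three displays:

  1. Normal display: EV certificate
  2. Normal display: OV/DV certificate
  3. Abnormal display

  • The third display appears because the page contains non-HTTPS links. All non-HTTPS links in the site need to be changed to relative paths or HTTPS links.
  • The Chrome developer tools show which resources on the site are loaded over plain HTTP.
  • We only need to change http://ssl.51mubanji.com/Avatar.png in the page source to https://ssl.51mubanji.com/Avatar.png, or simply use the relative path /Avatar.png.
  • The site then returns to the normal display.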
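
An added example, not part of the original tutorial: a Python scan of a page's source that lists subresources still referenced over http:// and suggests the replacement described in step 3 (a root-relative path for the site's own host, an https:// URL otherwise). The sample page is constructed, and the names `MixedContentFinder` and `find_mixed_content` are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes the browser fetches while rendering; <a href> is navigation, not a fetch.
SUBRESOURCES = {
    ("img", "src"): "passive", ("audio", "src"): "passive", ("video", "src"): "passive",
    ("script", "src"): "active", ("iframe", "src"): "active", ("link", "href"): "active",
}

class MixedContentFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.hits = []  # (line, tag, kind, url, suggested replacement)

    def handle_starttag(self, tag, attrs):
        rel = (dict(attrs).get("rel") or "").lower().split()
        if tag == "link" and not {"stylesheet", "icon"} & set(rel):
            return  # canonical/alternate links are not loaded as subresources
        for name, value in attrs:
            kind = SUBRESOURCES.get((tag, name))
            url = urlsplit((value or "").strip()) if kind else None
            if url is None or url.scheme != "http":
                continue
            if url.hostname == self.site_host:
                # Same host: a root-relative path inherits the page's scheme.
                fix = (url.path or "/") + ("?" + url.query if url.query else "")
            else:
                # Assumes the third-party host also serves the file over HTTPS.
                fix = "https" + url.geturl()[len("http"):]
            self.hits.append((self.getpos()[0], tag, kind, url.geturl(), fix))

def find_mixed_content(html, site_host):
    finder = MixedContentFinder(site_host)
    finder.feed(html)
    return finder.hits

# Constructed page; the host and Avatar.png come from the tutorial, the rest is made up.
SAMPLE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example.com/app.js"></script>
</head><body>
<img src="http://ssl.51mubanji.com/Avatar.png">
<a href="http://ssl.51mubanji.com/about">About</a>
</body></html>"""

if __name__ == "__main__":
    for hit in find_mixed_content(SAMPLE, "ssl.51mubanji.com"):
        print(hit)
```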

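Step 4: Force redirection to HTTPS

Goal
Requests to http://ssl.51mubanji.com are redirected automatically to https://ssl.51mubanji.com

  1. Open the Tomcat configuration file web.xml in an editor.
  2. Add the following before    :

<login-config>
	<auth-method>CLIENT-CERT</auth-method>
	<realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<security-constraint>
	<web-resource-collection>
		<web-resource-name>SSL</web-resource-name>
		<url-pattern>/*</url-pattern>
	</web-resource-collection>
	<user-data-constraint>
		<!-- CONFIDENTIAL: plain-HTTP requests are redirected to the redirectPort of the HTTP Connector -->
		<transport-guarantee>CONFIDENTIAL</transport-guarantee>
	</user-data-constraint>
</security-constraint>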
