ssl - How to configure HTTPS on Tomcat 7 with an SSL certificate?

Tags: ssl https tomcat7 ssl-certificate

I want to configure HTTPS on my Tomcat server. I obtained a FreeSSL certificate, but I don't know the steps to continue.


1. I got an email from the FreeSSL provider with the text of the SSL certificate
2. I copied this text into a file with the extension .p7b
3. I added this certificate to a new keystore
4. In server.xml I inserted the path to this keystore and the password, as in:

<Connector
  SSLEnabled='true'
  keystoreFile="/path/to/certificates/keystore"
  keystorePass="password"
  maxSpareThreads='75'
  port='8443'
  proxyPort='443'
  algorithm='SunX509'
  enableLookups='false'
  secure='true'
  maxThreads='150'
  connectionTimeout='20000'
  disableUploadTimeout='true'
  scheme='https'
  minSpareThreads='5'
  maxHttpHeaderSize='8192'
  sslProtocol='SSL'
  acceptCount='200'
  clientAuth='false'
  sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
  ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,
           TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
           TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
           SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
           SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
/>

But after this step I get the following error:

Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)

in Firefox

A secure connection cannot be established because this site uses an unsupported protocol. Error code: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

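in Chrome

Edit: When I requested the SSL certificate, I created cert.csr and keystore.keystore. But I am not using them now. Could this be the problem?

Edit 2:

As written in the comments, I found the initial keystore and put the new certificate into it. After this I get an error in Firefox: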

Secure Connection Failed

The connection to domain.com:8443 was interrupted while the page was loading. The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.

Best answer

This is one way I set up SSL for Tomcat 7

Hope it helps you

$Tomcat\bin>keytool -genkey -v -alias ***your alias*** 
-keyalg RSA -validity ***how many days*** 
-keystore ***your keystore file path*** keystore 
-dname "CN=***www.yourdomain.com***, 
OU=***Your Organizational Unit***, O=***Your Organization***, 
L=***Your City***, ST=***Your State***, C=***Your Country correct***" 
-storepass ***your keystore password*** -keypass ***your key password***

And in server.xml

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" 
           keystoreFile="***your keystore file path***"
           keystorePass="***your keystore password***" />
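
A keystore that holds the issued certificate but not the private key it was requested with is a common cause of the no-cipher-overlap errors quoted in the question. The following is an added example, not part of the question or the answer: it classifies `keytool -list` output so the keystore named in keystoreFile can be checked before Tomcat is restarted. The function names, aliases and sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify `keytool -list` output on stdin.
# Tomcat's JSSE connector needs a PrivateKeyEntry to present a server
# certificate; a trustedCertEntry carries a certificate but no private key.

# Print "alias<TAB>type" for each entry line of the listing, e.g.
#   tomcat, May 26, 2015, PrivateKeyEntry,
list_entries() {
    awk '
        /(PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),[[:space:]]*$/ {
            line = $0
            sub(/,[[:space:]]*$/, "", line)        # drop the trailing comma
            n = split(line, f, /,[[:space:]]*/)    # alias, date parts, type
            printf "%s\t%s\n", f[1], f[n]
        }'
}

# Verdict: ok | cert-only | alias-not-key | empty.
# Optional $1 is the alias the Connector is expected to serve (keyAlias).
keystore_verdict() {
    list_entries | awk -F '\t' -v want="${1:-}" '
        $2 == "PrivateKeyEntry"  { keys++; if (tolower($1) == tolower(want)) hit = 1 }
        $2 == "trustedCertEntry" { certs++ }
        END {
            if (!keys && !certs)         print "empty"
            else if (!keys)              print "cert-only"
            else if (want != "" && !hit) print "alias-not-key"
            else                         print "ok"
        }'
}

# Constructed listings (hypothetical aliases, fingerprints elided).
sample_cert_only() {
    cat <<'EOF'
Your keystore contains 1 entry
freessl, May 26, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): <constructed>
EOF
}

sample_with_key() {
    cat <<'EOF'
Your keystore contains 2 entries
tomcat, May 26, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): <constructed>
root, May 26, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): <constructed>
EOF
}
```

To check a real keystore, pipe its listing in: `keytool -list -keystore /path/to/certificates/keystore | keystore_verdict`. A `cert-only` result means the certificate was imported into a keystore other than the one that generated the CSR.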

Regarding "ssl - How to configure HTTPS on Tomcat 7 with an SSL certificate?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/30450921/
