我正在開發一個我繼承的網站。該網站是在帶有嵌入式 Tomcat 服務器的 Spring Boot 中制作的。它使用 .jks 檔案進行 HTTPS。SSL 證書已過期,我正在嘗試從 Godaddy 收到的檔案中創建一個新的 .jks 檔案。有一份檔案說明了如何去做,但缺少一些東西。
These are the steps in document to create .jks file:
Security Settings
C:\trash\keyproc>openssl req -new -newkey rsa:2048 -nodes -keyout website_name_here.key -out website_name_here.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:XX
State or Province Name (full name) [Some-State]:XXXXX
Locality Name (eg, city) []:XXXX
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XXXXX
Organizational Unit Name (eg, section) []:Software Development
Common Name (e.g. server FQDN or YOUR name) []:website_name_here.co
Email Address []:xxxxx@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:pwd_here
An optional company name []:xxxxx
Two files are generated website_name_here.key & website_name_here.csr
Use website_name_here.csr generated to get certificate from Godaddy.
Get SSL cetrificate from Godaddy and extract to this folder.
#################### Java Version 17 was active from hereon #################################################################
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\trash\keyproc>keytool -importkeystore -deststorepass pwd_here -destkeystore website_name_here.jks -srckeystore website_name_here.p12 -srcstoretype PKCS12
Importing keystore website_name_here.p12 to website_name_here.jks...
Enter source keystore password:
Entry for alias website_name_here.co successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore website_name_here.jks -destkeystore website_name_here.jks -deststoretype pkcs12".
C:\trash\keyproc>
After this just import main CRT file not bundle file using keytool.
在上述步驟中,沒有提到 website_name_here.p12 檔案的來源。它可能是什么?
使用 .jks 檔案的代碼如下:
import lombok.SneakyThrows;
import org.apache.catalina.connector.Connector;
import org.apache.coyote.http11.Http11NioProtocol;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.stereotype.Component;
import java.net.InetAddress;
import java.util.Optional;
//@Profile("dev")
@Component
public class TomcatEmbedServerCustomConfiguration implements WebServerFactoryCustomizer<TomcatServletWebServerFactory>
{
private static final Logger logger = LoggerFactory.getLogger(TomcatEmbedServerCustomConfiguration.class);
IWebApplicationServerSettingsRepository appSettinsRepository;
ApplicationHttpsSettingsEntityRepository applicationHttpsSettingsEntityRepository;
public TomcatEmbedServerCustomConfiguration(IWebApplicationServerSettingsRepository appSettinsRepository, ApplicationHttpsSettingsEntityRepository applicationHttpsSettingsEntityRepository)
{
this.appSettinsRepository = appSettinsRepository;
this.applicationHttpsSettingsEntityRepository = applicationHttpsSettingsEntityRepository;
}
@SneakyThrows
@Override
public void customize(TomcatServletWebServerFactory factory)
{
logger.info("Setting the Tomcat specific configurations. started");
try
{
Optional<WebApplicationServerSettingEntity> serverSettingEntity = appSettinsRepository.findById(1);
if (serverSettingEntity.isPresent())
{
factory.setPort(serverSettingEntity.get().getPort().getPORT());
factory.setAddress(InetAddress.getByName(serverSettingEntity.get().getHost()));
}
factory.setServerHeader("Server header of tomcat");
// HTTPS Settings - Begin
Optional<ApplicationHttpsSettingsEntity> applicationHttpsSettingsEntity = applicationHttpsSettingsEntityRepository.findById(1);
if(applicationHttpsSettingsEntity.isPresent())
{
logger.info("Setting HTTPS settings....");
if(applicationHttpsSettingsEntity.get().getUseHttps() !=0)
{
factory.addAdditionalTomcatConnectors(createSslConnector());
factory.addContextCustomizers(context ->
{
logger.info("Setting HTTPS settings....setting...");
SecurityConstraint securityConstraint = new SecurityConstraint();
securityConstraint.setUserConstraint("CONFIDENTIAL");
SecurityCollection collection = new SecurityCollection();
collection.addPattern("/*");
securityConstraint.addCollection(collection);
context.addConstraint(securityConstraint);
logger.info("Setting HTTPS settings....setting...Done");
});
}
logger.info("Setting HTTPS settings....End");
}
// HTTPS Settings - end
logger.info("Tomcat Server Configuration Host=[" factory.getAddress() "] Port=[" factory.getPort() "]");
logger.info("Setting the Tomcat specific configurations. ended");
}
catch (Exception e)
{
logger.error(e.getMessage());
throw e;
}
}
// HTTPS Settings - Begin
private Connector createSslConnector() {
Optional<ApplicationHttpsSettingsEntity> applicationHttpsSettingsEntity = applicationHttpsSettingsEntityRepository.findById(1);
if(applicationHttpsSettingsEntity.isPresent())
{
logger.info("Creating SSL Connector...");
Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
Http11NioProtocol protocol = (Http11NioProtocol) connector.getProtocolHandler();
// File keystore = new ClassPathResource("website_name.jks").getFile();
// File truststore = new ClassPathResource("keystore").getFile();
connector.setScheme("https");
connector.setSecure(applicationHttpsSettingsEntity.get().getUseHttps() != 0);
connector.setPort(applicationHttpsSettingsEntity.get().getBroadcaster().getPORT());
protocol.setSSLEnabled(applicationHttpsSettingsEntity.get().getUseHttps() != 0);
// protocol.setKeystoreFile("file:///c://trash//website_name_here.jks");
protocol.setKeystoreFile(applicationHttpsSettingsEntity.get().getKeyStore());
// protocol.setKeystorePass("pwd_here");
protocol.setKeystorePass(applicationHttpsSettingsEntity.get().getKeyStorePassword());
// protocol.setTruststoreFile(truststore.getAbsolutePath());
// protocol.setTruststorePass("changeit");
protocol.setKeyAlias(applicationHttpsSettingsEntity.get().getKeyAlias());
logger.info("Creating SSL Connector...Done");
return connector;
}
return null;
}
// HTTPS Settings - End
}
和
@Configuration
//@Profile("production")
public class SecurityConfig
{
// HTTPS Settings - Begin
@Bean
public TomcatServletWebServerFactory httpsRedirectConfig()
{
return new TomcatServletWebServerFactory()
{
@Override
protected void postProcessContext(Context context)
{
SecurityConstraint securityConstraint = new SecurityConstraint();
securityConstraint.setUserConstraint("CONFIDENTIAL");
SecurityCollection collection = new SecurityCollection();
collection.addPattern("/*");
securityConstraint.addCollection(collection);
context.addConstraint(securityConstraint);
}
};
}
// HTTPS Settings - End
}
uj5u.com熱心網友回復:
設定像 Tomcat 這樣的 Java SSL/TLS(包括 HTTPS)服務器的正確程序之一是:
openssl req -new -newkey ...在 PEM 中創建密鑰和 CSR將 CSR 發送到證書頒發機構,即 CA(此處為 GoDaddy)并提供您擁有或控制指定域的證明,以及(取決于 CA)付款,并取回服務器(葉)證書以及一個或多個鏈證書( s)(通常標記為中間)和可能/可能是根證書,通常在 PEM 中;如果不是,您必須在繼續之前轉換為 PEM
(你缺少的一步)
openssl pkcs12 -export -in cert1PEM -inkey keyPEM [-certfile cert2PEM] [-friendlyname somename] -out p12filecert1PEM必須至少包含服務器證書,并且可能包含其他(鏈/中間和可選的根)證書;如果它不包含后者,則那些必須在-certfile cert2PEM.-friendlyname somename是可選的,但您顯示的輸出keytool暗示它已被使用(包括 keytool 的 Java 將其顯示為別名)keytool -importkeystore -srckeystore p12file -destkeystore jksfile ...但我不相信你的評論“Java 17 處于活動狀態”,除非 .jks 檔案已經存在,它不應該存在。Java 9 以上,包括 17,默認創建新的密鑰庫檔案為 PKCS12,而不是 JKS,并且不會產生該警告。Java 8 的最新更新將。(也就是說,j8 的所有更新都默認輸出到 JKS,最近的更新在這樣做時會給出警告。)
在任何情況下,步驟 4 都是過時且不必要的。自 2015 年 8u60 以來的所有 Java 版本默認都可以讀取 PKCS12(由步驟 3 生成),根本不需要 JKS 檔案。即使是較舊的版本(回到 2000 年左右)也可以讀取 PKCS12,只需對配置進行輕微更改,我會推薦這正是因為 JKS 是“專有的”(正如警告現在所說)而且很弱(警告沒有說)。
轉載請註明出處,本文鏈接:https://www.uj5u.com/qianduan/530083.html
