SSL证书请求文件(CSR)生成指南 - Tomcat
 

重要注意事项 An Important Note Before You Start

在生成CSR文件时同时生成您的私钥,如果您丢了私钥或忘了私钥密码,则颁发证书给您后不能安装成功!您必须重新生成私钥和CSR文件,免费重新颁发新的证书。为了避免此情况的发生,请在生成CSR后一定要备份私钥文件和记住私钥密码,最好是在收到证书之前不要再动服务器。 
By far the most common problem users have when going through this process is related to private keys. If you lose or cannot access a private key, you cannot use the certificate we issue to you and will need to request a free reissue. To ensure this never happens, we advise that a backup of the private key file is made and that a note is made of the password that is used to protect the export of the private key.

您可以使用"keytool"来生成私钥和CSR文件,如果您的服务器上没有安装keytool,请先下载安装: 
The utility "keytool" that you use to generate the private key (keyEntry) and CSR comes with the Sun JDK toolkit. If you do not have JDK installed please download it from the following link:http://java.sun.com/J2SE/downloads.html,We recommend that the latest version be used, which is 1.5.0.

以下为生成 keystore 和 keyentry 指南,Tomcat 支持 JKS 和 PKCS#12 格式的 keystore,JKS 格式是标准的 “Java Keystore”格式,使用 keytool 命令产生;而 PKCS#12 格式则可以通过使用Openssl中的转换工具转换而成。本指南仅指keytool方式的JKS格式。 
The following sequence of commands will generate a keystore and keyEntry. Tomcat currently supports JKS and PKCS#12 format keystores. The JKS format is Java's standard "Java KeyStore" format, and is the format generated by the keytool command-line utility which is packaged in the JDK kit. The PKCS#12 format is a general format which can be converted using the Openssl toolkit. The following instructions make use of keytool only.

1. 生成 keystore 和 keyEntry, Generate a keystore and keyEntry

请使用以下命令,并参考下图: Please type the following command at the prompt:

keytool -genkey -alias [keyEntry_name] -keyalg RSA -keystore [keystore_name]

请注意:如果您不指定一个 keystore 名称(不使用参数 -keystore), 则 keystore 文件将保存在您的用户目录中(如:C:/Documents and Settings/your name/.keystore),文件名为:.keystore 
Note: If you do not specify a keystore (-keystore omitted from the command) name, the keystore will be saved to your local profile directory as a .keystore file (i.e C:/Documents and Settings/your name/.keystore)

系统会提示您输入 keystore 密码,缺省密码为:changeit,您可以指定一个新的密码,但请一定要记住。
When you execute this command you will be prompted for a keystore password. The default password used by Tomcat is "changeit" although you can specify a password of your choice.

接着,会提示“What is your fist and last name?”,请输入您要申请SSL证书的域名,而不是真的输入您的个人姓名,如果您需要为www.domain.com申请SSL证书就不能只输入domain.com。SSL证书是严格绑定域名的。
The term "First and last name" is X.509 speak for the name that distinguishes the certificate best, and ties it to your Organization. Enter your exact host and domain name that you wish to secure. Example: If you wish to secure www.mydomain.com, then you will need to enter the exact host (www) and domain name (mydomain.com) in this field. If you enter mydomain.com then the certificate issued to you will only work error free on https://mydomain.com. It will cause a certificate mismatch error when you or your users access the domain via https:// www.mydomain.com.

接着,输入您的部门名称、单位名称、所在城市、所在省份和国家缩写(中国填:CN,其他国家填其缩写),单位名称一定要与证明文件上的名称一致,部门名称(OU)可以不填。除国家缩写必须填CN外,其余都可以是英文或中文。 
Enter your country, state or province and locality or city. You should enter the company name as it appears on your official company registration documents. The organization unit is optional, we verify and authenticate the company name and not the organization unit. To skip the organization unit (OU) field please press enter on your keyboard.

最后,要求您输入私钥密码, 请一定要为 keystore 和 keyEntry 输入一样的密码,否则您重新启动Tomcat后会提示错误信息:java.security.UnrecoverableKeyException: Cannot recover key。同时,请一定要记住密码! 
Finally, you will be prompted for the keyEntry password, which is the password which protects the private key. Please specify the same password for the keystore and the keyEntry or else you will receive the following error message when you restart the Tomcat engine: java.security.UnrecoverableKeyException: Cannot recover key

2. 生成CSR, Generate the CSR

请使用以下命令,并参考下图: Please type the following command at the prompt:

keytool -certreq -alias [keyEntry name] -file request.csr -keystore [keystore name]

CSR文件(request.csr)会保存在 JDK/bin 目录,这样就完成了公钥和私钥对的生成,私钥(keyEntry)保存在JDK/bin目录中,公钥则需要发给WoTrust签名后颁发证书。CSR文件为文本文件,如下图示。 
The CSR will be saved to your JDK/bin directory. You have now created a public/private key pair. The private key (KeyEntry) is stored inside the keystore in the JDK/bin directory and is used for decryption. The public portion is sent to WoTrust in the form of a Certificate Signing Request (request.csr), and will be used by your users to encrypt the data they send to your site. The Certificate Signing Request (CSR) looks something like this:

3. 备份私钥文件 Backup your private key

请备份您的keystore文件并记下私钥密码。最好是把私钥文件备份到软盘或光盘中。 
Please backup your keystore file and make a note of the password. A good choice is to create a copy of this file onto a diskette or other removeable media.

4. 测试CSR和把CSR发给WoTrust, Start the certificate request process

生成CSR后,建议您自己测试一下生成的CSR文件是否正确,请点击 这里 测试您的CSR文件。请把测试成功的CSR文件发给WoTrust即可。请一定不要再动您的服务器,等待证书的颁发。
To submit the CSR to WoTrust for processing you should start the certificate enrollment process

SSL证书请求文件(CSR)生成指南 - Tomcat的更多相关文章

  1. 自己制作ssl证书:自己签发免费ssl证书,为nginx生成自签名ssl证书

    这里说下Linux 系统怎么通过openssl命令生成 证书. 首先执行如下命令生成一个key openssl genrsa -des3 -out ssl.key 1024 然后他会要求你输入这个ke ...

  2. linux系统自签发免费ssl证书,为nginx生成自签名ssl证书

    首先执行如下命令生成一个key openssl genrsa -des3 -out ssl.key 1024 然后他会要求你输入这个key文件的密码.不推荐输入.因为以后要给nginx使用.每次rel ...

  3. openssl 自己制作ssl证书:自己签发免费ssl证书,为nginx生成自签名ssl证书

    server { listen 80; listen 443 ssl; server_name ~^((cloud)|(demo-cloud)|(demo2-cloud)|(approval1))(( ...

  4. 用XCA(X Certificate and key management)可视化程序管理SSL 证书(2)--生成SSL证书请求

    在上个章节中,我们提到了怎样安装XCA(X Certificate and key management)程序.这个章节我们開始正式介绍怎样用XCA生成证书请求.假设大家用过java的话.肯定知道jd ...

  5. 全民https时代,Let's Encrypt免费SSL证书的申请及使用(Tomcat版)

    近几年,在浏览器厂商的强力推动下,HTTPS的使用率大增.据统计,Firefox加载的网页中启用HTTPS的占比为67%,谷歌搜索结果中HTTPS站点占比已达50%,HTTPS网站已获得浏览器和搜索引 ...

  6. iOS本机生成证书请求文件流程

    第一步:苹果机上打开“Finder”,选择“应用程序”,双击打开“实用工具” 第二步:在“实用工具”中,选“择钥匙串访问”,双击打开 第三步: “钥匙串访问”打开,看到如下页面 第四步:选择菜单中“钥 ...

  7. 国密SSL证书免费试用申请指南

    沃通提供国密SSL证书免费申请试用服务,一次申请可同时签发SM2/RSA双算法证书,试用周期1个月,用于测试国密SM2 SSL证书的运行效果和SM2/RSA双证书部署效果. 试用产品:SM2/RSA双 ...

  8. ssl证书生成与验证

    要做这件事情的起因在于,代码的升级包放在一个https的服务器上,我们的设备要实现升级,则是通过wget 获取https上的升级包,并且要实现验证证书的功能,这样可以防止设备被恶意篡改升级成其他文件包 ...

  9. nginx ssl证书安装配置

    原理图: - 客户端生成一个随机数 random-client,传到服务器端(Say Hello) - 服务器端生成一个随机数 random-server,和着公钥,一起回馈给客户端(I got it ...

随机推荐

  1. SQL Server索引 (原理、存储)聚集索引、非聚集索引、堆 <第一篇>

    一.存储结构 在SQL Server中,有许多不同的可用排列规则选项. 二进制:按字符的数字表示形式排序(ASCII码中,用数字32表示空格,用68表示字母"D").因为所有内容都 ...

  2. DBCP、C3P0、Proxool 、 BoneCP开源连接池的比《转》

     简介   使用评价  项目主页  DBCP DBCP是一个依赖Jakarta commons-pool对象池机制的数据库连接池.DBCP可以直接的在应用程序用使用 可以设置最大和最小连接,连接等待时 ...

  3. Java中正则Matcher类的matches()、lookAt()和find()的区别<转>

    在Matcher类中有matches.lookingAt和find都是匹配目标的方法,但容易混淆,整理它们的区别如下: matches:整个匹配,只有整个字符序列完全匹配成功,才返回True,否则返回 ...

  4. Switch用法

    package com.cz.test; public class SwitchExample1 { /** * @param args */ public static void main(Stri ...

  5. DDL和DML的定义和区别

    DML(Data Manipulation Language)数据操纵语言: 适用范围:对数据库中的数据进行一些简单操作,如insert,delete,update,select等. DDL(Data ...

  6. unique-substrings-in-wraparound-string(好)

    https://leetcode.com/problems/unique-substrings-in-wraparound-string/ 好,我自己做出来的.多总结规律,多思考. package c ...

  7. iOS开发之 Xcode 5 下让你的应用在不同状态(debug, release)有不同的图标

    http://nickcheng.com/post/unique-icons-for-your-app-in-different-state-in-xcode5-debug-release 应用在发布 ...

  8. HashMap遍历

    package com.jackey.topic; import java.util.ArrayList;import java.util.HashMap;import java.util.Itera ...

  9. 使用Python获取Linux系统的各种信息

    哪个Python版本? 当我提及Python,所指的就是CPython 2(准确的是2.7).我会显式提醒那些相同的代码在CPython 3 (3.3)上是不工作的,以及提供一份解释不同之处的备选代码 ...

  10. panels能否包含views_block ////// panels -- content pane 参数传递

    是可以的包含block,不管是手动在block后台创建的,还是通过views创建的block,都可以在Panel add content的时候添加. ------------ panels 和 con ...