GoDaddy SSL Certificate installation in tomcat... No certificate matches private key

Question

Generate the Tomcat KeyStore

keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore

Generate the Certificate KeyStore

keytool -genkey -alias tomcatCert -keyalg RSA -keystore tomcat.keystore

Generate Keys

keytool -certreq -alias tomcat -file csr.txt -keystore tomcat.keystore -storepass pa$$word

Combine certificates

cat mydomain.crt gd_bundle-g2-g1.crt > combinedcerts

Create P12 keystore

keytool -importkeystore -srckeystore tomcat.keystore -destkeystore tomcatkey.p12 -deststoretype PKCS12 -storepass pa$$word

Generate PEM

openssl pkcs12 -in tomcatkey.p12 -out tomcatkey.pem -nodes

Exporting remaining CRT files to keystore...

openssl pkcs12 -export -chain -CAfile gd_bundle-g2-g1.crt -in combinedcerts -inkey tomcatkey.pem -out new.tomcat.keystore -name tomcat -passout pass:pa$$word

And in this last step I'm getting the following error: "No certificate matches private key"

These same steps worked a couple of years ago; the server is the same... only the JDK is 8u131 vs 8u45 from before.

Can someone guide me on what I might be doing wrong? Thank you!

Answer

Generate the Tomcat KeyStore

keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore

No. This step creates the keystore file all right, but more importantly it creates the keypair, of type RSA.

Generate the Certificate KeyStore

keytool -genkey -alias tomcatCert -keyalg RSA -keystore tomcat.keystore

No. This step does not 'generate the certificate keystore', whatever that is supposed to be. It does nothing except create another keypair, under another alias, in the same keystore, and the alias remains unused throughout the rest of the procedure. It is identical by inspection to the previous step, with the exception of the alias change, which is pointless, and the missing key size, which makes it useless. Omit.

Generate Keys

keytool -certreq -alias tomcat -file csr.txt -keystore tomcat.keystore -storepass pa$$word

You already generated the keys in the first step. This step generates the Certificate Signing Request (CSR).

Combine certificates

cat mydomain.crt gd_bundle-g2-g1.crt > combinedcerts

There's a step missing here, where you submitted the CSR and got it signed. Presumably the results of this process were mydomain.crt and the Godaddy bundle file.

Create P12 keystore

keytool -importkeystore -srckeystore tomcat.keystore -destkeystore tomcatkey.p12 -deststoretype PKCS12 -storepass pa$$word

Why? You could have used -storetype PKCS12 at step 1 and following, if you wanted a P12 keystore. And there is a step missing here, where you import the concatenated certificates back into the original keystore.

Generate PEM

openssl pkcs12 -in tomcatkey.p12 -out tomcatkey.pem -nodes

Why?

Exporting remaining CRT files to keystore...

openssl pkcs12 -export -chain -CAfile gd_bundle-g2-g1.crt -in combinedcerts -inkey tomcatkey.pem -out new.tomcat.keystore -name tomcat -passout pass:pa$$word

Why?

I don't know why you're doing these OpenSSL steps. Tomcat can already handle either tomcat.keystore or tomcat.p12 as they already are.

And in this last step I'm getting the following error: "No certificate matches private key"

I don't know why you're doing most of these steps. You're never using the tomcatCert alias, and you're putting an already perfectly adequate tomcat.keystore file through not one but three further pointless steps.

These same steps worked a couple of years ago; the server is the same... only the JDK is 8u131 vs 8u45 from before.

I doubt it. They are mislabelled, redundant, incomplete, and totally incoherent. More probably somebody just flailed around helplessly until something worked and then wrote down as much as they could remember. There is no need to use the OpenSSL tool at all. All you need is:

  1. Generate the keypair: keytool -genkey.
  2. Generate the CSR: keytool -certreq.
  3. Get the CSR signed.
  4. Concatenate the certificates, your newly signed certificate first, then the bundle.
  5. Import the concatenated file into the same keystore using the same alias as at (1) and (2).
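The five steps above, written out as an added example (this is not code from the original question or answer), so that each step can be checked instead of remembered. The key store name, alias, example DN, file names and the placeholder password are all assumptions. The `key_matches_cert` helper at the end is only a diagnostic for the error in the question (a certificate matches a private key exactly when both carry the same RSA modulus); it uses openssl and is not part of the keytool procedure itself.

```shell
#!/bin/sh
# Added example, not code from the original question or answer: the five-step,
# keytool-only procedure the answer recommends, plus the checks worth running
# before and after the import. Key store name, alias, file names, example DN
# and the placeholder password are all assumptions.
set -eu

KEYSTORE=tomcat.keystore
ALIAS=tomcat
# Single quotes matter here: unquoted, the shell expands the $$ in pa$$word
# to its own process id before keytool ever sees it.
STOREPASS='pa$$word'

# Step 1: create the key store AND the RSA key pair, under the alias Tomcat will use.
gen_keypair() {
    keytool -genkeypair -keyalg RSA -keysize 2048 -alias "$ALIAS" \
        -dname 'CN=www.example.com,O=Example,C=US' \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Step 2: the CSR for that same alias; it carries that key pair's public key.
gen_csr() {
    keytool -certreq -alias "$ALIAS" -file csr.txt \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Step 3 is manual: submit csr.txt to the CA and download the signed leaf
# (mydomain.crt) and the CA bundle (gd_bundle-g2-g1.crt).

# Step 4: concatenate, newly signed leaf first, then the bundle.
build_chain() {   # build_chain LEAF BUNDLE OUT
    cat "$1" "$2" > "$3"
}

# Number of PEM certificate blocks in a file (leaf + bundle should add up).
cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Only the first PEM block of a file, to confirm the leaf really is on top.
first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{if(p) exit}' "$1"
}

# Step 5: import the reply under the SAME alias as the key pair. keytool checks
# that the reply's public key matches the stored private key: success prints
# "Certificate reply was installed in keystore", a wrong key is rejected with
# "Public keys in reply and keystore don't match". -trustcacerts lets the chain
# be anchored at the CA root shipped in the JDK's cacerts.
import_reply() {   # import_reply COMBINED_PEM
    keytool -importcert -trustcacerts -noprompt -alias "$ALIAS" -file "$1" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# After the import the entry must still be a PrivateKeyEntry carrying the chain.
show_entry() {
    keytool -list -v -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        | grep -E 'Entry type|Certificate chain length'
}

# Diagnostic for the error in the question: a certificate "matches" a private
# key exactly when both carry the same RSA modulus. Exit status 0 on match.
key_matches_cert() {   # key_matches_cert KEY.pem CERT.pem
    key_mod=$(openssl rsa -noout -modulus -in "$1")
    cert_mod=$(openssl x509 -noout -modulus -in "$2")
    [ "$key_mod" = "$cert_mod" ]
}

case "${1:-}" in
    --gen)
        gen_keypair
        gen_csr
        echo "Submit csr.txt to the CA, then: $0 --import mydomain.crt gd_bundle-g2-g1.crt" ;;
    --import)
        build_chain "$2" "$3" combinedcerts
        [ "$(first_cert combinedcerts)" = "$(first_cert "$2")" ] \
            || { echo "leaf certificate is not first in combinedcerts" >&2; exit 1; }
        import_reply combinedcerts
        show_entry ;;
esac
```

Run it once with `--gen`, submit csr.txt, then run it with `--import mydomain.crt gd_bundle-g2-g1.crt`. The import is refused by the script if the leaf is not the first block of the concatenated file, and refused by keytool if the reply's public key does not belong to the stored private key; afterwards `show_entry` should report `Entry type: PrivateKeyEntry` with a chain length greater than 1, and tomcat.keystore is usable by Tomcat as it is.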
