导入cert 和 key 到 keystore.jks

今天打算给tomcat 配置 ssl,发现直接将本站的 .crt 和 .key 直接配置在 tomcat 上浏览器会产生握手失败的问题,无论是那个 tls 版本都不能握手成功,找不到两端对应的的 cipher 算法,使用 openssl s_client -connect firegod.cn:8443 返回的错误如下:

140736929969088:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1362:SSL alert number 40

tomcat server.xml 配置如下,关闭了有漏洞的SSLv3版本:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
                maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
                clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
                SSLCertificateChainFile="/opt/nginx/ssl/intermediate.cer"  />




Step one: Convert x509 Cert and Key to a pkcs12 file

openssl pkcs12 -export -in server.crt -inkey server.key \ -out server.p12 -name [some-alias] \ -CAfile ca.crt -caname root

Note: Make sure you put a password on the p12 file – otherwise you’ll get a null reference exception when you try to import it. (In case anyone else had this headache). (Thanks jocull!)

Note 2: You might want to add the -chainoption to preserve the full certificate chain. (Thanks Mafuba)

Step two: Convert the pkcs12 file to a java keystore

keytool -importkeystore \ -deststorepass [changeit] -destkeypass [changeit] -destkeystore server.keystore \ -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass some-password \ -alias [some-alias]


OPTIONAL Step Zero, create self-signed certificate

openssl genrsa -out server.key 2048 openssl req -new -out server.csr -key server.key openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt