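  • Configuring HTTPS on Tomcat

    1. Convert the certificate format. Create an ssl directory under the Tomcat installation directory and copy all of the certificate files downloaded from Alibaba Cloud into it. (If the CSR was created by the system, go straight to step 2.)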

    [root@lb01 ~]# mkdir /server/tomcat-8080/ssl
    [root@lb01 ~]# cd /server/tomcat-8080/ssl
    [root@lb01 ssl]# # upload the corresponding certificate archive here
    [root@lb01 ssl]# unzip 1524377920931.zip
    
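    # Run the following command to convert the certificate to PFX format. You will be asked to set a PFX certificate password here; remember it.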
    [root@lb01 ssl]# openssl pkcs12 -export -out 1524377920931.pfx -inkey 1524377920931.key -in 1524377920931.pem
    

    2. Edit conf/server.xml in the Tomcat installation directory

    [root@lb01 ~]# vim /server/tomcat-8080/conf/server.xml
    <!--1. Change the Host name to your own domain (tomcat.oldxu.com in this example) -->
    <Host name="tomcat.oldxu.com"  appBase="webapps"
        unpackWARs="true" autoDeploy="true">
    
    <!--2. Change redirectPort="8443" to redirectPort="443"-->
    <Connector port="8080" protocol="HTTP/1.1"
                   connectionTimeout="20000"
                   redirectPort="443" />
    
    <!--3. Add the following-->
    <Connector port="443"
        protocol="org.apache.coyote.http11.Http11NioProtocol"
        maxThreads="150"
        SSLEnabled="true"
        scheme="https"
        secure="true"
        keystoreFile="ssl/1524377920931.pfx"
        keystoreType="PKCS12"
        keystorePass="123456"
        clientAuth="false"
        SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
        ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256"/>
    

    3. Restart the Tomcat service

    [root@lb01 ~]# /server/apache-tomcat-9.0.11/bin/shutdown.sh
    [root@lb01 ~]# /server/apache-tomcat-9.0.11/bin/startup.sh
    
    [root@lb01 ~]# netstat -lntp
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      29331/java
    tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      29331/java
    tcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN      29331/java
    tcp        0      0 0.0.0.0:8009            0.0.0.0:*               LISTEN      29331/java
    

    4. Open https://IP in a browser and the site is reachable; http://IP will fail (the netstat output above shows no listener on port 80).
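
The HTTPS connector in step 2 enables TLS 1.0/1.1 alongside TLS 1.2, lists static-RSA and CBC cipher suites, and uses a six-character keystore password. The Python audit below is an added example, not part of the original article or of Tomcat: it parses `<Connector>` elements and reports those settings. `HARDENED_CONNECTOR`, the function names and the 12-character password threshold are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

WEAK_PROTOCOLS = {"SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
MIN_PASS_LEN = 12  # assumed local policy, not a Tomcat requirement

# Constructed sample: the connectors from step 2 (cipher list shortened).
PAGE_CONNECTOR = """<Service>
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="443"/>
  <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
      keystoreFile="ssl/1524377920931.pfx" keystoreType="PKCS12"
      keystorePass="123456" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
      ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"/>
</Service>"""

# Constructed sample (assumption): TLS 1.2 only, ECDHE + AES-GCM, placeholder password.
HARDENED_CONNECTOR = """<Service>
  <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
      keystoreFile="ssl/1524377920931.pfx" keystoreType="PKCS12"
      keystorePass="PLACEHOLDER-long-random-value" SSLProtocol="TLSv1.2"
      ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"/>
</Service>"""

def split_list(value):
    """Split a '+' or ',' separated attribute value into clean tokens."""
    return [tok.strip() for tok in value.replace("+", ",").split(",") if tok.strip()]

def audit_connectors(xml_text):
    """Return (port, finding) tuples for every TLS-enabled <Connector>."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP or AJP connector: no TLS settings to audit
        port = conn.get("port", "?")
        protocols = conn.get("SSLProtocol") or conn.get("sslEnabledProtocols") or ""
        for proto in split_list(protocols):
            if proto in WEAK_PROTOCOLS:
                findings.append((port, f"deprecated protocol {proto}"))
        for suite in split_list(conn.get("ciphers", "")):
            if suite.startswith("TLS_RSA_"):
                findings.append((port, f"no forward secrecy: {suite}"))
            elif "_CBC_" in suite:
                findings.append((port, f"CBC-mode suite: {suite}"))
        if len(conn.get("keystorePass", "")) < MIN_PASS_LEN:
            findings.append((port, "keystorePass below assumed minimum length"))
    return findings

if __name__ == "__main__":
    for name, xml_text in (("page", PAGE_CONNECTOR), ("hardened", HARDENED_CONNECTOR)):
        print(name, audit_connectors(xml_text) or "no findings")
```

The samples are wrapped in a `<Service>` root only so they parse on their own; a complete conf/server.xml can be passed to `audit_connectors` unchanged.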

  • Original article: https://www.cnblogs.com/xuliangwei/p/11604272.html