What Is the Difference Between the Cer and the Pfx Format When Backing Up Digital Certificates
You can download and install an issued certificate on a Tomcat server. Tomcat servers support two types of certificates: PFX certificates and JKS certificates. You can download a PFX certificate or a JKS certificate based on your Tomcat version. This topic describes how to install a PFX certificate on a Tomcat server.
Prerequisites
- Port 443 is enabled for your Tomcat server. Port 443 is the default port for HTTPS services.
- The OpenSSL tool is installed.
- The certificate that you want to install on your Tomcat server is downloaded to your computer. For more information about how to download a certificate, see Download a certificate to your computer.
Notice
- If you do not set CSR Generation to Automatic when you apply for a certificate, the certificate package that you download does not include the TXT password file. In this case, you must download a CRT certificate for servers of the Other type and then use the OpenSSL tool to convert the certificate to the PFX format.
- If you have certificates that are not in the PFX format, you can use the OpenSSL tool to convert your certificates to the PFX format.
- You are logged on to your Tomcat server.
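The Notice items above say to use OpenSSL to turn a CRT certificate (plus its private key) into the PFX format that Tomcat loads. The following script is an added example, not code from the original page or from Alibaba Cloud: it converts a certificate and key into a PKCS#12 bundle and performs the two checks that catch most conversion mistakes (key does not match certificate; wrong password or empty bundle). The file names, the alias "tomcat" and the password are placeholders, and the self-signed material is constructed inside the script so that it runs offline.

```shell
#!/bin/sh
# Added example (not from the original page): convert a CRT certificate and
# its private key into a PFX (PKCS#12) file with OpenSSL and sanity-check the
# result before copying it into Tomcat's cert directory. File names, the
# keystore alias "tomcat" and the password are placeholders for this example.
set -eu

# Generate throwaway material (a self-signed key pair, constructed here so the
# script runs offline). In real use, CRT and KEY are the certificate from the
# downloaded package and the private key that belongs to its CSR.
make_test_material() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$dir/domain.key" -out "$dir/domain.crt" >/dev/null 2>&1
}

# key_matches_cert CRT KEY: succeed only if the public key in CRT equals the
# public key derived from KEY. A mismatch is the usual reason a freshly
# converted PFX is refused by Tomcat.
key_matches_cert() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$crt_pub" = "$key_pub" ]
}

# convert_to_pfx CRT KEY OUT PASSWORD [CHAIN]: bundle the certificate, its key
# and (optionally) the intermediate chain into OUT, protected by PASSWORD.
convert_to_pfx() {
    crt="$1"; key="$2"; out="$3"; pass="$4"; chain="${5:-}"
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -in "$crt" -inkey "$key" -certfile "$chain" \
            -name tomcat -out "$out" -passout "pass:$pass"
    else
        openssl pkcs12 -export -in "$crt" -inkey "$key" \
            -name tomcat -out "$out" -passout "pass:$pass"
    fi
    # The file now contains the private key: keep it readable only by its owner.
    chmod 600 "$out"
}

# pfx_cert_count PFX PASSWORD: number of end-entity certificates in the bundle.
# Expect 1; 0 means the password is wrong or the export did not work.
pfx_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

# Stand-alone demo: build test material in a temporary directory, convert it
# and report the checks.
demo() {
    work=$(mktemp -d)
    make_test_material "$work"
    if key_matches_cert "$work/domain.crt" "$work/domain.key"; then
        echo "key matches certificate"
    else
        echo "key does NOT match certificate"; rm -rf "$work"; exit 1
    fi
    convert_to_pfx "$work/domain.crt" "$work/domain.key" "$work/domain.pfx" 'example-pass'
    echo "certificates in PFX: $(pfx_cert_count "$work/domain.pfx" 'example-pass')"
    rm -rf "$work"
}

demo
```

Pass the intermediate CA file as the optional fifth argument when the CA supplies one, so that clients receive the whole chain. OpenSSL 3 writes the bundle with AES-256 and PBKDF2 by default; if an old JDK refuses to load such a file, re-export with OpenSSL 3's `-legacy` option.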
Background information
This topic provides an example on how to install a PFX certificate on a Tomcat 7 server that runs a Linux operating system.
Procedure
- Decompress the downloaded certificate package.
  The following files are obtained:
  - Certificate Authority (CA) certificate file domain name.pfx.
    Note In this example, the certificate name is domain name.
  - Password file pfx-password.txt.
    Note A new password is generated each time you download a certificate. The password is valid only for the downloaded certificate. If you want to update a certificate, you must also update the password.
- Create the cert directory in the installation directory of Tomcat and copy the CA certificate and password files that you obtained to the cert directory.
  Note The installation directory varies based on the environment of your server. You can run the following command to query the installation directory (the pattern is quoted so that the shell does not expand it against the current directory):
  sudo find / -name '*tomcat*'
- Modify and save the configuration file server.xml. The configuration file is stored in Tomcat installation directory/conf/server.xml.
You can use one of the following methods to specify SSL implementation:
Notice If you use Method 1 and modify the configuration of an SSL connector, the Tomcat server automatically selects SSL implementation. If you use Method 1 but cannot complete the subsequent configuration, the environment of your server may not support automatic selection of SSL implementation. In this case, you can use Method 2 to manually specify SSL implementation based on your environment.
- Method 1: The Tomcat server automatically selects SSL implementation. Modify the properties of an SSL connector based on the following code:
  <Connector port="443"
             protocol="HTTP/1.1"
             SSLEnabled="true"
             scheme="https"
             secure="true"
             keystoreFile="Tomcat installation directory/cert/domain name.pfx"
             keystoreType="PKCS12"
             keystorePass="Certificate password"
             clientAuth="false"
             SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
             ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256"/>
  Attribute notes:
  - port: Change the port based on your business requirements. Port 443 is the default port for HTTPS services. If you use a different port, you must access your website by using https://domain name:port.
  - keystoreFile: Add the absolute path of the certificate before the certificate name. Replace domain name with the name of your certificate file.
  - keystorePass: Enter the content in the pfx-password.txt file.
- Method 2: Manually specify SSL implementation.
  Remove the comments of the following code in the server.xml file and specify JSSE-based SSL implementation:
  <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
             port="443"
             maxThreads="200"
             scheme="https"
             secure="true"
             SSLEnabled="true"
             keystoreFile="Tomcat installation directory/cert/domain name.pfx"
             keystorePass="Certificate password"
             clientAuth="false"
             sslProtocol="TLS"/>
- Optional: Configure the web.xml file to forcibly redirect HTTP requests to HTTPS requests.
  Append the following content after the </welcome-file-list> element in the web.xml file:
  <login-config>
      <!-- Authorization setting for SSL -->
      <auth-method>CLIENT-CERT</auth-method>
      <realm-name>Client Cert Users-only Area</realm-name>
  </login-config>
  <security-constraint>
      <!-- Authorization setting for SSL -->
      <web-resource-collection>
          <web-resource-name>SSL</web-resource-name>
          <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
  </security-constraint>
- Restart your Tomcat server.
  - Run the following command to stop your Tomcat server:
  - Run the following command to start your Tomcat server:
What to do next
After you complete the preceding operations, you can access the domain name that is bound to the certificate to check whether the certificate is installed.
https://domain name.com # Replace domain name with the domain name that is bound to the certificate.
If a green lock icon appears in the address bar, the certificate is installed.
If your website cannot be accessed over HTTPS, check whether port 443 is enabled for your Tomcat server.
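A browser lock icon confirms only that the default handshake succeeded. The script below is an added example, not part of the original page or of Alibaba Cloud's documentation: it uses openssl s_client to show which certificate the connector actually serves, its validity dates, and which TLS versions can be negotiated. That last check matters because the Method 1 connector above lists TLSv1 and TLSv1.1 in SSLProtocol, and both versions are deprecated (RFC 8996); recent JDKs disable them in java.security regardless of the connector setting, and the probe shows what the running server really accepts. Host, port and SNI name are parameters; the example values are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): probe a live HTTPS endpoint with
# openssl s_client to confirm which certificate is served and which TLS
# versions the connector actually accepts. Host, port and SNI name are
# parameters; any values shown are placeholders for this example.
set -u

# negotiated_protocol HOST PORT SNI [s_client flags...]: print the TLS version
# of a completed handshake, or nothing if the connection or handshake failed.
# Parsed from s_client's "New, TLSv1.x, Cipher is ..." summary line, which
# reads "New, (NONE), Cipher is (NONE)" after a failed handshake.
negotiated_protocol() {
    host="$1"; port="$2"; sni="$3"; shift 3
    openssl s_client -connect "$host:$port" -servername "$sni" "$@" \
        </dev/null 2>/dev/null \
        | sed -n 's/^New, \([^,]*\), Cipher is .*/\1/p' | grep -v '(NONE)' | head -n 1
}

# protocol_accepted HOST PORT SNI FLAG: exit 0 if a handshake completes when
# the client is pinned to FLAG (-tls1, -tls1_1, -tls1_2 or -tls1_3). A
# rejection may also come from the local OpenSSL build refusing an old
# version; either way that version cannot be negotiated from this client.
protocol_accepted() {
    [ -n "$(negotiated_protocol "$1" "$2" "$3" "$4")" ]
}

# served_cert_subject HOST PORT SNI: subject of the leaf certificate presented.
served_cert_subject() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject 2>/dev/null
}

# served_cert_dates HOST PORT SNI: validity window of the leaf certificate.
served_cert_dates() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
        | openssl x509 -noout -dates 2>/dev/null
}

# report HOST PORT SNI: print the checks worth reading after the certificate
# is installed, including whether the deprecated TLSv1/TLSv1.1 listed in the
# connector's SSLProtocol are really reachable.
report() {
    host="$1"; port="$2"; sni="$3"
    echo "subject : $(served_cert_subject "$host" "$port" "$sni")"
    served_cert_dates "$host" "$port" "$sni"
    echo "default : $(negotiated_protocol "$host" "$port" "$sni")"
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        if protocol_accepted "$host" "$port" "$sni" "$flag"; then
            echo "$flag : accepted"
        else
            echo "$flag : rejected"
        fi
    done
}

# Usage: sh tls-check.sh HOST PORT [SNI], e.g. sh tls-check.sh example.test 443
if [ $# -ge 2 ]; then
    report "$1" "$2" "${3:-$1}"
fi
```

Run it against the domain bound to the certificate once Tomcat is restarted; the subject line should name that domain, the dates should be current, and TLSv1/TLSv1.1 should report as rejected.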
Source: https://www.alibabacloud.com/help/doc-detail/98576.htm