GoDaddy生成ssl域名證書

1. 生成csr文件

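# Creates a new 2048-bit RSA key (test.key) and a certificate signing request
# (test.csr). -nodes writes the private key unencrypted, so the command runs in
# a subshell with a restrictive umask to make sure the key file is not created
# readable by other local users.
(umask 077 && openssl req -new -newkey rsa:2048 -nodes -keyout test.key -out test.csr)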

Common Name設置爲域名

2. 配置ssl,在GoDaddy上填充csr後,下載對應的證書:

# Build the file nginx serves as ssl_certificate: the issued certificate
# (id.crt) comes first, followed by the CA bundle.
# NOTE(review): if id.crt does not end with a newline, the END/BEGIN PEM
# markers end up on one line and the file may fail to load; check the join.
cat id.crt gd_bundle-g2-g1.crt > test.crt

3.配置nginx ssl

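server
    {
        # HTTPS virtual host for www.test.com.
        listen 443 ssl;
        #listen [::]:80;
        server_name www.test.com;
        index index.html index.htm index.php default.html default.htm default.php;
        root  /home/wwwroot/dist;

        include rewrite/other.conf;
        #error_page   404   /404.html;

        # test.crt = issued certificate followed by the CA bundle (step 2).
        ssl_certificate /usr/local/nginx/conf/cert/test.com/test.crt;
        # The key was generated with -nodes (unencrypted): restrict the file's
        # permissions so only the account that loads it can read it.
        ssl_certificate_key /usr/local/nginx/conf/cert/test.com/test.key;
        ssl_session_timeout 5m;
        # TLSv1.1 removed: TLS 1.0 and 1.1 are deprecated (RFC 8996). Add
        # TLSv1.3 here once the installed nginx/OpenSSL build supports it.
        ssl_protocols TLSv1.2;
        # NOTE(review): the broad ECDH/AES/HIGH keywords still admit CBC and
        # static-RSA (no forward secrecy) suites for clients that ask for them;
        # consider an explicit list of ECDHE AEAD suites instead.
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE;
        ssl_prefer_server_ciphers on;

        # Deny access to PHP files in specific directory
        #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

        include enable-php.conf;

        # Long client-side cache lifetime for images.
        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
            expires      30d;
        }

        # The "?" after the group was dropped: it made the extension optional,
        # so the pattern also matched any URI that merely ends in a dot.
        location ~ .*\.(js|css)$
        {
            expires      12h;
        }

        # Must stay above the dot-file block below: nginx uses the first regex
        # location that matches. The dot is escaped so that only a literal
        # "/.well-known" matches.
        location ~ /\.well-known {
            allow all;
        }

        # Block every other hidden file or directory (.git, .htaccess, ...).
        location ~ /\.
        {
            deny all;
        }
        error_log /home/wwwlogs/www.test.com.error.log;
        access_log  /home/wwwlogs/www.test.com.access.log;
    }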

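 server {
    # Plain-HTTP virtual host: every request is redirected to HTTPS.
    listen 80;
    server_name www.test.com;
    # NOTE(review): this root is under /home/wwwlogs while the HTTPS block uses
    # /home/wwwroot/dist; it is never served because of the redirect, but
    # confirm the path is intended.
    root  /home/wwwlogs/dist;
    # "return" replaces the catch-all rewrite: no regex capture, and the
    # original request URI (including the query string) is passed through as is.
    # $host follows the request's Host header; use a fixed name instead if this
    # block can become the default server for port 80.
    return 301 https://$host$request_uri;
 }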

4.生成tomcat文件

# Generate a 2048-bit RSA key pair under the alias "tomcat" in tomcat.keystore.
# This is a separate key pair from test.key in step 1. The keystore holds the
# private key, so choose a strong store password and restrict access to the file.
keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore

# Convert the keystore in place to the PKCS12 format.
keytool -importkeystore -srckeystore tomcat.keystore -destkeystore tomcat.keystore -deststoretype pkcs12


# Write a CSR for the "tomcat" key pair to csr.csr; this is the file submitted
# to the CA for the Tomcat certificate.
keytool -certreq -keyalg RSA -alias tomcat -file csr.csr -keystore tomcat.keystore

# Import the CA bundle under the alias "root".
keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file gd_bundle-g2-g1.crt
 
# Import the intermediate certificate (gdig2.crt) under the alias "intermed".
keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file gdig2.crt
 
# Import the issued certificate (xxxxx.crt is a placeholder file name) under the
# same alias as the key pair, so it is attached to that private key.
# NOTE(review): presumably this has to come after the CA imports above so that
# keytool can build the chain; confirm against the keytool output.
keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file xxxxx.crt

gdig2路徑下載:https://certs.godaddy.com/repository/

5.設置http跳轉,在web.xml末尾添加:

<security-constraint>
    <!-- Transport guarantee for SSL (not an authorization rule): the
         CONFIDENTIAL value below requires an encrypted connection for every
         URL matched by /*. This element has to sit inside the web-app element
         of web.xml.
         NOTE(review): Tomcat is expected to redirect plain-HTTP requests to
         the redirectPort of the HTTP connector; confirm that port is the TLS
         connector in server.xml. -->
    <web-resource-collection >
        <web-resource-name >SSL</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
 
