在 tomcat 9 中使用 pkcs12 证书时出现错误

首先，正确创建 pkcs12 证书，如下所示

# this command will ask info & password
openssl req -x509 -newkey rsa:4096 -keyout myKey.pem -out cert.pem -days 365

openssl pkcs12 -export -out keyStore.p12 -inkey myKey.pem -in cert.pem

执行此命令后，您将拥有 3 个文件。我们关心

keyStore.p12

。

卡塔琳娜设置

添加整个文件

server.xml

<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

  <!-- Global JNDI resources
      Documentation at /docs/jndi-resources-howto.html
  -->
  <GlobalNamingResources>
    <!-- Editable user database that can also be used by
        UserDatabaseRealm to authenticate users
    -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <Service name="Catalina">


    <Connector port="8080" protocol="HTTP/1.1"
              connectionTimeout="20000"
              redirectPort="8443"
              maxParameterCount="1000"
              />

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
              maxThreads="150" SSLEnabled="true"
              maxParameterCount="1000"
              keystoreFile="${keystore.file}"
              keystorePass="${keystore.pass}"
              keystoreType="PKCS12" clientAuth="false" sslProtocol="TLS"
              >
    </Connector>

    <Engine name="Catalina" defaultHost="localhost">

      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
              resourceName="UserDatabase"/>
      </Realm>

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">

        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
              prefix="localhost_access_log" suffix=".txt"
              pattern="%h %l %u %t &quot;%r&quot; %s %b" />

      </Host>
    </Engine>
  </Service>
</Server>

在上面的文件中，我们有 2 个变量

keystore.file

（p12 文件的位置）和

keystore.pass

（您在创建证书时设置）。

使用泊坞窗

我相信

keyStore.p12

和

server.xml

位于您计算机上的同一文件夹中。转到该文件夹并运行以下命令。如果您的服务器不是在 8443 上启动而是在 8080 上启动，请选中

CATALINA_HOME

。就我而言，是

/usr/local/tomcat

docker run \
  -p 8081:8443 \
  -e CATALINA_OPTS="-Dkeystore.pass=<password_here> -Dkeystore.file=/certs/keystore.p12" \
  -v .\keyStore.p12:/certs/keystore.p12 \
  -v .\server.xml:/usr/local/tomcat/conf/server.xml \
  tomcat:9