1.使用keytool导出成PKCS12格式:
keytool -importkeystore -srckeystore server.jks -destkeystore server.p12 -srcstoretype jks -deststoretype pkcs12
输入目标密钥库口令:
再次输入新口令:
输入源密钥库口令:
已成功导入别名 ca_root 的条目。
已完成导入命令: 1 个条目成功导入, 0 个条目失败或取消
2.生成pem证书(包含了key,server证书和ca证书):
生成key 加密的pem证书
$ openssl pkcs12 -in server.p12 -out server.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:Verifying -
Enter PEM pass phrase:
生成key 非加密的pem证书
$ openssl pkcs12 -nodes -in server.p12 -out server.pem
Enter Import Password:
MAC verified OK
单独导出key:
生成加密的key
$ openssl pkcs12 -in server.p12 -nocerts -out server.key
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
生成非加密的key
$ openssl pkcs12 -in server.p12 -nocerts -nodes -out server.key
Enter Import Password:
MAC verified OK
单独导出server证书:
$ openssl pkcs12 -in server.p12 -nokeys -clcerts -out server.crt
Enter Import Password:
MAC verified OK
单独导出ca证书:
$ openssl pkcs12 -in server.p12 -nokeys -cacerts -out ca.crt
Enter Import Password:
MAC verified OK
Nginx服务器配置
server {
listen 443 ssl;
server_name www.yourdomain.net;
access_log /path_to_log/access.log;
error_log /path_to_log/error.log;
ssl_certificate /path_to_certificate/server.crt;
ssl_certificate_key /path_to_key/new/server.key;
ssl_session_timeout 1m;
ssl_protocols SSLv2 SSLv3 TLSv1.2;
#ssl_ciphers HIGH:!aNULL:!MD5;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256:AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
ssl_prefer_server_ciphers on;
***
}
