d**k posts: 1223 | 1 I have a few JBoss servers that have been running for a while, and now I need to turn on SSL. I searched around online and it seems the main issue is the certificate. Every time I run into anything PKI-related it is a huge pain. My question is: if I already have a certificate (bought from Verisign) that is used on a different box, do I have no choice but to buy another one? Or can I just use this one? If that doesn't work, would it be fine if I later move JBoss onto the box that has the certificate? Also, are there any free certificates? Thanks! |
A**o posts: 1550 | 2 One cert corresponds to one domain name, that's all there is to it.
If it's for testing, just sign one yourself.
[Quoting d**k's post above] |
d**k posts: 1223 | 3 If that's the case, it seems I don't need to buy a separate one. Boss, could you give some advice, for example on how to sign one myself? Thanks! |
A**o posts: 1550 | 4 Google it, it's all over the place.
The key question is whether you're using a Java certificate or an OpenSSL one.
Once you've chosen, there are plenty of step-by-step tutorials online that walk you through it.
The simplest is to use Java's keytool.
[Quoting d**k's post above] |
s******e posts: 493 | 5 Can you tell me why you want a certificate? If you want to do it, which side: client, or server, or both?
For apps deployed to a Java web container, you may not need any certificate
to use SSL. What you need to do is configure web.xml. There is an element
tag called transport-guarantee. You need to set that tag to either
"confidential" or "integrity" (last time I checked the spec, they were the same
in the spec even though they should not be).
Once you do so, the container will handle the rest. For exa |
k***r posts: 4260 | 6 I don't think it has anything to do with the box. It's tied to the domain.
[Quoting d**k's post above] |
g*****g posts: 34805 | 7 I doubt that, PKI always needs a keystore.
[Quoting s******e's post above] |
s******e posts: 493 | 8 To understand it, you have to know three things:
1. How does the SSL negotiation process work?
2. How does the container handle the process?
3. What is the certificate? What is its relationship with PKI (asymmetric or
symmetric)?
The Java spec will be your best friend. |
g*****g posts: 34805 | 9 You always need a keystore on the server side, which contains
public and private keys. The server sends the public key (certificate)
to the client the first time the client connects. The client uses
the cert to encrypt the traffic and it can only be decrypted with
the keystore. This is asymmetric (actually a random key is generated
to do symmetric encryption and the random key itself is encrypted
asymmetrically).
Now the problem is the public key: a public key needs to be signed
by a trusted CA or your browser wi
[Quoting s******e's post above] |
s******e posts: 493 | 10 Great. Let me put in the missing parts to make the picture whole.
Once the protocol changes to https, the SSL negotiation process starts. The
final agreement will be the highest security level accepted by both client
and server; then the server will send the public key to the client. The
client is good to go without any certificate. No browser was implemented in
a way that it must check the server certificate. So what does a certificate mean?
A certificate will help the client verify that the key is exactly cr |
s******e 发帖数: 493 | 11 See, certificate is not mandatory for ssl |
A**o posts: 1550 | 12 That's a nice layman's explanation.
[Quoting s******e's post above] |
d**k posts: 1223 | 13 man! so glad to talk about this with so many DANIUs :-)
Actually in this case, I just need to encrypt the data between client and
server. Neither server nor client authentication matters, at least for
now. And smectite, thanks a lot: your three things are a very good summary
for understanding SSL. But like goodbug's comment, I still doubt
that only configuring web.xml is enough: if the server side has no SSL configured, even
if the web container changes http to https, it's still not gonna work. |
k***r posts: 4260 | 14 if you want to avoid the SSL hassle in Java, you can use a front-end
web server to handle SSL and only process HTTP requests in Java.
[Quoting d**k's post above] |
s******e posts: 493 | 15 SSL support is mandatory for any web container compatible with the JSP spec.
The best approach: why not just try it? |
A**o posts: 1550 | 16 What smectite means is that you can just self-sign one that isn't certified.
That way the client will get a warning when using it, saying the server's cert has a problem and asking whether you trust this server.
If the client doesn't mind, for example because this is for internal use, that's good enough.
If the client does mind and insists on a proper one, that's a different story.
[Quoting d**k's post above] |
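Putting the thread's advice together in runnable form (an added example, not code from anyone in the thread): it self-signs a certificate for a single hostname, packs it into a keystore that the Tomcat connector inside JBoss can load, and then checks it the way a client would, so you can see why a self-signed cert is enough for encryption but draws a warning until the client trusts it, and why the cert follows the domain name rather than the box. It uses openssl rather than keytool; the hostname app.example.com, the work directory, the password, and the connector's port and keystore path are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Self-sign a cert for ONE hostname,
# bundle it for JBoss's connector, and check it from the client side.
# Assumptions (none come from the thread): hostname, work dir, password, paths.

WORK="${WORK:-${TMPDIR:-/tmp}/selfsigned-demo.$$}"
HOST="${HOST:-app.example.com}"
STOREPASS="${STOREPASS:-changeit}"

# Generate a private key plus a self-signed cert whose CN and SAN both name
# $HOST. A config file avoids depending on newer -addext/-subj behaviour.
make_selfsigned() {
  mkdir -p "$WORK" || return 1
  cat >"$WORK/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = $HOST
[v3]
subjectAltName = DNS:$HOST
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -config "$WORK/req.cnf" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Key + cert into a PKCS12 keystore; the Tomcat connector in JBoss reads it
# with keystoreType="PKCS12" (keytool -genkeypair would give you a JKS instead).
make_keystore() {
  openssl pkcs12 -export -name jboss \
    -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
    -out "$WORK/jboss.p12" -passout "pass:$STOREPASS" >/dev/null 2>&1
}

# What a client does with the cert the server presents.
# $1 = trust anchor file ("" = only the system CA store), $2 = expected hostname.
# Exits 0 only if the cert chains to something trusted AND names $2.
verify_as_client() {
  if [ -n "$1" ]; then
    openssl verify -CAfile "$1" -verify_hostname "$2" "$WORK/cert.pem" >/dev/null 2>&1
  else
    openssl verify -verify_hostname "$2" "$WORK/cert.pem" >/dev/null 2>&1
  fi
}

# HTTPS connector for JBoss's server.xml (JBoss 4/5-era Tomcat connector).
# Port and keystore location are assumptions.
connector_fragment() {
  cat <<EOF
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="\${jboss.server.home.dir}/conf/jboss.p12"
           keystoreType="PKCS12" keystorePass="$STOREPASS" sslProtocol="TLS"/>
EOF
}

if [ "${1:-}" = "demo" ]; then
  make_selfsigned && make_keystore || exit 1
  if verify_as_client "" "$HOST"; then echo "trusted out of the box"
  else echo "self-signed: the client warns until it trusts this cert"; fi
  if verify_as_client "$WORK/cert.pem" "$HOST"; then
    echo "trusted once the client imports the cert"; fi
  if ! verify_as_client "$WORK/cert.pem" "other.example.com"; then
    echo "hostname mismatch: the cert is bound to $HOST, not to the machine"; fi
  connector_fragment
fi
```

Run it as `sh selfsigned.sh demo`. The web.xml `transport-guarantee` setting mentioned earlier in the thread only makes the container redirect a plain-HTTP request to its HTTPS connector (the `redirectPort` of the HTTP connector in Tomcat); that connector still has to exist and point at a keystore, which is what the fragment emitted above supplies.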
d**k posts: 1223 | 17 Thanks a lot for all your help. I just tried a self-signed cert and it works
pretty well, although there is always a security warning. Another good
thing is: now I am sure that a certificate IS based on the domain name. I
think I don't have to buy a new cert from Verisign if I bring up a JBoss
server on that box which already has a certificate. Thanks again. It's a
lot of fun working with you guys. |