i.Windows下APR安装过程

1.下载安装native

Windows下的APR安装和配置比较简单，可以直接下载Tomcat-native的二进制的版本包：

下载之后的目录结构为：

tcnative-1.dll这个库已经包含了APR，openssl的核心引擎，还有tomcat-native的代码，openssl.exe是集成的openssl的命令行工具；

x64位是64位的文件夹。

但是，值得注意的是，如果要想使用这个openssl.exe 进行发证，需要首先手动设置一个openssl.cnf，也可以去openssl的官网上下载一个来，需要先设置一下环境变量：

set OPENSSL_CONF=openssl.cnf

对于上述的下载，对于每一个tomcat可能对应的tomcat-native不同，一个最好的办法是，在tomcat的二进制介质中bin目录中，就有对应的：

解压之后，和上述的下载的一样，只不过版本和当前的tomcat是对应的；

在这一步中，你也可以选择下载源码，然后在VC中进行编译，可能openssl的编译需要安装perl的环境。

2.openssl生成密钥库和证书库

（生成服务器端密钥库）

D:\software\tomcat8032\bin>openssl.exe genrsa -out rsa-private-key.pem 1024

WARNING: can't open config file: /usr/local/ssl/openssl.cnf

Generating RSA private key, 1024 bit long modulus

.....++++++

...............................++++++

e is 65537 (0x10001)

（设置环境变量）

D:\software\tomcat8032\bin>set OPENSSL_CONF=openssl.cnf

（生成服务端证书库）

D:\software\tomcat8032\bin>openssl.exe req -new -x509 -nodes -sha1 -days 365 -key rsa-private-key.pem -out self-signed-cert.pem

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:cn

State or Province Name (full name) [Some-State]:beijing

Locality Name (eg, city) []:haidian

Organization Name (eg, company) [Internet Widgits Pty Ltd]:css

Organizational Unit Name (eg, section) []:guodian

Common Name (e.g. server FQDN or YOUR name) []:xixi

Email Address []:xixi@163.com

3.配置server.xml

     <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol" 

               SSLEnabled="true"

               maxThreads="150" 

               scheme="https" 

               secure="true"

               clientAuth="false" 

               sslProtocol="TLSv1" 

               SSLCertificateKeyFile="D:\software\tomcat8032\conf\openssl\rsa-private-key.pem"

               SSLCertificateFile="D:\software\tomcat8032\conf\openssl\self-signed-cert.pem"/>

对于上述的配置，配置APR的protocol需要换成 Http11AprProtocol，其次，SSLCertificateKeyFile指的是openssl的服务器端的密钥库，SSLCertificateFile指的是服务器端的证书库（不带私钥，只有公钥）。

SSLCertificateFile

Name of the file that contains the server certificate. The format is PEM-encoded. In addition to the certificate, the file can also contain as optional elements DH parameters and/or an EC curve name for ephemeral keys, as generated by openssl dhparam and openssl ecparam, respectively. The output of the respective OpenSSL command can simply be concatenated to the certificate file. This feature needs APR/native version 1.1.34 or later.

SSLCertificateKeyFile

Name of the file that contains the server private key. The format is PEM-encoded. The default value is the value of "SSLCertificateFile" and in this case both certificate and private key have to be in this file (NOT RECOMMENDED).

4.启动

启动之后，发现：

访问之前，需要在浏览器端，将上述的

openssl pkcs12 -export -clcerts -in server/self-signed-cert.pem -inkey server/rsa-private-key.pem -out server/server.p12 导出为P12格式的证书文件，

这样浏览器可以导入

导入进来之后，浏览器可以进行访问：

来自为知笔记(Wiz)