重要注意事項(xiàng) ?An Important Note Before You Start

在生成CSR文件時(shí)同時(shí)生成您的私鑰，如果您丟了私鑰或忘了私鑰密碼，則頒發(fā)證書(shū)給您后不能安裝成功！您必須重新生成私鑰和CSR文件，免費(fèi)重新頒發(fā)新的證書(shū)。為了避免此情況的發(fā)生，請(qǐng)?jiān)谏蒀SR后一定要備份私鑰文件和記住私鑰密碼，最好是在收到證書(shū)之前不要再動(dòng)服務(wù)器。?
By far the most common problem users have when going through this process is related to private keys. If you lose or cannot access a private key, you cannot use the certificate we issue to you and will need to request a free reissue. To ensure this never happens, we advise that a backup of the private key file is made and that a note is made of the password that is used to protect the export of the private key.

您可以使用"keytool"來(lái)生成私鑰和CSR文件，如果您的服務(wù)器上沒(méi)有安裝keytool,請(qǐng)先下載安裝：?
The utility "keytool" that you use to generate the private key (keyEntry) and CSR comes with the Sun JDK toolkit. If you do not have JDK installed please download it from the following link: http://java.sun.com/J2SE/downloads.html ,We recommend that the latest version be used, which is 1.5.0.

以下為生成 keystore 和 keyentry 指南，Tomcat 支持 JKS 和 PKCS#12 格式的 keystore，JKS 格式是標(biāo)準(zhǔn)的 “Java Keystore”格式，使用 keytool 命令產(chǎn)生；而 PKCS#12 格式則可以通過(guò)使用Openssl中的轉(zhuǎn)換工具轉(zhuǎn)換而成。本指南僅指keytool方式的JKS格式。?
The following sequence of commands will generate a keystore and keyEntry. Tomcat currently supports JKS and PKCS#12 format keystores. The JKS format is Java's standard "Java KeyStore" format, and is the format generated by the keytool command-line utility which is packaged in the JDK kit. The PKCS#12 format is a general format which can be converted using the Openssl toolkit. The following instructions make use of keytool only.

1. 生成 keystore 和 keyEntry， Generate a keystore and keyEntry

請(qǐng)使用以下命令，并參考下圖： Please type the following command at the prompt:

keytool? -genkey -alias [keyEntry_name] -keyalg RSA -keystore [keystore_name]

請(qǐng)注意：如果您不指定一個(gè) keystore 名稱(chēng)(不使用參數(shù) -keystore)， 則 keystore 文件將保存在您的用戶目錄中(如：C:/Documents and Settings/your name/.keystore)，文件名為：.keystore?
Note: If you do not specify a keystore (-keystore omitted from the command) name, the keystore will be saved to your local profile directory as a .keystore file (i.e C:/Documents and Settings/your name/.keystore)

系統(tǒng)會(huì)提示您輸入 keystore 密碼，缺省密碼為：changeit，您可以指定一個(gè)新的密碼，但請(qǐng)一定要記住。
When you execute this command you will be prompted for a keystore password. The default password used by Tomcat is "changeit" although you can specify a password of your choice.

接著，會(huì)提示“What is your fist and last name?”，請(qǐng)輸入您要申請(qǐng)SSL證書(shū)的域名，而不是真的輸入您的個(gè)人姓名，如果您需要為www.domain.com申請(qǐng)SSL證書(shū)就不能只輸入domain.com。SSL證書(shū)是嚴(yán)格綁定域名的。
The term "First and last name" is X.509 speak for the name that distinguishes the certificate best, and ties it to your Organization. Enter your exact host and domain name that you wish to secure. Example: If you wish to secure www.mydomain.com, then you will need to enter the exact host (www) and domain name (mydomain.com) in this field. If you enter mydomain.com then the certificate issued to you will only work error free on https://mydomain.com. It will cause a certificate mismatch error when you or your users access the domain via https:// www.mydomain.com.

接著，輸入您的部門(mén)名稱(chēng)、單位名稱(chēng)、所在城市、所在省份和國(guó)家縮寫(xiě)(中國(guó)填：CN，其他國(guó)家填其縮寫(xiě))，單位名稱(chēng)一定要與證明文件上的名稱(chēng)一致，部門(mén)名稱(chēng)(OU)可以不填。除國(guó)家縮寫(xiě)必須填CN外，其余都可以是英文或中文。?
Enter your country, state or province and locality or city. You should enter the company name as it appears on your official company registration documents. The organization unit is optional, we verify and authenticate the company name and not the organization unit. To skip the organization unit (OU) field please press enter on your keyboard.

最后，要求您輸入私鑰密碼， 請(qǐng)一定要為 keystore 和 keyEntry 輸入一樣的密碼，否則您重新啟動(dòng)Tomcat后會(huì)提示錯(cuò)誤信息：java.security.UnrecoverableKeyException: Cannot recover key。同時(shí)，請(qǐng)一定要記住密碼！?
Finally, you will be prompted for the keyEntry password, which is the password which protects the private key. Please specify the same password for the keystore and the keyEntry or else you will receive the following error message when you restart the Tomcat engine: java.security.UnrecoverableKeyException: Cannot recover key

2. 生成CSR， Generate the CSR

請(qǐng)使用以下命令，并參考下圖： Please type the following command at the prompt:

keytool ?-certreq -alias [keyEntry name] -file request.csr -keystore [keystore name]

CSR文件(request.csr)會(huì)保存在 JDK/bin 目錄，這樣就完成了公鑰和私鑰對(duì)的生成，私鑰(keyEntry)保存在JDK/bin目錄中，公鑰則需要發(fā)給WoTrust簽名后頒發(fā)證書(shū)。CSR文件為文本文件，如下圖示。?
The CSR will be saved to your JDK/bin directory. You have now created a public/private key pair. The private key (KeyEntry) is stored inside the keystore in the JDK/bin directory and is used for decryption. The public portion is sent to WoTrust in the form of a Certificate Signing Request (request.csr), and will be used by your users to encrypt the data they send to your site. The Certificate Signing Request (CSR) looks something like this:

3. 備份私鑰文件 Backup your private key

請(qǐng)備份您的keystore文件并記下私鑰密碼。最好是把私鑰文件備份到軟盤(pán)或光盤(pán)中。?
Please backup your keystore file and make a note of the password. A good choice is to create a copy of this file onto a diskette or other removeable media.

4. 測(cè)試CSR和把CSR發(fā)給WoTrust , Start the certificate request process

生成CSR后，建議您自己測(cè)試一下生成的CSR文件是否正確，請(qǐng)點(diǎn)擊? 這里 ?測(cè)試您的CSR文件。請(qǐng)把測(cè)試成功的CSR文件發(fā)給WoTrust即可。請(qǐng)一定不要再動(dòng)您的服務(wù)器，等待證書(shū)的頒發(fā)。
To submit the CSR to WoTrust for processing you should start the certificate enrollment process