
Showing posts with the label "SSL"

Import SSL certificate into JAVA keystore

Generally speaking, when you want to apply SSL to a web server, you will have the following files in hand:

- private key used for the SSL certificate signing request
- signed SSL certificate
- Root CA certificate
- Intermediate CA certificate (optional)

For importing a trusted certificate into a Java keystore, I think creating a new keystore and replacing the original one is good practice. I believe you know how to import the Root CA and intermediate CA as trustcacerts into the keystore. However, if you only import the signed SSL certificate without the private key, the entry will be treated as a "TrustCertEntry" instead of a "PrivateKeyEntry". The Tomcat server will start and listen on 443 but will refuse to serve connections. Therefore we need to use openssl to combine the signed SSL certificate and the private key into PKCS12 format, then import the PKCS12 entry into the keystore.

openssl pkcs12 -export -in FQDN.crt -inkey private-ssl.key -certfile FQDN...
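The combine-then-import sequence described above, carried through end to end and finished with the check that matters: what kind of entry the server alias actually became in the keystore. This is an added example, not the blog's own script. The file names, the alias "tomcat", the password "changeit" and the throwaway root CA it generates for the demo are all assumptions; with real files you would substitute the key, the CA-signed certificate and a chain file holding the intermediate and root certificates.

```shell
#!/bin/sh
# Added example (not the blog's own script). Builds a PKCS12 bundle from the
# server private key, the CA-signed certificate and the CA chain, imports it
# into a Java keystore, adds the CA as a trusted entry, and then reports what
# kind of entry each alias became. File names, the alias "tomcat" and the
# password "changeit" are assumptions for this demo.
set -eu

# Combine key + signed cert + chain into one PKCS12 file. An entry built this
# way carries the private key, which is what Tomcat needs to serve TLS.
build_pkcs12() {
  key="$1"; crt="$2"; chain="$3"; out="$4"; pass="$5"
  openssl pkcs12 -export -in "$crt" -inkey "$key" -certfile "$chain" \
    -name tomcat -out "$out" -passout "pass:$pass"
}

# yes/no: does the bundle really contain a private key?
pkcs12_has_key() {
  if openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
       | grep -q 'PRIVATE KEY'; then echo yes; else echo no; fi
}

# Import the PKCS12 bundle into a (new) Java keystore.
import_pkcs12() {
  jks="$1"; p12="$2"; pass="$3"
  keytool -importkeystore -noprompt \
    -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
    -destkeystore "$jks" -deststorepass "$pass"
}

# Import a CA certificate as a trusted entry (the step the post assumes
# the reader already knows).
import_trusted_ca() {
  jks="$1"; ca="$2"; alias="$3"; pass="$4"
  keytool -importcert -noprompt -trustcacerts -file "$ca" -alias "$alias" \
    -keystore "$jks" -storepass "$pass"
}

# Print the entry type keytool reports for an alias: PrivateKeyEntry or
# trustedCertEntry. A server alias that comes back as trustedCertEntry is
# exactly the misconfiguration the post warns about.
entry_type() {
  keytool -list -keystore "$1" -storepass "$3" -alias "$2" 2>/dev/null \
    | grep -o -E 'PrivateKeyEntry|trustedCertEntry' | head -n 1
}

# Constructed test material: a throwaway root CA and a server certificate it
# signs, written into $1. Stands in for the files a real CA would give you.
make_demo_pki() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -CAserial "$d/ca.srl" -out "$d/server.crt" 2>/dev/null
  cp "$d/ca.crt" "$d/chain.pem"   # chain = root (+ intermediates, if any)
}

# End-to-end run in a temp dir; prints the entry type of each alias.
demo() {
  d=$(mktemp -d)
  make_demo_pki "$d"
  build_pkcs12 "$d/server.key" "$d/server.crt" "$d/chain.pem" "$d/bundle.p12" changeit
  import_pkcs12 "$d/keystore.jks" "$d/bundle.p12" changeit
  import_trusted_ca "$d/keystore.jks" "$d/ca.crt" rootca changeit
  echo "tomcat: $(entry_type "$d/keystore.jks" tomcat changeit)"
  echo "rootca: $(entry_type "$d/keystore.jks" rootca changeit)"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh import.sh demo`; the expected output is `tomcat: PrivateKeyEntry` and `rootca: trustedCertEntry`. Running `entry_type` against your real keystore after deployment is the quickest way to confirm the server alias did not end up as a certificate-only entry. Note that keytool on JDK 9 and later creates PKCS12-format keystores by default even when the file is named .jks; the entry types it reports are the same.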

EV (Extended Validation) SSL Certificate

If an SSL certificate is issued by an EV (Extended Validation) CA, Chrome shows the organization's name in the URL bar, as it does for GitHub (screenshot omitted). A certificate issued by an ordinary CA gets no such display, as with Facebook (screenshot omitted). From an audit and governance standpoint, an EV CA operates under stricter requirements (quoted from Wikipedia):

- Establish the legal identity as well as the operational and physical presence of website owner;
- Establish that the applicant is the domain name owner or has exclusive control over the domain name; and
- Confirm the identity and authority of the individuals acting for the website owner, and that documents pertaining to legal obligations are signed by an authorised officer.

The more interesting rule is that an EV CA is not allowed to issue wildcard Extended Validation certificates.

REF: http://en.wikipedia.org/wiki/Extended_Validation_Certificate
Guidelines for Extended Validation Certificates
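A way to check the two properties discussed above on any certificate file: whether it asserts the CA/Browser Forum EV policy OID (2.23.140.1.1, which EV certificates carry in their certificatePolicies extension) and whether it carries a wildcard name, so that the combination the EV guidelines forbid can be flagged. This is an added example, not the blog's own script; the self-signed test certificates it builds are constructed material and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not the blog's own script). Inspects a certificate with
# openssl and reports (a) whether it asserts the CA/Browser Forum EV policy
# OID 2.23.140.1.1 and (b) whether it carries a wildcard name, so that an
# "EV certificate" with a wildcard name can be flagged as something a
# compliant EV CA should never have issued.
set -eu

# yes/no: does the certificatePolicies extension contain the EV policy OID?
# (Individual CAs also have their own EV OIDs; 2.23.140.1.1 is the common
# CA/B Forum one.)
is_ev_cert() {
  if openssl x509 -in "$1" -noout -text | grep -q -F 'Policy: 2.23.140.1.1'; then
    echo yes; else echo no; fi
}

# yes/no: does the subject CN or any DNS SAN start with "*."?
has_wildcard_name() {
  if openssl x509 -in "$1" -noout -text | grep -q -E 'CN *= *\*\.|DNS:\*\.'; then
    echo yes; else echo no; fi
}

# Verdict: "ev", "dv-or-ov", or "ev-with-wildcard".
classify_cert() {
  ev=$(is_ev_cert "$1"); wc=$(has_wildcard_name "$1")
  if [ "$ev" = yes ] && [ "$wc" = yes ]; then echo ev-with-wildcard
  elif [ "$ev" = yes ]; then echo ev
  else echo dv-or-ov; fi
}

# Constructed test material: a self-signed certificate with the given CN,
# a matching DNS SAN, and an optional policy OID (no real CA involved).
make_test_cert() {
  out="$1"; cn="$2"; policy="$3"
  cfg=$(mktemp)
  {
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ext\nprompt=no\n'
    printf '[dn]\nCN=%s\nO=Example Corp\n' "$cn"
    printf '[ext]\nsubjectAltName=DNS:%s\n' "$cn"
    if [ -n "$policy" ]; then printf 'certificatePolicies=%s\n' "$policy"; fi
  } > "$cfg"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cfg" \
    -keyout "$out.key" -out "$out" 2>/dev/null
  rm -f "$cfg"
}

# Usage: sh ev_check.sh cert.pem
if [ "${1:-}" ]; then echo "$1: $(classify_cert "$1")"; fi
```

On a real certificate the policy check is the reliable signal; the organization name in the browser UI is a presentation choice that browsers can change, whereas the policy OID is in the certificate itself. The wildcard check is deliberately broad (CN and every DNS SAN), because a wildcard can hide in a SAN even when the CN looks ordinary.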