# Generating an SSL certificate with the JDK

- ## Generating the certificate with the keytool command

Open a CMD window and `cd` into the JDK's `bin` directory, or go to the `bin` directory first, hold Shift, right-click and choose "Open command window here".

The parts of the command:

- `keytool` (the JDK's key and certificate management tool)
- `-genkey` (generate a key pair with a self-signed certificate)
- `-alias tomcat` (alias)
- `-keypass 123456` (password for the alias's private key)
- `-keyalg RSA` (algorithm)
- `-keysize 1024` (key length)
- `-validity 365` (validity period, in days)
- `-keystore D:/keys/tomcat.keystore` (location and file name of the generated keystore)
- `-storepass 123456` (password used to access the keystore)

`keytool -genkey -alias tomcat -keypass 12345678 -keyalg RSA -keysize 1024 -validity 365 -keystore E:/keys/tomcat.keystore -storepass 12345678`

After running the command you are asked six questions; answer them in order. The answer to the first question is the certificate's domain name; the others can be filled in freely.

- Generate a certificate for the client so that the server can verify it:

`keytool -genkey -alias client1 -keypass 12345678 -keyalg RSA -keysize 1024 -validity 365 -storetype PKCS12 -keystore E:/keys/client1.p12 -storepass 12345678`
- Because a PKCS12-format keystore cannot be imported directly, the client certificate must first be exported as a standalone CER file, using the following command:

`keytool -export -alias client1 -keystore E:/keys/client1.p12 -storetype PKCS12 -storepass 12345678 -file E:/keys/client1.cer`
- Import that file into the server's keystore as a trusted certificate:

`keytool -import -v -file E:/keys/client1.cer -keystore E:/keys/tomcat.keystore -storepass 12345678`
- Because this is two-way (mutual) SSL authentication, the client must also verify the server certificate, so the server certificate has to be added to the browser's "Trusted Root Certification Authorities". Since a keystore-format certificate database cannot be imported directly, the server certificate must first be exported as a standalone CER file, using the following command:

`keytool -keystore E:/keys/tomcat.keystore -export -alias tomcat -file E:/keys/server.cer`
- Double-click the server.cer file and follow the prompts to install the certificate, placing it under "Trusted Root Certification Authorities".
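The whole keytool procedure above, collected into one non-interactive script. This is an added example, not code from the original page: it assumes `keytool` from a JDK 8 or newer is on PATH, writes into a directory you pass in, and takes `localhost` as the server's DNS name; the password `changeit`, the `-dname` values and the file names `tomcat.p12` / `client1.p12` are constructed for the example. It departs from the page's commands where a practitioner would today: 2048-bit RSA instead of 1024 (1024-bit RSA is below the minimum required by NIST guidance and public CAs), PKCS12 for the server store as well, a Subject Alternative Name so browsers can match the host name (they ignore the CN), `-dname` in place of the six interactive questions, and `-noprompt` on the trusted-certificate import.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes: keytool (JDK 8+) on PATH,
# a writable output directory, and a DNS host name for the server certificate
# (an IP address would need "ip:" in the SAN instead of "dns:").
set -e

generate_mtls_material() {
    dir="$1"                 # where the stores and .cer files are written
    pass="${2:-changeit}"    # constructed password; PKCS12 uses one password for store and keys
    host="${3:-localhost}"   # CN and SAN of the server certificate (assumed host name)
    mkdir -p "$dir"

    # 1. Server key pair + self-signed certificate (page: tomcat.keystore, alias tomcat).
    #    2048-bit key and a SAN, the two things the page's command lacks.
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$host,OU=Dev,O=Example,C=CN" -ext "SAN=dns:$host" \
        -storetype PKCS12 -keystore "$dir/tomcat.p12" -storepass "$pass" -keypass "$pass"

    # 2. Client key pair + certificate in its own PKCS12 store (page: client1.p12).
    keytool -genkeypair -alias client1 -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=client1,OU=Dev,O=Example,C=CN" \
        -storetype PKCS12 -keystore "$dir/client1.p12" -storepass "$pass" -keypass "$pass"

    # 3. Export only the client's certificate (public part) for the server to trust.
    keytool -exportcert -alias client1 -storetype PKCS12 \
        -keystore "$dir/client1.p12" -storepass "$pass" -file "$dir/client1.cer"

    # 4. Import it into the server store as a trusted entry. As on the page, this one
    #    store is later used as both keystoreFile and truststoreFile in the Connector.
    keytool -importcert -noprompt -alias client1 -file "$dir/client1.cer" \
        -storetype PKCS12 -keystore "$dir/tomcat.p12" -storepass "$pass"

    # 5. Export the server certificate for the browser's trusted-root store (page: server.cer).
    keytool -exportcert -alias tomcat -storetype PKCS12 \
        -keystore "$dir/tomcat.p12" -storepass "$pass" -file "$dir/server.cer"
}

# Prints the alias names held in a PKCS12 store, one per line. keytool -list prints
# one "alias, date, EntryType," line per entry, so the alias is the first comma field.
list_aliases() {
    keytool -list -storetype PKCS12 -keystore "$1" -storepass "$2" \
        | grep 'Entry' | cut -d, -f1
}
```

Run it as `generate_mtls_material /path/to/keys changeit myhost.example`, then point the Connector's `keystoreFile` and `truststoreFile` at `tomcat.p12` and hand `client1.p12` to the client. `list_aliases` is the check to run after the import: `tomcat.p12` must list both `tomcat` (the server's private key) and `client1` (the trusted client certificate), otherwise `clientAuth="true"` rejects every client. Treat the `.p12` files and their password as secrets; `server.cer` and `client1.cer` contain only public certificates.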
# Configuring the SSL certificate in Tomcat

```
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true" clientAuth="true" sslProtocol="TLS"
           keystoreFile="/home/work/apache-tomcat-9.0.16-test/apache-tomcat-9.0.16/conf/tomcat.keystore"
           keystorePass="12345678"
           truststoreFile="/home/work/apache-tomcat-9.0.16-test/apache-tomcat-9.0.16/conf/tomcat.keystore"
           truststorePass="12345678" />
```

# Forcing redirection to HTTPS

```
<security-constraint>
    <web-resource-collection>
        <web-resource-name>SSL</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
```