Certificate generation steps

Server side:

keytool -genkey -alias demoCRT -keypass 12345678 -keyalg RSA -keysize 1024 -validity 1000 -keystore C:\Users\Wang\Desktop\demo.keystore -storepass 12345678

Client side:

keytool -genkey -alias demoCRTClient -keypass 12345678 -keyalg RSA -keysize 1024 -validity 1000 -storetype PKCS12 -keystore C:\Users\Wang\Desktop\demoClient.p12 -storepass 12345678

Make the server trust the client certificate (first export the client's certificate):

keytool -export -alias demoCRTClient -keystore C:\Users\Wang\Desktop\demoClient.p12 -storetype PKCS12 -storepass 12345678 -file C:\Users\Wang\Desktop\demoClient.cer

Import this file into the server's keystore as a trusted certificate:

keytool -import -v -file C:\Users\Wang\Desktop\demoClient.cer -keystore C:\Users\Wang\Desktop\demo.keystore -storepass 12345678

keytool output is garbled

Run the command chcp 936 (switches the Windows console code page to GBK)

Import into Tomcat

Edit the conf/server.xml file

<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" 
               keystoreFile="/证书所在路径/demo.keystore" keystorePass="12345678"
               truststoreFile="/证书所在路径/demo.keystore" truststorePass="12345678" />

Note: port 8443 works as well, in which case the address is https://ip:8443/xxx; 443 is used here in preparation for the next step.

Set up automatic redirection from http to https

In the node for Tomcat's HTTP connector port, change redirectPort to 443

<Connector port="80" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="443" acceptCount="100"
               connectionTimeout="20000" disableUploadTimeout="true" URIEncoding="UTF-8" 
               compression="on" compressionMinSize="2048" 
               noCompressionUserAgents="gozilla, traviata" 
               compressableMimeType="text/html,text/xml"/>

Change the SSL connector's port to 443

<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" 
               keystoreFile="/证书所在路径/demo.keystore" keystorePass="12345678"
               truststoreFile="/证书所在路径/demo.keystore" truststorePass="12345678" />

The redirectPort of Tomcat's AJP connector (port 8009) also needs to be changed to 443

<Connector port="8009" protocol="AJP/1.3" redirectPort="443" />

Finally, edit conf/web.xml and add the following at the end (inside the <web-app> node)

<login-config>
    <!-- Authorization setting for SSL -->
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<security-constraint>
    <!-- Authorization setting for SSL -->
    <web-resource-collection>
        <web-resource-name>SSL</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Once the above configuration is done, restart Tomcat and SSL is in use. Typing an "http://" address directly into the browser's address bar automatically redirects to "https://".
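Before restarting Tomcat it is worth checking that the pieces of the configuration above agree with each other. The following Python script is an added example, not part of the original notes or of Tomcat itself: it parses server.xml and web.xml with the standard library and reports the inconsistencies that most often break this setup, namely an HTTP or AJP connector whose redirectPort does not match the SSL connector's port, an SSL connector without scheme="https" secure="true", clientAuth not set to "true", and a CLIENT-CERT login-config with no <auth-constraint>. The embedded XML is constructed from the snippets above (keystore paths and the role name are placeholders); the default namespace that a real web.xml carries is stripped by the helper so the same checks work on the actual file.

```python
"""Lint a Tomcat server.xml / web.xml pair for the HTTPS + client-cert setup.

Added example, not from the original notes. Only xml.etree from the standard
library is used, so it runs offline on the embedded sample fragments.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the connectors from the notes wrapped in a minimal server.xml
# (keystore paths are placeholders).
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="80" maxThreads="150" redirectPort="443" URIEncoding="UTF-8"/>
  <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
             SSLEnabled="true" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="/path/demo.keystore" keystorePass="12345678"
             truststoreFile="/path/demo.keystore" truststorePass="12345678"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="443"/>
</Service></Server>"""

# Same file, but the HTTP connector still redirects to 8443 while HTTPS listens on 443.
SERVER_XML_BAD = SERVER_XML.replace('redirectPort="443" URIEncoding',
                                    'redirectPort="8443" URIEncoding')

# Constructed sample: the web.xml fragment from the notes, with the default
# namespace a real web.xml carries.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Client Cert Users-only Area</realm-name>
  </login-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SSL</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

# Same constraint with an auth-constraint added, which is what makes Tomcat
# actually demand the client certificate (the role name is hypothetical).
WEB_XML_AUTH = WEB_XML.replace(
    "</web-resource-collection>",
    "</web-resource-collection>\n    "
    "<auth-constraint><role-name>cert-user</role-name></auth-constraint>",
)


def _local(tag):
    """Strip a namespace prefix: '{uri}Connector' -> 'Connector'."""
    return tag.rsplit("}", 1)[-1]


def _find_all(node, name):
    """All descendants of node (node itself included) whose local tag name is `name`."""
    return [el for el in node.iter() if _local(el.tag) == name]


def _text_set(node, name):
    """Set of stripped text contents of all `name` elements under node."""
    return {el.text.strip() for el in _find_all(node, name) if el.text}


def check_server_xml(text):
    """Return a list of findings about the connectors (empty means consistent)."""
    findings = []
    connectors = _find_all(ET.fromstring(text), "Connector")
    ssl_ports = {c.get("port") for c in connectors
                 if c.get("SSLEnabled", "").lower() == "true"}
    if not ssl_ports:
        findings.append('no Connector has SSLEnabled="true"; HTTPS is not served')
    for c in connectors:
        port = c.get("port")
        if port in ssl_ports:
            if c.get("scheme") != "https" or c.get("secure", "").lower() != "true":
                findings.append(f'SSL connector {port}: needs scheme="https" secure="true" '
                                "so the container treats the request as secure")
            client_auth = c.get("clientAuth", "false")
            if client_auth.lower() != "true":
                findings.append(f'SSL connector {port}: clientAuth="{client_auth}", the TLS '
                                "handshake does not require a client certificate")
        else:
            redirect = c.get("redirectPort")
            if redirect not in ssl_ports:
                findings.append(f'connector {port}: redirectPort="{redirect}" does not match '
                                f"an SSL connector port {sorted(ssl_ports)}")
    return findings


def check_web_xml(text):
    """Return a list of findings about the transport and authentication constraints."""
    findings = []
    root = ET.fromstring(text)
    confidential_patterns, has_auth_constraint = set(), False
    for sc in _find_all(root, "security-constraint"):
        if "CONFIDENTIAL" in _text_set(sc, "transport-guarantee"):
            confidential_patterns |= _text_set(sc, "url-pattern")
        if _find_all(sc, "auth-constraint"):
            has_auth_constraint = True
    if "/*" not in confidential_patterns:
        findings.append("no security-constraint sets CONFIDENTIAL for /*; plain HTTP "
                        "requests are not redirected to HTTPS")
    if "CLIENT-CERT" in _text_set(root, "auth-method") and not has_auth_constraint:
        findings.append("login-config is CLIENT-CERT but no security-constraint has an "
                        "<auth-constraint>, so no URL actually requires a client certificate")
    return findings


if __name__ == "__main__":
    for label, check, doc in (("server.xml", check_server_xml, SERVER_XML),
                              ("server.xml (8443 redirect)", check_server_xml, SERVER_XML_BAD),
                              ("web.xml", check_web_xml, WEB_XML),
                              ("web.xml (+auth-constraint)", check_web_xml, WEB_XML_AUTH)):
        print(label + ":", *(check(doc) or ["ok"]), sep="\n  ")
```

Run against the snippets from these notes, the script reports two things a practitioner should know: clientAuth="false" means the TLS handshake itself never requires the client certificate, and because the security-constraint has no <auth-constraint>, the CLIENT-CERT login-config is never triggered, so this web.xml only forces HTTPS. To actually require the certificate generated for demoCRTClient, set clientAuth="true" on the SSL connector, or add an <auth-constraint> with a role that the configured Realm maps to the certificate's subject.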