
How to configure HTTPS in Tomcat, with an example of a request carrying a client certificate

2017-11-27 17:13

1. Generate the Tomcat server certificate

If the JDK environment variables are not configured on the system, open CMD in the \jdk\bin directory.

If the JDK environment variables are configured, just open CMD.

Run the following command:

keytool -genkey -v -alias tomcat -keyalg RSA -keystore D:\https\key\tomcat.keystore -validity 36500

“-alias tomcat” is the certificate alias.

“D:\https\key\tomcat.keystore” is the location and file name of the generated keystore.

“-validity 36500” sets the validity period to 36500 days.



At the prompt “What is your first and last name?”, enter the host or domain name on which Tomcat is deployed; for testing on the local machine, enter localhost.

If you enter the name shown in the screenshot above, the hosts file must be modified accordingly.



2. Generate the client certificate

Run the following command:

keytool -genkey -v -alias client -keyalg RSA -storetype PKCS12 -keystore D:\https\key\client.p12 -validity 36500

“-alias client” is the client alias.

“D:\https\key\client.p12” is the location where the keystore is written.

“-validity 36500” sets the certificate validity period to 36500 days.



3. Make the server trust the client certificate

First export the client certificate as a CER file:

keytool -export -alias client -keystore D:\https\key\client.p12 -storetype PKCS12 -storepass ams2000 -rfc -file D:\https\key\clientforserver.cer

“D:\https\key\client.p12” is the client.p12 file generated above.

“-storepass ams2000” is the client keystore password.

“-file D:\https\key\clientforserver.cer” is the path of the CER file to generate.



Run the following command:

keytool -import -v -file D:\https\key\clientforserver.cer -keystore D:\https\key\tomcat.keystore

Enter the keystore password, then enter “y” to confirm.



Check the result:

keytool -list -keystore D:\https\key\tomcat.keystore



The client certificate is now trusted.

4. Export the server certificate for use on the client

keytool -keystore D:\https\key\tomcat.keystore -export -alias tomcat -file D:\https\key\CA.cer

5. Install the certificates

You now have the following four certificate files:



Double-click **client.p12**.

Keep clicking Next until the following is displayed:



Viewing the certificate confirms that the import succeeded.



Double-click **CA.cer**.

Keep clicking Next; at the step shown below, change the setting, then continue until the installation succeeds.



6. Modify the Tomcat configuration and publish the service

Edit the following in tomcat/bin/server.xml:

```xml
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="true" sslProtocol="TLS"
    keystoreFile="D:\https\key\tomcat.keystore"
    keystorePass="ams2000"
    truststoreFile="D:\https\key\tomcat.keystore"
    truststorePass="ams2000"
/>
```


Start Tomcat. This example requires the hosts file to be modified.



Open the following address:



Configuration successful.

7. Example of accessing the service with a client certificate

```java
import org.apache.commons.io.IOUtils;
import org.apache.http.HttpEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.conn.ssl.TrustStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.util.EntityUtils;

import javax.net.ssl.SSLContext;
import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

/*
 * Created with IntelliJ IDEA
 * USER: 焦一平
 * Date: 2016/5/8
 * Time: 1:10
 * To change this template use File | Settings | File Template
 */
public class SSLDemo {
    public static void main(String[] args) throws Exception {
        // Client key material: the PKCS12 file holding the client certificate and private key
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        keyStore.load(new FileInputStream(new File("C:\\Users\\Administrator\\Desktop\\jiaoyiping.p12")), "123456".toCharArray());
        SSLContext sslcontext = SSLContexts.custom()
                // Skip verification of the server certificate: this strategy trusts any server
                .loadTrustMaterial(new TrustStrategy() {
                    @Override
                    public boolean isTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                        return true;
                    }
                })
                // Load the truststore provided by the server instead (if the server provides one,
                // there is no need to skip server certificate verification)
                //.loadTrustMaterial(new File("D:\\truststore.jks"), "123456".toCharArray(),
                //        new TrustSelfSignedStrategy())
                .loadKeyMaterial(keyStore, "cmcc".toCharArray())
                .build();
        // Only TLSv1 is offered; the default hostname verifier checks the server name
        SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(
                sslcontext,
                new String[]{"TLSv1"},
                null,
                SSLConnectionSocketFactory.getDefaultHostnameVerifier());
        CloseableHttpClient httpclient = HttpClients.custom()
                .setSSLSocketFactory(sslConnectionSocketFactory)
                .build();

        try {
            HttpGet httpget = new HttpGet("https://10.2.5.116/PnsReceiver/ReceiveMessage");

            System.out.println("Executing request " + httpget.getRequestLine());

            CloseableHttpResponse response = httpclient.execute(httpget);
            try {
                HttpEntity entity = response.getEntity();
                System.out.println(response.getStatusLine());
                System.out.println(IOUtils.toString(entity.getContent()));
                EntityUtils.consume(entity);
            } finally {
                response.close();
            }
        } finally {
            httpclient.close();
        }
    }
}
```
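As an added example (not the post's own code), here is the same request written against the files produced in the walkthrough above: client.p12 is the key material presented to Tomcat, and the exported CA.cer is the only server certificate the client trusts, so the server is actually verified instead of every certificate being accepted as in the `return true` strategy. It uses only the JDK (no Apache HttpClient) and assumes Tomcat answers at https://localhost:8443/ (port from the Connector above, localhost as the name entered at the keytool prompt) and that client.p12 uses the password ams2000 given in step 3.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsClient {
    // Paths and password taken from the steps above
    static final String CLIENT_P12 = "D:\\https\\key\\client.p12";
    static final String SERVER_CER = "D:\\https\\key\\CA.cer";
    static final char[] CLIENT_PASS = "ams2000".toCharArray();

    static SSLContext buildContext() throws Exception {
        // Key material: client certificate + private key, sent because clientAuth="true"
        KeyStore clientStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(CLIENT_P12)) {
            clientStore.load(in, CLIENT_PASS);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientStore, CLIENT_PASS);

        // Trust material: an in-memory truststore holding only the exported server certificate.
        // Because tomcat.keystore's certificate is self-signed, pinning it here is enough for
        // PKIX validation to succeed, and any other server certificate is rejected.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        try (InputStream in = new FileInputStream(SERVER_CER)) {
            X509Certificate serverCert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            trustStore.setCertificateEntry("tomcat", serverCert);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLSv1.2"); // TLSv1.2 instead of the TLSv1-only client above
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // The host name must match the name entered at "What is your first and last name?",
        // otherwise the default hostname verifier of HttpsURLConnection rejects the connection
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://localhost:8443/").openConnection();
        conn.setSSLSocketFactory(buildContext().getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode() + " from " + conn.getPeerPrincipal());
    }
}
```

If CA.cer is replaced by a certificate from another server, the handshake fails with a PKIX path-building error, which is the behaviour the `return true` strategy silently suppresses.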