The server needs:
- KeyStore: holds the server's private key
- Trust KeyStore: holds the client's trusted (authorized) certificate
The client needs:
- KeyStore: holds the client's private key
- Trust KeyStore: holds the server's trusted (authorized) certificate
How to obtain a KeyStore:
- Issued by a third-party authority (a CA)
- Generated with the keytool command that ships with Java
Certificates:
- Generate the certificate with keytool.
- Import the client/server certificate with keytool.
keytool commands
- Generate the keystore: keytool -genkey -alias serverkey -keyalg RSA -keystore keyserver.keystore (pass -keyalg explicitly: the legacy default was DSA, and recent JDKs require the key algorithm to be given)
- Export the certificate: keytool -export -alias serverkey -keystore keyserver.keystore -file server.crt
- Import the certificate into the trusted keystore (truststore): keytool -import -alias serverkey -file server.crt -keystore tclient.keystore
For two-way authentication, repeat the same three steps for the client: generate the client's own keystore, export its certificate, and import that certificate into the server's truststore.
Tomcat configuration:
Open server.xml
<Connector
  protocol="org.apache.coyote.http11.Http11AprProtocol"
  port="8443" maxThreads="200"
  scheme="https" secure="true" SSLEnabled="true"
  SSLCertificateFile="/usr/local/ssl/server.crt"
  SSLCertificateKeyFile="/usr/local/ssl/server.pem"
  SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>
Or (JSSE connector with a keystore and a truststore; clientAuth="want" requests a client certificate but does not require one):
<Connector
  port="8443"
  protocol="HTTP/1.1"
  SSLEnabled="true"
  enableLookups="false"
  disableUploadTimeout="true"
  scheme="https"
  secure="true"
  clientAuth="want"
  sslProtocol="TLS"
  keystoreFile="conf/.ssl/keystore.jks"
  keyAlias="tomcat"
  keystorePass="chiks"
  truststoreFile="conf/.ssl/trustedstore.jks"
  truststorePass="chiks"
/>
Or, for one-way TLS only (clientAuth="false": no client certificate is requested):
<Connector
  protocol="org.apache.coyote.http11.Http11NioProtocol"
  port="8443" maxThreads="200"
  scheme="https" secure="true" SSLEnabled="true"
  keystoreFile="${user.home}/.keystore" keystorePass="changeit"
  clientAuth="false" sslProtocol="TLS"/>
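As an added example (not code from the original post), a Java client that loads its own keystore plus the truststore built with the keytool steps above and calls the mutual-TLS connector on port 8443. The file name client.keystore, the password changeit and the URL https://localhost:8443/ are assumptions; tclient.keystore is the client truststore holding server.crt, and the server certificate's CN or SAN is assumed to match the hostname localhost, otherwise the default hostname verifier rejects the connection.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsClient {

    // Load a keystore file (JKS by default). Paths and passwords are assumptions.
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // The KeyManager presents the client's private key/certificate when the server
    // asks for it (clientAuth="want"/"true"); the TrustManager accepts only the
    // server certificate(s) imported into the truststore, not the JDK's CA bundle.
    static SSLContext buildContext(KeyStore clientKeys, char[] keyPass, KeyStore trusted)
            throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKeys, keyPass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trusted);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] pass = "changeit".toCharArray();                 // assumed password
        KeyStore clientKeys = load("client.keystore", pass);    // client's own key (assumed name)
        KeyStore trusted = load("tclient.keystore", pass);      // truststore with server.crt
        SSLContext ctx = buildContext(clientKeys, pass, trusted);

        HttpsURLConnection conn =
                (HttpsURLConnection) new URL("https://localhost:8443/").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default HostnameVerifier stays in place: the server cert must match "localhost".
        System.out.println("HTTP " + conn.getResponseCode());
        X509Certificate server = (X509Certificate) conn.getServerCertificates()[0];
        System.out.println("Server certificate subject: " + server.getSubjectX500Principal());
    }
}
```

If the server's truststore lacks the client certificate while clientAuth="true", the handshake fails on the server side rather than returning an HTTP status, which is the expected symptom of a missing import step.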
Source: oschina
Link: https://my.oschina.net/u/2934716/blog/809647