Server需要:
- KeyStore: 其中保存服務端的私鑰
- Trust KeyStore:其中保存客戶端的授權證書
Client需要:
- KeyStore:其中保存客戶端的私鑰
- Trust KeyStore:其中保存服務端的授權證書
KeyStore獲取方式:
- 第三方機構授予
- 使用Java自帶的keytool命令生成.
證書:
- 使用keytool工具生成證書.
- 使用keytool工具導入客戶端/服務端證書.
keytool命令
- 生成keystore: keytool -genkey -alias serverkey -keystore keyserver.keystore（未指定 -keyalg / -keysize 時會使用 keytool 的預設值，建議明確指定，例如 -keyalg RSA -keysize 2048）
- 導出證書: keytool -export -alias serverkey -keystore keyserver.keystore -file server.crt
- 將證書添加到信任的keystore: keytool -import -alias serverkey -file server.crt -keystore tclient.keystore
tomcat配置:
打開server.xml，加入或修改如下的Connector:
<!-- APR/OpenSSL connector: the certificate and private key are read from PEM files
     (SSLCertificateFile / SSLCertificateKeyFile) instead of a Java keystore.
     server.pem is the private key: keep it readable only by the Tomcat user. -->
<!-- SSLVerifyClient="optional" asks the client for a certificate but still accepts
     connections that present none; use "require" if mutual TLS must be enforced. -->
<!-- SSLProtocol enables TLSv1 and TLSv1.1, both deprecated; restrict to TLSv1.2 (or newer)
     once the clients allow it. -->
<Connector
protocol="org.apache.coyote.http11.Http11AprProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
SSLCertificateFile="/usr/local/ssl/server.crt"
SSLCertificateKeyFile="/usr/local/ssl/server.pem"
SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>
或者
<!-- JSSE connector backed by a keystore (server private key, alias "tomcat") and a
     truststore (the client certificates the server accepts). -->
<!-- clientAuth="want" requests a client certificate but does not fail the handshake
     when none is presented; set clientAuth="true" to require one. -->
<!-- keystorePass / truststorePass are stored in clear text in server.xml; the value
     "chiks" is a sample, replace it and restrict read access to server.xml and conf/.ssl. -->
<Connector
port="8443"
protocol="HTTP/1.1"
SSLEnabled="true"
enableLookups="false"
disableUploadTimeout="true"
scheme="https"
secure="true"
clientAuth="want"
sslProtocol="TLS"
keystoreFile="conf/.ssl/keystore.jks"
keyAlias="tomcat"
keystorePass="chiks"
truststoreFile="conf/.ssl/trustedstore.jks"
truststorePass="chiks"
/>
<!-- NIO connector with server-side TLS only: clientAuth="false" means no client
     certificate is requested, so the truststore / client-certificate steps above
     do not apply to this configuration. -->
<!-- ${user.home}/.keystore is keytool's default keystore location and "changeit" is the
     well-known default password; change both before exposing this connector. -->
<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="${user.home}/.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS"/>