keyStore: my_https.jks
trustStore: my_https_trust.jks
1. Create the keystore
keytool -genkeypair -alias my_https -keyalg RSA -keysize 2048 -validity 3650 -ext SAN=dns:vom -keystore my_https.jks -dname "CN=vom,OU=XXXX,O=example,L=KAWASAKI,ST=KANAGAWA,C=JP" -storepass password -keypass password
keytool -list -v -keystore my_https.jks
Note that CN must be the domain name or hostname the clients will connect to (with a matching entry in /etc/hosts if it is not in DNS); otherwise Java clients fail hostname verification when they access the server. Java only falls back to CN when the certificate has no Subject Alternative Name, and browsers ignore CN altogether, so the -genkeypair command should also carry -ext SAN=dns:vom with the same hostname. Passing -storepass/-keypass on the command line leaves the password in the shell history; omit them and keytool prompts instead.
2. Export the certificate (public key)
keytool -exportcert -alias my_https -keystore my_https.jks -file my.cer -storepass password
# optional check of the exported DER file: openssl x509 -in my.cer -inform der -text -noout
3. Create the truststore (used by the client side)
keytool -import -trustcacerts -alias my_https -file my.cer -keystore my_https_trust.jks -storepass password
keytool -list -v -keystore my_https_trust.jks
The keystore holds your own private key and certificate, while the truststore holds the certificates you trust: usually the remote server's certificate (or, on the server side with clientAuth="true", the SSL client certificates or their CA). Importing my.cer directly works here because the certificate is self-signed and therefore its own trust anchor; with a CA-issued certificate you would import the CA certificate instead.
4. Configure Tomcat (org.apache.coyote.http11.Http11Protocol is the blocking connector of Tomcat 7; Tomcat 8.5 and later removed it, use org.apache.coyote.http11.Http11NioProtocol there. keystoreFile/keystorePass point at the server keystore from step 1, not at the truststore, despite the directory name):
<Connector port="20001"
protocol="org.apache.coyote.http11.Http11Protocol"
SSLEnabled="true"
scheme="https"
secure="true"
clientAuth="false"
sslProtocol="TLS"
keystoreFile="/opt/my/trustStore/my_https.jks"
keystorePass="password"
connectionTimeout="20000"
redirectPort="20002" />
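What the notes do not show is the client side: how a Java program actually consumes my_https_trust.jks from step 3 when it talks to the connector from step 4. The following is an added example, not code from the original notes; the host vom, port 20001 and the password come from the steps above, while the class name TrustStoreClient and the command-line handling are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

/*
 * Added example (not part of the original notes): a client that trusts only
 * the certificate stored in my_https_trust.jks and connects to the Tomcat
 * HTTPS connector on port 20001. Class name and arguments are assumptions.
 *
 *   javac TrustStoreClient.java
 *   java TrustStoreClient my_https_trust.jks password https://vom:20001/
 */
public class TrustStoreClient {

    /** Load the truststore and build an SSLContext whose only trust anchor is its content. */
    static SSLContext contextFromTrustStore(String path, char[] storePass) throws Exception {
        // getDefaultType() is "jks" on JDK 8 and "pkcs12" on JDK 9+; both read the
        // file keytool produced on the same JDK, whatever its extension says.
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ts.load(in, storePass);   // the -storepass given to keytool -import
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // No KeyManager: the connector has clientAuth="false", so no client certificate is sent.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String trustStore = args.length > 0 ? args[0] : "my_https_trust.jks";
        char[] storePass  = (args.length > 1 ? args[1] : "password").toCharArray();
        String target     = args.length > 2 ? args[2] : "https://vom:20001/";

        HttpsURLConnection conn = (HttpsURLConnection) new URL(target).openConnection();
        conn.setSSLSocketFactory(contextFromTrustStore(trustStore, storePass).getSocketFactory());
        // Keep the default HostnameVerifier on purpose. Replacing it with
        // (host, session) -> true is the classic mistake that accepts any
        // certificate for any host and defeats the truststore entirely.
        try {
            int status = conn.getResponseCode();   // performs the TLS handshake
            System.out.println("HTTP " + status + " from " + conn.getPeerPrincipal());
        } catch (SSLHandshakeException e) {
            // Two distinct failures surface here; the message tells them apart:
            //  - "unable to find valid certification path": the server certificate
            //    is not in the truststore (for example the JDK's default cacerts
            //    was used instead of my_https_trust.jks)
            //  - "No name matching vom found": the host in the URL differs from the
            //    certificate's SAN/CN, which is the problem the CN note in step 1 warns about
            System.err.println("TLS handshake rejected: " + e.getMessage());
            System.exit(1);
        } finally {
            conn.disconnect();
        }
    }
}
```

If you cannot change the client code, the same effect is obtained for the whole JVM with -Djavax.net.ssl.trustStore=my_https_trust.jks -Djavax.net.ssl.trustStorePassword=password, which replaces the default cacerts rather than adding to it, so any public CA the application also needs must then be imported into my_https_trust.jks as well.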