Goal: convert an existing pfx (PKCS#12) certificate file into a JKS keystore so that Tomcat can use it for HTTPS.
Procedure:
The following Java code loads the pfx file and writes its private-key entries (key plus certificate chain) into a new JKS keystore:
```java
package com.yangangus.util;

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;

public class ConventPFXToJKS {
    public static final String PKCS12 = "PKCS12";
    public static final String JKS = "JKS";
    public static final String PFX_KEYSTORE_FILE = "D:\\temp\\certs\\wildcard_test_com.pfx"; // path of the pfx file
    public static final String PFX_PASSWORD = "pfx_password"; // password chosen when the pfx was exported
    public static final String JKS_KEYSTORE_FILE = "D:\\temp\\certs\\keystore.jks"; // path of the jks file to create
    public static final String JKS_PASSWORD = "jks_password"; // password for the new JKS

    /**
     * Returns null for a missing or blank password so that KeyStore.load() treats the
     * store as unprotected. Note that JKS itself requires a non-empty password when storing.
     */
    private static char[] toPassword(String password) {
        return (password == null || password.trim().isEmpty()) ? null : password.toCharArray();
    }

    public static void coverTokeyStore() {
        char[] pfxPassword = toPassword(PFX_PASSWORD);
        char[] jksPassword = toPassword(JKS_PASSWORD);
        try {
            // Load the source PKCS#12 store.
            KeyStore inputKeyStore = KeyStore.getInstance(PKCS12);
            try (FileInputStream fis = new FileInputStream(PFX_KEYSTORE_FILE)) {
                inputKeyStore.load(fis, pfxPassword);
            }

            // Create an empty JKS store that will receive the entries.
            KeyStore outputKeyStore = KeyStore.getInstance(JKS);
            outputKeyStore.load(null, jksPassword);

            // Copy every private-key entry together with its certificate chain.
            // Trusted-certificate entries in the pfx (if any) are deliberately not copied.
            Enumeration<String> aliases = inputKeyStore.aliases();
            while (aliases.hasMoreElements()) {
                String keyAlias = aliases.nextElement();
                System.out.println("alias=[" + keyAlias + "]"); // this value is needed later for keytool -alias
                if (inputKeyStore.isKeyEntry(keyAlias)) {
                    // In a PKCS#12 store the key password is normally the store password.
                    Key key = inputKeyStore.getKey(keyAlias, pfxPassword);
                    Certificate[] certChain = inputKeyStore.getCertificateChain(keyAlias);
                    outputKeyStore.setKeyEntry(keyAlias, key, jksPassword, certChain);
                }
            }

            // Only open the output file after the source loaded, so a bad password
            // does not truncate an existing keystore.jks.
            try (FileOutputStream out = new FileOutputStream(JKS_KEYSTORE_FILE)) {
                outputKeyStore.store(out, jksPassword);
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public static void main(String[] args) {
        coverTokeyStore(); // pfx to jks
    }
}
```
This gives us the JKS. Next, use keytool to export the server certificate from it in PEM form (the `-rfc` flag). What is exported is the certificate, i.e. the public key together with its identity and the CA signature, never the private key. The alias is the value printed as alias=[...] when the Java program runs; substitute it for certificatekey:
```
keytool -export -alias certificatekey -keystore keystore.jks -rfc -file keycert.cer
```
With the certificate in hand, add it to a truststore with the following command (again substitute the alias printed by the Java program for certificatekey; the file after `-file` is the .cer exported in the previous step):
```
keytool -import -alias certificatekey -file keycert.cer -keystore trustkeystore.jks
```
While this command runs it prompts for a password: that is the truststore's password (the file trustkeystore.jks is created if it does not exist). Because the new truststore is empty, keytool cannot verify the certificate against anything it already holds and asks whether to trust it; answer yes. Keep in mind that for one-way TLS (clientAuth="false" in the connector below) Tomcat never consults this truststore; it is only used to verify client certificates. Browsers trust the server because the chain inside the pfx leads to a CA they already trust, so if the pfx only contains a self-signed or private-CA certificate, that CA certificate must be installed on the clients instead. Once the stores are built, the remaining step is to configure Tomcat.
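The whole procedure above (pfx to JKS, certificate export, truststore import) can also be done with keytool alone, which avoids a Java source file with hard-coded passwords and the need to copy the alias out of a console print. The script below is an added example and is not code from the original post. It assumes a JDK keytool on PATH, takes the passwords from the environment, finds the key alias itself from `keytool -list`, and adds a check that the truststore really contains the imported entry. File names, aliases and passwords are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): PFX -> JKS with keytool alone,
# then export the server certificate and build a truststore, with checks.
# Assumes a JDK keytool on PATH; file names, aliases and passwords are placeholders.
set -eu

# Convert a PKCS#12 (.pfx) store into a JKS store, carrying over every
# private-key entry with its certificate chain. Passwords come from the
# caller (environment or a secrets manager), not from a hard-coded constant.
pfx_to_jks() {  # pfx jks pfx_pass jks_pass
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$3" \
        -destkeystore "$2" -deststoretype JKS -deststorepass "$4" >/dev/null
}

# Alias of the first private-key entry (the value the Java code prints as alias=[...]).
# keytool -list prints one line per entry: "<alias>, <date>, PrivateKeyEntry,".
first_key_alias() {  # keystore pass
    keytool -list -keystore "$1" -storepass "$2" | awk -F, '/PrivateKeyEntry/ { print $1; exit }'
}

# Export the certificate (public key plus identity, never the private key) in PEM form.
export_cert() {  # keystore pass alias outfile
    keytool -exportcert -rfc -keystore "$1" -storepass "$2" -alias "$3" -file "$4" >/dev/null
}

# Add that certificate to a truststore as a trusted entry (creates the store if absent).
import_trusted_cert() {  # truststore pass alias certfile
    keytool -importcert -noprompt -keystore "$1" -storepass "$2" -alias "$3" -file "$4" >/dev/null
}

# Succeeds when the truststore lists the alias as a trustedCertEntry.
truststore_has_alias() {  # truststore pass alias
    keytool -list -keystore "$1" -storepass "$2" | grep -q "^$3,.*trustedCertEntry"
}

# Full pipeline: pfx jks truststore pfx_pass jks_pass trust_pass.
# Writes <jks-basename>.cer next to the JKS and prints the key alias.
build_tomcat_stores() {
    pfx_to_jks "$1" "$2" "$4" "$5"
    alias_name="$(first_key_alias "$2" "$5")"
    [ -n "$alias_name" ] || { echo "no private-key entry found in $2" >&2; return 1; }
    cer="${2%.jks}.cer"
    export_cert "$2" "$5" "$alias_name" "$cer"
    import_trusted_cert "$3" "$6" "$alias_name" "$cer"
    truststore_has_alias "$3" "$6" "$alias_name" || { echo "import into $3 failed" >&2; return 1; }
    echo "$alias_name"
}

# Run as: PFX_PASSWORD=... JKS_PASSWORD=... TRUST_PASSWORD=... \
#         sh pfx_to_jks.sh wildcard_test_com.pfx keystore.jks trustkeystore.jks
if [ "$#" -eq 3 ]; then
    build_tomcat_stores "$1" "$2" "$3" "${PFX_PASSWORD:?}" "${JKS_PASSWORD:?}" "${TRUST_PASSWORD:?}"
fi
```

Newer JDKs print a warning that JKS is a proprietary format and recommend PKCS#12; Tomcat accepts PKCS#12 keystores directly (keystoreType="PKCS12"), so the conversion is only needed when something else requires JKS.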
Edit Tomcat's server.xml and add a connector similar to the one below. This is one-way authentication: the server presents a certificate, the client does not. Without an explicit ciphers attribute, some browsers (Firefox, for example) may fail to negotiate a connection. Three caveats: the truststoreFile/truststorePass attributes are only consulted when Tomcat verifies client certificates, so they do nothing with clientAuth="false"; the TLS_RSA_* suites in the list provide no forward secrecy and the CBC suites are legacy, so drop them where client compatibility allows; and keystorePass is stored in cleartext, so restrict read access to server.xml. Http11Protocol is the blocking connector, which was removed in Tomcat 8.5; on 8.5 and later use Http11NioProtocol.
```xml
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
           keystorePass="jks_password" keystoreFile="/webapp/keystore.jks"
           truststoreFile="/webapp/trustkeystore.jks" truststorePass="trust_password"/>
```
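For comparison, here is a hardened version of the same one-way connector, written as an added example rather than taken from the original post. It keeps the keystore settings above but drops the truststore (unused when clientAuth="false"), restricts the protocol to TLS 1.2 and later, pins the entry to use with keyAlias, and keeps only ECDHE AES-GCM suites, which give forward secrecy and avoid the CBC and static-RSA suites. The alias value and file paths are placeholders. The second form uses the SSLHostConfig syntax of Tomcat 8.5 and later; the TLS 1.3 suites it lists are only usable on a JDK that supports TLS 1.3 (JDK 11 and later), and Tomcat logs a warning and skips them otherwise.

```xml
<!-- Added example, not from the original post.
     Tomcat 7 / 8.0 attribute style, same style as the connector above.
     Http11NioProtocol replaces the blocking Http11Protocol removed in 8.5. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
           keystoreFile="/webapp/keystore.jks"
           keystorePass="jks_password"
           keyAlias="certificatekey" />

<!-- Tomcat 8.5 / 9 / 10 style: the same settings expressed with SSLHostConfig.
     honorCipherOrder makes the server's preference order win over the client's. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig protocols="TLSv1.2+TLSv1.3" honorCipherOrder="true"
                   ciphers="TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256">
        <Certificate certificateKeystoreFile="/webapp/keystore.jks"
                     certificateKeystorePassword="jks_password"
                     certificateKeyAlias="certificatekey"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

After restarting Tomcat, confirm the result from a client with `openssl s_client -connect host:8443 -tls1_2` (and `-tls1_3` where available): the negotiated cipher should be one of the ECDHE/TLS 1.3 suites listed, the certificate chain shown should end at a CA the client trusts, and an attempt with `-tls1_1` should be refused.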
Once the configuration is in place, start Tomcat and open the site over https (port 8443 in the example above).
