測試環境
Windows 7
IE 11
Intellij IDEA 2017
JDK 1.8.0_25
Tomcat 6.0.36
httpcore 4.4.6
httpclient 4.5.3
keytool:證書生成工具,在JDK 1.4以后的版本中都包含了這一工具,它的位置為<JAVA_HOME>\bin\keytool.exe
單向認證
-
生成服務端keystore
C:\Users\Administrator>keytool -genkeypair -alias server -keyalg RSA -keysize 1024 -keypass changeit -keystore d:/server -storepass changeit 您的名字與姓氏是什么? [Unknown]: localhost 您的組織單位名稱是什么? [Unknown]: localhost 您的組織名稱是什么? [Unknown]: localhost 您所在的城市或區域名稱是什么? [Unknown]: hz 您所在的省/市/自治區名稱是什么? [Unknown]: zj 該單位的雙字母國家/地區代碼是什么? [Unknown]: cn CN=localhost, OU=localhost, O=localhost, L=hz, ST=zj, C=cn是否正確? [否]: y
注意:keypass 和 storepass 要保持一致 如上例中的changeit
-
導出服務端證書
C:\Users\Administrator>keytool -exportcert -alias server -file d:/server.cer -keystore d:/server -storepass changeit
-
將服務端證書導入到客戶端的環境中
C:\Users\Administrator>keytool -importcert -alias server -keystore %JAVA_HOME%\jre\lib\security\cacerts -storepass changeit -file d:/server.cer 所有者: CN=localhost, OU=localhost, O=localhost, L=hz, ST=zj, C=cn 發布者: CN=localhost, OU=localhost, O=localhost, L=hz, ST=zj, C=cn 序列號: 7ba673fa 有效期開始日期: Sun May 21 16:34:22 CST 2017, 截止日期: Sat Aug 19 16:34:22 CST 2017 證書指紋: MD5: F6:00:4B:9B:43:63:5A:26:20:4D:32:5B:70:FA:C4:71 SHA1: 25:EB:6A:06:FA:46:73:A7:AB:7E:C2:C3:A1:E2:3B:62:1C:A8:BF:24 SHA256: A2:DD:86:9F:22:69:2F:C2:D3:0C:36:93:6A:DB:E4:68:87:47:E1:10:C8: 4F:0C:9B:01:64:51:45:E6:BF:58:A4 簽名算法名稱: SHA256withRSA 版本: 3 擴展: #1: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: E3 04 36 1E 00 1C 77 34 29 2C AE BF CC FC 28 F5 ..6...w4),....(. 0010: D8 17 1C 17 .... ] ] 是否信任此證書? [否]: y 證書已添加到密鑰庫中
這一步可以不用執行,只要代碼中設置不校驗證書即可,但是這樣不安全,不推薦。
-
配置Tomcat
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="D:/server" keystorePass="changeit"/>
-
測試
- 瀏覽器訪問 https://localhost (提示警告 選擇繼續瀏覽即可)
- httpclient測試訪問
import org.apache.http.client.methods.CloseableHttpResponse; import org.apache.http.client.methods.HttpGet; import org.apache.http.conn.ssl.SSLConnectionSocketFactory; import org.apache.http.impl.client.CloseableHttpClient; import org.apache.http.impl.client.HttpClients; import org.apache.http.ssl.SSLContextBuilder; import org.apache.http.ssl.TrustStrategy; import org.apache.http.util.EntityUtils; import javax.net.ssl.HostnameVerifier; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLSession; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; /** * Created by leafsunday on 2017/5/20 . */ public class HttpsTest { public static void main(String args[]) throws Exception{ CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(createSSLConnSocketFactory()).build(); HttpGet httpGet = new HttpGet("https://localhost"); CloseableHttpResponse response = httpClient.execute(httpGet); String httpStr = EntityUtils.toString(response.getEntity(), "utf-8"); System.out.println(httpStr); } /** * 創建SSL安全連接 * * @return */ private static SSLConnectionSocketFactory createSSLConnSocketFactory() throws Exception { SSLContext sslContext = SSLContextBuilder.create() /* //設置不校驗服務端證書 不安全(不推薦) .loadTrustMaterial(null, new TrustStrategy() { public boolean isTrusted(X509Certificate[] chain, String authType) throws CertificateException { return true; } }) */ .build(); return new SSLConnectionSocketFactory(sslContext /* //設置不校驗hostname , new HostnameVerifier() { public boolean verify(String s, SSLSession sslSession) { return true; } } */ ); } }