There are two ways to obtain an SSL certificate:
- generate one yourself with keytool
- buy one from a certificate authority (CA)

For this demonstration we generate one with keytool. Enter the command below and fill in the information at the prompts. The "first and last name" prompt is the certificate's CN, so enter the hostname the site will be served on rather than a person's name; current browsers (Chrome since version 58, for instance) additionally require that hostname in a subjectAltName extension, which keytool adds with -ext SAN=dns:<hostname>. A self-signed certificate like this is only suitable for development, since clients have no reason to trust it.

keytool -genkey -alias tomcat -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore keystore.p12 -validity 3650
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]:
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
[no]: yes
This produces a PKCS12 keystore named keystore.p12 that holds the self-signed certificate together with its private key (keep it out of source control, as you would any private key); Spring Boot references this keystore when it starts.

Enabling HTTPS in Spring Boot

By default, Spring Boot's embedded Tomcat serves HTTP on port 8080. Spring Boot lets you configure either HTTP or HTTPS in application.properties, but not both; if both are to be enabled, at least one of them must be configured programmatically. The Spring Boot reference documentation recommends configuring HTTPS in application.properties, because HTTPS is the more complex of the two, and refers to the spring-boot-sample-tomcat-multi-connectors sample.

Configure HTTPS in application.properties (place keystore.p12 under src/main/resources so that classpath: resolves it; keyStoreType and keyAlias are relaxed-binding spellings of server.ssl.key-store-type and server.ssl.key-alias):

server.port: 8443
server.ssl.key-store: classpath:keystore.p12
server.ssl.key-store-password: mypassword
server.ssl.keyStoreType: PKCS12
server.ssl.keyAlias: tomcat

Rather than committing the real password, you can leave server.ssl.key-store-password out of the file and supply it through the environment variable SERVER_SSL_KEY_STORE_PASSWORD, which Spring Boot binds to the same property.
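Before starting the application it is worth checking that the keystore really matches the server.ssl.* values: the right store type, the right store password, an alias that is a private-key entry, a certificate that is currently valid, and a subjectAltName that browsers will accept. The following Java program is an added example and not part of the original post; it takes the keystore path, type, alias and passwords on the command line, so the same check works for keystore.p12 above as well as for the .keystore (JKS) and the downloaded PFX/JKS files used later on this page.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.List;

/** Added example: verifies a keystore against the server.ssl.* settings before Tomcat does. */
public class KeystoreCheck {

    /**
     * Loads the keystore with the store password (server.ssl.key-store-password), confirms
     * that alias (server.ssl.key-alias) is a private-key entry that the key password
     * (server.ssl.key-password) unlocks, and returns its certificate. Each mismatch that
     * would otherwise only show up as a Tomcat startup failure throws here with a clear message.
     */
    public static X509Certificate check(String path, String type, String alias,
                                        char[] storePass, char[] keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);            // "PKCS12" or "JKS"
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);                           // wrong type or store password fails here
        }
        if (!ks.containsAlias(alias)) {
            throw new IllegalStateException("alias '" + alias + "' not in keystore; aliases present: "
                    + Collections.list(ks.aliases()));
        }
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException("alias '" + alias
                    + "' is a trusted-certificate entry; Tomcat needs a private-key entry");
        }
        // A wrong key password is not detected by load(); it only surfaces when the key is read.
        ks.getKey(alias, keyPass);                            // throws UnrecoverableKeyException
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        cert.checkValidity();                                 // CertificateExpiredException / NotYetValid
        return cert;
    }

    /** Usage: java KeystoreCheck <keystore> <PKCS12|JKS> <alias> <store-password> [key-password] */
    public static void main(String[] args) throws Exception {
        if (args.length < 4) {
            System.err.println("usage: KeystoreCheck <keystore> <PKCS12|JKS> <alias> <store-password> [key-password]");
            System.exit(2);
        }
        char[] storePass = args[3].toCharArray();
        // keytool reuses the store password for the key when you press Enter at its last prompt
        char[] keyPass = args.length > 4 ? args[4].toCharArray() : storePass;

        X509Certificate cert = check(args[0], args[1], args[2], storePass, keyPass);
        System.out.println("subject   : " + cert.getSubjectX500Principal());
        System.out.println("issuer    : " + cert.getIssuerX500Principal());
        System.out.println("not after : " + cert.getNotAfter());
        System.out.println("key algo  : " + cert.getPublicKey().getAlgorithm());

        // Current browsers match the hostname against subjectAltName, not CN, so a keystore
        // generated without -ext SAN=dns:<host> still produces a name-mismatch warning.
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) {
            System.out.println("WARNING: no subjectAltName; regenerate with -ext SAN=dns:<hostname>");
        } else {
            System.out.println("SAN       : " + sans);
        }
    }
}
```

For the configuration above the invocation is `java KeystoreCheck keystore.p12 PKCS12 tomcat mypassword`; for the JKS section later on the page it would be `java KeystoreCheck .keystore JKS tomcat <store-password> 123456789`. A failure in load() means the type or store password in server.ssl.* is wrong, a failure in getKey() means the key password is wrong, which is exactly the distinction between server.ssl.key-store-password and server.ssl.key-password.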
That is all that is needed.

Redirecting HTTP requests to HTTPS (optional)

It is a good idea for the application to accept plain HTTP as well, but only in order to redirect it to HTTPS. As noted above, two connectors cannot both be configured in application.properties, so the HTTP connector is configured programmatically and told to redirect to the HTTPS connector. This requires a TomcatEmbeddedServletContainerFactory bean in a configuration class (the Spring Boot 1.x API; Spring Boot 2 renamed the class TomcatServletWebServerFactory). Two details matter: redirectPort must equal the HTTPS port set in server.port, and binding the HTTP connector to port 80 needs root or an equivalent capability on Linux. The code:

import org.apache.catalina.Context;
import org.apache.catalina.connector.Connector;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;

@SpringBootApplication
public class ServerMain {

    @Bean
    public EmbeddedServletContainerFactory servletContainer() {
        TomcatEmbeddedServletContainerFactory tomcat = new TomcatEmbeddedServletContainerFactory() {
            @Override
            protected void postProcessContext(Context context) {
                // A CONFIDENTIAL constraint on /* makes Tomcat redirect every request that
                // arrives on a non-secure connector to that connector's redirectPort.
                // Configure several patterns or constraints if you need finer control
                // over what is and is not redirected.
                SecurityConstraint constraint = new SecurityConstraint();
                constraint.setUserConstraint("CONFIDENTIAL");
                SecurityCollection collection = new SecurityCollection();
                collection.addPattern("/*");
                constraint.addCollection(collection);
                context.addConstraint(constraint);
            }
        };
        // The HTTPS connector comes from server.ssl.* in application.properties;
        // this adds the plain-HTTP connector alongside it.
        tomcat.addAdditionalTomcatConnectors(httpConnector());
        return tomcat;
    }

    private Connector httpConnector() {
        Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        // Scheme assigned to requests received through this connector.
        connector.setScheme("http");
        // Port this connector listens on (80 needs elevated privileges on Linux;
        // use 8080 or similar for local development).
        connector.setPort(80);
        // secure=false tells Tomcat these requests are NOT already protected, so the
        // CONFIDENTIAL constraint above triggers the redirect. With secure=true Tomcat
        // would treat them as already secure (e.g. behind a TLS-terminating proxy)
        // and serve them over plain HTTP without redirecting.
        connector.setSecure(false);
        // Port that non-SSL requests are redirected to. This must be the HTTPS port,
        // i.e. the server.port value from application.properties (8443 above).
        connector.setRedirectPort(8443);
        return connector;
    }

    public static void main(String[] args) {
        SpringApplication.run(ServerMain.class, args);
    }
}
Generating a security certificate

- Open cmd (this assumes the Java environment variables are already configured) and enter the following command:

keytool -genkey -alias tomcat

- Press Enter and follow the prompts to enter the password and the organization information. Note that without -keystore, keytool writes to .keystore in your home directory; without -keyalg it defaults to DSA on JDK 8 (pass -keyalg RSA -keysize 2048 as in the previous section); and on JDK 9 and later the default store type is PKCS12 rather than the JKS assumed in the configuration below.

Copy the keystore file .keystore from your home directory (usually C:\Users\<your username>) to the project root directory.

Add the following to the configuration file (/src/main/resources/application.properties):

# HTTPS uses 443 by default; change this to whatever port you need
server.port=8443
spring.thymeleaf.cache=false
server.ssl.key-store=.keystore
# the password for the tomcat key, entered at the last keytool prompt
server.ssl.key-password=123456789
server.ssl.key-store-type=JKS
server.ssl.key-alias=tomcat

Two caveats. Spring Boot uses server.ssl.key-store-password to open the keystore and server.ssl.key-password to unlock the key, so if you pressed Enter at keytool's last prompt (which reuses the keystore password for the key) set server.ssl.key-store-password as well. And the relative path .keystore is resolved against the working directory, so it only works when the application is launched from the project root; use classpath: or an absolute path for a packaged jar.
Start the server; if the following output appears, the configuration succeeded.
Open the site in a browser (I could not reach it with the 360 browser, for reasons I don't know; it works with IE).
1. Download the certificate from the Alibaba Cloud certificate download page.
2. As that page explains, two certificate formats can be used, PFX and JKS. Put the corresponding file in the src/main/resources directory and add the configuration to application.properties.

PFX:
server.ssl.key-store: classpath:666.pfx
server.ssl.key-store-password: <certificate password>
server.ssl.keyStoreType: PKCS12

JKS:
server.ssl.key-store: classpath:666.jks
server.ssl.key-store-password: <certificate password>

Once this is set the site can be accessed over HTTPS.

3. One problem: when the site used HTTP on port 80 it could be reached both as http://<domain> and http://<domain>:80, but after switching to HTTPS this no longer worked. The reason is that HTTPS runs over SSL/TLS, whose default port is 443, so https://<domain> with no explicit port means port 443 rather than the port configured above; the bare domain name therefore only works once you configure server.port=443.