Generate a certificate
keytool -genkeypair -alias [user] -keyalg [key algorithm] -keystore [file]
Commonly used parameters:
- keytool -genkey: generates a public/private key pair using the default algorithm
- -alias [name]: gives the certificate an alias
- -keyalg: specifies the key algorithm; to set the key length, add the -keysize parameter as well. The default key length is 1024 bits; with DSA the key length must be between 512 and 1024 bits and a multiple of 64
- -keystore: specifies the keystore name. The keystore is where keys and certificate files are stored; if the keystore file does not exist it is created automatically.
- -validity: the certificate's validity period, 90 days by default
- -keypass changeit: supplies the key password on the command line instead of prompting for it
- -storepass changeit: supplies the keystore password on the command line instead of prompting for it
Change into Tomcat's conf directory:
cd /usr/local/conet/tomcat/conf
Run the command:
keytool -genkey -alias tomcat -keyalg RSA -validity 3600 -keystore .keystore
Enter keystore password:  #123456
Re-enter new password:
What is your first and last name?
  [Unknown]:  yue
What is the name of your organizational unit?
  [Unknown]:  yue
What is the name of your organization?
  [Unknown]:  CNCF
What is the name of your City or Locality?
  [Unknown]:  ShangHai
What is the name of your State or Province?
  [Unknown]:  SH
What is the two-letter country code for this unit?
  [Unknown]:  cn
Is CN=yue, OU=yue, O=CNCF, L=ShangHai, ST=SH, C=cn correct?
  [no]:  yes
Enter key password for <tomcat>  #123456
        (RETURN if same as keystore password):
Re-enter new password:

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /usr/local/conet/tomcat/conf/.keystore -destkeystore /usr/local/conet/tomcat/conf/.keystore -deststoretype pkcs12".
Configure Tomcat
Go to the Tomcat installation directory and locate the server.xml file under /usr/local/conet/tomcat/conf.
Edit server.xml and configure the HTTPS connector:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/.keystore"
                     type="RSA"
                     certificateKeystorePassword="123456" />
    </SSLHostConfig>
</Connector>
When a browser connects to the connector on port 8443 it talks to the web server over an encrypted channel: after receiving the browser's request, the connector presents a digital certificate, and the browser uses the public key in that certificate to encrypt the data it sends. certificateKeystoreFile="conf/.keystore" gives the path of the keystore file; the server needs a password to extract the certificate from the keystore, and certificateKeystorePassword="123456" supplies that keystore password. (Tomcat 8 and earlier versions use keystoreFile="conf/.keystore" and keystorePass="123456" instead.)
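As an added example, not part of the original tutorial: a Python script that builds the non-interactive form of the keytool command used above (with the documented -dname and -storetype flags, so the question-and-answer prompts and the JKS warning are avoided) and then audits a server.xml for the HTTPS connector in both the Tomcat 9 SSLHostConfig/Certificate form and the Tomcat 8 keystoreFile/keystorePass form. The two server.xml fragments are constructed for this example; the assumption that an absent keystore type attribute means JKS follows the Tomcat documentation.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Tomcat 9 connector from this page, wrapped in a minimal
# <Server>/<Service> skeleton so it parses like a complete server.xml.
TOMCAT9_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/.keystore" type="RSA"
                     certificateKeystorePassword="123456" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

# Constructed sample: the same connector in the Tomcat 8 attribute style,
# this time with the keystore type set explicitly to PKCS12.
TOMCAT8_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true"
               keystoreFile="conf/.keystore" keystorePass="123456"
               keystoreType="PKCS12" />
  </Service>
</Server>
"""


def keytool_genkeypair(alias, keystore, validity_days, dname, keyalg="RSA",
                       keysize=2048, storetype="PKCS12"):
    """Build the non-interactive form of the keytool command used on this page.
    -dname replaces the interactive name prompts and -storetype PKCS12 avoids
    the JKS warning keytool printed; both are documented keytool options.
    Passwords are deliberately left to the interactive prompt."""
    return ["keytool", "-genkeypair", "-alias", alias, "-keyalg", keyalg,
            "-keysize", str(keysize), "-validity", str(validity_days),
            "-storetype", storetype, "-keystore", keystore, "-dname", dname]


def tls_connectors(xml_text):
    """Return one dict per HTTPS-relevant Connector, normalising the Tomcat 9
    SSLHostConfig/Certificate form and the Tomcat 8 attribute form to the same keys."""
    root = ET.fromstring(xml_text)
    found = []
    for conn in root.iter("Connector"):
        ssl_enabled = conn.get("SSLEnabled", "false").lower() == "true"
        cert = conn.find("./SSLHostConfig/Certificate")
        if cert is not None:
            entry = {"style": "SSLHostConfig",
                     "keystore_file": cert.get("certificateKeystoreFile"),
                     "keystore_type": cert.get("certificateKeystoreType"),
                     "password_set": cert.get("certificateKeystorePassword") is not None}
        elif conn.get("keystoreFile") is not None:
            entry = {"style": "legacy",
                     "keystore_file": conn.get("keystoreFile"),
                     "keystore_type": conn.get("keystoreType"),
                     "password_set": conn.get("keystorePass") is not None}
        elif ssl_enabled:
            entry = {"style": "none", "keystore_file": None,
                     "keystore_type": None, "password_set": False}
        else:
            continue  # plain HTTP connector, nothing to audit
        entry["port"] = conn.get("port")
        entry["ssl_enabled"] = ssl_enabled
        found.append(entry)
    return found


def audit(entry):
    """Findings a defender would want for one TLS connector (empty list = clean)."""
    findings = []
    if not entry["ssl_enabled"]:
        findings.append("SSLEnabled is not true: the connector will serve plaintext HTTP")
    if entry["style"] == "none":
        findings.append("SSLEnabled without any keystore settings: no certificate to present")
        return findings
    if entry["keystore_file"] is None:
        findings.append("keystore settings present but no keystore file path given")
    if (entry["keystore_type"] or "JKS").upper() != "PKCS12":
        # Assumption: JKS is the documented default when the type attribute is absent.
        findings.append("keystore type is JKS (explicit or default); keytool recommends PKCS12")
    if not entry["password_set"]:
        findings.append("no keystore password configured; Tomcat falls back to 'changeit'")
    return findings


if __name__ == "__main__":
    for sample in (TOMCAT9_XML, TOMCAT8_XML):
        for c in tls_connectors(sample):
            print(c["port"], c["style"], audit(c) or "clean")
```

Run against a real server.xml by replacing the constructed samples with `open("/usr/local/conet/tomcat/conf/server.xml").read()`; the tutorial's own connector produces one finding (the keystore type defaults to JKS, which is exactly what keytool warned about), and the legacy-style sample with keystoreType="PKCS12" comes back clean.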
Start Tomcat and test