HTTPS security protocol: notes on using SSL certificates

Source: Internet   Editor: 程序博客网   Time: 2024/04/30 15:05

Linux reference: http://www.freehao123.com/cloudflare-wosign-ssl/

The steps for setting up a local Windows environment are as follows:

The local domain is localhost.


1. Generate a certificate for the server: tomcat.keystore

keytool -genkey -v -alias tomcat -keyalg RSA -keystore D:\home\tomcat.keystore -validity 36500

2. Generate a certificate for the client: mykey.p12

keytool -genkey -v -alias mykey -keyalg RSA -storetype PKCS12 -keystore D:\home\mykey.p12

3. Make the server trust the client certificate: mykey.cer

keytool -export -alias mykey -keystore D:\home\mykey.p12 -storetype PKCS12 -storepass password -rfc -file D:\home\mykey.cer

keytool -import -v -file D:\home\mykey.cer -keystore D:\home\tomcat.keystore

keytool -list -keystore D:\home\tomcat.keystore

4. Make the client trust the server certificate: tomcat.cer

keytool -keystore D:\home\tomcat.keystore -export -alias tomcat -file D:\home\tomcat.cer

5. Configure the Tomcat server

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           sslProtocol="TLS" clientAuth="false"
           keystoreFile="D:\\home1\\tomcat.keystore" keystorePass="123321pw"/>

Change the other two redirectPort values to 443 to match.

After changing port 8080 to port 80, visiting https://localhost:443 redirects to https://localhost/; otherwise it stays at https://localhost:443.

Not sure why this is.


6. Configure web.xml so that access is allowed only over HTTPS; without this setting, both HTTP and HTTPS access are allowed.

This configuration can also be used to restrict only certain sections of the site to HTTPS.

<login-config>
    <!-- Authorization setting for SSL -->
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Client Cert Users-only Area</realm-name>
</login-config>

<security-constraint>
    <!-- Authorization setting for SSL -->
    <web-resource-collection>
        <web-resource-name>SSL</web-resource-name>
        <url-pattern>/login/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
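As an added check for steps 5 and 6 (written for this page, not code from the original post): a small Python lint over constructed copies of the server.xml and web.xml fragments above. It confirms that every plain connector's redirectPort points at the HTTPS connector's port, reports whether the HTTPS connector requires a client certificate during the handshake, and lists which servlet mappings are still reachable over plain HTTP. The sample files, the /shop/* mapping and the stale 8443 redirectPort are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the page's fragments; not real deployment files.
SERVER_XML = r"""<Server><Service name="Catalina">
  <Connector port="80" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true" sslProtocol="TLS" clientAuth="false"
             keystoreFile="D:\\home1\\tomcat.keystore" keystorePass="123321pw"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="443"/>
</Service></Server>"""
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet-mapping><servlet-name>login</servlet-name><url-pattern>/login/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>shop</servlet-name><url-pattern>/shop/*</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SSL</web-resource-name><url-pattern>/login/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""

def _find(elem, name):
    """Descendants with the given local tag name (ignores the web.xml default namespace)."""
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def lint_connectors(server_xml):
    """Step 5 check: plain connectors must redirect to the HTTPS port; also report clientAuth."""
    connectors = _find(ET.fromstring(server_xml), "Connector")
    https = [c for c in connectors if c.get("SSLEnabled", "false").lower() == "true"]
    if not https:
        return ["no SSLEnabled connector: nothing is served over HTTPS"]
    https_port, findings = https[0].get("port"), []
    for c in connectors:
        if c not in https and c.get("redirectPort") != https_port:
            findings.append(f"port {c.get('port')}: redirectPort={c.get('redirectPort')}, expected {https_port}")
    if https[0].get("clientAuth", "false").lower() != "true":
        findings.append("clientAuth is not 'true': the handshake does not require a client certificate")
    return findings

def confidential_patterns(web_xml):
    """Step 6 check: url-patterns that a CONFIDENTIAL transport-guarantee forces onto HTTPS."""
    protected = set()
    for sc in _find(ET.fromstring(web_xml), "security-constraint"):
        if any((g.text or "").strip() == "CONFIDENTIAL" for g in _find(sc, "transport-guarantee")):
            protected.update((p.text or "").strip() for p in _find(sc, "url-pattern"))
    return protected

def http_reachable_patterns(web_xml):
    """Servlet mappings no CONFIDENTIAL constraint covers, i.e. still reachable over plain HTTP."""
    mapped = {(p.text or "").strip() for m in _find(ET.fromstring(web_xml), "servlet-mapping")
              for p in _find(m, "url-pattern")}
    return sorted(mapped - confidential_patterns(web_xml))
```

Run the two lint functions against your own server.xml and web.xml text after editing them; an empty findings list and an empty reachable list mean every section is forced onto HTTPS.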