欢迎使用CSDN-markdown编辑器

一：产生根证书：
1. 创建根证私钥
openssl genrsa -des3 -out ca-key.pem 2048

1. 创建根证书请求文件
   openssl req -new -out ca-req.csr -key ca-key.pem -keyform PEM -subj “/O=GZEPORT/OU=SingleWindow/CN=SingleWindow”

2. 自签证书
   openssl x509 -req -in ca-req.csr -out ca-cert.cer -signkey ca-key.pem -CAcreateserial -days 3650

   1. 导出p12证书
      openssl pkcs12 -export -clcerts -in ca-cert.cer -inkey ca-key.pem -out ca.p12

二：产生服务器证书
1. 产生密钥
  openssl genrsa -des3 -out server-key.pem 2048

1. 创建服务器证书请求
   openssl req -new -out server-req.csr -key server-key.pem -keyform PEM -subj “/O=GZEPORT/OU=SingleWindow/CN=swdemo.gzeport.com”

2. 用CA证书签发证书
   openssl x509 -req -in server-req.csr -out server-cert.cer -signkey server-key.pem -CA ca-cert.cer -CAkey ca-key.pem -CAcreateserial -days 3650

3. 导出p12证书
   openssl pkcs12 -export -clcerts -in server-cert.cer -inkey server-key.pem -out server.p12

三：产生客户端证书
1. 产生密钥
openssl genrsa -des3 -out client-key.pem 2048

       2. 创建服务器证书请求        openssl req -new -out client-req.csr -key client-key.pem -keyform PEM -subj "/O=GZEPORT/OU=SingleWindow/CN=localhost"       3. 用CA证书签发证书        openssl x509 -req -in client-req.csr -out client-cert.cer -signkey client-key.pem -CA ca-cert.cer -CAkey ca-key.pem -CAcreateserial -days 3650      4. 导出p12证书       openssl pkcs12 -export -clcerts -in client-cert.cer -inkey client-key.pem -out client.p12      四：生成证书库，导入CA证书     1.  导入CA证书到信任库(用于tomcat)       keytool -import -v -trustcacerts -storepass 123456 -alias CA -file ca-cert.cer -keystore server.jks         2.  导入客户端证书到信任库(用于tomcat)           keytool -import -v -trustcacerts -storepass 123456 -alias GZCUSTOMS -file client-cert.cer -keystore server.jks  五: Tomcat 配置      配置文件：server.xml

       <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"                maxThreads="150" scheme="https" secure="true"                clientAuth="true" sslProtocol="TLS"                keystoreFile="server.p12 " keystorePass="123456" keystoreType="PKCS12"                truststoreFile="server.jks " truststorePass="123456" truststoreType="JKS"     /> 

六:服务程序端配置(Server端)
配置文件：web.xml

 <security-constraint>        <web-resource-collection>            <web-resource-name>SSL</web-resource-name>            <url-pattern>/*</url-pattern>        </web-resource-collection>        <user-data-constraint>            <transport-guarantee>CONFIDENTIAL</transport-guarantee>        </user-data-constraint>    </security-constraint>   

   七：测试程序

package com.gzeport.test;import org.apache.http.HttpRequest;import org.apache.http.HttpResponse;import org.apache.http.client.HttpClient;import org.apache.http.client.methods.HttpPost;import org.apache.http.conn.ssl.DefaultHostnameVerifier;import org.apache.http.conn.ssl.SSLConnectionSocketFactory;import org.apache.http.conn.ssl.TrustSelfSignedStrategy;import org.apache.http.entity.StringEntity;import org.apache.http.impl.client.HttpClients;import org.apache.http.util.EntityUtils;import org.apache.http.conn.ssl.SSLContexts;import javax.net.ssl.SSLContext;import java.io.File;import java.io.FileInputStream;import java.io.IOException;import java.math.BigInteger;import java.security.*;import java.security.cert.*;import java.security.cert.Certificate;import java.util.Date;import java.util.Set;/** * Created by Beeven on 8/12/2015. */public class HttpClientSSL {    public static void main(String[] args) throws Exception{        KeyStore clientKeyStore = KeyStore.getInstance("PKCS12");        clientKeyStore.load(new FileInputStream("D:\\DevTools\\Java\\openssl\\testca\\new\\client.p12"), "123456".toCharArray());        KeyStore trustKeyStore = KeyStore.getInstance("jks");        trustKeyStore.load(null);        CertificateFactory factory = CertificateFactory.getInstance("x509");        Certificate cacert = factory.generateCertificate(new FileInputStream("D:\\DevTools\\Java\\openssl\\testca\\new\\ca-cert.cer"));        trustKeyStore.setCertificateEntry("ca",cacert);        SSLContext sslContext = SSLContexts.custom()                .loadKeyMaterial(clientKeyStore,"123456".toCharArray())                .loadTrustMaterial(trustKeyStore,new TrustSelfSignedStrategy())                .build();        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(                sslContext, new DefaultHostnameVerifier()        );        HttpClient client = HttpClients.custom()                .setSSLSocketFactory(sslsf)                .build();        HttpPost post = new HttpPost("https://localhost:8443/web/sendjson");        post.setHeader("Content-Type","application/json");        post.setEntity(new StringEntity("{\"Hello\":\"World!\"}"));        HttpResponse response = client.execute(post);        System.out.println(response.getStatusLine().getStatusCode()+":"+response.getStatusLine().getReasonPhrase());              String result = EntityUtils.toString(response.getEntity());        System.out.println(result);    }}