Zhihu column | Multi-dimensional Architecture | WeChat official account: netkiller-ebook | QQ group: 128659835 (please mention "reader")
keytool -genkey -alias www.netkiller.cn -keyalg RSA -keystore /www/netkiller.cn/www.netkiller.cn.keystore
Import the certificate (Windows)
keytool -selfcert -alias www.netkiller.cn -keystore www.netkiller.cn.keystore
keytool -export -alias www.netkiller.cn -keystore www.netkiller.cn.keystore -storepass passw0rd -rfc -file www.netkiller.cn.cer
Find the Java installation path
[root@localhost ~]# alternatives --list
libnssckbi.so.x86_64 auto /usr/lib64/pkcs11/p11-kit-trust.so
python auto /usr/libexec/no-python
cifs-idmap-plugin auto /usr/lib64/cifs-utils/cifs_idmap_sss.so
ifup auto /usr/libexec/nm-ifup
ld auto /usr/bin/ld.bfd
python3 auto /usr/bin/python3.6
dockerd auto /usr/bin/dockerd-ce
java manual /usr/lib/jvm/java-14-openjdk-14.0.2.12-1.rolling.el8.x86_64/bin/java
jre_openjdk auto /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.262.b10-0.el8_2.x86_64/jre
jre_14 auto /usr/lib/jvm/java-14-openjdk-14.0.2.12-1.rolling.el8.x86_64
jre_14_openjdk auto /usr/lib/jvm/jre-14-openjdk-14.0.2.12-1.rolling.el8.x86_64
javac auto /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.262.b10-0.el8_2.x86_64/bin/javac
java_sdk_openjdk auto /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.262.b10-0.el8_2.x86_64
java_sdk_14 auto /usr/lib/jvm/java-14-openjdk-14.0.2.12-1.rolling.el8.x86_64
java_sdk_14_openjdk auto /usr/lib/jvm/java-14-openjdk-14.0.2.12-1.rolling.el8.x86_64
jre_1.8.0 auto /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.262.b10-0.el8_2.x86_64/jre
jre_1.8.0_openjdk auto /usr/lib/jvm/jre-1.8.0-openjdk-1.8.0.262.b10-0.el8_2.x86_64
java_sdk_1.8.0 auto /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.262.b10-0.el8_2.x86_64
java_sdk_1.8.0_openjdk auto /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.262.b10-0.el8_2.x86_64
mvn auto /usr/share/maven/bin/mvn
Import the certificate (JVM)
keytool -importcert -alias www.netkiller.cn -file www.netkiller.cn.cer -keystore /srv/java/jre/lib/security/cacerts
Configure the Tomcat HTTPS port, 8443 (because the JVM cannot fork and setuid, it cannot bind port 80 the way nginx or Apache httpd do, unless you run it as root, which is unsafe.)
server.port=8443
server.ssl.enabled=true
server.ssl.key-store=/www/netkiller.cn/www.netkiller.cn.keystore
server.ssl.key-store-password=passw0rd
server.ssl.key-store-type=JKS
server.ssl.key-alias=www.netkiller.cn
The keystore file can also be placed on the classpath: first put the certificate file in the src/main/resources directory, then configure application.properties as follows:
server.port=8443
server.ssl.enabled=true
server.ssl.key-store=classpath:www.netkiller.cn.keystore
server.ssl.key-store-password=passw0rd
server.ssl.key-store-type=JKS
server.ssl.key-alias=www.netkiller.cn
/srv/java/bin/java -server -Xms2048m -Xmx8192m -Djava.security.egd=file:/dev/./urandom -jar /www/netkiller.cn/www.netkiller.cn/www.netkiller.cn-0.0.1.war
String url = "https://www.netkiller.cn:8443/public/test/version.json";
ResponseEntity<RestResponse<String>> result = restTemplate.exchange(url, HttpMethod.GET, null, new ParameterizedTypeReference<RestResponse<String>>() {});
Enabling HTTP/2 requires Tomcat 9 or later and Spring Boot 2.1.
Create the certificate
keytool -genkey -alias localhost -storetype PKCS12 -keyalg RSA -keysize 2048 -storepass passw0rd -keystore localhost.p12 -dname "CN=localhost, OU=netkiller, O=netkiller.cn, L=Guangdong, ST=Shenzhen, C=CN"
keytool -selfcert -alias localhost -storepass passw0rd -keystore localhost.p12
keytool -export -alias localhost -keystore localhost.p12 -storepass passw0rd -rfc -file localhost.cer
keytool -importcert -trustcacerts -alias localhost -file localhost.cer -storepass passw0rd -keystore /etc/pki/java/cacerts
If you installed the JDK yourself, you need to locate the path of its cacerts file
keytool -importcert -trustcacerts -alias localhost -file localhost.cer -storepass passw0rd -keystore /srv/java/jre/lib/security/cacerts
How to add it on macOS: when prompted for the password, enter changeit
iMac:resources neo$ sudo keytool -importcert -trustcacerts -alias localhost -file localhost.cer -cacerts
Password:
輸入密鑰庫口令:
所有者: CN=localhost, OU=netkiller, O=netkiller.cn, L=Guangdong, ST=Shenzhen, C=CN
發佈者: CN=localhost, OU=netkiller, O=netkiller.cn, L=Guangdong, ST=Shenzhen, C=CN
序列號: ffd28d78add2b56c
生效時間: Mon Sep 07 16:55:39 CST 2020, 失效時間: Sun Dec 06 16:55:39 CST 2020
證書指紋:
	 SHA1: A0:DB:69:34:66:EA:16:A3:AF:65:31:F9:5D:6E:C0:70:CA:5F:0E:22
	 SHA256: 2C:04:B7:BB:28:25:B5:E6:7C:0F:73:4B:02:38:6E:04:80:42:E2:F7:61:5C:91:4D:A8:EA:5E:20:2E:82:4F:0C
簽名算法名稱: SHA256withRSA
主體公共密鑰算法: 2048 位 RSA 密鑰
版本: 3

擴展:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4E 30 9A EC C1 9D FB C2   CC 55 B2 6D 0D F4 01 CE  N0.......U.m....
0010: 13 C6 62 38                                        ..b8
]
]

是否信任此證書? [否]:  Y
證書已添加到密鑰庫中
iMac:resources neo$ keytool -list -cacerts -alias localhost
輸入密鑰庫口令:
localhost, 2020年9月8日, trustedCertEntry,
證書指紋 (SHA-256): 2C:04:B7:BB:28:25:B5:E6:7C:0F:73:4B:02:38:6E:04:80:42:E2:F7:61:5C:91:4D:A8:EA:5E:20:2E:82:4F:0C
Configure and enable HTTP/2
server:
  port: 8443
  servlet:
    context-path: /
  ssl:
    enabled: true
    key-store: classpath:ssl/localhost.p12
    key-store-type: PKCS12
    key-store-password: 123456
  http2:
    enabled: true
My configuration
spring.application.name=web
server.port=8443
#server.servlet.context-path=/
server.ssl.enabled=true
server.ssl.key-store=classpath:localhost.p12
server.ssl.key-store-type=PKCS12
server.ssl.key-store-password=123456
server.http2.enabled=true
Accessing the server with curl and seeing HTTP/2 in the response shows that it worked
neo@MacBook-Pro ~ % curl -i -k https://localhost:8443/ping
HTTP/2 200
content-type: text/plain;charset=UTF-8
content-length: 4
date: Tue, 09 Apr 2019 08:41:29 GMT

Pong%
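The curl check above uses -k, which skips certificate verification, so it proves HTTP/2 negotiation but not that the self-signed certificate is actually trusted. The following client is an added example (not code from the original page) that does both: it loads the exported localhost.cer into an in-memory truststore instead of modifying the JVM-wide cacerts, then confirms the server negotiated HTTP/2. It assumes Java 11 or later (for java.net.http.HttpClient), the /ping endpoint and port 8443 from the configuration above, and the certificate file path localhost.cer.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class Http2TrustCheck {

    // Build an SSLContext that trusts only the exported self-signed certificate.
    // This keeps the trust decision local to this client rather than editing cacerts.
    static SSLContext trustOnly(String cerPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        try (InputStream in = new FileInputStream(cerPath)) {
            cert = (X509Certificate) cf.generateCertificate(in);
        }
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);                 // empty in-memory truststore
        trustStore.setCertificateEntry("localhost", cert);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String cerPath = args.length > 0 ? args[0] : "localhost.cer";  // assumed file name
        HttpClient client = HttpClient.newBuilder()
                .sslContext(trustOnly(cerPath))
                .version(HttpClient.Version.HTTP_2)   // offer h2 via ALPN; falls back to HTTP/1.1
                .build();
        HttpRequest request = HttpRequest.newBuilder(
                URI.create("https://localhost:8443/ping")).GET().build();
        HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
        // Certificate chain and hostname were verified by the TLS handshake; now confirm the protocol.
        System.out.println(response.version() + " " + response.statusCode() + " " + response.body());
        if (response.version() != HttpClient.Version.HTTP_2) {
            throw new IllegalStateException("server did not negotiate HTTP/2");
        }
    }
}
```

If the handshake fails with a certificate error, the server is presenting a different certificate than the one exported, which is exactly the condition that -k would have hidden.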