1. Introduction
Using a Java program as the client works on the same principle: the client must present its client certificate and private key with the request, and it must also hold the root certificate so that it can verify that the server certificate is trustworthy. The first step is therefore to install the root certificate.
2. Installing the root certificate
1) Generating a truststore file for the client to use (native approach)
The root certificate can be installed with the JDK's keytool utility in several ways; here only the keystore-file approach is used.
First, make a copy of the root certificate ca.crt and rename it ca.cer, then copy that file into the JDK's jre\lib\security directory and install the root certificate from there:
Run the command
keytool -keystore javaclient.truststore -keypass 123456 -storepass 123456 -alias DemoCA -import -trustcacerts -file ca.cer
Once the import succeeds, the imported certificate is the one our Java security layer trusts. Note that the JVM does not pick up javaclient.truststore automatically just because it sits in jre\lib\security: the client code must load this file explicitly, or the JVM must be started with -Djavax.net.ssl.trustStore (and -Djavax.net.ssl.trustStorePassword) pointing at it.
3. Java client code
package org.qy.ca.client;

import lombok.extern.slf4j.Slf4j;
import org.apache.http.HttpEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.util.EntityUtils;

import javax.net.ssl.SSLContext;
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

/**
 * @Description: HTTPS GET client that authenticates with a client certificate (mutual TLS)
 * @Author: 方宇康
 * @CreateDate: 2020/5/18 9:58
 * @Version: 1.0.0.1
 * @Company: 联通智网科技有限公司
 */
@Slf4j
public class HttpsKeyStoreConnect
{
    /**
     * Path to the client certificate (PKCS12); a local absolute path is used here and must be changed
     */
    private final static String PFX_PATH = "E:\\个人晋升\\CA证书\\client.p12";
    /**
     * Password of the client certificate and of its keystore
     */
    private final static String PFX_PWD = "123456";
    /**
     * Path to the truststore created in step 2 with keytool (javaclient.truststore); adjust it to where
     * that file was written. The JVM does not use the file automatically just because it sits in
     * jre\lib\security, so it is loaded explicitly below.
     */
    private final static String TRUST_STORE_PATH = "javaclient.truststore";
    /**
     * Truststore password (the -storepass given to keytool)
     */
    private final static String TRUST_STORE_PWD = "123456";

    /**
     * Performs an HTTPS GET against a server that requires client-certificate (mutual TLS) authentication.
     *
     * @param url the HTTPS URL to request
     * @return the response body decoded as UTF-8
     * @exception Exception if a keystore cannot be read or the request fails
     * @date 2020/5/18 10:11
     */
    public static String sslRequestGet(String url) throws Exception
    {
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        log.info("HttpsKeyStoreConnect|sslRequestGet|loading client keystore {}", PFX_PATH);
        try (InputStream inputStream = new FileInputStream(new File(PFX_PATH)))
        {
            // This is the password of the KeyStore itself
            keyStore.load(inputStream, PFX_PWD.toCharArray());
        }
        SSLContext sslcontext = SSLContexts.custom()
                // client certificate and private key presented to the server
                .loadKeyMaterial(keyStore, PFX_PWD.toCharArray())
                // root CA used to verify the server certificate
                .loadTrustMaterial(new File(TRUST_STORE_PATH), TRUST_STORE_PWD.toCharArray())
                .build();
        SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(sslcontext
                // supportedProtocols: only TLS 1.2; SSLv3, TLS 1.0 and TLS 1.1 are obsolete and
                // disabled in current JDKs. Add "TLSv1.3" on JDK 11+ (or 8u261+).
                , new String[] { "TLSv1.2" }
                // supportedCipherSuites: null keeps the JDK defaults
                , null
                , SSLConnectionSocketFactory.getDefaultHostnameVerifier());
        try (CloseableHttpClient httpclient = HttpClients.custom()
                .setSSLSocketFactory(sslConnectionSocketFactory).build())
        {
            HttpGet httpget = new HttpGet(url);
            try (CloseableHttpResponse response = httpclient.execute(httpget))
            {
                HttpEntity entity = response.getEntity();
                // Response body
                String jsonStr = EntityUtils.toString(entity, "UTF-8");
                EntityUtils.consume(entity);
                return jsonStr;
            }
        }
    }

    public static void main(String[] args) throws Exception
    {
        log.info("HttpsKeyStoreConnect|main|response from the mutually authenticated Tomcat service:={}",
                sslRequestGet("https://www.qy-bb.club"));
    }
}
Run the main method:
The Tomcat service was reached successfully!!!
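When the request above fails with a handshake error, the cause is almost always one of the two keystores rather than the HTTP code. As an added example (not part of the original post), the check below loads client.p12 and javaclient.truststore with the passwords and the DemoCA alias from the steps above and reports what the handshake would trip over; the relative file paths are assumed, and the client certificate is assumed to be issued directly by DemoCA with no intermediate.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;

/** Pre-flight check of the two keystores used by the mutual-TLS client (added example). */
public class MtlsKeystoreCheck {
    // Names and passwords as used in the steps above; paths are assumed, adjust to your layout.
    static final String CLIENT_P12 = "client.p12", CLIENT_PWD = "123456";
    static final String TRUSTSTORE = "javaclient.truststore", TRUST_PWD = "123456";
    static final String CA_ALIAS = "DemoCA"; // alias passed to keytool -import

    static KeyStore load(String type, String path, String pwd) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pwd.toCharArray());
        }
        return ks;
    }

    /** Returns a one-line summary, or throws with the reason the handshake would fail. */
    static String check() throws Exception {
        KeyStore client = load("PKCS12", CLIENT_P12, CLIENT_PWD);
        // keytool wrote the JDK default type (JKS on 8, PKCS12 on 9+); getDefaultType() reads both
        KeyStore trust = load(KeyStore.getDefaultType(), TRUSTSTORE, TRUST_PWD);
        // 1. client.p12 must hold a private key, or the server's CertificateRequest cannot be answered
        String keyAlias = null;
        for (String a : Collections.list(client.aliases())) {
            if (client.isKeyEntry(a)) { keyAlias = a; break; }
        }
        if (keyAlias == null) throw new IllegalStateException(CLIENT_P12 + " has no private key entry");
        client.getKey(keyAlias, CLIENT_PWD.toCharArray()); // throws if the key password is wrong
        X509Certificate clientCert = (X509Certificate) client.getCertificate(keyAlias);
        // 2. The truststore must hold the CA as a trusted-certificate entry; a missing entry is the
        //    usual cause of "PKIX path building failed" when the server certificate is verified.
        if (!trust.isCertificateEntry(CA_ALIAS))
            throw new IllegalStateException("no trusted CA entry '" + CA_ALIAS + "' in " + TRUSTSTORE);
        X509Certificate ca = (X509Certificate) trust.getCertificate(CA_ALIAS);
        // 3. The client certificate must be signed by that CA (assumed: issued directly by DemoCA,
        //    no intermediate) and both certificates must still be within their validity period.
        clientCert.verify(ca.getPublicKey());
        clientCert.checkValidity(new Date());
        ca.checkValidity(new Date());
        return "OK: " + clientCert.getSubjectX500Principal() + " issued by " + ca.getSubjectX500Principal();
    }

    public static void main(String[] args) throws Exception { System.out.println(check()); }
}
```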
References: