1: Generate the server certificate keystore;
keytool -genkeypair -v -alias SERVER -keyalg RSA -storetype PKCS12 -keystore ./server.keystore
2: Generate the client certificate (P12)
keytool -genkeypair -v -alias CLIENT -keyalg RSA -storetype PKCS12 -keystore ./client.p12
3: Export the client certificate (export the p12 file as a .cer file so it can be imported into the server keystore)
keytool -exportcert -alias CLIENT -keystore ./client.p12 -storetype PKCS12 -rfc -file ./client.cer
4: Make the server trust the client certificate (import the client certificate client.cer into the server keystore server.keystore)
keytool -importcert -v -alias CLIENT -file ./client.cer -keystore ./server.keystore
5: Export the server certificate from the server keystore (the -alias must name the SERVER entry created in step 1; without it keytool looks for the default alias "mykey")
keytool -keystore ./server.keystore -alias SERVER -export -file ./server.cer
6: Configure the Tomcat 9 configuration file tomcat\conf\server.xml (add the following Connector)
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="200" SSLEnabled="true" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
keystoreFile="E:\fireDOWN\tomcat9\conf\Certificate\server.keystore" keystorePass="123456"
truststoreFile="E:\fireDOWN\tomcat9\conf\Certificate\server.keystore" truststorePass="123456"
/>
clientAuth="true" enables mutual (two-way) authentication; the default false is one-way (server authentication only);
keystoreFile="E:\fireDOWN\tomcat9\conf\Certificate\server.keystore" specifies the location of the server certificate keystore;
truststoreFile="E:\fireDOWN\tomcat9\conf\Certificate\server.keystore" specifies the server's trust store (here the same file, which holds the imported client.cer);
7: Install the generated server certificate server.cer into "Trusted Root Certification Authorities"
8: Install the generated client certificate client.p12 into "Personal"
9: Access the service at https://localhost:8443;