Common part (self-signed SSL key; the certificate is generated on a CentOS system):
1. Create the certificate key file server.key on the CentOS server (the verification below used option A, without a password)
A. Generate server.key without a password
openssl genrsa -out server.key 2048
B. Generate server.key with a password
openssl genrsa -des3 -out server.key 2048
2. Create the certificate signing request file server.csr
openssl req -new -key server.key -out server.csr
Enter the following:
Enter pass phrase for root.key: ← enter the password created earlier (only asked if the key was generated with a password)
Country Name (2 letter code) [AU]:CN ← country code; for China enter CN
State or Province Name (full name) [Some-State]:Changsha ← full name of the province, in pinyin
Locality Name (eg, city) []:Changsha ← full name of the city, in pinyin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:humiaomuyun ← company name in English
Organizational Unit Name (eg, section) []: ← may be left empty
Common Name (eg, YOUR name) []: ← leave empty at this point
Email Address []:xialvli@163.com ← e-mail address, any value is fine
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ← may be left empty
An optional company name []: ← may be left empty
3. Generate the certificate file server.crt and server.pkcs12
3.1 Choose the configuration method (the verification below used option B, IP configuration)
A. Single-machine environment, configured with a domain name
echo "subjectAltName=DNS:server.esrichina.com" > cert_extensions
B. Single-machine environment, configured with an IP address
echo "subjectAltName=DNS:server.esrichina.com,IP:192.168.2.142" > cert_extensions
C. Distributed deployment, configured with domain names
echo "subjectAltName=DNS.1:server.esrichina.com,DNS.2:p1.esrichina.com,DNS.3:p2.esrichina.com" > cert_extensions
3.2 Generate server.crt and server.pkcs12 (a password must be entered; this password is needed later during configuration)
openssl x509 -req -sha256 -in server.csr -signkey server.key -extfile cert_extensions -out server.crt -days 3650
openssl pkcs12 -inkey server.key -in server.crt -export -out server.pkcs12 -name server
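Steps 1 to 3 above as one non-interactive script, with checks a practitioner should run before handing the files to Spring Boot or Nginx: the certificate really carries the expected subjectAltName, it matches server.key, and server.pkcs12 opens with the configured password. This is an added example, not part of the original post; the host name, IP address and password are the post's sample values.

```shell
#!/bin/sh
# Added example: the post's OpenSSL steps 1-3, scripted, plus sanity checks.
set -eu

# make_server_cert DIR HOST IP PASSWORD
#   writes server.key, server.csr, cert_extensions, server.crt and server.pkcs12 into DIR
make_server_cert() {
    dir=$1; host=$2; ip=$3; pass=$4
    # step 1, option A: key without a pass phrase
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    # step 2: CSR; -subj replaces the interactive prompts, Common Name is left empty as in the post
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=CN/ST=Changsha/L=Changsha/O=humiaomuyun"
    # step 3.1, option B: SAN carrying both the host name and the IP address
    echo "subjectAltName=DNS:$host,IP:$ip" > "$dir/cert_extensions"
    # step 3.2: self-signed certificate and PKCS#12 bundle (password given non-interactively)
    openssl x509 -req -sha256 -in "$dir/server.csr" -signkey "$dir/server.key" \
        -extfile "$dir/cert_extensions" -out "$dir/server.crt" -days 3650 2>/dev/null
    openssl pkcs12 -inkey "$dir/server.key" -in "$dir/server.crt" -export \
        -out "$dir/server.pkcs12" -name server -passout "pass:$pass"
}

# san_of CERT: prints the subjectAltName line, e.g. "DNS:host, IP Address:1.2.3.4"
san_of() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^ */, ""); print; exit }'
}

# cert_matches_key CERT KEY: succeeds only if the public key inside CERT belongs to KEY
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# pkcs12_opens P12 PASSWORD: succeeds only if the bundle decrypts with PASSWORD
pkcs12_opens() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -noout 2>/dev/null
}
```

After deployment, `openssl s_client -connect host:443 </dev/null 2>/dev/null | openssl x509 -noout -text` prints the certificate the server actually presents, which can be compared the same way.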
Spring Boot HTTPS configuration steps (configuring both HTTPS and HTTP):
1. application.properties configuration
# Path to the certificate.
server.ssl.key-store=classpath:server.pkcs12
# Certificate password; change this to the password of your own certificate (the password used when creating server.pkcs12)
server.ssl.key-store-password=123456
# Key store type
server.ssl.key-store-type=PKCS12
# HTTP port
http.port=8081
# HTTPS port (the default port is 443)
server.port=8082
2. Import the server.pkcs12 key file into the Spring Boot project
3. Add HTTP access support to the project (configured in Application)
import org.apache.catalina.connector.Connector;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.servlet.server.ServletWebServerFactory;
import org.springframework.context.annotation.Bean;

@SpringBootApplication
public class Application {
    @Value("${http.port}")
    private Integer port;
    private final static Logger logger = LoggerFactory.getLogger(Application.class);
    // Configure HTTP: a plain connector on http.port, in addition to the HTTPS connector on server.port
    private Connector createStandardConnector() {
        Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        connector.setPort(port);
        return connector;
    }
    @Bean
    public ServletWebServerFactory servletContainer() {
        TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory();
        tomcat.addAdditionalTomcatConnectors(createStandardConnector()); // add HTTP
        return tomcat;
    }
}
As shown in the figure:
Nginx HTTPS configuration steps:
HTTPS listens on port 443 by default (pay particular attention to this)
Reference URL for configuring HTTPS in Nginx:
https://blog.csdn.net/qq_22385935/article/details/91990876
Check the ports that are already open: firewall-cmd --list-ports
Open the port:
firewall-cmd --zone=public --add-port=443/tcp --permanent
firewall-cmd --reload
Restart the firewall:
firewall-cmd --reload
1. Nginx service configured on its own
vi /usr/local/pingos/conf/nginx.conf
server {
    listen 443 ssl;
    ssl_certificate /usr/local/pingos/cert/server.crt;
    ssl_certificate_key /usr/local/pingos/cert/server.key;
}
As shown in the figure below:
2. Nginx + Spring Boot configured together (note: here HTTPS for Spring Boot is terminated directly in Nginx and set up through a reverse proxy; Spring Boot starts on port 8081)
vi /usr/local/pingos/conf/nginx.conf
server {
    listen 443 ssl;
    ssl_certificate /usr/local/pingos/cert/server.crt;
    ssl_certificate_key /usr/local/pingos/cert/server.key;
    location / {
        proxy_pass http://127.0.0.1:8081/;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
    }
}
As shown in the figure:
Client-side (Windows) certificate operations:
1. Install the certificate (download the certificate server.crt from the server)
The result shows:
View certificate information:
2. Remove the certificate