一、构建证书
1、生成TrustStore(信任库)-----trustKeys.p12
##keytool -genkeypair -alias [alias] -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore [名称] -validity [过期天数]
keytool -genkeypair -alias trustkeys -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore trustKeys.p12 -validity 36500
2、生成user客户端密钥
keytool -genkeypair -alias user -storetype PKCS12 -validity 3650 -keyalg RSA -dname "CN=jwt,OU=jtw,O=jtw,L=zuricn,S=zurich,C=CH" -keypass 11111111 -storepass 11111111 -keystore user.p12
3、导出生成user客户端密钥的公钥
keytool -keystore user.p12 -export -alias user -file user.cer
4、导入user客户端密钥的公钥
keytool -import -alias user -v -file user.cer -keystore trustKeys.p12
//删除(无需这步,操作出错时可以使用)
keytool -delete -alias user -keystore trustKeys.p12
二、构建Springboot项目
1、将http端口重定向到https端口(这一步的做法网上可以找到,这里也贴出来。本文直接使用的是80与443端口)
@Configuration
public class Tomcatredirect {

    /** Plain-HTTP port; it only exists to redirect, see {@link #httpConnector()}. */
    private static final int HTTP_PORT = 80;
    /** HTTPS port that plain-HTTP requests are redirected to. */
    private static final int HTTPS_PORT = 443;
    /** Tomcat protocol handler used for the extra connector. */
    private static final String NIO_PROTOCOL = "org.apache.coyote.http11.Http11NioProtocol";

    /**
     * Builds the embedded Tomcat factory: every path is marked CONFIDENTIAL (TLS only)
     * and an additional plain-HTTP connector is registered whose sole job is to
     * redirect callers to the HTTPS port.
     *
     * @return the factory Spring Boot uses to create the embedded server
     */
    @Bean
    public TomcatServletWebServerFactory servletContainer() {
        TomcatServletWebServerFactory factory = new HttpsOnlyTomcatFactory();
        factory.addAdditionalTomcatConnectors(httpConnector());
        return factory;
    }

    /**
     * Plain-HTTP connector: listens on {@value #HTTP_PORT}, is flagged as not secure,
     * and names {@value #HTTPS_PORT} as the port the CONFIDENTIAL constraint redirects to.
     *
     * @return the connector registered next to the HTTPS one
     */
    @Bean
    public Connector httpConnector() {
        Connector plainHttp = new Connector(NIO_PROTOCOL);
        plainHttp.setScheme("http");
        // Port the plain-HTTP listener binds to.
        plainHttp.setPort(HTTP_PORT);
        plainHttp.setSecure(false);
        // Port a request arriving on HTTP is redirected to once the constraint fires.
        plainHttp.setRedirectPort(HTTPS_PORT);
        return plainHttp;
    }

    /** Tomcat factory that requires a confidential (TLS) transport for every path. */
    private static final class HttpsOnlyTomcatFactory extends TomcatServletWebServerFactory {
        @Override
        protected void postProcessContext(Context context) {
            SecurityCollection allPaths = new SecurityCollection();
            allPaths.addPattern("/*");
            SecurityConstraint confidential = new SecurityConstraint();
            confidential.setUserConstraint("CONFIDENTIAL");
            confidential.addCollection(allPaths);
            context.addConstraint(confidential);
        }
    }
}
2.将trustKeys.p12拷贝到classpath下的zs文件夹(对应yml中的classpath:zs/)
3.设置yml
# Plain-HTTP port. Custom key: the redirect connector in Tomcatredirect hard-codes 80 and does not read this value.
http:
  port: 80
server:
  # HTTPS port; plain-HTTP clients are redirected here.
  port: 443
  ssl:
    # Server certificate and private key. NOTE(review): this is the same file as trust-store below,
    # so the server's own private key (generated with -genkeypair) lives in the trust store — fine for
    # a demo, normally kept in a separate file.
    key-store: classpath:zs/trustKeys.p12
    # Enable TLS on the server port.
    enabled: true
    # Keystore password; must be the storepass of trustKeys.p12.
    key-store-password: 11111111
    # Keystore type; must match keytool's -storetype (PKCS12 here, not JKS).
    key-store-type: PKCS12
    # Mutual TLS: the container rejects handshakes without a client certificate that chains to the trust store.
    client-auth: need
    # Trust store holding the accepted client certificates (user.cer was imported into it).
    trust-store: classpath:zs/trustKeys.p12
    # Trust store password.
    trust-store-password: 11111111
    # Trust store type.
    trust-store-type: PKCS12
4.接口获取证书内容
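@RestController
@RequestMapping("skull")
public class SkullController {

    /**
     * Request attribute under which the Servlet container exposes the client certificate chain
     * negotiated on a mutual-TLS connection. NOTE(review): on Jakarta Servlet 5+ the attribute is
     * named {@code jakarta.servlet.request.X509Certificate}; confirm which one this app runs on.
     */
    private static final String CLIENT_CERT_ATTRIBUTE = "javax.servlet.request.X509Certificate";

    /**
     * Returns the CN of the client certificate presented on this connection, or an empty
     * string when no client certificate (or no CN) is available.
     *
     * <p>The value can be used as an identity because, with {@code server.ssl.client-auth=need},
     * the container has already verified the chain against the configured trust store before the
     * request reaches this handler; this method does no further validation of its own.
     *
     * @param request the current request; the certificate chain is read from its attributes
     * @return the CN as a {@link String}, or {@code ""}
     * @throws UnknownHostException never thrown here; kept so the signature stays compatible
     */
    @GetMapping("/user")
    public Object queryUser(HttpServletRequest request) throws UnknownHostException {
        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CLIENT_CERT_ATTRIBUTE);
        // Guard the empty array too: the original indexed certs[0] on a null check alone.
        if (certs == null || certs.length == 0) {
            return "";
        }
        // Per the Servlet spec the first element is the certificate the client itself presented;
        // any following entries are its issuers.
        X509Certificate clientCert = certs[0];
        // getSubjectX500Principal() replaces the denigrated getSubjectDN(); getName() yields RFC 2253 form.
        String dn = clientCert.getSubjectX500Principal().getName();
        System.out.println("个人证书信息:" + dn);
        String username = commonNameOf(dn);
        System.out.println("用户名:" + username);
        return username;
    }

    /**
     * Extracts the CN attribute from an RFC 2253 distinguished name.
     *
     * <p>Uses {@code LdapName} instead of splitting on {@code ','} and {@code '='}, so escaped
     * separators inside a value (e.g. {@code CN=Doe\, John}) and attributes without a value no longer
     * break parsing or throw {@code ArrayIndexOutOfBoundsException}.
     *
     * @param rfc2253Dn the subject DN in RFC 2253 form
     * @return the unescaped CN value, or {@code ""} if the DN has no CN or cannot be parsed
     */
    private static String commonNameOf(String rfc2253Dn) {
        try {
            java.util.List<javax.naming.ldap.Rdn> rdns = new javax.naming.ldap.LdapName(rfc2253Dn).getRdns();
            // LdapName stores RDNs root-first (index 0 is the rightmost one in the string); walk from the
            // end so the leftmost, most specific CN wins, matching the original left-to-right scan.
            for (int i = rdns.size() - 1; i >= 0; i--) {
                javax.naming.ldap.Rdn rdn = rdns.get(i);
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return String.valueOf(rdn.getValue());
                }
            }
        } catch (javax.naming.InvalidNameException e) {
            // A DN the container accepted but LdapName cannot parse: treat as "no CN" rather than failing the request.
            System.out.println("证书主题解析失败:" + e.getMessage());
        }
        return "";
    }
}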
三、浏览器导入证书
导入证书(user.p12)方式可以在网上搜索