1.Nginx
1.1 SSL 单向认证
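# 1) 2048-bit RSA key, encrypted at rest. AES-256 replaces the legacy 3DES
#    wrapping, and -passout supplies the same passphrase the following steps
#    read with -passin (the original prompted interactively here, then used
#    "giraffe" everywhere else).
#    NOTE(review): pass:... is visible in shell history and in `ps`; outside a
#    throw-away demo use -passout file:<path> or env:<VAR>.
openssl genrsa -aes256 -passout pass:giraffe -out private.key 2048
# 2) Certificate signing request for that key; -subj fills the DN non-interactively.
openssl req -new -key private.key -passin pass:giraffe -out certificate.csr -subj "/C=CN/ST=ShangHai/L=ShangHai/O=MyCompany/OU=IT/CN=www.test.com/emailAddress=1183711908@qq.com"
# 3) Self-sign the CSR with the same key, valid for 10 years.
openssl x509 -req -days 3650 -in certificate.csr -signkey private.key -passin pass:giraffe -out certificate.crt
# 4) Strip the passphrase so nginx can read the key at startup; the resulting
#    file is unprotected, so keep it mode 0600 and owned by the nginx user.
openssl rsa -in private.key -passin pass:giraffe -out private_no_passphrase.key
# Inspection: decode the certificate, sanity-check the key, verify the CSR signature.
openssl x509 -in certificate.crt -text -noout
openssl rsa -in private_no_passphrase.key -check
openssl req -text -noout -verify -in certificate.csr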
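http {
    server {
        listen 443 ssl;
        # Certificate and passphrase-less key produced in section 1.1.
        ssl_certificate     /etc/cert/certificate.crt;
        ssl_certificate_key /etc/cert/private_no_passphrase.key;
        ssl_session_timeout 30m;
        # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer only 1.2 and 1.3.
        # TLSv1.3 needs nginx built against OpenSSL 1.1.1 or newer.
        ssl_protocols TLSv1.2 TLSv1.3;
        # Forward-secret AEAD suites only. The original list ended in the
        # catch-alls ECDH:AES:HIGH, which re-admit static-key and CBC/SHA-1
        # suites. The key is RSA (genrsa), so only ECDHE-RSA suites are listed.
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305;
        ssl_prefer_server_ciphers on;
    }
}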
1.2 SSL 双向认证
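# Root CA: 2048-bit key and a self-signed certificate valid for 10 years.
openssl genrsa -out root.key 2048
# The CA subject must differ from the end-entity subjects. The original used
# CN=server.demo.com for the root, the server and the client alike, so the
# server certificate's issuer name equalled its own subject - at best confusing
# when reading chains, at worst mis-built as a self-issued certificate.
openssl req -new -out root.csr -key root.key -subj "/C=CN/CN=demorootca.demo.com"
openssl x509 -req -in root.csr -out root.crt -signkey root.key -CAcreateserial -days 3650
# Server: key, CSR, and certificate signed by the root CA.
openssl genrsa -out server.key 2048
openssl req -new -out server.csr -key server.key -subj "/C=CN/CN=server.demo.com"
openssl x509 -req -in server.csr -out server.crt -CA root.crt -CAkey root.key -CAcreateserial -days 3650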
root.srl:CA 签发证书时记录序列号的文件,全名是 root.Serial。
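# Client: key, CSR, and certificate signed by the same root CA. The client CN
# must not reuse the server's name (the original issued the client certificate
# as CN=server.demo.com as well).
openssl genrsa -out client.key 2048
openssl req -new -out client.csr -key client.key -subj "/C=CN/CN=client.demo.com"
openssl x509 -req -in client.csr -out client.crt -CA root.crt -CAkey root.key -CAcreateserial -days 3650
# Bundle key + certificate as PKCS#12 for browsers and Java clients.
# NOTE(review): the export password is a demo value on the command line; use
# -password file:<path> or env:<VAR> for anything that leaves this machine.
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12 -password pass:'123456'
# Inspect both end-entity certificates (issuer should now read demorootca.demo.com).
openssl x509 -in server.crt -text -noout
openssl x509 -in client.crt -text -noout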
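server {
    listen 443 ssl;
    server_name server.demo.com;
    # "ssl on;" was dropped: it is deprecated since nginx 1.15.0 and the
    # "listen ... ssl" above already enables TLS on this socket.
    ssl_certificate     /data/sslKey/server.crt;
    ssl_certificate_key /data/sslKey/server.key;
    # Pin the protocol set instead of relying on the build's default, which on
    # older nginx versions still includes TLS 1.0/1.1.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Mutual TLS: every client must present a certificate that chains to
    # root.crt. ssl_verify_depth 1 (the default, made explicit) accepts only
    # certificates signed directly by that root.
    ssl_client_certificate /data/sslKey/root.crt;
    ssl_verify_client on;
    ssl_verify_depth 1;
    location / {
        proxy_pass http://127.0.0.1:8991/;
    }
}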
2. SSL对称加密
2.1 方式 1:keytool
# --- Server identity: RSA-2048 key pair with a one-year self-signed certificate ---
# Hostname verifiers match against the SAN (IP:192.168.1.9); once a SAN is
# present the CN is generally ignored, so list every address clients will use.
keytool -genkeypair -alias server -keystore server.jks \
    -storepass 123456 -keypass 123456 \
    -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=localhost" -ext san=IP:192.168.1.9
# -exportcert is the canonical spelling of -export: write the certificate (DER) for the peer.
keytool -exportcert -alias server -keystore server.jks -storepass 123456 -file server.cer

# --- Client identity, same shape ---
keytool -genkeypair -alias client -keystore client.jks \
    -storepass 123456 -keypass 123456 \
    -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=localhost" -ext san=IP:192.168.1.9
keytool -exportcert -alias client -keystore client.jks -storepass 123456 -file client.cer

# --- Cross-trust: each store gets the other side's self-signed certificate as a
# trusted entry (-importcert is the canonical spelling of -import; keytool may
# ask "Trust this certificate?" because neither cert chains to cacerts) ---
keytool -importcert -trustcacerts -alias server -file server.cer -keystore client.jks -storepass 123456
keytool -importcert -trustcacerts -alias client -file client.cer -keystore server.jks -storepass 123456

# --- PKCS#12 copies of both stores ---
# NOTE(review): on JDK 9+ keytool's default -storetype is PKCS12 even for a
# .jks file name; keytool can usually read either format, so -srcstoretype JKS
# still works here, but confirm with -list which format these files really are.
keytool -importkeystore -noprompt \
    -srckeystore client.jks -srcstoretype JKS -srcstorepass 123456 \
    -srcalias client -srckeypass 123456 \
    -destkeystore client.p12 -deststoretype PKCS12 -deststorepass 123456 \
    -destalias client -destkeypass 123456
keytool -importkeystore -noprompt \
    -srckeystore server.jks -srcstoretype JKS -srcstorepass 123456 \
    -srcalias server -srckeypass 123456 \
    -destkeystore server.p12 -deststoretype PKCS12 -deststorepass 123456 \
    -destalias server -destkeypass 123456

# Inspect both stores.
keytool -list -v -keystore server.jks -storepass 123456
keytool -list -v -keystore client.jks -storepass 123456
2.2 方式 2:openSSL
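# ---- Root CA: 4096-bit RSA key (AES-256 encrypted) and a 10-year self-signed certificate ----
# NOTE(review): every pass:'...' below is a demo secret that ends up in shell
# history and `ps`; use file:<path> or env:<VAR> pass sources for real material.
openssl genpkey -aes256 -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out rootca.key -pass pass:'RootCaKey@2024'
openssl req -x509 -days 3650 -sha256 -key rootca.key -passin pass:'RootCaKey@2024' -out rootca.crt -subj "/C=CN/CN=demorootca.demo.com"

# ---- Trust stores containing only the root certificate, once as PKCS#12 and once as JKS ----
keytool -import -noprompt -trustcacerts -alias rootca -file rootca.crt -keystore rootca.p12 -storetype PKCS12 -storepass 'TrustStore@2024'
keytool -list -v -keystore rootca.p12 -storetype PKCS12 -storepass 'TrustStore@2024'
keytool -import -noprompt -trustcacerts -alias rootca -file rootca.crt -keystore rootca.jks -storetype JKS -storepass 'TrustStore@2024'
keytool -list -v -keystore rootca.jks -storetype JKS -storepass 'TrustStore@2024'

# ---- Server: encrypted key, CSR, CA-signed certificate, chain check, key stores ----
openssl genpkey -aes256 -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out server.key -pass pass:'ServerKey@2024'
openssl req -new -key server.key -passin pass:'ServerKey@2024' -out server.csr -subj "/C=CN/CN=server.demo.com"
openssl x509 -req -in server.csr -CA rootca.crt -CAkey rootca.key -passin pass:'RootCaKey@2024' -CAcreateserial -out server.crt -days 3650 -sha256
openssl verify -verbose -CAfile rootca.crt server.crt
# -chain -CAfile bundles the root certificate into the PKCS#12 alongside key + leaf.
openssl pkcs12 -export -inkey server.key -passin pass:'ServerKey@2024' -in server.crt -chain -CAfile rootca.crt -out server.p12 -password pass:'ServerKeyStore@2024'
keytool -list -v -keystore server.p12 -storepass 'ServerKeyStore@2024'
# JKS copy. The original passed -deststoretype pkcs12 here, so server.jks was a
# PKCS#12 file despite its name and the "-storetype JKS" listing that follows;
# -deststoretype JKS matches the listing. Both store passwords are given
# explicitly so keytool does not prompt for the source store password.
keytool -importkeystore -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass 'ServerKeyStore@2024' -destkeystore server.jks -deststoretype JKS -deststorepass 'ServerKeyStore@2024'
keytool -list -v -keystore server.jks -storetype JKS -storepass 'ServerKeyStore@2024'

# ---- Client: same steps with its own CN ----
openssl genpkey -aes256 -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out client.key -pass pass:'ClientKey@2024'
openssl req -new -key client.key -passin pass:'ClientKey@2024' -out client.csr -subj "/C=CN/CN=client.demo.com"
openssl x509 -req -in client.csr -CA rootca.crt -CAkey rootca.key -passin pass:'RootCaKey@2024' -CAcreateserial -out client.crt -days 3650 -sha256
openssl verify -verbose -CAfile rootca.crt client.crt
openssl pkcs12 -export -inkey client.key -passin pass:'ClientKey@2024' -in client.crt -chain -CAfile rootca.crt -out client.p12 -password pass:'ClientKeyStore@2024'
keytool -list -v -keystore client.p12 -storepass 'ClientKeyStore@2024'
# Same -deststoretype fix as for the server above.
keytool -importkeystore -srckeystore client.p12 -srcstoretype PKCS12 -srcstorepass 'ClientKeyStore@2024' -destkeystore client.jks -deststoretype JKS -deststorepass 'ClientKeyStore@2024'
keytool -list -v -keystore client.jks -storetype JKS -storepass 'ClientKeyStore@2024'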
2.3 springBoot 集成
2.3.1 服务端配置
<!-- BouncyCastle JCE provider. ServerApplication registers it in a static
     initializer so that "key-store-provider: BC" in application.yml can
     resolve when the PKCS#12 key store is opened. -->
<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcprov-jdk18on</artifactId>
    <version>1.78.1</version>
</dependency>
/**
 * Spring Boot entry point for the TLS demo server.
 *
 * <p>The static initializer runs when the class is loaded, i.e. before
 * {@link SpringApplication#run} builds the context, so the BouncyCastle
 * provider is already registered when Spring resolves
 * {@code server.ssl.key-store-provider: BC} for the PKCS#12 key store.
 */
@SpringBootApplication
public class ServerApplication {

    static {
        // addProvider appends BC after the JDK's own providers; it is a no-op
        // (returns -1) if a provider with the same name is already installed.
        Security.addProvider(new BouncyCastleProvider());
    }

    public static void main(String[] args) {
        SpringApplication.run(ServerApplication.class, args);
    }
}
server:
  ssl:
    enabled: true
    # Mutual TLS: a connection without a client certificate is rejected.
    client-auth: need
    # Server identity from section 2.1 (keytool): alias "server" in server.jks.
    key-store: classpath:cert/server.jks
    # NOTE(review): demo password in plain text. For anything beyond a demo,
    # resolve it from the environment (e.g. ${SERVER_SSL_KEY_STORE_PASSWORD})
    # and keep the key store out of version control.
    key-store-password: 123456
    key-alias: server
    # server.jks also holds client.cer as a trusted entry (keytool -import in
    # section 2.1), so the same file doubles as the trust store.
    trust-store: classpath:cert/server.jks
    trust-store-password: 123456
server:
  ssl:
    enabled: true
    # Server identity from section 2.2 (openssl): server.p12 holds the key,
    # the leaf certificate and the root chain (-chain -CAfile).
    key-store: classpath:cert/server.p12
    # NOTE(review): demo passwords in plain text; resolve them from the
    # environment (e.g. ${SERVER_SSL_KEY_STORE_PASSWORD}) outside a demo.
    key-store-password: 'ServerKeyStore@2024'
    key-store-type: PKCS12
    # Requires the BouncyCastle provider registered by ServerApplication's
    # static block; the provider name "BC" cannot resolve otherwise.
    key-store-provider: BC
    # TLS 1.0/1.1 are never offered.
    enabled-protocols: TLSv1.2,TLSv1.3
    # Trust store contains only rootca.crt, so any valid client certificate
    # chaining to that root is accepted.
    trust-store: classpath:cert/rootca.jks
    trust-store-password: 'TrustStore@2024'
    trust-store-type: JKS
    trust-store-provider: SUN
    # Mutual TLS: a connection without a client certificate is rejected.
    client-auth: need
2.3.2 客户端配置
<!-- Apache HttpClient 4.x (org.apache.http.* types used by the test client).
     No version is given, so it must come from the Spring Boot dependency
     management. NOTE(review): Spring Boot 3 manages httpclient5 rather than
     this artifact - confirm the BOM in use actually supplies a version. -->
<dependency>
    <groupId>org.apache.httpcomponents</groupId>
    <artifactId>httpclient</artifactId>
</dependency>
<!-- fastjson, used only for JSON.toJSONString in the test client. -->
<dependency>
    <groupId>com.alibaba</groupId>
    <artifactId>fastjson</artifactId>
    <version>2.0.50</version>
</dependency>
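/**
 * Builds the TLS socket factory used by the test client.
 *
 * <p>Loads {@code cert/client.jks} from the classpath. That store holds the
 * client's own key pair (alias {@code client}) for client authentication and
 * {@code server.cer} imported as a trusted entry, so the same store backs both
 * the key manager and the trust manager. The original instead installed a
 * trust-all {@code X509TrustManager}, which accepted any server certificate and
 * made the imported trust entry meaningless.
 *
 * @return a socket factory that authenticates with the client certificate and
 *         only trusts servers whose certificate is a trusted entry of
 *         {@code client.jks}
 * @throws IllegalStateException if the key store is missing from the classpath
 *         or cannot be loaded
 */
private static SSLConnectionSocketFactory getSslConnectionSocketFactory() {
    ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
    // getResourceAsStream works both from a directory and from inside a jar;
    // new FileInputStream(url.getPath()) only works for an exploded classpath.
    try (InputStream keyInput = classLoader.getResourceAsStream("cert/client.jks")) {
        if (keyInput == null) {
            throw new IllegalStateException("cert/client.jks not found on the classpath");
        }
        char[] password = "123456".toCharArray();
        KeyStore keyStore = KeyStore.getInstance("JKS");
        keyStore.load(keyInput, password);

        KeyManagerFactory keyManagerFactory =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(keyStore, password);

        // Default (PKIX) trust manager over the trusted entries of client.jks,
        // i.e. the server's self-signed certificate.
        javax.net.ssl.TrustManagerFactory trustManagerFactory =
                javax.net.ssl.TrustManagerFactory.getInstance(
                        javax.net.ssl.TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(keyStore);

        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(keyManagerFactory.getKeyManagers(),
                trustManagerFactory.getTrustManagers(), new java.security.SecureRandom());

        // The demo server certificate (section 2.1) carries SAN IP:192.168.1.9 and
        // CN=localhost, so the default verifier rejects https://127.0.0.1 used by
        // the test. Regenerate it with -ext san=IP:127.0.0.1,DNS:localhost and
        // replace this with SSLConnectionSocketFactory.getDefaultHostnameVerifier()
        // before any non-demo use; without hostname verification any holder of a
        // trusted certificate can impersonate the server.
        return new SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE);
    } catch (java.io.IOException | java.security.GeneralSecurityException e) {
        // Fail loudly: the original printed the trace and returned null, which
        // silently fell back to the default SSL settings in the caller.
        throw new IllegalStateException("Failed to build SSL socket factory from cert/client.jks", e);
    }
}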
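/**
 * Sends a JSON POST over mutual TLS to the demo server and prints the response body.
 *
 * <p>The client is created in try-with-resources so its connection manager is
 * released even when the request fails (the original never closed it). An
 * {@link IOException} is rethrown as {@link java.io.UncheckedIOException} so the
 * test fails visibly instead of printing a stack trace and passing.
 */
@Test
void httpsRequest() {
    // Client key pair + trusted server certificate from cert/client.jks.
    SSLConnectionSocketFactory sslsf = getSslConnectionSocketFactory();
    try (CloseableHttpClient httpClient = HttpClients.custom()
            .setSSLSocketFactory(sslsf)
            .build()) {
        HttpPost httpPost = new HttpPost("https://127.0.0.1:8081/api/user/post");
        // JSON request body.
        UserVO userVO = new UserVO();
        userVO.setUsername("123456");
        StringEntity entity = new StringEntity(JSON.toJSONString(userVO), "UTF-8");
        entity.setContentType("application/json");
        httpPost.setEntity(entity);
        try (CloseableHttpResponse response = httpClient.execute(httpPost)) {
            HttpEntity responseEntity = response.getEntity();
            // Decode explicitly as UTF-8 instead of relying on the entity's default charset.
            System.out.println(EntityUtils.toString(responseEntity, java.nio.charset.StandardCharsets.UTF_8));
        }
    } catch (IOException e) {
        throw new java.io.UncheckedIOException("HTTPS POST to the demo server failed", e);
    }
}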
验证请求
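# Mutual-TLS check against the section 2.2 server. --cacert replaces -k so the
# server certificate is actually verified against the root CA; because that
# certificate only carries CN=server.demo.com (no SAN), the request must use
# that name, and --resolve maps it to the local listener without touching DNS.
curl --cacert rootca.crt --resolve 'server.demo.com:8081:127.0.0.1' --cert-type P12 --cert client.p12:'ClientKeyStore@2024' --location --request GET 'https://server.demo.com:8081/api/user/get'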