1.首先要确认是双向认证还是单向认证,如果是只需要对服务端的单向认证,则只需要用到根证书,应该就是这里的ca.crt。如果是双向认证,三个都需要用到。如果是java代码作为客户端连接
2.单向认证是客户端根据ca根证书验证服务端提供的服务端证书和私钥
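/**
 * Performs an HTTPS GET that authenticates to the server with the client certificate and
 * private key found in the given PEM files (client side of mutual TLS).
 *
 * <p>{@code httpClient} and {@code requestConfig} are assigned here without being declared,
 * so they are fields declared elsewhere in the class and are rebuilt on every call; nothing in
 * this method makes that assignment thread-safe.
 *
 * @param url     the URL to fetch
 * @param pemPath path to the PEM file holding the client certificate
 * @param keypath path to the PEM file holding the PKCS#8 private key
 * @return the response body decoded as UTF-8, or {@code null} if the TLS setup failed, the
 *         request failed, the response carried no entity, or the body could not be read
 */
public static String httpGET(String url, String pemPath, String keypath) {
    // Build the TLS socket factory from the PEM files. If this fails we must NOT fall through
    // and send the request with whatever httpClient a previous call left behind (possibly null
    // or a client configured with a different identity): report and return early.
    try {
        SSLConnectionSocketFactory sslsf = getSocketFactoryPEM(pemPath, keypath);
        httpClient = HttpClients.custom().setSSLSocketFactory(sslsf).build();
    } catch (Exception e) {
        logger.error(e);
        return null;
    }

    String result = null;
    HttpGet httpGet = new HttpGet(url);
    // Initialise requestConfig from the default timeouts so an unresponsive server cannot
    // block the caller indefinitely.
    requestConfig = RequestConfig.custom()
            .setSocketTimeout(socketTimeout)
            .setConnectTimeout(connectTimeout)
            .build();
    httpGet.setConfig(requestConfig);

    try {
        HttpResponse response = httpClient.execute(httpGet);
        HttpEntity entity = response.getEntity();
        if (entity != null) {
            // The charset must be given explicitly, otherwise non-ASCII text (e.g. Chinese in the
            // XML returned by the API server) is not decoded correctly.
            result = EntityUtils.toString(entity, "UTF-8");
        }
    } catch (IOException e) {
        // Covers both the request itself and reading the body; the caller sees null.
        logger.error(e);
    } finally {
        httpGet.abort();
    }
    return result;
}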
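/**
 * Builds an Apache {@link SSLConnectionSocketFactory} that presents the client certificate in
 * {@code pemPath}, backed by the PKCS#8 private key in {@code keypath}, during the TLS
 * handshake.
 *
 * <p>Only a key manager is installed: the trust-manager argument of
 * {@code SSLContext.init} is {@code null}, so the server's certificate is validated against the
 * JVM's default trust store, not against any CA file passed to this class. A server certificate
 * issued by a private CA is therefore rejected unless that CA is in the JVM trust store.
 * Hostname verification is enabled via {@code BROWSER_COMPATIBLE_HOSTNAME_VERIFIER}.
 *
 * <p>Only the {@code -----BEGIN PRIVATE KEY-----} (PKCS#8, unencrypted) key format is
 * recognised; a PKCS#1 {@code BEGIN RSA PRIVATE KEY} file will not be found.
 *
 * @param pemPath path to a PEM file containing the client certificate
 * @param keypath path to a PEM file containing the unencrypted PKCS#8 private key
 * @return a socket factory configured for client-certificate authentication
 * @throws IllegalArgumentException if either file cannot be read
 * @throws Exception if the PEM content cannot be parsed or the SSL context cannot be set up
 */
protected static SSLConnectionSocketFactory getSocketFactoryPEM(String pemPath, String keypath) throws Exception {
    byte[] pem = fileToBytes(pemPath);
    byte[] pemKey = fileToBytes(keypath);
    // fileToBytes reports an unreadable file as null; fail here with a clear message
    // instead of a NullPointerException deep inside the PEM parser.
    if (pem == null) {
        throw new IllegalArgumentException("cannot read certificate PEM file: " + pemPath);
    }
    if (pemKey == null) {
        throw new IllegalArgumentException("cannot read private key PEM file: " + keypath);
    }

    byte[] certBytes = parseDERFromPEM(pem, "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----");
    byte[] keyBytes = parseDERFromPEM(pemKey, "-----BEGIN PRIVATE KEY-----", "-----END PRIVATE KEY-----");
    X509Certificate cert = generateCertificateFromDER(certBytes);
    RSAPrivateKey key = generatePrivateKeyFromDER(keyBytes);

    // The key store exists only in memory and is consumed immediately by the
    // KeyManagerFactory; the password protects nothing at rest, it merely has to be the
    // same value in both calls below.
    char[] storePassword = "123".toCharArray();
    KeyStore keystore = KeyStore.getInstance("JKS");
    keystore.load(null);
    keystore.setCertificateEntry("cert-alias", cert);
    keystore.setKeyEntry("key-alias", key, storePassword, new Certificate[] {cert});

    KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
    kmf.init(keystore, storePassword);
    KeyManager[] km = kmf.getKeyManagers();

    SSLContext context = SSLContext.getInstance("TLS");
    // null trust managers -> JVM default trust store; null SecureRandom -> provider default.
    context.init(km, null, null);
    return new SSLConnectionSocketFactory(context, null, null,
            SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
}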
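/**
 * Extracts the Base64 body between {@code beginDelimiter} and {@code endDelimiter} from a PEM
 * document and decodes it to DER bytes.
 *
 * <p>Delimiters are matched literally with {@code indexOf} (not as regular expressions), and
 * the first block bounded by them is returned. Line breaks inside the Base64 body are ignored.
 * PEM is an ASCII format, so the bytes are decoded as US-ASCII regardless of the platform
 * charset.
 *
 * @param pem            raw contents of the PEM file
 * @param beginDelimiter the opening marker, e.g. {@code -----BEGIN CERTIFICATE-----}
 * @param endDelimiter   the closing marker, e.g. {@code -----END CERTIFICATE-----}
 * @return the DER bytes of the first block found between the delimiters
 * @throws IllegalArgumentException if {@code pem} is null, a delimiter is missing, or the
 *         body is not valid Base64
 */
public static byte[] parseDERFromPEM(byte[] pem, String beginDelimiter, String endDelimiter) {
    if (pem == null) {
        throw new IllegalArgumentException("pem is null");
    }
    String data = new String(pem, java.nio.charset.StandardCharsets.US_ASCII);

    int bodyStart = data.indexOf(beginDelimiter);
    if (bodyStart < 0) {
        throw new IllegalArgumentException("PEM data does not contain " + beginDelimiter);
    }
    bodyStart += beginDelimiter.length();

    int bodyEnd = data.indexOf(endDelimiter, bodyStart);
    if (bodyEnd < 0) {
        throw new IllegalArgumentException("PEM data does not contain " + endDelimiter);
    }

    // The MIME decoder skips the line breaks PEM inserts every 64 characters.
    return java.util.Base64.getMimeDecoder().decode(data.substring(bodyStart, bodyEnd));
}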
/**
 * Decodes a DER-encoded PKCS#8 RSA private key.
 *
 * @param keyBytes DER bytes of a PKCS#8 private key (the decoded body of a
 *                 {@code -----BEGIN PRIVATE KEY-----} PEM block)
 * @return the decoded key
 * @throws InvalidKeySpecException  if the bytes are not a valid PKCS#8 RSA key
 * @throws NoSuchAlgorithmException if no RSA {@link KeyFactory} is available
 */
public static RSAPrivateKey generatePrivateKeyFromDER(byte[] keyBytes) throws InvalidKeySpecException, NoSuchAlgorithmException {
    KeyFactory rsaFactory = KeyFactory.getInstance("RSA");
    return (RSAPrivateKey) rsaFactory.generatePrivate(new PKCS8EncodedKeySpec(keyBytes));
}
/**
 * Parses a single DER-encoded X.509 certificate.
 *
 * @param certBytes DER bytes of the certificate
 * @return the parsed certificate
 * @throws CertificateException if the bytes are not a parseable X.509 certificate
 */
public static X509Certificate generateCertificateFromDER(byte[] certBytes) throws CertificateException {
    ByteArrayInputStream in = new ByteArrayInputStream(certBytes);
    Certificate parsed = CertificateFactory.getInstance("X.509").generateCertificate(in);
    return (X509Certificate) parsed;
}
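/**
 * Reads an entire file into memory.
 *
 * @param filePath path of the file to read
 * @return the file's bytes (empty array for an empty file), or {@code null} if the path is
 *         invalid, the file does not exist, or it cannot be read; the failure is printed to
 *         stderr and callers must check for {@code null}
 */
public static byte[] fileToBytes(String filePath) {
    try {
        // Files.readAllBytes opens and closes the file itself, so no manual stream or
        // buffer handling (and no chance of leaking the stream on an error path) is needed.
        return java.nio.file.Files.readAllBytes(java.nio.file.Paths.get(filePath));
    } catch (IOException | java.nio.file.InvalidPathException ex) {
        // Same reporting channel and same null contract as before: callers decide what to do.
        ex.printStackTrace();
        return null;
    }
}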