1.1.4 Export the certificate to the browser-supported .p12 format
C:\OpenSSL\bin>openssl pkcs12 -export -clcerts -in ca/ca-cert.pem -inkey ca/ca-key.pem -out ca/ca.p12
Export password: changeit
Note: ca.p12 bundles the CA private key with the certificate. Browsers and clients only need ca-cert.pem to trust the CA, so keep ca.p12 on the signing machine and install only the .pem elsewhere.
1.2 Generate the server certificate
1.2.1 Create the private key
C:\OpenSSL\bin>openssl genrsa -out server/server-key.pem 1024
Note: 1024-bit RSA is considered too short today; use 2048 bits or more unless you have to match the original environment exactly.
1.2.2 Create the certificate signing request
C:\OpenSSL\bin>openssl req -new -out server/server-req.csr -key server/server-key.pem
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:zhejiang
Locality Name (eg, city) []:hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:skyvision
Organizational Unit Name (eg, section) []:test
Common Name (eg, YOUR name) []:192.168.1.246
Note: the Common Name must be the IP address (or host name) that clients will use to reach the server. Current browsers and OkHttp's hostname verifier match the host against the subjectAltName extension rather than the Common Name, so for those clients the same address must also be present as a SAN entry (IP:192.168.1.246 for an address, DNS:... for a host name), added when the certificate is signed in 1.2.3.
Email Address []:sky
1.2.3 Sign the certificate with the CA
C:\OpenSSL\bin>openssl x509 -req -in server/server-req.csr -out server/server-cert.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650
Note: the original command also passed -signkey server/server-key.pem. Do not combine -signkey with -CA: -signkey makes openssl x509 self-sign the certificate with that key and the -CA/-CAkey options are then not used, so the result is not issued by the CA and will not be trusted through the truststore built in 1.4 (clients then fail path validation, which is what drives people to "trust all certificates"). Verify with openssl x509 -in server/server-cert.pem -noout -issuer -subject: the issuer must equal the CA's subject. To add the subjectAltName that modern clients require, append -extfile san.cnf, where san.cnf contains the single line subjectAltName=IP:192.168.1.246.
1.2.4 Export the certificate to .p12 format
C:\OpenSSL\bin>openssl pkcs12 -export -clcerts -in server/server-cert.pem -inkey server/server-key.pem -out server/server.p12
Export password: changeit
1.3 Generate the client certificate
1.3.1 Create the private key
C:\OpenSSL\bin>openssl genrsa -out client/client-key.pem 1024
Note: as for the server key, prefer 2048 bits or more.
1.3.2 Create the certificate signing request
C:\OpenSSL\bin>openssl req -new -out client/client-req.csr -key client/client-key.pem
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:zhejiang
Locality Name (eg, city) []:hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:skyvision
Organizational Unit Name (eg, section) []:test
Common Name (eg, YOUR name) []:sky
Email Address []:sky
Note: this is the user who logs in to the center. The user name should normally be taken from the Common Name, but for some reason the Zhongshan Public Security deployment reads it from the Email Address; other versions have not been tested.
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:123456
An optional company name []:tsing
Note: the challenge password is a CSR attribute only; it is not a passphrase on the key and is ignored by openssl x509 in 1.3.3, so it can be left empty.
1.3.3 Sign the certificate with the CA
C:\OpenSSL\bin>openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650
Note: as in 1.2.3, the original command also passed -signkey client/client-key.pem; leave it out, otherwise the certificate is self-signed rather than issued by the CA, and Tomcat will reject it against the truststore from 1.4. Check with openssl x509 -in client/client-cert.pem -noout -issuer that the issuer is the CA.
1.3.4 Export the certificate to the browser-supported .p12 format
C:\OpenSSL\bin>openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12
Export password: changeit
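The signing steps in 1.2.3 and 1.3.3 are easy to get wrong (a leftover -signkey yields a self-signed certificate, and a Common Name without a matching subjectAltName is rejected by current clients). The following class is an added check, not code from the original page: it loads the CA certificate and one issued certificate from the PEM files the steps above produce (paths and the host 192.168.1.246 are the tutorial's; Java 8 or later is assumed, while the tutorial itself uses JDK 1.5) and reports every way in which the issued certificate would fail in practice.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.List;

/**
 * Checks a certificate produced in sections 1.2/1.3 against the CA from section 1.1.
 * Usage: java CertChainCheck ca/ca-cert.pem server/server-cert.pem 192.168.1.246
 * (the third argument, the address clients will connect to, is optional).
 */
public class CertChainCheck {

    /** Reads the first PEM-encoded certificate in the file. */
    static X509Certificate loadPem(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** Returns the list of problems found; an empty list means the certificate is usable. */
    static List<String> check(X509Certificate ca, X509Certificate leaf, String expectedHost) {
        List<String> problems = new ArrayList<>();

        // 1. The leaf must name the CA as its issuer. A certificate produced with
        //    "openssl x509 -signkey" is self-signed and fails here.
        if (!leaf.getIssuerX500Principal().equals(ca.getSubjectX500Principal())) {
            problems.add("issuer is " + leaf.getIssuerX500Principal()
                    + " but the CA subject is " + ca.getSubjectX500Principal());
        }
        // 2. The signature must verify under the CA public key (catches a wrong -CAkey).
        try {
            leaf.verify(ca.getPublicKey());
        } catch (Exception e) {
            problems.add("signature does not verify with the CA key: " + e.getMessage());
        }
        // 3. The certificate must be inside its validity window right now.
        try {
            leaf.checkValidity(new Date());
        } catch (Exception e) {
            problems.add("certificate is not currently valid: " + e.getMessage());
        }
        // 4. Browsers and OkHttp match the host against subjectAltName entries
        //    (type 2 = DNS name, type 7 = IP address), not against the Common Name.
        if (expectedHost != null) {
            boolean found = false;
            try {
                Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
                if (sans != null) {
                    for (List<?> san : sans) {
                        int type = (Integer) san.get(0);
                        if ((type == 2 || type == 7)
                                && expectedHost.equalsIgnoreCase(String.valueOf(san.get(1)))) {
                            found = true;
                        }
                    }
                }
            } catch (Exception e) {
                problems.add("cannot parse subjectAltName: " + e.getMessage());
            }
            if (!found) {
                problems.add("no subjectAltName entry for " + expectedHost
                        + "; re-issue with -extfile (subjectAltName=IP:... or DNS:...)");
            }
        }
        // 5. Key size: the 1024-bit RSA keys used in the tutorial are too short today.
        if (leaf.getPublicKey() instanceof RSAPublicKey) {
            int bits = ((RSAPublicKey) leaf.getPublicKey()).getModulus().bitLength();
            if (bits < 2048) {
                problems.add("RSA key is only " + bits + " bits; use 2048 or more");
            }
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        String caPath = args.length > 0 ? args[0] : "ca/ca-cert.pem";
        String leafPath = args.length > 1 ? args[1] : "server/server-cert.pem";
        String host = args.length > 2 ? args[2] : null;
        List<String> problems = check(loadPem(caPath), loadPem(leafPath), host);
        if (problems.isEmpty()) {
            System.out.println("OK: " + leafPath + " is issued by the CA in " + caPath);
        } else {
            for (String p : problems) {
                System.out.println("PROBLEM: " + p);
            }
            System.exit(1);
        }
    }
}
```

Run it once for server/server-cert.pem (with the server address as third argument) and once for client/client-cert.pem (without a host, since the client certificate is not bound to an address). A self-signed result from a leftover -signkey shows up as both an issuer mismatch and a signature failure.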
1.4 Build a JKS truststore from the CA certificate
C:\Java\jdk1.5.0_09\bin>keytool -keystore C:\openssl\bin\jks\truststore.jks -keypass 222222 -storepass 222222 -alias ca -import -trustcacerts -file C:\openssl\bin\ca\ca-cert.pem
Note: only ca-cert.pem goes into the truststore; Tomcat will then accept any client certificate whose chain ends at this CA, which is why the client certificate in 1.3.3 must really be issued by the CA rather than self-signed. -keypass has no effect on a trusted-certificate entry.
1.5 Configure Tomcat SSL
Edit conf/server.xml and set keystoreFile and truststoreFile to the correct paths. XML code:
    <Connector port="8443" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreFile="C:\openssl\bin\server\server.p12" keystorePass="changeit" keystoreType="PKCS12"
               truststoreFile="C:\openssl\bin\jks\truststore.jks" truststorePass="222222" />
The values follow the earlier steps: server.p12 and its export password from 1.2.4, truststore.jks and its store password from 1.4, and clientAuth="true" because the client certificate from 1.3 is to be required. Tomcat 6 and later also need SSLEnabled="true" on the connector. Both passwords sit in clear text in server.xml, so restrict read access to that file.
1.6 Verify the SSL configuration
Start Tomcat and open https://ip:8443 in a browser. With a certificate issued by a public CA the address bar shows the secure indicator; with the home-made certificate the browser blocks the page (you have to insist on continuing) and warns that the connection is not secure. To make the browser accept it, import ca-cert.pem into its trusted root certificates and client.p12 (password changeit) into its personal certificates so it can answer the clientAuth request; ca.p12 contains the CA private key and should not be installed on client machines.
Figure 1
2 OkHttp-side adjustments
2.1 Certificate issued by a third-party CA
A certificate from a public CA needs no client changes; access https://... directly:
    new Request.Builder().url(url).build();
2.2 Home-made certificate
Set OkHttp to trust all certificates. Java code:
    import java.security.SecureRandom;
    import java.security.cert.CertificateException;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSession;
    import javax.net.ssl.SSLSocketFactory;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;
    import okhttp3.OkHttpClient;

    // WARNING: this client accepts every server certificate and every host name (see the caveat below)
    OkHttpClient.Builder builder = new OkHttpClient.Builder();
    builder.hostnameVerifier(new TrustAllHostnameVerifier())
           .sslSocketFactory(createSSLSocketFactory(), new TrustAllManager());

    // SSL socket factory for HTTPS, used to create SSLSockets backed by the trust-all manager
    private static SSLSocketFactory createSSLSocketFactory() {
        try {
            SSLContext sc = SSLContext.getInstance("TLS");
            sc.init(null, new TrustManager[]{new TrustAllManager()}, new SecureRandom());
            return sc.getSocketFactory();
        } catch (Exception e) {
            // the original swallowed this and returned null, which fails later with a NullPointerException
            throw new IllegalStateException("cannot create SSL socket factory", e);
        }
    }

    // Trust manager that performs no validation of either side's certificate chain
    private static class TrustAllManager implements X509TrustManager {
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            // no check
        }
        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            // no check
        }
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }
    }

    // Host name verifier that accepts any host name
    private static class TrustAllHostnameVerifier implements HostnameVerifier {
        @Override
        public boolean verify(String hostname, SSLSession session) {
            return true;
        }
    }
Caveat: this code switches off both certificate validation and host name verification, so any device on the network path can impersonate the server and read or alter the traffic, and it also hides the broken chain produced when -signkey is left in the signing commands of 1.2.3 and 1.3.3. It is acceptable for a throw-away test only; for anything else, load ca-cert.pem into a truststore, keep the default hostname verifier, and present client.p12 for the clientAuth handshake.
2.2.1 Access
    new Request.Builder().url("https://....").build();
The request succeeds.