服务器信息如下:
| 操作系统 | 说明 |
| server-one | 服务器1 |
| server-two | 服务器2 |
-genkey 表示要创建一个新的密钥。
-alias 表示 keystore 的别名。
-keyalg 表示使用的加密算法是 RSA ,一种非对称加密算法。
-keysize 表示密钥的长度。
-keystore 表示生成的密钥存放位置。
-validity 表示密钥的有效时间,单位为天。-keypass 私钥访问密码:123456
-storepass keystone文件访问密码:123456
keytool -list -keystore /home/keytool/trustKeys.p12 -storetype pkcs12 -vkeytool -delete -alias server-one -keystore /home/keytool/trustKeys.p12说明:keytool -delete -alias 删除证书的别名 -keystore 信任库
keytool -genkey -alias trustkeys -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore /home/keytool/trustKeys.p12 -validity 36500keytool -genkey -alias server-one -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore /home/keytool/server-one.p12 -validity 36500keytool -keystore /home/keytool/server-one.p12 -export -alias server-one -file /home/keytool -import -alias server-two -v -file /home/ -keystore /home/keytool/trustKeys.p12openssl pkcs12 -in /home/keytool/server-one.p12 -nodes -nocerts -out /home/keytool/server-one.keyopenssl x509 -inform der -in /home/ -out /home/keytool/server-one.pemkeytool -genkey -alias trustkeys -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore /home/keytool/trustKeys.p12 -validity 36500keytool -genkey -alias server-two -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore /home/keytool/server-two.p12 -validity 36500keytool -keystore /home/keytool/server-two.p12 -export -alias server-one -file /home/keytool -import -alias server-one -v -file /home/ -keystore /home/keytool/trustKeys.p12openssl pkcs12 -in /home/keytool/server-two.p12 -nodes -nocerts -out /home/keytool/server-two.keyopenssl x509 -inform der -in /home/ -out /home/keytool/server-two.pem#开启ssl
abled=true
#配置的值 need双向验证 none不验证客户端 want会验证,但不强制验证,即验证失败也可以成功建立连接
server.ssl.client-auth=need
#协议
#server.ssl.protocol=TLS
#服务通信证书
server.ssl.key-store=classpath:ssl/server-one.p12
#密钥密码
#server.ssl.key-password=123456
#证书密码
server.ssl.key-store-password=123456
#证书格式
server.ssl.key-store-type=PKCS12
#证书别名
server.ssl.keyAlias=server-one#信任库文件
ust-store=classpath:ice-ca/trustKeys.p12
#信任库密码
ust-store-password=123456
#信任库类型
ust-store-type=PKCS12#开启ssl
abled=true
#配置的值 need双向验证 none不验证客户端 want会验证,但不强制验证,即验证失败也可以成功建立连接
server.ssl.client-auth=need
#协议
#server.ssl.protocol=TLS
#服务通信证书
server.ssl.key-store=classpath:ssl/server-two.p12
#密钥密码
#server.ssl.key-password=123456
#证书密码
server.ssl.key-store-password=123456
#证书格式
server.ssl.key-store-type=PKCS12
#证书别名
server.ssl.keyAlias=server-two#信任库文件
ust-store=classpath:ice-ca/trustKeys.p12
#信任库密码
ust-store-password=123456
#信任库类型
ust-store-type=PKCS12<resources><resource><directory>src/main/java</directory><includes><include>**/*.xml</include><include>ssl/server-one.p12</include><include>ice-ca/trustKeys.p12</include></includes></resource><resource><directory>src/main/resources</directory></resource>
</resources>
<dependency><groupId>org.apache.httpcomponents</groupId><artifactId>httpclient</artifactId><version>4.5.13</version></dependency>slf4j.Slf4j;
import org.ssl.NoopHostnameVerifier;
import org.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.springframework.beans.factory.annotation.Value;
import t.annotation.Bean;
import t.annotation.Configuration;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;import javax.ssl.*;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.security.*;
import CertificateException;
import java.time.Duration;/*** HTTPS通信双向认证工具类** @author xiwh*/
@Configuration
@Slf4j
public class RestTemplateConfig {@Value("${server.ssl.key-store-type}")String clientKeyType;@Value("${server.ssl.key-store}")String clientPath;@Value("${server.ssl.key-store-password}")String clientPass;@Value("${ust-store-type}")String trustKeyType;@Value("${ust-store}")String trustPath;@Value("${ust-store-password}")String trustPass;@Beanpublic RestTemplate restTemplate() {RestTemplate restTemplate = null;try {HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory();// 客户端证书类型KeyStore clientStore = Instance(clientKeyType);// 加载客户端证书,即自己的私钥InputStream keyStream = getClass().getClassLoader().getResourceAsStream(clientPath);clientStore.load(keyStream, CharArray());// 创建密钥管理工厂实例KeyManagerFactory keyManagerFactory = DefaultAlgorithm());// 初始化客户端密钥库keyManagerFactory.init(clientStore, CharArray());KeyManager[] keyManagers = KeyManagers();// 创建信任库管理工厂实例TrustManagerFactory trustManagerFactory = DefaultAlgorithm());KeyStore trustStore = Instance(trustKeyType);InputStream trustStream = getClass().getClassLoader().getResourceAsStream(trustPath);// 加载信任证书trustStore.load(trustStream, CharArray());// 初始化信任库trustManagerFactory.init(trustStore);//双向校验 校验服务端证书是否在信任库TrustManager[] trustManagers = TrustManagers();// 建立TLS连接SSLContext sslContext = Instance("TLS");// 初始化SSLContextsslContext.init(keyManagers, trustManagers, new SecureRandom());// INSTANCE 忽略域名检查SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE);// 创建httpClient对象CloseableHttpClient httpclient = HttpClients.custom().setSSLSocketFactory(sslConnectionSocketFactory).setSSLHostnameVerifier(new NoopHostnameVerifier()).build();requestFactory.setHttpClient(httpclient);requestFactory.setConnectTimeout((int) Duration.ofSeconds(15).toMillis());restTemplate = new RestTemplate(requestFactory);} catch (KeyManagementException | FileNotFoundException | NoSuchAlgorithmException e) {e.printStackTrace();} catch (KeyStoreException | CertificateException | UnrecoverableKeyException | IOException e) {e.printStackTrace();}return restTemplate;}}
@Testpublic void testHttps() {String url = "127.0.0.1:8077/httpsTest";ResponseEntity<String> forEntity = ForEntity(url, String.class);System.out.String());} /*** https测试方法** @return*/@ApiOperation("https测试方法")@GetMapping("/httpsTest")public Result httpsTest() {log.info("服务器server-two响应成功!");return Result.SUCCESS();}<200,{"code":1,"success":true,"msg":"操作成功","data":null}>server {#监听前端访问端口listen 9028 ssl;#服务器地址server_name 47.104.239.238;charset utf-8;client_max_body_size 20M;#双向认证 开启校验客户端#ssl_verify_client on;#server公钥 或 阿里云证书 一般是crt文件ssl_certificate /home/keytool/server.pem;#server私钥 或 阿里云证书 一般是key文件ssl_certificate_key /home/keytool/server.key;#双向认证 客户端公钥#ssl_client_certificate /home/keytool/server.pem;#支持ssl协议版本ssl_protocols TLSv1 TLSv1.1 TLSv1.2;#配置服务器可使用的加密算法ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;# 指定服务器密码算法在优先于客户端密码算法时,使用 SSLv3 和 TLS 协议ssl_prefer_server_ciphers on;ssl_session_timeout 5m;#前端请求后端接口location /prod-api/ {proxy_pass 47.104.239.238:8077/;proxy_set_header Host $proxy_host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Nginx-Proxt true;proxy_set_header HTTP_X_FORWORDED_FOR $remote_addr;proxy_ssl_certificate /home/keytool/server.pem;proxy_ssl_certificate_key /home/keytool/server.key;proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 SSLv2 SSLv3 ;proxy_ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;proxy_ssl_session_reuse off;proxy_ssl_server_name on;proxy_redirect off;}#前端包目录location / {root /mnt/project/sinotmemc/dist;try_files $uri $uri/ /index.html;index index.html index.htm;}error_page 500 502 503 504 /50x.html;location = /50x.html {root html;}}
参考:
spring boot 使用RestTemplate通过证书认证访问https实现SSL请求_踩到最基点的博客-CSDN博客
转载请注明出处:BestEternity亲笔。
本文发布于:2024-02-01 05:34:33,感谢您对本站的认可!
本文链接:https://www.4u4v.net/it/170673687234263.html
版权声明:本站内容均来自互联网,仅供演示用,请勿用于商业和其他非法用途。如果侵犯了您的权益请与我们联系,我们将在24小时内删除。
| 留言与评论(共有 0 条评论) |
