
Spring Boot Https 证书

创建目录和文件

# Working tree for the private CA. The openssl.cnf below points
# new_certs_dir, database and serial at CA/certs, CA/certs.db and CA/serial;
# CA/index.txt, CA/crl, CA/newcerts and CA/private are created here but not
# referenced by that configuration.
mkdir -p CA/certs CA/crl CA/newcerts CA/private
touch CA/index.txt CA/certs.db openssl.cnf
# First serial number handed out by "openssl ca".
echo 00 > CA/serial

设置配置

openssl.cnf

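# OpenSSL configuration shared by all three commands on this page:
#   req -x509  -> self-signed CA (DN prompts below, extensions from [ v3_ca ])
#   req -new   -> server CSR (DN prompts below, extensions from [ v3_req ])
#   ca         -> signs the CSR with "-extensions v3_req" and the [ca] settings
[ req ]
distinguished_name=req_distinguished_name
req_extensions=v3_req
# Only consulted by "req -x509": marks the self-signed certificate as a CA.
x509_extensions=v3_ca

[ req_distinguished_name ]
countryName=Country Name (2 letter code)
countryName_default=CN
stateOrProvinceName=State or Province Name (full name)
stateOrProvinceName_default=ZheJiang
localityName=Locality Name (eg, city)
localityName_default=HangZhou
organizationalUnitName=Organizational Unit Name (eg, section)
organizationalUnitName_default=Domain Control Validated
# Prompt label corrected: this field is the Common Name, not an organisation.
commonName=Common Name (eg, server FQDN or YOUR name)
# Default CN offered for the CA; pick a name that identifies it as your own
# private CA rather than one resembling a public CA.
commonName_default=DigiCert APP Manager Root CA
commonName_max=64

# Extensions for the self-signed CA certificate (req -x509 only).
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# Extensions for the server certificate ("openssl ca -extensions v3_req").
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

# Hostnames belong in DNS.n entries, IP addresses in IP.n entries. Clients
# connecting by IP address check only iPAddress SANs, so an IP written as
# DNS.n does not match and the handshake fails hostname verification.
[ alt_names ]
IP.1 = 192.168.0.110
IP.2 = 192.168.0.111
# section for the "default_ca" option
[ca]
default_ca=my_ca_default

# default section for "ca" command options
[my_ca_default]
new_certs_dir=./CA/certs
database=./CA/certs.db
default_md = sha256
policy=my_ca_policy
serial        = ./CA/serial
default_days  = 365

# section for DN field validation and order
[my_ca_policy]
commonName             = supplied
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
emailAddress           = optional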

注意

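# IP addresses go in IP.n entries (DNS.n is for hostnames only); clients
# that connect by IP address check only iPAddress SANs.
[ alt_names ]
IP.1 = 192.168.0.110
IP.2 = 192.168.0.111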

这里配置需要部署的域名或 IP 地址列表。

创建 CA

生成ca.key并自签署

# Self-signed CA certificate valid for 10 years. Prompts for the DN (defaults
# from openssl.cnf) and, unless -nodes is given, for a passphrase that
# encrypts ca.key. Whoever holds ca.key can issue certificates that every
# client trusting ca.crt accepts, so keep it off the application host.
openssl req -new -x509 -days 3650 -keyout ca.key -out ca.crt -config openssl.cnf

创建服务器证书

生成server.key(名字不重要)

# Unencrypted 2048-bit RSA server key (no cipher option given); restrict its
# file permissions, it is bundled into the PKCS12 store below.
openssl genrsa -out server.key 2048

生成证书签名请求

# CSR for the server key. At the Common Name prompt enter the server's
# hostname (or IP); it must also appear under [ alt_names ] in openssl.cnf.
openssl req -new -key server.key -out server.csr -config openssl.cnf

Common Name 填主要域名即可(注意:这个域名也必须出现在 openssl.cnf 的 DNS.x 列表里)

使用自签署的 CA 签署 server.csr

# Sign the CSR with the private CA. The SAN list is taken from the [ v3_req ]
# section of openssl.cnf at signing time (no copy_extensions is configured, so
# extensions inside the CSR are not copied); default_days=365 sets the lifetime.
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -extensions v3_req -config openssl.cnf

创建 Spring Boot 所需证书

导出 PKCS12 格式

# Bundle server.crt + server.key into a PKCS12 store. The export password
# prompted here is the value for server.ssl.key-store-password below; with no
# -name given, keytool lists the entry under alias 1, which is what
# server.ssl.key-alias=1 below refers to.
openssl pkcs12 -export -in server.crt -inkey server.key -out server.pkcs12

导出 jks 格式

# Optional JKS conversion. The Spring Boot configuration below loads
# server.pkcs12 directly, so server.jks is not needed for it.
keytool -importkeystore -srckeystore server.pkcs12 -destkeystore server.jks -srcstoretype pkcs12

Spring Boot 配置

# TLS key store (HTTPS served on port 443)
server.port=443
server.ssl.key-store=classpath:server.pkcs12
# Must equal the export password given to "openssl pkcs12 -export"; keep the
# real value out of version control (e.g. supply it via an environment variable).
server.ssl.key-store-password=123456
server.ssl.key-store-type=PKCS12
# Alias of the key entry inside server.pkcs12 (1 when exported without -name)
server.ssl.key-alias=1

SpringBootApplication

/**
 * Embedded Tomcat factory that forces HTTPS for every request path.
 * A CONFIDENTIAL user-data constraint on "/*" makes Tomcat redirect requests
 * arriving on a non-secure connector to that connector's redirect port; the
 * plain HTTP connector itself is supplied by {@link #httpConnector()}.
 */
@Bean
    public TomcatServletWebServerFactory servletContainer() {
        TomcatServletWebServerFactory factory = new TomcatServletWebServerFactory() {
            @Override
            protected void postProcessContext(Context context) {
                // Every URL pattern falls under the constraint.
                SecurityCollection allPaths = new SecurityCollection();
                allPaths.addPattern("/*");
                // CONFIDENTIAL = request must arrive over a secure transport.
                SecurityConstraint httpsOnly = new SecurityConstraint();
                httpsOnly.setUserConstraint("CONFIDENTIAL");
                httpsOnly.addCollection(allPaths);
                context.addConstraint(httpsOnly);
            }
        };
        // Extra connector that accepts plain HTTP and redirects to HTTPS.
        factory.addAdditionalTomcatConnectors(httpConnector());
        return factory;
    }

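    /**
     * Plain-HTTP connector on port 9090 whose only job is to redirect to HTTPS.
     * Requests that hit the CONFIDENTIAL constraint installed by
     * {@link #servletContainer()} are redirected to this connector's redirect
     * port, so it must be the HTTPS port the application actually listens on:
     * server.port=443 in the configuration above. The previous value 8443
     * redirected browsers to a port nothing listens on.
     */
    @Bean
    public Connector httpConnector() {
        Connector plainHttp = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        plainHttp.setScheme("http");
        plainHttp.setPort(9090);
        plainHttp.setSecure(false);
        // Redirect target for HTTPS-only paths; keep equal to server.port.
        plainHttp.setRedirectPort(443);
        return plainHttp;
    }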