公司目前服务器用的是Jetty 9.2.5.v20141112版本,有一天跟我说需要加上HTTPS,查找很多文档后才找到一个方法,将完整方法分享给大家。
Jetty 需要使用的Key文件为keystore,而各大服务商申请的Key文件一般为pem等文件。
一、申请Key证书
这个部分就省略不讲了,一般阿里云、腾讯云等等服务商都有免费的证书申请。
二、转换证书格式
1.将pfx格式证书转换为jks格式证书
windows打开CMD命令行窗口
keytool -importkeystore -srckeystore 你的证书.pfx -destkeystore 你的证书.jks -srcstoretype PKCS12 -deststoretype JKS
2.将jks格式证书转换为p12格式证书
通过JAVA代码进行转换
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;
public class KeyZ {
// 证书格式
public static final String JKS = "JKS";
public static final String PKCS12 = "PKCS12";
// 证书和路径
public static final String INPUT_KEYSTORE_FILE = "e:/你的证书/your-name.jks";
public static final String KEYSTORE_PASSWORD = "你的证书密码";
public static final String OUTPUT_KEYSTORE_FILE = "e:/你的证书/你的证书.p12";
// 证书别名
public static final String CERT_ALIAS = "client"; /
** * @param args */
public static void main(String[] args) throws Exception{
KeyStore inputKeyStore = KeyStore.getInstance(JKS);
FileInputStream fis = new FileInputStream(INPUT_KEYSTORE_FILE);
char[] nPassword = KEYSTORE_PASSWORD.toCharArray();
inputKeyStore.load (fis, nPassword);
fis.close();
System.out.println("keystore type=" + inputKeyStore.getType());
KeyStore outputKeyStore = KeyStore.getInstance(PKCS12);
outputKeyStore.load(null, KEYSTORE_PASSWORD.toCharArray());
Enumeration enumStrs = inputKeyStore.aliases();
while (enumStrs.hasMoreElements()){
String keyAlias = enumStrs.nextElement();
System.out.println("alias=[" + keyAlias + "]");
if (inputKeyStore.isKeyEntry(keyAlias)) {
Key key = inputKeyStore.getKey(keyAlias, nPassword);
Certificate[] certChain = inputKeyStore.getCertificateChain(keyAlias);
outputKeyStore.setKeyEntry(CERT_ALIAS, key, KEYSTORE_PASSWORD.toCharArray(), certChain);
}
}
FileOutputStream out = new FileOutputStream(OUTPUT_KEYSTORE_FILE);
outputKeyStore.store(out, nPassword); out.close();
}
}
3.将p12证书格式转换为 keystore文件格式
打开CMD窗口
keytool -importkeystore -v -srckeystore 你的证书.p12 -srcstoretype pkcs12 -srcstorepass 你的证书密码 -destkeystore 你的证书.keystore -deststoretype jks -deststorepass 你的证书密码
三、Jetty配置
1.运行java -jar ..\jetty-distribution-9.2.5.v20141112\start.jar --add-to-start=https
java -jar ..\jetty-distribution-9.2.5.v20141112\start.jar --add-to-start=ssl
2.将证书放置在jetty的etc/cert中
3.打开start.ini
发现已经有https和SSL两个模块
# --------------------------------------- #Module: ssl
--module=ssl
### SSL Keystore Configuration
# define the port to use for secure redirection
jetty.secure.port=8999 #安全端口自己配置
## Setup a demonstration keystore and truststore
jetty.keystore=etc/cert/ 你的证书.keystore
jetty.truststore=etc/cert/你的证书.keystore
## Set the demonstration passwords.
## Note that OBF passwords are not secure, just protected from casual observation
## See http://www.eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html
jetty.keystore.password= 你的证书密码
jetty.keymanager.password= 你的证书密码
jetty.truststore.password= 你的证书密码
### Set the client auth behavior
## Set to true if client certificate authentication is required
# jetty.ssl.needClientAuth=true
## Set to true if client certificate authentication is desired
# jetty.ssl.wantClientAuth=true
## Parameters to control the number and priority of acceptors and selectors
# ssl.selectors=1
# ssl.acceptors=1
# ssl.selectorPriorityDelta=0
# ssl.acceptorPriorityDelta=0
# --------------------------------------- #Module: https
--module=https
## HTTPS Configuration
# HTTP port to listen on
https.port=8999 #端口与上面保持一致
# HTTPS idle timeout in milliseconds
https.timeout=30000
# HTTPS Socket.soLingerTime in seconds. (-1 to disable)
# https.soLingerTime=-1
至此,重启服务器,HTTPS就配置成功了,可以试试看用https端口是否能够成功访问