Goal: convert an existing pfx certificate into a jks keystore that Tomcat can use for TLS authentication.
Procedure:
The pfx certificate can be converted to jks with the following Java code:
package com.yangangus.util;

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;

public class ConventPFXToJKS {
    public static final String PKCS12 = "PKCS12";
    public static final String JKS = "JKS";
    public static final String PFX_KEYSTORE_FILE = "D:\\temp\\certs\\wildcard_test_com.pfx"; // location of the pfx file
    public static final String PFX_PASSWORD = "pfx_password"; // password set when the pfx file was exported
    public static final String JKS_KEYSTORE_FILE = "D:\\temp\\certs\\keystore.jks"; // location of the jks file
    public static final String JKS_PASSWORD = "jks_password"; // password for the JKS

    // KeyStore expects an empty password as null rather than as an empty char array.
    private static char[] toPassword(String password) {
        return (password == null || password.trim().isEmpty()) ? null : password.toCharArray();
    }

    public static void coverTokeyStore() {
        char[] pfxPassword = toPassword(PFX_PASSWORD);
        char[] jksPassword = toPassword(JKS_PASSWORD);
        try {
            KeyStore inputKeyStore = KeyStore.getInstance(PKCS12);
            try (FileInputStream fis = new FileInputStream(PFX_KEYSTORE_FILE)) {
                inputKeyStore.load(fis, pfxPassword);
            }
            KeyStore outputKeyStore = KeyStore.getInstance(JKS);
            outputKeyStore.load(null, jksPassword); // initialise an empty JKS
            Enumeration<String> enums = inputKeyStore.aliases();
            while (enums.hasMoreElements()) { // the pfx normally holds just one certificate
                String keyAlias = enums.nextElement();
                System.out.println("alias=[" + keyAlias + "]");
                if (inputKeyStore.isKeyEntry(keyAlias)) {
                    Key key = inputKeyStore.getKey(keyAlias, pfxPassword);
                    Certificate[] certChain = inputKeyStore.getCertificateChain(keyAlias);
                    outputKeyStore.setKeyEntry(keyAlias, key, jksPassword, certChain);
                }
            }
            try (FileOutputStream out = new FileOutputStream(JKS_KEYSTORE_FILE)) {
                outputKeyStore.store(out, jksPassword);
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public static void main(String[] args) {
        coverTokeyStore(); // pfx to jks
    }
}
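Before moving on to keytool it is worth confirming that the converted keystore is actually usable. The checker below is an added example, not code from the original post; it assumes the same jks path and password as the constants above and, for every key entry, prints the alias (needed by the keytool commands that follow), whether the private key really matches the leaf certificate, whether the certificate chain is complete, and whether the certificate is within its validity period.

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class VerifyJKS {
    // Assumed: the file and password that the conversion code above wrote.
    static final String JKS_FILE = "D:\\temp\\certs\\keystore.jks";
    static final char[] JKS_PASSWORD = "jks_password".toCharArray();
    // Sign a probe with the key, verify with the leaf cert's public key: true only if they belong together.
    static boolean keyMatchesLeafCert(PrivateKey priv, Certificate leaf) throws Exception {
        // Works for RSA, DSA and EC keys (SHA256withRSA / SHA256withDSA / SHA256withECDSA).
        String keyAlg = priv.getAlgorithm();
        Signature sig = Signature.getInstance("SHA256with" + ("EC".equals(keyAlg) ? "ECDSA" : keyAlg));
        byte[] probe = "keystore-consistency-probe".getBytes(StandardCharsets.UTF_8);
        sig.initSign(priv);
        sig.update(probe);
        byte[] signed = sig.sign();
        sig.initVerify(leaf.getPublicKey());
        sig.update(probe);
        return sig.verify(signed);
    }
    // Each cert must be issued and signed by the next one, or Tomcat serves a chain clients cannot validate.
    static boolean chainIsLinked(Certificate[] chain) throws Exception {
        for (int i = 0; i + 1 < chain.length; i++) {
            X509Certificate child = (X509Certificate) chain[i], parent = (X509Certificate) chain[i + 1];
            if (!child.getIssuerX500Principal().equals(parent.getSubjectX500Principal())) return false;
            child.verify(parent.getPublicKey()); // throws SignatureException if the link does not verify
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(JKS_FILE)) {
            ks.load(in, JKS_PASSWORD);
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue; // trusted-certificate entries carry no private key
            PrivateKey priv = (PrivateKey) ks.getKey(alias, JKS_PASSWORD);
            Certificate[] chain = ks.getCertificateChain(alias);
            X509Certificate leaf = (X509Certificate) chain[0];
            leaf.checkValidity(); // throws if the certificate is expired or not yet valid
            System.out.printf("alias=%s subject=%s notAfter=%s chainLength=%d keyMatches=%b chainLinked=%b%n", alias,
                leaf.getSubjectX500Principal(), leaf.getNotAfter(), chain.length, keyMatchesLeafCert(priv, leaf), chainIsLinked(chain));
        }
    }
}
```

A chainLength of 1 for a CA-issued certificate means the intermediate was not in the pfx, and browsers may reject the connection even though the key and certificate match.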
With the jks in hand, keytool can export the public certificate (the alias value is printed when the Java code above runs; substitute it for certificatekey):
keytool -export -alias certificatekey -keystore keystore.jks -rfc -file keycert.cer
Once we have the certificate, add it to the truststore with the following command (again, replace certificatekey with the alias printed by the Java code; the cer file after -file is the public certificate exported in the previous step):
keytool -import -alias certificatekey -file keycert.cer -keystore trustkeystore.jks
While this command runs you will be prompted for a password; this is the truststore's password. Once the truststore has been generated, the next step is to configure Tomcat.
Edit Tomcat's server.xml along the lines shown below to configure one-way (server-only) authentication. If the ciphers attribute is left out, some browsers such as Firefox may fail to connect:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
           keystorePass="jks_password" keystoreFile="/webapp/keystore.jks"
           truststoreFile="/webapp/trustkeystore.jks" truststorePass="trust_password"/>
After the configuration is done, start Tomcat and access it over https.