自签名证书实现java服务＜＞nginxHTTPS双向认证

生成证书

C&＃61;"CN"
ST&＃61;"Zhejiang"
L&＃61;"HanZhou"
O&＃61;"Alibaba"
OU&＃61;"Nginx"
CN&＃61;"11.22.33.44"
CN_CLIENT&＃61;"MicroService"
emailAddress&＃61;"abc&＃64;edf.com"
PASSWD&＃61;"password"
JKS_PASSWD&＃61;"password"rm -rf temp
mkdir temp
cd temp/
mkdir -p demoCA/newcerts
touch demoCA/index.txt
touch demoCA/serial
echo 01 >> demoCA/serial# 生成自签名根证书 ca key
openssl genrsa -aes128 -passout pass:${PASSWD} -out ca.key 2048
# ca crt(pem) der
openssl req -new -passin pass:${PASSWD} -x509 -key ca.key -out ca.crt -days 3650 -subj "/C&＃61;${C}/ST&＃61;${ST}/L&＃61;${L}/O&＃61;${O}/OU&＃61;${OU}/CN&＃61;${CN}/emailAddress&＃61;${emailAddress}"
openssl x509 -in ca.crt -outform DER -out ca.der
openssl x509 -inform der -in ca.der -out ca.pem# server key
# openssl genrsa -aes128 -passout pass:${PASSWD} -out serverKey.pem 2048
openssl genrsa -out serverx.key 2048
# server req
#openssl req -new -passin pass:${PASSWD} -key serverKey.pem -out serverReq.pem -subj "/C&＃61;${C}/ST&＃61;${ST}/L&＃61;${L}/O&＃61;${O}/OU&＃61;${OU}/CN&＃61;${CN}/emailAddress&＃61;${emailAddress}"
openssl req -new -key serverx.key -out serverReq.pem -subj "/C&＃61;${C}/ST&＃61;${ST}/L&＃61;${L}/O&＃61;${O}/OU&＃61;${OU}/CN&＃61;${CN}/emailAddress&＃61;${emailAddress}"
# server cert
openssl ca -md sha256 -key ${PASSWD} -batch -keyfile ca.key -cert ca.crt -in serverReq.pem -out serverCrt.pem -days 3650
rm serverReq.pem # client key
openssl genrsa -aes128 -passout pass:${PASSWD} -out clientKey.pem 2048
# client req
openssl req -new -passin pass:${PASSWD} -key clientKey.pem -out clientReq.pem -subj "/C&＃61;${C}/ST&＃61;${ST}/L&＃61;${L}/O&＃61;${O}/OU&＃61;${OU}/CN&＃61;${CN_CLIENT}/emailAddress&＃61;${emailAddress}"
# client cert
openssl ca -md sha256 -key ${PASSWD} -batch -keyfile ca.key -cert ca.crt -in clientReq.pem -out clientCert.pem -days 3650
rm clientReq.pem # 所有证书&＃xff0c;私钥等都可以是 pem, 也可以是 der 格式, 可以转化
# openssl x509 -in ca.crt -outform DER -out ca.der # pem -> der
# openssl x509 -inform der -in ca.der -out ca.pem # der -> pem# 假如要取消某个证书openssl
# openssl ca -keyfile ca.key -cert ca.crt -revoke clientCert.pem# jks
# keyStore for client 客户端会给自己的公钥证书给服务端&＃xff0c;服务端判断这个证书是不是自己的信任链上的
openssl pkcs12 -export -out slb_sslclient.p12 -in clientCert.pem -inkey clientKey.pem
keytool -importkeystore -srckeystore slb_sslclient.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore keystore.jks# trustStore for client 服务端给自己的公钥证书给客户端&＃xff0c;客户端判断这个证书是不是自己的信用链上的
keytool -import -trustcacerts -file ca.crt -keystore truststore.jks -storepass ${JKS_PASSWD}

nginx配置

# HTTPS server#server {listen 8443 ssl;server_name localhost;ssl_certificate ./nginx/conf/ssl/servercrt.pem;ssl_certificate_key ./nginx/conf/ssl/servercrt.key;ssl_client_certificate ./nginx/conf/ssl/ca.crt;ssl_verify_client on;ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256";ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m;ssl_protocols TLSv1.2;location / {# 校验证书DN&＃xff0c;防止根证书的其他证书也通过认证if ($ssl_client_s_dn !~ "CN&＃61;xxx,OU&＃61;xxx,O&＃61;xxx,C&＃61;CN") {return 403;}proxy_pass https//elasticsearch;} }upstream elasticsearch {server 11.22.33.44:9200;}

java配置

try {String keystorePassPlain &＃61; PwdUtils.decryptSecretInfo(keystorePass);KeyStore keyStore &＃61; KeyStore.getInstance("jks");kis &＃61; new FileInputStream(new File(PathUtil.getAbsolutePath(keystorePath).orElse(StringUtils.EMPTY) &＃43; File.separator &＃43; "keystore.jks"));keyStore.load(kis, keystorePassPlain.toCharArray());String truststorePassPlain &＃61; PwdUtils.decryptSecretInfo(truststorePass);KeyStore trustStore &＃61; KeyStore.getInstance("jks");tis &＃61; new FileInputStream(new File(PathUtil.getAbsolutePath(keystorePath).orElse(StringUtils.EMPTY) &＃43; File.separator &＃43; "truststore.jks"));trustStore.load(tis, truststorePassPlain.toCharArray());SSLContextBuilder sslbuild &＃61; SSLContexts.custom().loadTrustMaterial(trustStore, (x509Certificates, s) -> {for (X509Certificate x509Certificate : x509Certificates) {x509Certificate.checkValidity();}return false;}).loadKeyMaterial(keyStore, keystorePassPlain.toCharArray()).useProtocol("TLSv1.2");SSLContext sslcontext &＃61; sslbuild.build();this.builder.setHttpClientConfigCallback((httpClientBuilder) -> {return httpClientBuilder.setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE).setSSLContext(sslcontext);});} catch (Exception var13) {LOG.error("setSSLContext failed.", var13);} finally {try {if (tis !&＃61; null) {tis.close();}if (kis !&＃61; null) {kis.close();}} catch (IOException e) {tis &＃61; null;kis &＃61; null;LOG.error("close fileInputStreams error: ", e);}}


p12证书导入证书到浏览器

根证书&＃xff0c;放入 受信任的根证书颁发机构

P12证书包含了客户端私钥和证书&＃xff0c;等价于keystore.jks&＃xff0c;放入个人

如果使用根证书&＃43;中间证书&＃xff0c;需要在trustStore中添加整个信用链&＃xff08;包括根证书&＃43;中间证书&＃xff09;&＃xff0c;nginx 上前后复制粘贴放在一个文件里面就行

vi /etc/hosts

Maven有可能会把证书文件做编码处理&＃xff0c;加上这个可以避免