目录
转换证书文件
已有文件
– app.crt 客户端证书
– app.key 客户端证书的密钥文件
– ca.crt 根证书文件
将客户端证书和密钥转换为java可识别证书文件jks (已有 client.jks 文件时忽略此步)
- 将crt文件转为p12
> openssl pkcs12 -export -out cert.p12 -in app.crt -inkey app.key
Enter Export Password:
Verifying - Enter Export Password:
提示输入密码: 注意此时密码为网站软件app对应的密钥
- 将cert.p12文件转为java可识别的jks文件, 此文件为客户端证书
> keytool -importkeystore -srckeystore cert.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore client.jks
Importing keystore cert.p12 to client.jks...
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias 1 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
提示输入密码:此处建议三个密码都为app对应的密钥
导出Domain CA证书为 jks (已有 openapi_ca.jks 文件时忽略此步)
> keytool -import -file openapi_ca.crt -keystore openapi_ca.jks
Enter keystore password:
Re-enter new password:
...
Trust this certificate? [no]: yes
Certificate was added to keystore
提示: 此处Trust this certificate?
必须为 yes 或者 是, 否则删除文件重新生成
提示输入密码: 建议密码都是密钥
信任 ca 证书
注: 因一些奇怪的原因导致此条无法运行,故建议使用导出证书
> keytool -import -alias openapi_com -trustcacerts -keystore openapi_com.jks
> keytool -import -trustcacerts -keystore openapi_com.jks
此处密码为上一步生成文件时的密码, 建议所有密码为同一个
RestTemplate的使用案例及配置文件参考
# 请求ssl的域名
ucc.openapi.domain=https://www.openapi.com:13443/
# resources文件路径
ucc.openapi.application=cert/client.jks
ucc.openapi.domain-ca=cert/openapi_com.jks
# 密钥密码
ucc.openapi.passphrase=xxxxxxxxxxxxxxxxx
@Data
@Component
@ConfigurationProperties(value = "ucc.openapi")
public class UccDomainProperties {
private String domain;
private String crtFile;
private String keyFile;
private String passphrase;
private String application;
private String domainCa;
}
RestTemplate配置类
package org.example.untitled.config;
import lombok.extern.slf4j.Slf4j;
import org.apache.http.client.HttpClient;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;
import org.example.untitled.domin.vo.UccDomainProperties;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.web.client.RestTemplateBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;
import java.security.KeyStore;
@Configuration
@Slf4j
public class RestTemplateConfiguration {
@Autowired
private UccDomainProperties properties;
@Bean
public RestTemplate restTemplate(RestTemplateBuilder builder) {
RestTemplate restTemplate = new RestTemplate();
KeyStore keyStore;
HttpComponentsClientHttpRequestFactory requestFactory = null;
try {
keyStore = KeyStore.getInstance("jks");
keyStore.load(new ClassPathResource(properties.getApplication()).getInputStream(), properties.getPassphrase().toCharArray());
SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(new SSLContextBuilder()
.loadTrustMaterial(null, new TrustSelfSignedStrategy())
.loadKeyMaterial(keyStore, properties.getPassphrase().toCharArray()).build(),
NoopHostnameVerifier.INSTANCE);
HttpClient httpClient = HttpClients.custom().setSSLSocketFactory(socketFactory)
.setMaxConnTotal(5)
.setMaxConnPerRoute(5)
.build();
requestFactory = new HttpComponentsClientHttpRequestFactory(httpClient);
requestFactory.setReadTimeout(10000);
requestFactory.setConnectTimeout(10000);
restTemplate.setRequestFactory(requestFactory);
} catch (Exception exception) {
System.out.println("Exception Occured while creating restTemplate "+exception);
exception.printStackTrace();
}
return restTemplate;
}
}