一.  建立tomcat證書

使用JDK自帶的keytool工具來生成證書：

1. 開啟cmd，啟動keytool

2. 在命令列中輸入以下命令:

keytool -genkeypair -alias "tomcat" -keyalg "RSA" -keystore "c:\tomcat.keystore"  

完成後在磁碟生成tomcat.keystore檔案

二. 配置tomcat伺服器

 定位到tomcat伺服器的安裝目錄, 找到conf下的server.xml檔案

找到如下已經被註釋的程式碼：

1 <!--
2     <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
3                maxThreads="150" scheme="https" secure="true"
4                clientAuth="false" sslProtocol="TLS" />
5     -->
 

去掉註釋，修改為：

1 <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"  
2               maxThreads="150" scheme="https" secure="true"  
3               clientAuth="false" sslProtocol="TLS"   
4        keystoreFile="c:\tomcat.keystore"  
5        keystorePass="123456" />  

 強制https訪問配置如下：在 tomcat /conf/web.xml 中的 </welcome-file-list> 後面加上以下內容

    <login-config>  
            <!-- Authorization setting for SSL -->  
            <auth-method>CLIENT-CERT</auth-method>  
            <realm-name>Client Cert Users-only Area</realm-name>  
    </login-config>  
    <security-constraint>  
            <!-- Authorization setting for
 
 SSL -->  
            <web-resource-collection >  
                <web-resource-name >SSL</web-resource-name>  
                <url-pattern>/*</url-pattern>  
            </web-resource-collection>  
            <user-data-constraint>  
                <transport-guarantee>CONFIDENTIAL</transport-guarantee>  
            </user-data-constraint>  
    </security-constraint>  

三. 啟動tomcat伺服器

在IE瀏覽器中輸入: https://localhost

選擇高階繼續瀏覽此網站

Expand

keytool

Manages a keystore (database) of cryptographic keys, X.509 certificate chains, and trusted certificates.

Description

The keytool command is a key and certificate management utility. It enables users to administer their own public/private key pairs and associated certificates for use in self-authentication (where the user authenticates himself or herself to other users and services) or data integrity and authentication services, using digital signatures. The keytool command also enables users to cache the public keys (in the form of certificates) of their communicating peers.

A certificate is a digitally signed statement from one entity (person, company, and so on.), that says that the public key (and some other information) of some other entity has a particular value. (See Certificate.) When data is digitally signed, the signature can be verified to check the data integrity and authenticity. Integrity means that the data has not been modified or tampered with, and authenticity means the data comes from whoever claims to have created and signed it.

The keytool command also enables users to administer secret keys and passphrases used in symmetric encryption and decryption (DES).

The keytool command stores the keys and certificates in a keystore. See KeyStore aliases.

--https://docs.oracle.com/javase/8/docs/technotes/tools/windows/keytool.html