keyStore: my_https.jks
trustStore:my_https_trust.jks

1、创建keystore

keytool -genkeypair -alias my_https -keyalg RSA -validity 3650  -keystore my_https.jks -dname "CN=vom,OU=XXXX,O=example,L=KAWASAKI,ST=KANAGAWA,c=JP" -storepass password -keypass password
keytool -list -v -keystore my_https.jks

这里需要注意的是CN必须写域名或者主机名(/etc/hosts文件中有相应记录),否则java访问会出错。

2、导出证书(公钥)

keytool -export -trustcacerts -alias my_https -keystore my_https.jks -file my.cer -storepass password
#openssl x509 -in my.cer -inform der -text -noout

3、创建Truststore(客户端访问用)

keytool -import -trustcacerts -alias my_https -file my.cer -keystore my_https_trust.jks -storepass password
keytool -list -v -keystore my_https_trust.jks

keystore 记录的是你的 key 和证书,而 trust store 记录的是你信任的证书,一般是对方服务器的证书(当然也可能是 SSL 客户端证书)

4、配置Tomcat:

<Connector  port="20001" 
            protocol="org.apache.coyote.http11.Http11Protocol" 
            SSLEnabled="true"   
            scheme="https" 
            secure="true"   
            clientAuth="false" 
            sslProtocol="TLS"   
            keystoreFile="/opt/my/trustStore/my_https.jks" 
            keystorePass="password"
            connectionTimeout="20000" 
            redirectPort="20002" />