Enabling HTTPS in Tomcat

Tomcat does not serve HTTPS by default (at least not in the distribution I downloaded).

If you need to enable it, edit the %TOMCAT_HOME%/conf/server.xml file and add the following Connector:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="C:\\code\\tomcat.keystore" keystorePass="qweasdzxc"
           truststoreFile="C:\\code\\tomcat.keystore" truststorePass="qweasdzxc"
           />

Here port is the port number used for https access; it can be changed as needed.

clientAuth controls whether client authentication is required. If it is true, the client must present a certificate (and hold its private key) to access the server, i.e. two-way (mutual) authentication;

keystoreFile is the path of the server's keystore file (holding the server certificate and key), and keystorePass is the password of that keystore;

truststoreFile is the path of the trusted-certificate store file, and truststorePass is its password;

 

Therefore, to be able to make https requests, new client and server certificates must be created and stored in keystore files. Fortunately, the JDK ships a tool, keytool, for generating certificates.

Overview of the keytool command's options:

    

 

Because I have added the JDK to my environment variables, I can run the keytool command from the root directory. The following describes how to generate the certificates.

 1. Generate a server certificate

In the command, test is the alias of the generated certificate, RSA is the key algorithm, keystore is the path of the keystore file (it is created if it does not yet exist), and validity 36500 is the certificate's validity period in days.

After running the command, you are asked to set a password; this is the keystore password (keystorePass).

For "first and last name" (the certificate's CN), enter the address of your server; here I set it to local.

The following fields, such as organizational unit name and organization name, can be left blank.

Confirm the entered details, and finally enter the key password for the generated server key. I used the same password as the server keystore here; both are qweasdzxc.

 

 File after success:


   

  2. Generate a client certificate


This is largely the same as generating the server certificate, except that the keystore type (PKCS12) and file name are set here;

The "first and last name" here can be filled in freely or left blank.

  Generated file:

 

  3. Import the client certificate into the client (browser)

Double-click the testkey.p12 file to import the certificate, click Next through the wizard, enter the certificate password, and complete the import.

 

  4. Set the server-side trust client certificate

Since this is two-way SSL authentication, the server must trust the client certificate, so the client certificate has to be added to the server's trust store. Because a PKCS12-format keystore cannot be imported directly into the server keystore, export the client certificate as a separate .cer file first.

First, export the client certificate as a .cer file


    Where qweasdzxc is the password


Second, import the .cer file into the server keystore


5. Export the server certificate as a .cer file and install it on the client




6. Add server-side certificate authentication to the client

Double-click the test.cer file to import the certificate, click Install Certificate, and for the store location select Trusted Root Certification Authorities to complete the import.


 
At this point the certificate work is done; you only need to configure Tomcat as described above to get https access. If clientAuth is set to false, the client does not need any certificate installed to access the server. If clientAuth is set to true, the client certificate trusted by the server must be imported into the browser before it can communicate with the server; without it, the server cannot be accessed.
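The keytool commands behind steps 1, 2, 4 and 5 above, as an added example that is not part of the original post. The aliases (test, testkey), file names (tomcat.keystore, testkey.p12, test.cer) and password come from the post; the working directory and the CN values are assumptions for a local test, and the SAN extension is added because current browsers match the host name against SAN rather than CN.

```shell
#!/bin/sh
# Added example: keytool sequence for server keystore, client PKCS12 store,
# trusting the client cert on the server, and exporting the server cert.
set -eu

WORK="${WORK:-./certs}"            # assumed working directory (post used C:\code)
PASS="qweasdzxc"                   # password used throughout the post
SERVER_KS="${SERVER_KS:-$WORK/tomcat.keystore}"  # keystoreFile / truststoreFile
CLIENT_P12="${CLIENT_P12:-$WORK/testkey.p12}"    # store imported into the browser

# Step 1: server key pair and self-signed certificate. The CN and SAN must
# match the host name the browser connects to (assumed: localhost).
gen_server_cert() {
    keytool -genkeypair -alias test -keyalg RSA -keysize 2048 \
        -validity 36500 -dname "CN=localhost" \
        -ext "SAN=dns:localhost,ip:127.0.0.1" \
        -keystore "$SERVER_KS" -storepass "$PASS" -keypass "$PASS"
}

# Step 2: client key pair in a PKCS12 store, the format browsers import.
gen_client_cert() {
    keytool -genkeypair -alias testkey -keyalg RSA -keysize 2048 \
        -validity 36500 -dname "CN=testclient" -storetype PKCS12 \
        -keystore "$CLIENT_P12" -storepass "$PASS" -keypass "$PASS"
}

# Step 4: export the client certificate (public part only) as a .cer file
# and import it into the server store as a trusted entry.
trust_client_cert() {
    keytool -exportcert -alias testkey -storetype PKCS12 \
        -keystore "$CLIENT_P12" -storepass "$PASS" -file "$WORK/testkey.cer"
    keytool -importcert -alias testkey -file "$WORK/testkey.cer" -noprompt \
        -keystore "$SERVER_KS" -storepass "$PASS"
}

# Step 5: export the server certificate for installation on the client.
export_server_cert() {
    keytool -exportcert -alias test -keystore "$SERVER_KS" \
        -storepass "$PASS" -file "$WORK/test.cer"
}

# Check: the server store must hold the client cert as a trustedCertEntry,
# otherwise clientAuth="true" rejects the handshake.
server_store_ok() {
    keytool -list -keystore "$SERVER_KS" -storepass "$PASS" | grep -q "trustedCertEntry"
}

setup_mtls_stores() {
    mkdir -p "$WORK"
    gen_server_cert && gen_client_cert && trust_client_cert && export_server_cert
    server_store_ok
}
```

Run setup_mtls_stores once; rerunning it fails because the aliases already exist in the stores.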

 

However, when I set clientAuth to true, imported the client certificate, and it was also a trusted certificate on the server side, Google Chrome and Firefox still showed an insecure connection. It seems to be caused by my certificate's issuer and organizational unit. This requires further experiments, but apart from these two browsers, 360 Speed, 360 Secure, Edge, IE and other browsers show a secure connection.
