https service construction--Tomcat

1.
Building https requires the https protocol. It is not introduced in detail here; just know that it is a secure access protocol (for details, refer to http://www.linuxde.net/2012/03/8301.html). To complete one https access, you need a service provider (Tomcat is used as the example here, and is simply called Tomcat below) and a service access end (the IE browser is used as the example). When IE accesses Tomcat through https, the IE browser needs to recognize (trust) Tomcat's service as a legitimate, real service. The basis for this trust is the certificate (one-way authentication is taken as the example here, that is, IE verifies Tomcat, and Tomcat does not need to verify the IE user's identity). Therefore, to build a (one-way authentication) https service on Tomcat, Tomcat and a certificate are required. Certificate here refers to a CA certificate, which is a document representing an identity, issued by a well-known authority.


2. Problems encountered in the construction of https
After the https service is built, there are two possible results. One is the prompt "There is a problem with this website's security certificate", and you need to click to continue before you can use it (Figure 1).

The other is that the desired page opens directly, with a green lock in the address bar (Figure 2).

The reason for the first case is that IE cannot trust the certificate provided by Tomcat. IE (like other browsers) has the certificates of existing authorities built in at installation, so IE can open the addresses of many large websites and display a green lock directly.
There are three kinds of certificates (as far as I know). The first is applied for directly from a CA agency, for a fee; this kind of certificate is recognized by IE and displays a green lock. The second is a free certificate applied for from some CA agencies (https://www.startssl.com is one option); some functions are limited, but it can also display a green lock. The third is a certificate generated directly with a tool; because it is self-generated, IE cannot judge its validity and can only prompt that there is a security problem.
CA certificate authorities are divided into root certificate authorities, agencies, secondary agencies and so on; there can be many levels, and the whole hierarchy is written into the certificate. When IE verifies a certificate, it verifies level by level: it first verifies whether the lowest-level certificate is legitimate; if it cannot establish that on its own, it verifies the upper-level organization that issued it, and so on up to the top of the certificate chain, the so-called root certificate. If verification still fails there, IE considers the certificate untrusted.


3. Build steps
3.1. Use the JDK's own keytool to generate a keystore file. Organization information and the password are entered during execution.
keytool -genkey -alias <alias> -keyalg RSA -keystore <file name> -keysize 2048
After this step is completed, you can configure the generated keystore file into Tomcat directly and use it; the display effect will be the first case.

3.2. Generate a CSR file, which is used to request a certificate from a CA agency.
keytool -certreq -keyalg RSA -alias <alias> -file <name of the generated CSR file> -keystore <keystore file generated in the previous step>

3.3. Submit the content of the CSR file on the CA's official website and apply for the CA certificate. After the application succeeds, three certificates are obtained (Figure 3).

3.4. Import the certificates obtained from the CA into the keystore file. After the import succeeds, visiting Tomcat shows the small green lock. Import the root certificate first, then the intermediate certificate, and finally the website certificate.
keytool -import -alias root -keystore e:/127laochen9.keystore -file C:/Users/lenovo/Desktop/root.crt
keytool -import -alias Intermediate -keystore e:/127laochen9.keystore -file C:/Users/lenovo/Desktop/1_Intermediate.crt
keytool -import -alias 127laochen9 -keystore e:/127laochen9.keystore -file C:/Users/lenovo/Desktop/2_127.laochen9.top.crt

3.5. Configure the server.xml file in Tomcat
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true" clientAuth="false"
    sslProtocol="TLS" keystoreFile="<keystore file path>" keystorePass="<password entered in the first step>" />

3.6. Access the https address to verify that the connection succeeds.
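To confirm that the keystore built in steps 3.1 to 3.4 really holds the complete chain under the key alias before it is wired into server.xml, here is an added check written for this page (it is not part of the original post or of Tomcat): it loads the keystore with the JDK's KeyStore API and walks the chain from the website certificate up to the root, verifying each signature, which is the same level-by-level verification described in section 2. The keystore path and alias default to the ones used above; the password is a placeholder that must be replaced with yours.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

public class KeystoreChainCheck {

    // Walks chain[0] (website cert) up to the root, checking validity dates,
    // issuer/subject linkage and each signature. Returns the number of links verified.
    static int verifyChain(Certificate[] chain) throws Exception {
        int verified = 0;
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = (X509Certificate) chain[i];
            // The issuer is the next certificate; the root must certify itself.
            X509Certificate issuer = (i + 1 < chain.length) ? (X509Certificate) chain[i + 1] : cert;
            if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
                throw new IllegalStateException("chain broken or root missing at "
                        + cert.getSubjectX500Principal());
            }
            cert.checkValidity();                // throws if expired or not yet valid
            cert.verify(issuer.getPublicKey());  // throws if the signature is not the issuer's
            System.out.println("[" + i + "] " + cert.getSubjectX500Principal()
                    + "  issued by  " + issuer.getSubjectX500Principal());
            verified++;
        }
        return verified;
    }

    public static void main(String[] args) throws Exception {
        // Assumed defaults: keystore path and alias from the steps above; password is a placeholder.
        String path = args.length > 0 ? args[0] : "e:/127laochen9.keystore";
        String alias = args.length > 1 ? args[1] : "127laochen9";
        char[] pass = (args.length > 2 ? args[2] : "<keystore password>").toCharArray();

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null) {
            throw new IllegalStateException("no private key entry under alias " + alias);
        }
        int links = verifyChain(chain);
        if (links == 1) {
            // Only the self-signed certificate from step 3.1: browsers show the warning (first case).
            System.out.println("Self-signed certificate only; expect the security warning.");
        } else {
            X509Certificate root = (X509Certificate) chain[chain.length - 1];
            System.out.println("Chain of " + links + " certificates ends at root "
                    + root.getSubjectX500Principal());
        }
    }
}
```

Run it with `java KeystoreChainCheck <keystore> <alias> <password>`; a chain of three links ending at the CA's root corresponds to the green-lock case, a single link to the self-signed case.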

Extended reading:

http://www.linuxde.net/2012/03/8316.html
