1.在application.properties或者application.yml配置文件中加入
server:
  port: 8443
  ssl:
    key-store: classpath:xxxx.jks
    # xxxx.jks的别名
    key-alias: transfer
    key-store-password: 123456
    key-store-type: JKS
    enabled: true
    # 以下是配置双向验证,如不需要,可以不配置
    trust-store: classpath:truststore.jks
    trust-store-password: 654321
    trust-store-type: JKS
    client-auth: need
    trust-store-provider: SUN
附上生成jks以及把自签证书导入JDK cacerts的一些操作(注意:导入cacerts影响的是该JDK上所有Java程序的信任,与上面配置里应用自己的trust-store文件是两回事)
# 切换到java的jre/lib/security路径
# 生成自签的证书公私钥库jks文件
keytool -genkey -alias test -keyalg RSA -keysize 2048 -keystore test.jks
# 从jks文件导出cer
keytool -export -alias test -keystore test.jks -rfc -file test.cer
# java添加自签证书的本地信任,不然会抛出错误:unable to find valid certification path to requested target
keytool -import -alias test -keystore cacerts -file test.cer -storepass changeit
# 根据别名查看证书
keytool -list -alias test -keystore cacerts -storepass changeit
# 根据别名删除证书
keytool -delete -alias test -keystore cacerts -storepass changeit
但是在启动的时候,却一直报错:the trustAnchors parameter must be non-empty
经排查,是trust-store有问题,可以看看解释的文章:
https://blog.csdn.net/HD243608836/article/details/118555240
具体解释的代码(反编译后的片段,因此变量名是var1、var4这类)在JavaKeyStore.class的engineLoad(InputStream var1, char[] var2)方法里
for(int var13 = 0; var13 < var12; ++var13) {
int var14 = var4.readInt();
String var15;
byte[] var23;
if(var14 != 1) {
if(var14 != 2) {
throw new IOException("Unrecognized keystore entry");
}
# 只含有公钥的jks会加载为TrustedCertEntry
JavaKeyStore.TrustedCertEntry var27 = new JavaKeyStore.TrustedCertEntry();
var15 = var4.readUTF();
var27.date = new Date(var4.readLong());
if(var11 == 2) {
String var29 = var4.readUTF();
if(var7.containsKey(var29)) {
var6 = (CertificateFactory)var7.get(var29);
} else {
var6 = CertificateFactory.getInstance(var29);
var7.put(var29, var6);
}
}
var23 = IOUtils.readFully(var4, var4.readInt(), true);
var8 = new ByteArrayInputStream(var23);
var27.cert = var6.generateCertificate(var8);
var8.close();
this.entries.put(var15, var27);
} else {
JavaKeyStore.KeyEntry var16 = new JavaKeyStore.KeyEntry();
var15 = var4.readUTF();
var16.date = new Date(var4.readLong());
var16.protectedPrivKey = IOUtils.readFully(var4, var4.readInt(), true);
int var17 = var4.readInt();
if(var17 > 0) {
ArrayList var18 = new ArrayList(var17 > 10?10:var17);
for(int var19 = 0; var19 < var17; ++var19) {
if(var11 == 2) {
String var20 = var4.readUTF();
if(var7.containsKey(var20)) {
var6 = (CertificateFactory)var7.get(var20);
} else {
var6 = CertificateFactory.getInstance(var20);
var7.put(var20, var6);
}
}
var23 = IOUtils.readFully(var4, var4.readInt(), true);
var8 = new ByteArrayInputStream(var23);
var18.add(var6.generateCertificate(var8));
var8.close();
}
var16.chain = (Certificate[])var18.toArray(new Certificate[var17]);
}
this.entries.put(var15, var16);
}
}
总体来说,trust-store只需要包含证书(公钥)条目,即上面代码中加载为TrustedCertEntry的那一类;而之前配置的JKS文件里的条目同时含有公私钥,会被加载为KeyEntry,于是信任库里没有任何受信任证书条目,导致报错。如下文章讲述了如何生成只有公钥的jks:
http://t.zoukankan.com/Amos-Turing-p-7111499.html