I am new to https configuration and tried to set up spring-boot with Comodo SSL.
After a few phone calls, I figured out how to configure https correctly for your spring-boot website.
The answer below gives the detailed steps. I hope it helps people build more secure websites or services.
Answer 0: (score: 0)
1. Purchase a Comodo plan, such as a Wildcard
2. Generate a CSR (certificate signing request) from one of your servers on AWS.
a. keytool -genkey -keyalg RSA -keysize 2048 -dname "CN=www.yourdomain.com, O=Default, C=US" -keystore domain.keystore
Notes: If you purchased a Wildcard please put CN=*.yourdomain.com
Notes: You have to set a password right here, please remember it.
b. keytool -certreq -keyalg RSA -file domain.csr -keystore domain.keystore
Notes: The domain.csr is your generated CSR, you have to copy and paste it into the field that Comodo requires.
3. Comodo will send a link to admin@yourdomain.com, you have to verify it to pass DCV.
4. After you finish steps 2 and 3, you will receive 4 CRT files by email, and you need to add these 4 CRTs into your existing domain.keystore.
5. Install
keytool -import -trustcacerts -alias AddTrustExternalCARoot -file AddTrustExternalCARoot.crt -keystore domain.keystore
keytool -import -trustcacerts -alias COMODORSAAddTrustCA -file COMODORSAAddTrustCA.crt -keystore domain.keystore
keytool -import -trustcacerts -alias COMODORSADomainValidationSecureServerCA -file COMODORSADomainValidationSecureServerCA.crt -keystore domain.keystore
keytool -import -trustcacerts -alias mykey -file STAR_domain_com.crt -keystore domain.keystore
Notes: You have to set -alias to "mykey" if you didn't set an alias in the CSR generation.
Notes: After you have done these imports, you may receive the message "Certificate reply was installed in keystore", which indicates that you have successfully installed the keystore.
Notes: If you keep receiving a warning saying "The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore domain.keystore -destkeystore domain.keystore -deststoretype pkcs12"", you can run the recommended command after the imports to convert the keystore to PKCS12 format. It is not necessary.
6. Configure Spring Boot
a. Write a configuration file in your Spring Boot project for the redirect
    import org.apache.catalina.Context;
    import org.apache.catalina.connector.Connector;
    import org.apache.tomcat.util.descriptor.web.SecurityCollection;
    import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
    import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;

    @Configuration
    public class HttpsConfig {

        @Bean
        public TomcatServletWebServerFactory servletContainer() {
            TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory() {
                @Override
                protected void postProcessContext(Context context) {
                    // A CONFIDENTIAL constraint on /* forces every request onto the secure (https) connector
                    SecurityConstraint securityConstraint = new SecurityConstraint();
                    securityConstraint.setUserConstraint("CONFIDENTIAL");
                    SecurityCollection collection = new SecurityCollection();
                    collection.addPattern("/*");
                    securityConstraint.addCollection(collection);
                    context.addConstraint(securityConstraint);
                }
            };
            tomcat.addAdditionalTomcatConnectors(createHttpConnector());
            return tomcat;
        }

        // Plain http listener on port 1234; the constraint above redirects its requests to the https port 5678
        private Connector createHttpConnector() {
            Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
            connector.setScheme("http");
            connector.setSecure(false);
            connector.setPort(1234);
            connector.setRedirectPort(5678);
            return connector;
        }
    }
b. In application.properties, turn on https support
    # https listener; must match the redirect port set in HttpsConfig
    server.port=5678
    # security.require-ssl is a Spring Boot 1.x property and has no effect in 2.x, where the constraint in HttpsConfig does the redirect
    security.require-ssl=true
    server.ssl.key-store=classpath:domain.keystore
    server.ssl.key-store-password=abc12345
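Before pointing server.ssl.key-store at the file, it is worth confirming that the imports in step 5 actually produced a private key entry with a complete chain, since "Certificate reply was installed in keystore" alone does not show that. The following check is an added example, not part of the answer above; it assumes the file name domain.keystore, the alias "mykey" and the password used in the steps, all of which can be overridden on the command line.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;

/** Checks domain.keystore before server.ssl.key-store is pointed at it. */
public class KeystoreCheck {
    public static void main(String[] args) throws Exception {
        // Defaults mirror the answer above (file name, alias "mykey", password); override via arguments.
        String path = args.length > 0 ? args[0] : "domain.keystore";
        String alias = args.length > 1 ? args[1] : "mykey";
        char[] password = (args.length > 2 ? args[2] : "abc12345").toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");   // on Java 9+ the JKS loader also reads a PKCS12 file
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);                   // IOException here means wrong password or format
        }
        boolean ok = true;
        if (!ks.isKeyEntry(alias)) {
            System.out.println("FAIL: '" + alias + "' is not a private key entry (alias differs from the CSR's?)");
            ok = false;
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length < 2) {
            // A single certificate means the CA reply never replaced the self-signed certificate from step 2a
            System.out.println("FAIL: expected leaf plus intermediates, found " + (chain == null ? 0 : chain.length));
            ok = false;
        } else {
            X509Certificate leaf = (X509Certificate) chain[0];
            System.out.println("leaf: " + leaf.getSubjectX500Principal() + ", expires " + leaf.getNotAfter());
            try {
                leaf.checkValidity(new Date());
            } catch (Exception e) {
                System.out.println("FAIL: leaf certificate is not currently valid: " + e.getMessage());
                ok = false;
            }
            for (int i = 0; i < chain.length - 1; i++) {   // every link must be signed by the next one up
                try {
                    chain[i].verify(chain[i + 1].getPublicKey());
                } catch (Exception e) {
                    System.out.println("FAIL: certificate " + i + " is not signed by certificate " + (i + 1));
                    ok = false;
                }
            }
        }
        System.out.println(ok ? "keystore OK" : "keystore NOT OK");
        System.exit(ok ? 0 : 1);
    }
}
```

Run it with `java KeystoreCheck.java domain.keystore mykey <password>` on Java 11 or later; a non-zero exit means the keystore should not be deployed yet.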