SSL配置 SpringBoot、Tomcat、Nginx

一、Spring boot配置
1、生成jsk命令
keytool -importkeystore -srckeystore 读取绝对路径.pfx -destkeystore 存放的绝对路径.jks -srcstoretype PKCS12 -deststoretype JKS
自己生成测试的签名文件：

C:\Users\Administrator>keytool -genkey -alias tomcat -keyalg RSA -keystore E:\testkey.keystore
输入密钥库口令:
再次输入新口令:
您的名字与姓氏是什么?
  [Unknown]:  cao
您的组织单位名称是什么?
  [Unknown]:  hzcs
您的组织名称是什么?
  [Unknown]:  hzcs
您所在的城市或区域名称是什么?
  [Unknown]:  beijing
您所在的省/市/自治区名称是什么?
  [Unknown]:  beijingshi
该单位的双字母国家/地区代码是什么?
  [Unknown]:  China
CN=cao, OU=hzcs, O=hzcs, L=beijing, ST=beijingshi, C=China是否正确?
  [否]:  y

输入 <tomcat> 的密钥口令
        (如果和密钥库口令相同, 按回车):

2、放到.yml配置文件同级目录下
3、配置文件修改

server:
  port: 443
  ssl:
    key-store: classpath:xxx.jks
    key-store-password: 密码
    key-alias: alias
    key-store-type: JKS

4、启动文件修改

    @Bean
    public TomcatServletWebServerFactory servletContainer() {
        TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory() {
            @Override
            protected void postProcessContext(Context context) {
                //如果不要http，就放开注释
//                SecurityConstraint constraint = new SecurityConstraint();
//                constraint.setUserConstraint("CONFIDENTIAL");
//                SecurityCollection collection = new SecurityCollection();
//                collection.addPattern("/*");
//                constraint.addCollection(collection);
//                context.addConstraint(constraint);
            }
        };
        tomcat.addAdditionalTomcatConnectors(httpConnector());
        return tomcat;
    }

    @Bean
    public Connector httpConnector() {
        Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        connector.setSecure(false);
        connector.setScheme("http");
        //Connector监听的http的端口号
        connector.setPort("8080");
        connector.setSecure(false);
        //监听到http的端口号后转向到的https的端口号
        connector.setRedirectPort("443");
        return connector;
    }

二、Tomcat配置
1、pfx
增加keystoreFile 、 keystoreType 、 keystorePass

<Connector port="8443" protocol="HTTP/1.1"
            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
            keystoreFile="/证书路径/名称.pfx"
            keystoreType="PKCS12"
            keystorePass="证书密码"
            clientAuth="false" sslProtocol="TLS" />

2、jks
增加keystoreFile、 keystorePass

<Connector port="8443" protocol="HTTP/1.1"
            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
            keystoreFile="/证书路径/名称.jks"
            keystorePass="证书密码"
            clientAuth="false" sslProtocol="TLS" />

3、如果修改端口为443，则需修改下列

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="443" />

三、 Nginx配置
1、将pem、key文件放到指定目录
2、修改nginx配置文件

    # HTTPS server
    #
    server {
        listen       443 ssl;
        server_name  域名;

        ssl_certificate      xxx.pem;
        ssl_certificate_key  xxx.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        #location / {
        #    root   html;
        #    index  index.html index.htm;
        #}
    }