1. SSL证书简介

  1.      一般来说,主流的Web服务软件,通常都基于两种基础密码库:OpenSSLJavaTomcatWeblogicJBoss等,使用Java提供的密码库。通过JavaKeytool工具,生成Java KeystoreJKS)格式的证书文件。ApacheNginx等,使用OpenSSL提供的密码库,生成PEMKEYCRT等格式的证书文件。另外,PFXPKCS12)主要应用于IISKDB主要应用于IHSWebsphere。各类证书的关系如下图所示:<br />![image.png](https://cdn.nlark.com/yuque/0/2020/png/788484/1600304999147-9a225310-44ed-40d6-8b67-ab7004712b8a.png#height=192&id=EztfB&margin=%5Bobject%20Object%5D&name=image.png&originHeight=384&originWidth=962&originalType=binary&ratio=1&size=149525&status=done&style=none&width=481)

2. HTTPS配置步骤

  1. 申请SSL证书(先决条件:拥有域名,可在腾讯云、阿里云上免费申请,或者使用自签证书)。
  2. 如有需要将证书转换为对应Web服务器版本,如Tomcat需要jks证书。
  3. SpringBoot工程添加SSL证书及证书配置。

    3. SSL证书申请

    1. CA颁发证书

    略,请查阅相关参考。

    2. 自签署证书

    用JDK/JRE自带的keytool工具来生成SSL证书。常用参数如下所示:
  • alias:证书别名。
  • storetype:指定密钥仓库类型,不指定则JDK会默认选用JKS,其他常用还有PKCS12,内置Tomcat只支持PFXPKCS12)或__JKS
  • keyalg:生证书的算法名称,RSA是一种非对称加密算法。
  • keysize:证书大小。
  • keystore:生成的证书文件的存储路径。
  • validity:证书的有效期。

生成证书:

  1. @rem 进入%JAVA_HOME%/bin目录,如果配置了%PATH%则任意目录下都可以运行以下命令
  2. D:
  3. cd D:\jdk\jdk8x64\bin
  5. # 交互式安装
  6. keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore E:\tmp\dev.polaris.com.jks -validity 3650
  7. # -----交互输入-----
  8. 输入密钥库口令: [V1OUC2e0]
  9. 再次输入新口令: [V1OUC2e0]
  10. 您的名字与姓氏是什么?
  11.   [Unknown]: [wj]
  12. 您的组织单位名称是什么?
  13.   [Unknown]: [dev.polaris.com]
  14. 您的组织名称是什么?
  15.   [Unknown]: [polaris Inc]
  16. 您所在的城市或区域名称是什么?
  17.   [Unknown]: [sz]
  18. 您所在的省/市/自治区名称是什么?
  19.   [Unknown]: [gd]
  20. 该单位的双字母国家/地区代码是什么?
  21.   [Unknown]: [cn]
  22. CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown是否正确?
  23.   [否]:  
  25.  # 静默式安装
  26.  keytool -genkeypair -alias tomcat -keypass V1OUC2e0 -storepass V1OUC2e0 -dname "C=CN,ST=GD,L=SZ,O=wj,OU=dev,CN=polaris.com" -keyalg RSA -keysize 2048 -validity 3650 -keystore E:\tmp\dev.polaris.com.jks

查看证书:

  1. @rem 查看生成证书
  2. keytool -list -v -storetype JKS -keystore E:\tmp\dev.polaris.com.jks
  3. @rem 也可以将结果输出到文件
  4. keytool -list -v -storetype JKS -keystore E:\tmp\dev.polaris.com.jks > out.log

4. SSL证书转换

根据Web服务器需求(见第1章节),将证书转换为其支持的类型。

  1. @rem 进入%JAVA_HOME%/bin目录,如果配置了%PATH%则任意目录下都可以运行以下命令
  2. D:
  3. cd D:\jdk\jdk8x64\bin
  4. # 示例1:将PFX转换为JKS证书
  5. keytool -importkeystore -srckeystore E:\tmp\dev.polaris.com.pfx -destkeystore E:\tmp\dev.polaris.com.jks -srcstoretype PKCS12 -deststoretype JKS
  7. # 示例2:将JKS转换为PFX证书
  8. keytool -importkeystore -srckeystore E:\tmp\dev.polaris.com.jks -destkeystore E:\tmp\dev.polaris.com.pfx -srcstoretype JKS -deststoretype PKCS12
  9. keytool -importkeystore -deststorepass V1OUC2e0 -destkeypass V1OUC2e0 -srckeystore E:\tmp\dev.polaris.com.jks -destkeystore E:\tmp\dev.polaris.com.pfx -srcstoretype JKS -deststoretype PKCS12 -srcstorepass V1OUC2e0

5. SSL证书配置Web站点

1. Tomcat & SSL

Ø 场景1:Tomcat-7.0.103(Http11Protocol)

  1. <?xml version='1.0' encoding='utf-8'?>
  2. <Server port="18005" shutdown="SHUTDOWN">
  3.     <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  4.     <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  5.     <Listener className="org.apache.catalina.core.JasperListener" />
  6.     <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  7.     <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  8.     <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
  10.     <GlobalNamingResources>
  11.         <Resource name="UserDatabase" auth="Container"
  12.               type="org.apache.catalina.UserDatabase"
  13.               description="User database that can be updated and saved"
  14.               factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
  15.               pathname="conf/tomcat-users.xml" />
  16.     </GlobalNamingResources>
  18.     <Service name="Catalina">
  19.         <Connector port="18080" protocol="HTTP/1.1"
  20.                    connectionTimeout="20000"
  21.                    redirectPort="8444" />
  23.         <Connector port="8444" protocol="org.apache.coyote.http11.Http11Protocol"
  24.                maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
  25.                clientAuth="false" sslProtocol="TLS" keystoreFile="conf/local.polaris.org.jks"   
  26.                 keystorePass="V1OUC2e0" />
  28.         <Connector port="18009" protocol="AJP/1.3" redirectPort="8444" secretRequired=""/>
  30.         <Engine name="Catalina" defaultHost="localhost">
  31.             <Realm className="org.apache.catalina.realm.LockOutRealm">
  32.                 <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
  33.             </Realm>
  35.             <Host name="localhost"  appBase="webapps"    unpackWARs="true" autoDeploy="true">
  36.                 <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
  37.                     prefix="localhost_access_log." suffix=".txt"
  38.                     pattern="%h %l %u %t &quot;%r&quot; %s %b" />
  40.             </Host>
  41.         </Engine>
  42.     </Service>
  43. </Server>

Ø 场景2:Tomcat-8.5.5(Http11Nio2Protocol)

  1. server.xml

    1. <?xml version="1.0" encoding="UTF-8"?>
    2. <Server port="8005" shutdown="SHUTDOWN">
    3. <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
    4. <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
    5. <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
    6. <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
    7. <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
    9. <GlobalNamingResources>
    10.  <Resource name="UserDatabase" auth="Container"
    11.            type="org.apache.catalina.UserDatabase"
    12.            description="User database that can be updated and saved"
    13.            factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
    14.            pathname="conf/tomcat-users.xml" />
    15. </GlobalNamingResources>
    17. <Service name="Catalina">
    18.  <Connector port="18080" protocol="HTTP/1.1"
    19.             connectionTimeout="20000"
    20.             redirectPort="8444" />
    22.  <Connector port="8444"
    23.      protocol="org.apache.coyote.http11.Http11Nio2Protocol" maxThreads="150" SSLEnabled="true" >
    24.      <SSLHostConfig >
    25.          <Certificate certificateKeystoreFile="conf/local.polaris.org.jks"
    26.              certificateKeystorePassword="V1OUC2e0"
    27.              type="RSA" />
    28.      </SSLHostConfig>
    29.  </Connector>
    31.  <Connector port="8009" protocol="AJP/1.3" redirectPort="8444" />
    33.  <Engine name="Catalina" defaultHost="localhost">
    34.    <Realm className="org.apache.catalina.realm.LockOutRealm">
    35.      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
    36.             resourceName="UserDatabase"/>
    37.    </Realm>
    39.    <Host name="localhost"  appBase="webapps"
    40.          unpackWARs="true" autoDeploy="true">
    41.      <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
    42.             prefix="localhost_access_log" suffix=".txt"
    43.             pattern="%h %l %u %t &quot;%r&quot; %s %b" />
    45.    </Host>
    46.  </Engine>
    47. </Service>
    48. </Server>

  2. web.xml ```xml <?xml version=”1.0” encoding=”UTF-8”?>

    1.  <web-resource-collection>
    2.      <web-resource-name>OPENSSL</web-resource-name>
    3.      <url-pattern>/*</url-pattern>
    4.  </web-resource-collection>
    5.  <user-data-constraint>
    6.      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    7.  </user-data-constraint>

    1.  <session-timeout>30</session-timeout>
    2.  <cookie-config>
    3.      <secure>true</secure>
    4.  </cookie-config>

  1. <a name="zSv96"></a>
  2. ### Ø  场景3:Tomcat-9.0.37(TLSv1.2)
  3. ```xml
  4. <?xml version="1.0" encoding="UTF-8"?>
  5. <Server port="8005" shutdown="SHUTDOWN">
  6.   <Listener className="org.apache.catalina.startup.VersionLoggerListener"/>
  7.   <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  8.   <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
  9.   <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
  10.   <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
  11.   <GlobalNamingResources>
  12.     <Resource auth="Container" description="User database that can be updated and saved" 
  13.               factory="org.apache.catalina.users.MemoryUserDatabaseFactory" 
  14.               name="UserDatabase" 
  15.               pathname="conf/tomcat-users.xml" 
  16.               type="org.apache.catalina.UserDatabase"/>
  17.   </GlobalNamingResources>
  18.   <Service name="Catalina">
  19.     <Connector port="8080" protocol="HTTP/1.1" 
  20.                connectionTimeout="20000"  
  21.                redirectPort="443"/>
  22.     <Connector port="443" 
  23.                protocol="org.apache.coyote.http11.Http11NioProtocol"
  24.                acceptCount="100"
  25.                maxThreads="150" 
  26.                SSLEnabled="true"
  27.                allowTrace="false"
  28.                xpowereBy="false"
  29.                secure="true">
  30.         <SSLHostConfig protocol="TLSv1.2"
  31.                        ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
  32.                                 TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
  33.                                 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
  34.                                 TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
  35.                                 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
  36.                                 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
  37.                                 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
  38.                                 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
  39.                                 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
  40.                                 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
  41.                                 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
  42.                                 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA">
  43.             <Certificate certificateKeystoreFile="/data/cert/HTTPS_UAT/keystore"
  44.                          certificateKeystorePassword="&#80;&#64;&#115;;&#119;;&#48;;&#114;;&#100;"
  45.                          type="RSA" />
  46.         </SSLHostConfig>
  47.     </Connector>
  49.     <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  51.     <Engine defaultHost="localhost" name="Catalina">
  52.       <Realm className="org.apache.catalina.realm.LockOutRealm">
  53.         <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
  54.       </Realm>
  55.       <Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">
  56.         <Valve className="org.apache.catalina.valves.AccessLogValve" 
  57.              directory="logs" 
  58.              pattern="%h %l %u %t &quot;%r&quot; %s %b" 
  59.              prefix="localhost_access_log" 
  60.              suffix=".txt"/>
  61.         <Valve className="org.apache.catalina.valves.ErrorReportValue" 
  62.              showReport="false"
  63.              showServerInfo="false" />
  64.       </Host>
  65.     </Engine>
  66.   </Service>
  67. </Server>

2. SpringBoot & SSL

Ø SpringBoot配置SSL

  1.      将证书复制到项目根目录(如:resources),修改application.properties  application.yml
  1. # https请求访问端口,https默认443端口,配置后可以不带端口访问站点
  2. server.port=443
  4. # 开启https
  5. server.ssl.enabled=true
  6. # 密钥仓库路径
  7. server.ssl.key-store=classpath:dev.polaris.com.jks
  8. # 签名密码
  9. server.ssl.key-store-password=V1OUC2e0
  10. # 密钥仓库类型
  11. server.ssl.keyStoreType=JKS
  12. # 别名,根据证书情况配置,如果证书没有,则无需配置
  13. server.ssl.keyAlias=tomcat
  14. # 指定Spring Security请求也需要透过HTTPS签名文件
  15. # security.require-ssl=true

以上配置完成之后我们就可以通过HTTPS来访问我们的Web了。

Ø HTTP自动转向HTTPS

  1.      在安装网站证书后我们需要将所有http的请求自动跳转到https,这样才能让整站证书生效。
  1. import  org.apache.catalina.Context;
  2. import  org.apache.catalina.connector.Connector;
  3. import  org.apache.tomcat.util.descriptor.web.SecurityCollection;
  4. import  org.apache.tomcat.util.descriptor.web.SecurityConstraint;
  5. import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
  6. import  org.springframework.context.annotation.Bean;
  7. import  org.springframework.context.annotation.Configuration;
  9. @Configuration
  10. public class SSLConfig {
  12.      @Bean
  13.      public Connector connector() {
  14.           Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
  15.           connector.setScheme("http");
  16.           connector.setPort(8080);
  17.           connector.setSecure(false);
  18.           connector.setRedirectPort(443);
  19.           return connector;
  20.      }
  22.      @Bean
  23.      public TomcatServletWebServerFactory   tomcatServletWebServerFactory() {
  24.           TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory() {
  26.                @Override
  27.                protected void postProcessContext(Context context) {
  28.                     SecurityConstraint securityConstraint = new SecurityConstraint();
  29.                     securityConstraint.setUserConstraint("CONFIDENTIAL");
  30.                     SecurityCollection collection = new SecurityCollection();
  31.                     collection.addPattern("/*");
  32.                     securityConstraint.addCollection(collection);
  33.                     context.addConstraint(securityConstraint);
  34.                }
  36.           };
  37.           tomcat.addAdditionalTomcatConnectors(connector());
  38.           return tomcat;
  39.      }
  41. }

Ø SpringBoot跨域配置

  1.      WebMvcConfigurer对象配置跨域:
  1. @Bean
  2. public  WebMvcConfigurer corsConfigurer() {
  3.     return new WebMvcConfigurer() {
  5.         @Override
  6.         public void addCorsMappings(CorsRegistry registry) {
  7.             registry.addMapping("/api/**")
  8.                       .allowedOrigins("*")  
  9.                       .allowCredentials(true)
  10.                       .allowedMethods("GET", "POST", "DELETE", "PUT","PATCH")
  11.                       .maxAge(3600);  
  12.         }
  14.     };
  15. }

3. Nginx & SpringBoot & SSL

  1.      此种模式下,SpringBoot不需要做相关配置,仅需要配置Nginx即可。
  1. #user  nobody;
  2. worker_processes    1;
  4. events {
  5.      worker_connections  1024;
  6. }
  8. http {
  9.     include              mime.types;
  10.     default_type         application/octet-stream;
  11.     sendfile             on;
  12.     keepalive_timeout    65;
  14.     # HTTPS   server
  15.     server {
  16.           listen 443 ssl;
  17.           server_name dev.polaris.com;
  18.           ssl on;
  19.           ssl_certificate /usr/local/nginx/key/dev.polaris.com.pem;
  20.           ssl_certificate_key /usr/local/nginx/key/dev.polaris.com.key;
  21.           ssl_session_cache shared:SSL:1m;
  22.           ssl_session_timeout 5m;
  23.           ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
  24.           ssl_ciphers ECDH:AESGCM:HIGH:!RC4:!DH:!MD5:!3DES:!aNULL:!eNULL;
  25.           ssl_prefer_server_ciphers on;
  26.           location / {
  27.               proxy_pass                http://192.168.0.103:9080;
  28.               proxy_redirect            off;     
  29.               proxy_set_header          Host            $http_host;     
  30.               proxy_set_header          X-Real-IP       $remote_addr;     
  31.               proxy_set_header          X-Forwarded-For $proxy_add_x_forwarded_for;     
  32.               proxy_set_header          Cookie          $http_cookie;
  33.               #proxy_cookie_path
  34.               chunked_transfer_encoding off;
  35.           }
  36.     }
  38. }

4. Apache & SSL

  1. 安装ssl模块。

    1. # 查看是否已安装ssl模块
    2. ls /etc/httpd/modules |grep mod_ssl
    3. # 安装ssl模块
    4. yum -y install mod_ssl openssl

  2. 生成并上传证书。

    1. mkdir -p /etc/httpd/cert/CA

  • 生成私钥

    1. (umask 077; openssl genrsa -out /etc/httpd/cert/CA/cakey.pem 4096)

  • 生成自签证书

    1. openssl req -new -x509 -key /etc/httpd/cert/CA/cakey.pem -out /etc/httpd/cert/CA/cacert.pem -days 3655
    2. # -----交互输入-----
    3. Country Name (2 letter code) [XX]:CN
    4. State or Province Name (full name) []:Beijing
    5. Locality Name (eg, city) [Default City]:Beijing
    6. Organization Name (eg, company) [Default Company Ltd]:dev.polaris.com
    7. Organizational Unit Name (eg, section) []:polaris
    8. Common Name (eg, your name or your server's hostname) []:dev.polaris.com
    9. Email Address []:dev@polaris.com

  • CA初始化

    1. touch /etc/httpd/cert/CA/{serial,index.txt}
    2. echo 01 > /etc/httpd/cert/CA/serial
  1. 测试站点准备。

  • 主机名配置

    1. vi /etc/hosts

    内容如下:

    1. 192.168.0.103 dev.polaris.com

  • 模拟网站及内容

    1. mkdir -p /home/wwwroot/dev
    2. echo "dev.polaris.com" > /home/wwwroot/dev/index.html
  1. SSL配置。
    1. mkdir -p /etc/httpd/conf/extra
    2. vi /etc/httpd/conf/extra/httpd-ssl.conf
    内容如下: ```xml

    非默认端口(443),需要配置此处监听端口

    Listen 9443

DocumentRoot “/home/wwwroot/dev” ServerName dev.polaris.com:9443 SSLEngine on SSLCertificateFile /etc/httpd/cert/CA/cacert.pem SSLCertificateKeyFile /etc/httpd/cert/CA/cakey.pem 

  2. 5. 主配置文件更新。
  3. ```bash
  4. vi /etc/httpd/conf/httpd.conf

内容如下:

  1. LoadModule ssl_module modules/mod_ssl.so
  2. Include /etc/httpd/conf/extra/httpd-ssl.conf

  1. 重启生效配置。

    1. systemctl restart httpd

  2. 验证。

    1. curl https://dev.polaris.com:9443

    补充(设置HTTP请求自动跳转HTTPS):

    1. # 在httpd.conf文件中的<VirtualHost *:80> </VirtualHost>中间,添加以下重定向代码
    2. RewriteEngine on
    3. RewriteCond %{SERVER_PORT} !^9443$
    4. # 以下配置如果端口为443,则可以省略“:9443”
    5. RewriteRule ^(.*)$ https://%{SERVER_NAME}:9443$1 [L,R]

    5. IHS & SSL

    IHS版本为:9.0.5.7。

  • 创建目录

    1. mkdir -p /opt/IBM/HTTPServer/ssl/

  • 进入IHS命令执行目录

    1. cd /opt/IBM/HTTPServer/bin

  • 创建CMS密钥库

    1. ./gskcapicmd -keydb -create -db /opt/IBM/HTTPServer/ssl/key.kdb -pw pWd33mypa -type cms -expire 3650 -stash

  • 填充自签证书

    1. ./gskcapicmd -cert -create -db /opt/IBM/HTTPServer/ssl/key.kdb -pw pWd33mypa -dn "cn=polaris.org" -label "myssl" -size 2048 -default_cert yes

  • 查看证书

    1. # 查看CA证书
    2. ./gskcapicmd -cert -list ca -db /opt/IBM/HTTPServer/ssl/key.kdb -pw pWd33mypa -type cms
    3. # 查看所有证书
    4. ./gskcapicmd -cert -list all -db /opt/IBM/HTTPServer/ssl/key.kdb -pw pWd33mypa -type cms

  • 重置证书

    1. ./gskcapicmd -keydb /opt/IBM/HTTPServer/ssl/key.kdb -stashpw -pw pWd33mypa -db /opt/IBM/HTTPServer/ssl/key.kdb

  • IHS配置

    1. vi /opt/IBM/HTTPServer/conf/httpd.conf

    内容如下:

    1. # SSL Config Begin
    2. LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    3. <IfModule mod_ibm_ssl.c>
    4.   Listen 443
    5.   <VirtualHost *:443>
    6.       SSLEnable
    7.   </VirtualHost>
    8. </IfModule>
    9. SSLDisable
    10. KeyFile "/opt/IBM/HTTPServer/ssl/key.kdb"
    11. # SSL Config End

  • IHS操作

    1. cd /opt/IBM/HTTPServer/bin
    2. # 启动Web服务器
    3. ./apachectl start
    4. # 停止Web服务器
    5. ./apachectl stop
    6. # 重启Web服务器
    7. ./apachectl restart

  • 追踪IHS错误日志

    1. tail -f -n200 /opt/IBM/HTTPServer/logs/error_log

    参考

    博客园:主流数字证书都有哪些格式
    https://www.cnblogs.com/lhj588/p/6069873.html
    博客园SpringBoot2.x配置Cors跨域
    https://www.cnblogs.com/anxminise/p/9808279.html
    简书:HTTPS之自签名证书配置
    https://www.jianshu.com/p/01c4f7a7b2c5
    简书:搭建Apache并使用自签证书实现https访问
    https://www.jianshu.com/p/771b5a243215
    IBM:IBM HTTP Server 证书管理
    https://www.ibm.com/docs/zh/was-nd/9.0.5?topic=SSAW57_9.0.5/com.ibm.websphere.ihs.doc/ihs/cihs_certmgmt.html
    CA颁发证书参考

CSDN:SpringBoot2.0配置https访问
https://blog.csdn.net/qq_40715775/article/details/82780881
B站:SSL认证视频参考-阿里云SSL证书上/中/下
https://www.bilibili.com/video/av53590261?from=search&seid=14115886556208614240
B站:SSL认证视频参考-腾讯云免费SSL证书配置
https://www.bilibili.com/video/av43700323?from=search&seid=9870719472163478832
B站:数字签名及数字证书原理
https://www.bilibili.com/video/BV18N411X7ty
B站:240分钟搞懂HTTP和HTTPS协议
https://www.bilibili.com/video/BV1F54y1t7Dx
阿里云:在Apache服务器上安装SSL证书
https://www.alibabacloud.com/help/zh/doc-detail/98727.htm