Spring Gateway: Adding HTTPS Certificate Verification


Preface

Assume the following:

Domain: bztc.website

Gateway address: bztc.website:10086


1. Obtaining the Certificate

Once the certificate has been issued you will have the following files:

bztc.website.crt

bztc.website.key

2. Converting the Certificate

Convert the pair into a single bztc.website.p12 file.

2.1 Choose a strong password

Make the password as complex as possible; a random one is best:

openssl rand -base64 16
# example output: fD8tYjW7k3K2mN8zT4w0ZA==

2.2 Convert to a .p12 file

Run on the server:

openssl pkcs12 -export \
  -in bztc.website.crt \
  -inkey bztc.website.key \
  -out bztc.website.p12 \
  -name bztc.website \
  -passout pass:fD8tYjW7k3K2mN8zT4w0ZA==

The bztc.website.p12 file is then written to the current directory.
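As an added example (not part of the original post), the following shell script carries out steps 2.1 and 2.2 end to end and adds the two checks worth running before the gateway is restarted: that the private key really belongs to the certificate, and that the resulting keystore opens with the password and carries the expected alias. It passes the password through `-passout env:` rather than `-passout pass:`, so the secret does not end up in shell history or in `ps` output. It assumes OpenSSL is installed; because the CA-issued files are not available offline, it constructs a self-signed bztc.website.crt/.key stand-in in a temporary directory in place of the real ones.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): build the PKCS12 keystore for the
# gateway without putting the password on the command line, then verify that the
# keystore really contains the certificate and a matching private key.
# Assumptions: OpenSSL is installed; the CA-issued bztc.website.crt/.key are
# replaced by a constructed self-signed pair so the script runs offline.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed stand-in for the certificate and key obtained in step 1.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=bztc.website" \
    -addext "subjectAltName=DNS:bztc.website" \
    -keyout "$WORK/bztc.website.key" -out "$WORK/bztc.website.crt" 2>/dev/null
}

# Step 2.1: a random 16-byte password, as in the post.
gen_password() {
  openssl rand -base64 16
}

# Step 2.2: PEM -> PKCS12. `-passout env:P12_PASS` reads the password from the
# environment variable set for this one command only, so it is never an argument.
make_p12() {
  P12_PASS="$1" openssl pkcs12 -export \
    -in "$WORK/bztc.website.crt" \
    -inkey "$WORK/bztc.website.key" \
    -out "$WORK/bztc.website.p12" \
    -name bztc.website \
    -passout env:P12_PASS
}

# Check 1: certificate and private key share the same public key.
key_matches_cert() {
  c=$(openssl x509 -in "$WORK/bztc.website.crt" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$WORK/bztc.website.key" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# Check 2: the keystore opens with the given password and the certificate bag
# carries the alias and subject the gateway will present. This mirrors what
# Spring does at startup with server.ssl.key-store / key-store-password.
p12_ok() {
  out=$(P12_PASS="$1" openssl pkcs12 -in "$WORK/bztc.website.p12" -nokeys -clcerts \
        -passin env:P12_PASS 2>/dev/null) || return 1
  printf '%s\n' "$out" | grep -q "friendlyName: bztc.website" || return 1
  printf '%s\n' "$out" | openssl x509 -noout -subject | grep -q "CN *= *bztc.website"
}

# Demo run: constructed cert -> keystore -> both checks.
make_test_cert
KEYSTORE_PASSWORD=$(gen_password)
make_p12 "$KEYSTORE_PASSWORD"
key_matches_cert || { echo "private key does not match certificate" >&2; exit 1; }
p12_ok "$KEYSTORE_PASSWORD" || { echo "keystore cannot be opened or lacks alias" >&2; exit 1; }
echo "keystore ready: $WORK/bztc.website.p12"
```

On the Spring side the same idea applies: writing `key-store-password: ${KEYSTORE_PASSWORD}` in the yaml and supplying the variable from the service's environment (systemd unit, container secret) keeps the keystore password out of the configuration file and the repository, while the gateway still reads the .p12 exactly as in section 3.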

3. Configuring the Gateway

Add the following to the gateway's yaml configuration:

server:
  ssl:
    key-store: /root/bztc-gateway/cert/bztc.website.p12
    key-store-password: fD8tYjW7k3K2mN8zT4w0ZA==
    key-store-type: PKCS12
spring:
  cloud:
    # gateway configuration
    gateway:
      # microservice name configuration
      discovery:
        locator:
          enabled: true # when true, the request path may be prefixed with the microservice name (enables service discovery)
          lower-case-service-id: true # treat the service name in the request path as lower case
      globalcors:
        corsConfigurations:
          '[/**]':
            allowedOrigins:
              - "https://bztc.website"
            allowedMethods:
              - GET
              - POST
            allowedHeaders:
              - "*"
            allowCredentials: true

4. Restart the Gateway

5. Verify

Run:

openssl s_client -connect bztc.website:10086

The output should look like this:

CONNECTED(00000003)
depth=3 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=2 C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication Root R46
verify return:1
depth=1 C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication CA DV R36
verify return:1
depth=0 CN = bztc.website
verify return:1
---
Certificate chain
 0 s:CN = bztc.website
   i:C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication CA DV R36
 1 s:C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication CA DV R36
   i:C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication Root R46
 2 s:C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication Root R46
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGhTCCBO2gAwIBAgIQDuUsPcCGslpPkloIAE4f3zANBgkqhkiG9w0BAQsFADBg
..................................................................
MxQfDEuUqQf7FuhtEvxdLAW4exUecNZM+eOIMpWs0Jv51w53AL3e+Ts=
-----END CERTIFICATE-----
subject=CN = bztc.website

issuer=C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication CA DV R36

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5548 bytes and written 394 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    ..............................................................................................................................................................................................................................
    00c0 - ef 43 fb cf 65 ff f3 65-c3 4b 67 c9 06 91 1f 6d   .C..e..e.Kg....m
    00d0 - 20 18 4c 1c 1b 20 0d 78-51 c0 ef 01 cc be a0 1f    .L.. .xQ.......
    00e0 - ab 8e b9 20 1b 55 1b 86-80 ea da 73 19 be ee 8c   ... .U.....s....

    Start Time: 1752073620
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    ..........................................................................................................................................................................................
    00c0 - e5 d8 24 15 be b7 8d 36-97 fb a5 7f 05 71 65 6c   ..$....6.....qel
    00d0 - 1b 1c ac 1a 2f 93 10 d6-09 c9 a9 d0 09 db 49 25   ..../.........I%
    00e0 - d6 bc a3 19 6d 39 1e fd-45 42 bf 22 78 ed cd 00   ....m9..EB."x...

    Start Time: 1752073620
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

Finally, make sure the gateway's endpoints are still reachable.
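The `s_client` output above is long, and a plain `-connect` check neither sends SNI nor verifies that the certificate name matches the host, so a chain that verifies against a wrong name still reports success. As an added example (not part of the original post), the script below runs the same probe with `-servername`, `-verify_hostname` and `-verify_return_error`, and reduces a transcript to a pass/fail decision on the markers that matter: `Verify return code: 0 (ok)`, a leaf subject matching the gateway's name, and TLS 1.2 or 1.3. The two transcripts at the bottom are constructed samples (the first trimmed from the output shown above, the second written to resemble a self-signed deployment) so the check can run offline; `probe_gateway` is the only part that needs the live gateway.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): verify the gateway's TLS setup from
# an s_client transcript. Sample transcripts are constructed so this runs offline.
set -eu

# Live probe (needs network and the running gateway). -servername sends SNI so a
# host serving several names returns the right certificate; -verify_hostname makes
# OpenSSL check the name, which plain `s_client -connect` does not; and
# -verify_return_error turns a chain that fails to verify into a failed handshake.
probe_gateway() {
  host="$1"; port="$2"
  openssl s_client -connect "$host:$port" -servername "$host" \
    -verify_hostname "$host" -verify_return_error </dev/null 2>&1
}

# Read an s_client transcript from stdin and return 0 only if the chain verified,
# the leaf subject is the expected host, a modern protocol was negotiated, and no
# "verify error:" line appeared along the way.
tls_output_ok() {
  host="$1"
  esc=$(printf '%s' "$host" | sed 's/\./\\./g')   # literal dots in the grep pattern
  transcript=$(cat)
  printf '%s\n' "$transcript" | grep -q "^Verify return code: 0 (ok)" || return 1
  printf '%s\n' "$transcript" | grep -q "^subject=.*CN *= *$esc\$" || return 1
  printf '%s\n' "$transcript" | grep -Eq "^New, TLSv1\.[23]," || return 1
  ! printf '%s\n' "$transcript" | grep -q "^verify error:"
}

# Constructed sample: the healthy case, trimmed from the transcript in the post.
sample_ok() {
cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = bztc.website
verify return:1
---
subject=CN = bztc.website
issuer=C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication CA DV R36
---
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 0 (ok)
EOF
}

# Constructed sample: what a gateway still serving a self-signed certificate
# looks like; the chain does not verify and s_client says so twice.
sample_selfsigned() {
cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = bztc.website
verify error:num=18:self-signed certificate
verify return:1
---
subject=CN = bztc.website
issuer=CN = bztc.website
---
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 18 (self-signed certificate)
EOF
}

# Demo: evaluate both samples. Against the real deployment, use:
#   probe_gateway bztc.website 10086 | tls_output_ok bztc.website
if sample_ok | tls_output_ok bztc.website; then
  echo "sample 1: chain verified, name matches, TLS 1.3"
fi
if ! sample_selfsigned | tls_output_ok bztc.website; then
  echo "sample 2: rejected (self-signed certificate)"
fi
```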


Summary

Adding HTTPS certificate verification to a Spring Gateway.
