
Configuring HTTPS on Tomcat 8.5

Date: 2019-04-15 15:13:15

I. Generate a digital certificate with the tool bundled with the JDK

On Windows:

keytool -genkey -v -alias tomcat -keyalg RSA -keystore C:\apache-tomcat-8.5.31\conf\key\tomcat.keystore -validity 36500

On CentOS:

keytool -genkey -v -alias tomcat -keyalg RSA -keystore /usr/local/apache-tomcat-8.5.31/conf/key/tomcat.keystore -validity 36500

Interactive prompts during generation:

Enter keystore password:  
Re-enter new password: 
What is your first and last name?
  [Unknown]:  localhost
What is the name of your organizational unit?
  [Unknown]:  localhost
What is the name of your organization?
  [Unknown]:  localhost       
What is the name of your City or Locality?
  [Unknown]:  shenzhen
What is the name of your State or Province?
  [Unknown]:  guangdong
What is the two-letter country code for this unit?
  [Unknown]:  CN
Is CN=localhost, OU=localhost, O=localhost, L=shenzhen, ST=guangdong, C=CN correct?
  [no]:  y

Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 36,500 days
    for: CN=localhost, OU=localhost, O=localhost, L=shenzhen, ST=guangdong, C=CN
Enter key password for <tomcat>
    (RETURN if same as keystore password):  
Re-enter new password: 
[Storing /usr/local/src/cert/tomcat.keystore]

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /usr/local/src/cert/tomcat.keystore -destkeystore /usr/local/src/cert/tomcat.keystore -deststoretype pkcs12".

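Explanation of selected command parameters:

C:\apache-tomcat-8.5.31\conf\key\tomcat.keystore: the path of the file written when the digital certificate is generated

36500: the validity period, 36500 days; the default is 90 days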

II. Configure Tomcat's server.xml

1. Comment out the port 8080 connector (optional; if you leave it uncommented, the site can also be reached over HTTP on port 8080)

<!--<Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />-->

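2. Uncomment the port 8443 connector and change it to port 443 (so the site can be accessed without a port number in the URL). Note: the HTTPS port is 8443; it can be changed to another port. Then set the generated certificate and its password with keystoreFile="C:\apache-tomcat-8.5.31\conf\key\tomcat.keystore" keystorePass="123456"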

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true"
           keystoreFile="C:\apache-tomcat-8.5.31\conf\key\tomcat.keystore" keystorePass="123456"
           >
    <!--<SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                     type="RSA" />
    </SSLHostConfig>-->
</Connector>

Note:
On Tomcat 8.0, server.xml differs from the Tomcat 8.5 one, so the Tomcat 8.0 server.xml should be changed like this:

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/usr/local/tomcat/conf/server.keystore"
keystorePass="123456" />



keystoreFile="D:\soft\apache-tomcat-8.0.47-9200\conf\key\tomcat.keystore"

keystorePass="tomcat123"; this is the password entered when the certificate was generated.

![](https://s1.51cto.com/images/blog/201904/15/515b036ad2ea49d1dc40d3095148edf8.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)

3. Change port 8443 to 443

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

Change it to:

<Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
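
A check for the connector changes in steps 1 to 3, as an added example that is not part of the original post: it parses server.xml and reports redirectPort values that do not point at a TLS connector, HTTP connectors left enabled, and weak keystore passwords. The sample XML is constructed from the snippets above; the password denylist and the 12-character minimum are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: this page's connectors after step 2 but before step 3.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
  <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             maxThreads="150" SSLEnabled="true"
             keystoreFile="conf/key/tomcat.keystore" keystorePass="123456" />
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</Service></Server>"""

# Assumptions for this example: a short denylist and a minimum length.
WEAK_PASSWORDS = {"123456", "changeit", "password", "tomcat", "tomcat123"}
MIN_PASSWORD_LENGTH = 12


def audit_connectors(server_xml):
    """Return sorted (port, finding) tuples for the active <Connector> elements."""
    # Commented-out connectors are skipped: the parser drops XML comments.
    connectors = list(ET.fromstring(server_xml).iter("Connector"))
    tls_ports = {c.get("port") for c in connectors
                 if c.get("SSLEnabled", "false").lower() == "true"}
    findings = []
    for c in connectors:
        port = c.get("port")
        is_tls = c.get("SSLEnabled", "false").lower() == "true"
        is_ajp = c.get("protocol", "HTTP/1.1").upper().startswith("AJP")
        redirect = c.get("redirectPort")
        if not is_tls and redirect and redirect not in tls_ports:
            findings.append((port, "redirectPort %s does not match a TLS connector" % redirect))
        if not is_tls and not is_ajp:
            findings.append((port, "plain HTTP connector is still enabled"))
        if is_tls:
            # Tomcat 8.5 also accepts the password on a nested <Certificate>.
            password = c.get("keystorePass")
            for cert in c.iter("Certificate"):
                password = password or cert.get("certificateKeystorePassword")
            password = password or "changeit"  # Tomcat's default when unset
            if password in WEAK_PASSWORDS or len(password) < MIN_PASSWORD_LENGTH:
                findings.append((port, "weak or default keystore password in server.xml"))
    return sorted(findings, key=lambda f: (int(f[0] or 0), f[1]))


if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML):
        print("port %s: %s" % (port, finding))
```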

III. Access the site: open https://localhost/ or https://192.168.0.116

![](https://s1.51cto.com/images/blog/201904/15/1794907d7a024ee173723a045de7c915.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)


Original: https://blog.51cto.com/chenshengsheng/2378792
