SpringBoot 配置内部tomcat https双向验证

  1.在 application.properties 或 application.yml 配置文件中加入以下配置(下面以 yml 格式为例):

server:
  port: 8443
  ssl:
    key-store: classpath:xxxx.jks
    # alias of the server key entry inside xxxx.jks
    key-alias: transfer 
    # NOTE: the key-store and trust-store passwords below are stored in plaintext;
    # in a real deployment keep them out of version control (externalized config /
    # environment) and never reuse these sample values.
    key-store-password: 123456
    key-store-type: JKS
    enabled: true
    # The following lines enable mutual TLS (client certificate verification);
    # leave them out if you do not need it.
    trust-store: classpath:truststore.jks
    trust-store-password: 654321
    trust-store-type: JKS
    # need = a client certificate is mandatory (the handshake fails without one);
    # Spring Boot also accepts want / none — see its server.ssl.client-auth docs
    client-auth: need
    trust-store-provider: SUN

  附上用 keytool 生成 jks 及导入证书的一些操作:

# Run these from the JRE's lib/security directory (where the cacerts file lives)

# Generate a self-signed key pair and store it in a JKS keystore
keytool -genkey -alias test -keyalg RSA -keysize 2048 -keystore test.jks

# Export the public certificate from the JKS as a PEM-encoded (-rfc) .cer file
keytool -export -alias test -keystore test.jks -rfc -file test.cer

# Add the self-signed certificate to the JVM's local trust store, otherwise the
# error "unable to find valid certification path to requested target" is thrown.
# NOTE: cacerts is the trust store shared by every application run on this JRE,
# and "changeit" is its well-known default password, so trusting a self-signed
# test certificate here affects all of them. Prefer a dedicated trust store
# (e.g. the truststore.jks referenced by server.ssl.trust-store) where possible.
keytool -import -alias test -keystore cacerts -file test.cer -storepass changeit

# Show the certificate stored under the given alias
keytool -list -alias test -keystore cacerts -storepass changeit

# Remove the certificate stored under the given alias
keytool -delete -alias test -keystore cacerts -storepass changeit

  但是按上述配置启动应用时,却一直报错:`the trustAnchors parameter must be non-empty`

  经排查,问题出在 trust-store 上,可以参考下面这篇解释的文章:

  https://blog.csdn.net/HD243608836/article/details/118555240

  具体的加载逻辑在 JavaKeyStore.class 的 engineLoad(InputStream var1, char[] var2) 方法里(以下为反编译后的代码,变量名为反编译器自动生成):

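// Entry-reading loop excerpted from JavaKeyStore.engineLoad (decompiled output;
// the var* names are decompiler-generated). The variables it uses are declared
// earlier in engineLoad, outside this excerpt; from the calls made on them they
// appear to be: var4 = the keystore input stream (readInt/readUTF/readLong), var12 =
// the number of entries, var11 = presumably the keystore file version, var7 = a
// cache of CertificateFactory keyed by certificate type, var6 = the current
// CertificateFactory, var8 = a scratch ByteArrayInputStream — confirm against the
// full method before relying on this.
for(int var13 = 0; var13 < var12; ++var13) {
    // Every entry starts with a tag: 1 = private-key entry, 2 = trusted-cert entry.
    int var14 = var4.readInt();
    String var15;
    byte[] var23;
    if(var14 != 1) {
        if(var14 != 2) {
            throw new IOException("Unrecognized keystore entry");
        }
        // Tag 2: an entry holding only a certificate (no private key) is loaded as a
        // TrustedCertEntry. NOTE(review): this loop stores both entry kinds in
        // this.entries; which of them the trust manager later turns into trust
        // anchors is decided outside this method — verify before treating a
        // cert-only JKS as the only valid trust-store layout.
        JavaKeyStore.TrustedCertEntry var27 = new JavaKeyStore.TrustedCertEntry();
        var15 = var4.readUTF();                 // alias
        var27.date = new Date(var4.readLong()); // creation date
        if(var11 == 2) {
            // A certificate type string precedes the cert; factories are cached per type.
            String var29 = var4.readUTF();
            if(var7.containsKey(var29)) {
                var6 = (CertificateFactory)var7.get(var29);
            } else {
                var6 = CertificateFactory.getInstance(var29);
                var7.put(var29, var6);
            }
        }

        // Length-prefixed encoded certificate, parsed with the current factory.
        var23 = IOUtils.readFully(var4, var4.readInt(), true);
        var8 = new ByteArrayInputStream(var23);
        var27.cert = var6.generateCertificate(var8);
        var8.close();
        this.entries.put(var15, var27);
    } else {
        // Tag 1: a private-key entry — the still-protected key bytes plus its chain.
        JavaKeyStore.KeyEntry var16 = new JavaKeyStore.KeyEntry();
        var15 = var4.readUTF();                 // alias
        var16.date = new Date(var4.readLong()); // creation date
        var16.protectedPrivKey = IOUtils.readFully(var4, var4.readInt(), true);
        int var17 = var4.readInt();             // number of certificates in the chain
        if(var17 > 0) {
            ArrayList var18 = new ArrayList(var17 > 10?10:var17);

            for(int var19 = 0; var19 < var17; ++var19) {
                if(var11 == 2) {
                    // Same per-type CertificateFactory lookup as in the trusted-cert branch.
                    String var20 = var4.readUTF();
                    if(var7.containsKey(var20)) {
                        var6 = (CertificateFactory)var7.get(var20);
                    } else {
                        var6 = CertificateFactory.getInstance(var20);
                        var7.put(var20, var6);
                    }
                }

                var23 = IOUtils.readFully(var4, var4.readInt(), true);
                var8 = new ByteArrayInputStream(var23);
                var18.add(var6.generateCertificate(var8));
                var8.close();
            }

            var16.chain = (Certificate[])var18.toArray(new Certificate[var17]);
        }

        this.entries.put(var15, var16);
    }
}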

  总体来说,就是 trust-store 只需要包含证书(公钥)信息;而之前配置的 JKS 文件同时含有公钥和私钥,从而导致了上述错误。下面这篇文章讲述了如何生成只含公钥(证书)的 jks:

  http://t.zoukankan.com/Amos-Turing-p-7111499.html

 

posted on 2022-10-25 15:13  zgz2016
