SSL certificates generated with the keytool utility that ships with the JDK are not signed by a third-party CA, so browsers show a warning when you open a local project over HTTPS. For convenient debugging you can instead use the mkcert tool, which generates SSL certificates that are trusted locally.
Project page: mkcert
Installing mkcert
Reference: documentation
Usage
$ mkcert --help
Usage of mkcert:
$ mkcert -install
Install the local CA in the system trust store.
$ mkcert example.org
Generate "example.org.pem" and "example.org-key.pem".
$ mkcert example.com myapp.dev localhost 127.0.0.1 ::1
Generate "example.com+4.pem" and "example.com+4-key.pem".
$ mkcert "*.example.it"
Generate "_wildcard.example.it.pem" and "_wildcard.example.it-key.pem".
$ mkcert -uninstall
Uninstall the local CA (but do not delete it).
Advanced options:
-cert-file FILE, -key-file FILE, -p12-file FILE
Customize the output paths.
-client
Generate a certificate for client authentication.
-ecdsa
Generate a certificate with an ECDSA key.
-pkcs12
Generate a ".p12" PKCS #12 file, also know as a ".pfx" file,
containing certificate and key for legacy applications.
-csr CSR
Generate a certificate based on the supplied CSR. Conflicts with
all other flags and arguments except -install and -cert-file.
-CAROOT
Print the CA certificate and key storage location.
$CAROOT (environment variable)
Set the CA certificate and key storage location. (This allows
maintaining multiple local CAs in parallel.)
$TRUST_STORES (environment variable)
A comma-separated list of trust stores to install the local
root CA into. Options are: "system", "java" and "nss" (includes
Firefox). Autodetected by default.
Generating a certificate that the local machine recognizes as Secure with mkcert
$ mkcert -install
Created a new local CA at "/Users/filippo/Library/Application Support/mkcert" 💥
The local CA is now installed in the system trust store! ⚡️
The local CA is now installed in the Firefox trust store (requires browser restart)! 🦊
$ mkcert example.com "*.example.com" example.test localhost 127.0.0.1 ::1
Using the local CA at "/Users/filippo/Library/Application Support/mkcert" ✨
Created a new certificate valid for the following names 📜
- "example.com"
- "*.example.com"
- "example.test"
- "localhost"
- "127.0.0.1"
- "::1"
The certificate is at "./example.com+5.pem" and the key at "./example.com+5-key.pem" ✅
Add the -pkcs12 flag to generate a PKCS#12 file
$ mkcert -p12-file keystore.p12 -pkcs12 example.com "*.example.com" example.test localhost 127.0.0.1 ::1
Using the local CA at "/Users/filippo/Library/Application Support/mkcert" ✨
Created a new certificate valid for the following names 📜
- "example.com"
- "*.example.com"
- "example.test"
- "localhost"
- "127.0.0.1"
- "::1"
The PKCS#12 bundle is at "keystore.p12" ✅
The legacy PKCS#12 encryption password is the often hardcoded default "changeit" ℹ️
The default settings are alias=1 and password=changeit. Change them with keytool:
$ keytool -changealias -alias 1 -destalias tomcat -keystore keystore.p12
Enter keystore password:
$ keytool -storepasswd -new password -keystore keystore.p12
Enter keystore password:
Convert the PKCS#12 file into a JKS KeyStore with keytool
$ keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -srcalias 1 -destkeystore ./keystore.jks -deststoretype jks -deststorepass password -destalias tomcat
Importing keystore keystore.p12 to ./keystore.jks...
Enter source keystore password:
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore ./keystore.jks -destkeystore ./keystore.jks -deststoretype pkcs12".
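Before wiring the converted store into a Java project, it is worth checking that the steps above actually took effect. The following is an added example (not part of the original post or of mkcert/keytool) that opens the keystore from Java, confirms the mkcert default password "changeit" is rejected, verifies a private-key entry exists under the alias tomcat, and lists the DNS and IP subject alternative names the certificate covers. It assumes the file name keystore.jks, the store password "password" and the alias tomcat used on this page; the key-store type is detected automatically, so the same class works for keystore.p12.

```java
import java.io.File;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
public class KeystoreCheck {
    /** True if the store (JKS or PKCS#12, type auto-detected) opens with this password. */
    static boolean opensWith(File store, char[] password) throws IOException, GeneralSecurityException {
        try {
            KeyStore.getInstance(store, password);
            return true;
        } catch (IOException e) {
            // JKS and PKCS#12 both report a wrong password as an IOException caused by UnrecoverableKeyException.
            if (e.getCause() instanceof UnrecoverableKeyException) return false;
            throw e;
        }
    }

    /** DNS (type 2) and IP (type 7) subject alternative names of the certificate under alias. */
    static List<String> subjectAltNames(KeyStore ks, String alias) throws GeneralSecurityException {
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        if (cert == null) throw new IllegalArgumentException("no certificate under alias " + alias);
        cert.checkValidity(); // throws if the certificate is expired or not yet valid
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) { // each entry is [type, value]
                int type = (Integer) san.get(0);
                if (type == 2 || type == 7) names.add((String) san.get(1));
            }
        }
        return names;
    }

    public static void main(String[] args) throws Exception {
        // Defaults follow the page: keystore.jks, store password "password", alias "tomcat" (assumptions).
        File store = new File(args.length > 0 ? args[0] : "keystore.jks");
        char[] password = (args.length > 1 ? args[1] : "password").toCharArray();
        if (opensWith(store, "changeit".toCharArray()))
            throw new IllegalStateException("keystore still opens with the mkcert default \"changeit\"");
        KeyStore ks = KeyStore.getInstance(store, password);
        if (!ks.isKeyEntry("tomcat")) throw new IllegalStateException("no private key under alias \"tomcat\"");
        System.out.println("OK: " + ks.getType() + " keystore, alias tomcat covers " + subjectAltNames(ks, "tomcat"));
    }
}
```

Note that isKeyEntry does not exercise the key-entry password, which a JKS store keeps separately from the store password; call ks.getKey("tomcat", keyPassword) to confirm that one as well.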
Chrome now opens the site without a warning.