
Wednesday, February 4, 2015

Enabling HTTPS with an OpenSSL CA

Create the CA private key (this key signs every certificate the CA issues; keep it on the CA machine only)
D:\EclipseAndroid\Web>openssl genrsa -out cakey.pem 2048
View the public key
D:\EclipseAndroid\Web>openssl rsa -in cakey.pem -pubout -text
Generate the self-signed CA certificate. openssl req and openssl ca read their settings from openssl.cnf, and the GnuWin32 build does not locate it on its own, so point OPENSSL_CONF at it first:
D:\EclipseAndroid\Web>set OPENSSL_CONF=c:\Program Files (x86)\GnuWin32\share\openssl.cnf
D:\EclipseAndroid\Web>openssl req -new -x509 -key cakey.pem -out cacert.pem -days 3650
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:Taiwan
Locality Name (eg, city) []:Taichung
Organization Name (eg, company) [Internet Widgits Pty Ltd]:R&D
Organizational Unit Name (eg, section) []:Mark Chen
Common Name (eg, YOUR name) []:Mark Chen
Email Address []:ingrenn@yahoo.com.tw
openssl ca expects the directory layout defined in the [CA_default] section of openssl.cnf: dir=./demoCA, the database in index.txt, the next serial number in serial, issued certificates in newcerts, the CA key in private/cakey.pem and the CA certificate in cacert.pem. Create that layout:
D:\EclipseAndroid\Web>mkdir demoCA
D:\EclipseAndroid\Web>mkdir demoCA\private
D:\EclipseAndroid\Web>mkdir demoCA\newcerts
Create an empty text file named index.txt in demoCA
Create a text file named serial in demoCA containing "00" (the value is read as hex; make sure the editor does not save it as serial.txt)
D:\EclipseAndroid\Web>copy cakey.pem demoCA\private
D:\EclipseAndroid\Web>copy cacert.pem demoCA
Create the private key for Tomcat. The post uses 1024-bit RSA; that is below what current browsers and CA policies accept, so use 2048 bits for anything other than a throwaway local test:
D:\EclipseAndroid\Web>openssl genrsa -out tomcat.key 1024
Generate the certificate signing request (CSR) for Tomcat
D:\EclipseAndroid\Web>openssl req -new -key tomcat.key -out tomcat.csr
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:Taiwan
Locality Name (eg, city) []:Taichung
Organization Name (eg, company) [Internet Widgits Pty Ltd]:R&D
Organizational Unit Name (eg, section) []:Mark Chen
Common Name (eg, YOUR name) []:localhost   (localhost because the server runs on this machine; for a real deployment enter the hostname clients will connect to, e.g. www.domain.com)
Email Address []:ingrenn@localhost

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:   (leave this blank; the author found that setting it makes the signing step fail)
An optional company name []:
Sign the CSR with the CA. The default policy_match in openssl.cnf requires the CSR's Country, State and Organization to be identical to the CA's, which is why the same values were entered twice above. Note that -days 3655 is longer than the CA certificate's own 3650 days; a server certificate should not outlive its issuer, so use a shorter value:
D:\EclipseAndroid\Web>openssl ca -in tomcat.csr -out tomcat.crt -days 3655
Bundle the certificate and private key into a PKCS#12 keystore for Tomcat:
D:\EclipseAndroid\Web>openssl pkcs12 -export -in tomcat.crt -inkey tomcat.key -out tomcat.p12
Loading 'screen' into random state - done
Enter Export Password:   (this password goes into keystorePass in Tomcat's server.xml)
Verifying - Enter Export Password:
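The whole procedure above as one script, added here as an example (it is not the post's own command log). It follows the same steps with the same demoCA layout, but with the settings today's clients insist on: 2048-bit keys, SHA-256, CA:TRUE on the CA certificate, and a subjectAltName on the server certificate, since browsers match the hostname against the SAN and ignore a bare CN. The output directory (./pki-demo), the hostname (localhost), the PKCS#12 password (changeit, which must equal keystorePass in server.xml), the CA's CN and the 825-day server certificate lifetime are assumptions; the subject fields are the ones typed in the post.

```shell
#!/usr/bin/env bash
# Added example, not the blog post's commands: the OpenSSL CA procedure as a
# script. Assumed: output dir, hostname, PKCS#12 password "changeit", CA CN.
set -eu

# build_pki <out-dir> <hostname> [p12-password]
# Creates the demoCA layout "openssl ca" expects, the CA key/certificate,
# the server key/CSR/certificate, tomcat.p12 and a DER copy of the CA cert.
build_pki() {
  local out=$1 host=$2 pass=${3:-changeit}
  mkdir -p "$out/demoCA/private" "$out/demoCA/newcerts"
  ( cd "$out"
    # Minimal openssl.cnf; $dir is expanded by OpenSSL, not the shell.
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = ./demoCA
database        = $dir/index.txt
serial          = $dir/serial
new_certs_dir   = $dir/newcerts
certificate     = $dir/cacert.pem
private_key     = $dir/private/cakey.pem
default_md      = sha256
default_days    = 825
policy          = policy_loose
unique_subject  = no
[ policy_loose ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
C  = TW
ST = Taiwan
L  = Taichung
O  = R&D
CN = Local test CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
    # The SAN is what browsers check the hostname against; CN alone is ignored.
    printf 'subjectAltName = DNS:%s, IP:127.0.0.1\n' "$host" >> ca.cnf

    # demoCA bookkeeping files (the post creates these by hand).
    : > demoCA/index.txt
    echo 01 > demoCA/serial

    # CA key and self-signed CA certificate (10 years, as in the post).
    openssl genrsa -out demoCA/private/cakey.pem 2048 2>/dev/null
    openssl req -new -x509 -config ca.cnf -key demoCA/private/cakey.pem \
      -days 3650 -out demoCA/cacert.pem

    # Server key and CSR; the subject mirrors the values typed in the post.
    openssl genrsa -out tomcat.key 2048 2>/dev/null
    openssl req -new -config ca.cnf -key tomcat.key \
      -subj "/C=TW/ST=Taiwan/L=Taichung/O=R&D/CN=$host" -out tomcat.csr

    # Sign with the CA; -days must stay below the CA certificate's lifetime.
    openssl ca -config ca.cnf -batch -notext -extensions server_ext \
      -days 825 -in tomcat.csr -out tomcat.crt 2>/dev/null

    # PKCS#12 for Tomcat, with the CA included so the full chain is served;
    # the password must equal keystorePass in server.xml.
    openssl pkcs12 -export -name tomcat -in tomcat.crt -inkey tomcat.key \
      -certfile demoCA/cacert.pem -passout "pass:$pass" -out tomcat.p12

    # DER copy of the CA certificate for the IE / Android import steps.
    openssl x509 -in demoCA/cacert.pem -outform DER -out cacert.cer
  )
}

# verify_pki <out-dir> [p12-password]
# Checks to run before touching Tomcat: the chain verifies against the CA,
# the CA really is a CA, the SAN is present, and the .p12 opens.
verify_pki() {
  local out=$1 pass=${2:-changeit}
  openssl verify -CAfile "$out/demoCA/cacert.pem" "$out/tomcat.crt" >/dev/null &&
  openssl x509 -in "$out/demoCA/cacert.pem" -noout -text | grep -q 'CA:TRUE' &&
  openssl x509 -in "$out/tomcat.crt" -noout -text | grep -q 'DNS:' &&
  openssl pkcs12 -in "$out/tomcat.p12" -passin "pass:$pass" -nokeys -noout >/dev/null 2>&1
}

build_pki "${1:-./pki-demo}" "${2:-localhost}"
verify_pki "${1:-./pki-demo}" && echo "PKI in ${1:-./pki-demo} verified"
```

Run it as `bash make-pki.sh ./pki localhost`, then point keystoreFile at ./pki/tomcat.p12 and import ./pki/cacert.cer on the clients. Because the signing goes through openssl ca, the script also leaves the database and serial files updated, exactly as the manual steps would. If an older JDK refuses to open the .p12, that is because OpenSSL 3 changed the default PKCS#12 encryption; its pkcs12 command has a -legacy option for that case.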

In Tomcat's server.xml, add an HTTPS connector (Tomcat 7 syntax; Tomcat 8.5 and later prefer the nested <SSLHostConfig><Certificate> elements, but still accept these attributes). keystorePass must be the export password given to openssl pkcs12; since it is stored in clear text, restrict read access to server.xml and the .p12 file to the account Tomcat runs as.
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
  maxThreads="150" scheme="https" secure="true"
  clientAuth="false" sslProtocol="TLS"
  keystoreFile="D:\EclipseAndroid\Web\tomcat.p12"
  keystoreType="pkcs12" keystorePass="changit"
/>


In IE: Internet Options / Content / Certificates / Trusted Root Certification Authorities / Import cacert.pem. Import only the CA certificate (cacert.pem), never cakey.pem: anyone holding the CA private key can issue certificates that every client trusting this CA will accept.

To redirect HTTP to HTTPS automatically, add the following inside <web-app> in web.xml. A CONFIDENTIAL transport-guarantee makes Tomcat answer a plain-HTTP request for a matching URL with a redirect to the port named in the HTTP connector's redirectPort attribute (8443 in the stock server.xml), so that attribute must point at the HTTPS connector above. The more specific url-patterns in the second constraint take precedence over /*. Note that the redirect only moves the session to HTTPS; the first request itself still travels in the clear.
<!-- Require HTTPS for everything except *.ico, /img/* and /css/*. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HTTPSOnly</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HTTPSOrHTTP</web-resource-name>
    <url-pattern>*.ico</url-pattern>
    <url-pattern>/img/*</url-pattern>
    <url-pattern>/css/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>


Installing the CA certificate on Android
1. copy cacert.pem cacert.cer   (the CA certificate, not cakey.pem: that file is the CA private key and must never leave the CA machine; if your Android version rejects the PEM file, convert it to DER first)
2. Put cacert.cer in /storage/sdcard0/Download
3. Settings / Security / Install from phone storage
A CA installed this way is trusted by the browser, but apps targeting Android 7.0 (API 24) or later do not trust user-added CAs unless their network security configuration says so.

