Generating certificates for SSL mutual authentication (client certificates) with keytool and Portecle, and configuring them in Android and Spring Boot

Spring Boot version: 2.1.9.RELEASE
Portecle download: https://pan.baidu.com/s/1UL6SX1utsZg-Vc6QYtyK9A  extraction code: 0tmg (the upstream project itself is hosted at portecle.sourceforge.net)

The script is as follows. The password 123456 must be changed, the dname must be changed, and the alias can be changed as needed. Every certificate here is self-signed with a ten-year validity (-validity 3650), and each side trusts the other's certificate directly rather than a CA, so rotating either certificate means re-importing it on the other side. If the Android client is to keep hostname verification switched on (recommended), give the server certificate a subject alternative name for the address the client actually dials, for example by adding -ext SAN=ip:127.0.0.1,ip:10.0.2.2 to step 1:

# 1. Generate the server key store (private key + self-signed certificate)
keytool -validity 3650 -genkeypair -v -alias server -keyalg RSA -keystore server.keystore -dname "CN=127.0.0.1,OU=V,O=V,L=FZ,ST=FJ,C=CN" -storepass 123456 -keypass 123456
# 2. Generate the client key store
keytool -validity 3650 -genkeypair -v -alias client -keyalg RSA -keystore client.keystore -dname "CN=client,OU=V,O=V,L=FZ,ST=FJ,C=CN" -storepass 123456 -keypass 123456
# 3. Export the client certificate from the client key store (PEM; the private key stays in the store)
keytool -export -v -alias client -keystore client.keystore -storepass 123456 -rfc -file client.cer
# 4. Export the server certificate from the server key store
keytool -export -v -alias server -keystore server.keystore -storepass 123456 -rfc -file server.cer
# 5. Build the client trust store (holds the server certificate; this is what makes the client accept the server)
keytool -import -v -alias server -file server.cer -keystore client.truststore -storepass 123456
# 6. Import the client certificate into the server key store (optional: the Spring Boot config below uses the separate trust store from step 7 instead)
keytool -import -v -alias client -file client.cer -keystore server.keystore -storepass 123456
# 7. Build the server trust store (holds the client certificate; this is what makes the server accept the client)
keytool -import -v -alias client -file client.cer -keystore server.truststore -storepass 123456
# 8. Import the server certificate into the client key store (optional: the Android config below uses the trust store from step 5 instead)
keytool -import -v -alias server -file server.cer -keystore client.keystore -storepass 123456
# 9. List every entry in the server key store
keytool -list -keystore server.keystore -storepass 123456
# 10. List every entry in the client key store
keytool -list -keystore client.keystore -storepass 123456

# The following are used by Spring Boot: copy the server key entry and the server trust store into PKCS12 files.
# keytool prompts for the source and destination store passwords. On JDK 9+ keytool already writes PKCS12 by default;
# -srcstoretype jks still reads such a file because the JKS implementation also understands PKCS12.
keytool -importkeystore -srckeystore server.keystore -destkeystore server.p12 -srcalias server -destalias server -srcstoretype jks -deststoretype pkcs12 -noprompt

keytool -importkeystore -srckeystore server.truststore -destkeystore server_truststore.p12 -srcalias client -destalias server_truststore -srcstoretype jks -deststoretype pkcs12 -noprompt
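Before wiring the stores into Spring Boot and Android it pays to check, without any server running, that each side's private-key entry is readable and that the other side's trust store holds exactly that certificate; a mismatch here is the usual cause of a failed handshake once client-auth: need is on. The program below is an added example and not part of the original post. It assumes the file names, aliases and the 123456 password from the script above (client.p12 is produced in the Android section further down) and is run from the directory the script was executed in.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;

/** Consistency check for the key stores and trust stores produced by the keytool script (added example). */
public class KeyStoreCheck {

    static KeyStore load(String path, String type, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** A store that carries our own identity must hold a private key under the expected alias. */
    static X509Certificate requireKeyEntry(KeyStore ks, String alias, char[] password)
            throws GeneralSecurityException {
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException("no private key under alias '" + alias + "'");
        }
        ks.getKey(alias, password);   // throws UnrecoverableKeyException if the key password is wrong
        return (X509Certificate) ks.getCertificate(alias);
    }

    /** The peer's trust store must contain the very certificate the peer will be shown (byte-for-byte). */
    static void requireTrusted(KeyStore trustStore, X509Certificate presented)
            throws GeneralSecurityException {
        for (String alias : Collections.list(trustStore.aliases())) {
            Certificate trusted = trustStore.getCertificate(alias);
            if (trusted != null && Arrays.equals(trusted.getEncoded(), presented.getEncoded())) {
                return;
            }
        }
        throw new IllegalStateException("trust store does not contain " + presented.getSubjectX500Principal());
    }

    /** Hostname verification passes only if the address the client dials appears in the SAN extension. */
    static List<String> sanEntries(X509Certificate cert) throws GeneralSecurityException {
        List<String> out = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();   // null when the extension is absent
        if (sans != null) {
            for (List<?> entry : sans) {
                out.add(String.valueOf(entry.get(1)));   // entry.get(0) is the name type (2 = DNS, 7 = IP)
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "123456".toCharArray();   // the script's default password (assumption: unchanged)

        KeyStore server      = load("server.p12", "PKCS12", pw);
        KeyStore serverTrust = load("server_truststore.p12", "PKCS12", pw);
        KeyStore client      = load("client.p12", "PKCS12", pw);
        // client.truststore is whatever keytool wrote (JKS on JDK 8, PKCS12 on JDK 9+); the default type reads both
        KeyStore clientTrust = load("client.truststore", KeyStore.getDefaultType(), pw);

        X509Certificate serverCert = requireKeyEntry(server, "server", pw);
        X509Certificate clientCert = requireKeyEntry(client, "client", pw);

        requireTrusted(serverTrust, clientCert);   // the server will accept this client
        requireTrusted(clientTrust, serverCert);   // the client will accept this server

        List<String> sans = sanEntries(serverCert);
        System.out.println("server certificate SAN entries: " + sans);
        if (!sans.contains("10.0.2.2")) {
            System.out.println("WARNING: no SAN for 10.0.2.2; an Android emulator client with hostname "
                    + "verification enabled will reject this server certificate");
        }
        System.out.println("key stores and trust stores are consistent");
    }
}
```

Run it with `java KeyStoreCheck.java` (JDK 11+) in the script's directory. With the step-1 command exactly as written above the server certificate has no SAN extension, so the warning is printed; it disappears once the -ext SAN=... option is added.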

The Spring Boot application.yml configuration is as follows (excerpt). client-auth: need makes Tomcat abort the TLS handshake unless the client presents a certificate that chains to an entry in server_truststore.p12; with want the handshake also succeeds without a certificate and the application has to check for one itself.

server:
  port: 8443
  http:
    port: 8082
  ssl:
    key-store: classpath:server.p12
    key-alias: server
    key-store-type: PKCS12
    key-store-password: 123456

    trust-store: classpath:server_truststore.p12
    trust-store-password: 123456
    client-auth: need
    trust-store-type: PKCS12
  ...

Some code has to be added to WebConfig to serve plain HTTP as well (server.http.port above is not a Spring Boot property; it is a custom key read by the @Value below). Note that everything served on that HTTP port is reachable without any client certificate, so either limit the HTTP connector to redirecting to HTTPS or bind it to the loopback interface; otherwise the mutual-TLS requirement on 8443 is simply bypassed on 8082.

import org.apache.catalina.connector.Connector;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.servlet.server.ServletWebServerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class WebConfig {

    // Serve both HTTP and HTTPS ---start---
    @Value("${server.http.port}")
    private int httpPort;

    @Bean
    public ServletWebServerFactory servletContainer() {
        TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory();
        tomcat.addAdditionalTomcatConnectors(createStandardConnector()); // add the plain-HTTP connector
        return tomcat;
    }

    // Plain HTTP on server.http.port. Requests arriving here carry no client certificate,
    // so the client-auth: need requirement only protects the HTTPS connector on server.port.
    private Connector createStandardConnector() {
        Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        connector.setPort(httpPort);
        return connector;
    }
    // Serve both HTTP and HTTPS ---end---
}
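Once client-auth: need is in place the application usually wants to know which client connected. Tomcat stores the verified client chain in the request attribute javax.servlet.request.X509Certificate (a Servlet-spec attribute, so no Tomcat-specific API is needed). The controller below is an added example, not code from the original post: it serves the /getAppList path that the Android code further down calls, and returns a constructed response map rather than the author's AppListBean, which is not shown on the page.

```java
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

/** Reads the client certificate that Tomcat verified during the TLS handshake (added example). */
@RestController
public class AppListController {

    /** Standard servlet attribute under which the container exposes the client's certificate chain. */
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @GetMapping("/getAppList")
    public Map<String, Object> getAppList(HttpServletRequest request) {
        X509Certificate[] chain = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        if (chain == null || chain.length == 0) {
            // Only reachable over the plain-HTTP connector from WebConfig, or with client-auth: want.
            // With client-auth: need on the HTTPS connector Tomcat has already rejected the handshake.
            throw new ResponseStatusException(HttpStatus.UNAUTHORIZED, "client certificate required");
        }
        X509Certificate clientCert = chain[0];   // chain[0] is the leaf the client presented
        // With the script's client key pair this is "CN=client,OU=V,O=V,L=FZ,ST=FJ,C=CN"
        String subject = clientCert.getSubjectX500Principal().getName();

        Map<String, Object> body = new LinkedHashMap<>();
        body.put("client", subject);
        body.put("serial", clientCert.getSerialNumber().toString(16));
        body.put("appList", Arrays.asList("demo-app-1", "demo-app-2"));   // constructed sample payload
        return body;
    }
}
```

Echoing the subject is only a demonstration; for authorization compare the subject DN, or better the certificate's fingerprint, against an allow-list, or let Spring Security's X.509 pre-authentication filter map the CN to a user. The null branch is one more reason to keep the plain-HTTP connector away from anything sensitive.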
# The following is for nginx (client.p12 is produced from client.keystore in the Android section below)
openssl pkcs12 -clcerts -nokeys -out client_cert.pem -in client.p12
openssl pkcs12 -nocerts -out key.pem -in client.p12
# key.pem is written as a passphrase-protected PKCS#8 key, and neither Apache nor nginx can use it as-is: Apache fails at
# start-up with "missing or encrypted private key?", and nginx asks for the passphrase on every restart and otherwise fails with
# cannot load certificate key "/etc/nginx/cert/client_key.pem": PEM_read_bio_PrivateKey() failed (SSL: error:0906406D:PEM routines:PEM_def_callback:problems getting password error:0907B068:PEM routines:PEM_READ_BIO_PRIVATEKEY:bad password read).
# The openssl rsa step below removes the passphrase and writes the key in traditional PKCS#1 form, which both servers load without
# prompting (an unencrypted PKCS#8 key, e.g. from openssl pkcs12 -nocerts -nodes, works just as well; the encryption, not the
# PKCS#8 wrapping, is what breaks the load). The result is a private key protected only by file permissions: chmod 600 it, own it
# by the nginx user, and keep it out of version control.
openssl rsa -in key.pem -out client_key.pem
cat client_cert.pem client_key.pem > client.pem

# The following is for Android and for the local browser; for Android the PKCS12 file is then converted to BKS with Portecle
keytool -importkeystore -srckeystore client.keystore -destkeystore client.p12 -srcalias client -destalias client -srcstoretype jks -deststoretype pkcs12 -noprompt

The generated client.p12 can be double-clicked and imported into the system certificate store so that HTTPS access can be tested from the browser.
Run portecle.jar, open client.p12, choose Tools -> Change Keystore Type -> BKS, then close and save it as client.bks.
Run portecle.jar, open client.truststore, choose Tools -> Change Keystore Type -> BKS, then close and save it as ca.bks.
Android needs the following added to build.gradle:

//retrofit
    implementation "com.squareup.retrofit2:retrofit:2.3.0"
    implementation "com.squareup.retrofit2:converter-scalars:2.3.0"
    implementation "com.squareup.retrofit2:converter-gson:2.3.0"
    implementation "com.squareup.okhttp3:logging-interceptor:3.8.1"

Then, in Android Studio's Android view, put client.bks and ca.bks under assets. Anything shipped in assets, including the key store and the password in the code, can be extracted from the APK, so the client certificate identifies the app build, not a user.
The code is as follows, using Retrofit2:

import okhttp3.OkHttpClient;
import okhttp3.logging.HttpLoggingInterceptor;
import retrofit2.Call;
import retrofit2.Callback;
import retrofit2.Response;
import retrofit2.Retrofit;
import retrofit2.converter.gson.GsonConverterFactory;
import retrofit2.http.GET;

    // Retrofit service: GET <baseUrl>getAppList, deserialised into the author's AppListBean (class not shown on this page)
    public interface GetAppList {
        @GET("getAppList")
        Call<AppListBean> get();
    }

    // The statements below run inside an Activity method ("this" is the Context used to read the assets)
            // logging interceptor; level BODY prints full request and response bodies, so do not ship it in release builds
            HttpLoggingInterceptor interceptor = new HttpLoggingInterceptor();
            interceptor.setLevel(HttpLoggingInterceptor.Level.BODY);
            // create the OkHttp client; SSLHelper and HttpsUtil are the author's helper classes (not shown on this page)
            OkHttpClient httpClient = new OkHttpClient.Builder()
                    .addInterceptor(interceptor)
                    // WARNING: UnSafeTrustManager accepts any server certificate, so ca.bks is never actually enforced
                    // here and an attacker's certificate is accepted as readily as the real server's
                    .sslSocketFactory(SSLHelper.getSSLCertifcation(this), new HttpsUtil.UnSafeTrustManager())
                    // hostname verification skipped because there is no domain name yet (the server certificate carries
                    // no name for 10.0.2.2); this removes a second check that the TLS connection depends on
                    .hostnameVerifier(new HttpsUtil.UnSafeHostnameVerifier())
                    .build();
            // create Retrofit; 10.0.2.2 is the emulator's alias for the development machine
            String baseUrl = "https://10.0.2.2:8443/";
            Retrofit retrofit = new Retrofit.Builder()
                    .baseUrl(baseUrl)
                    .client(httpClient)
                    .addConverterFactory(GsonConverterFactory.create())
                    .build();

            // create an instance of the request interface
            GetAppList request = retrofit.create(GetAppList.class);
            // build the call (no parameters)
            Call<AppListBean> call = request.get();
            // asynchronous request
            call.enqueue(new Callback<AppListBean>() {
                @Override
                public void onResponse(Call<AppListBean> call, Response<AppListBean> response) {
                    System.out.println("response.toString():" + response.toString());
                }
                @Override
                public void onFailure(Call<AppListBean> call, Throwable t) {
                    t.printStackTrace();
                }
            });
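The UnSafeTrustManager and UnSafeHostnameVerifier above make the connection accept any server, which undoes the server half of the mutual authentication the key stores were built for. The class below is an added example (not the original post's SSLHelper or HttpsUtil) that builds an OkHttp client which presents client.bks as its identity and trusts only the certificate in ca.bks, with hostname verification left switched on. Store types, passwords and asset names are assumptions taken from the steps above: on Android call it with getAssets().open("client.bks") and getAssets().open("ca.bks") and type "BKS"; on a plain JVM test client pass FileInputStreams for client.p12 (type "PKCS12") and client.truststore (type "JKS"), which also works because the same helper handles either.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import okhttp3.OkHttpClient;

/** OkHttp client for mutual TLS: client key store for identity, explicit trust store for the server (added example). */
public final class MutualTlsClient {

    private MutualTlsClient() {}

    public static OkHttpClient build(InputStream keyStoreIn, String keyStoreType, char[] keyStorePassword,
                                     InputStream trustStoreIn, String trustStoreType, char[] trustStorePassword)
            throws Exception {
        // Client identity: the private key and certificate stored under alias "client"
        KeyStore keyStore = KeyStore.getInstance(keyStoreType);     // "BKS" on Android, "PKCS12" on a JVM
        keyStore.load(keyStoreIn, keyStorePassword);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyStorePassword);

        // Trust anchors: only what was imported into the trust store; the device's system CAs are NOT consulted,
        // so a certificate issued by any public CA is rejected for this connection
        KeyStore trustStore = KeyStore.getInstance(trustStoreType);
        trustStore.load(trustStoreIn, trustStorePassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        X509TrustManager trustManager = pickX509(tmf.getTrustManagers());

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), new TrustManager[] { trustManager }, new SecureRandom());

        // OkHttp requires the same X509TrustManager that backs the socket factory. No hostnameVerifier override:
        // the default verifier stays active, so the server certificate must carry a SAN for the host or IP dialed.
        return new OkHttpClient.Builder()
                .sslSocketFactory(ctx.getSocketFactory(), trustManager)
                .build();
    }

    private static X509TrustManager pickX509(TrustManager[] managers) {
        for (TrustManager tm : managers) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("trust store yielded no X509TrustManager");
    }
}
```

In the Activity code above, replace the sslSocketFactory and hostnameVerifier lines by `MutualTlsClient.build(getAssets().open("client.bks"), "BKS", pw, getAssets().open("ca.bks"), "BKS", pw).newBuilder().addInterceptor(interceptor).build()`. Because hostname verification is on, the server certificate generated in step 1 (CN=127.0.0.1, no SAN) is rejected when dialing 10.0.2.2; regenerate it with the SAN option mentioned under the script rather than relaxing the verifier. If KeyStore.load throws an IOException on older Android versions, the stores were saved in the newer BKS format; saving them from Portecle as BKS-V1 instead avoids that.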

The following articles were consulted, with thanks:
http://www.itdecent.cn/p/661c0459b375
https://blog.csdn.net/anshi4203351518/article/details/101966682
https://www.cnblogs.com/nhdlb/archive/2004/01/13/12258225.html
https://blog.csdn.net/huweijian5/article/details/79365439
https://blog.csdn.net/mingjie1212/article/details/51908174
https://blog.csdn.net/lhc_makefunny/article/details/89528517
https://blog.csdn.net/qq_39403545/article/details/88832473
https://blog.csdn.net/weixin_41917987/article/details/80988197

© Copyright belongs to the author; contact the author for reprints or content cooperation.
Platform statement: the article (including any images or video) was uploaded and published by the author and represents the author's views only; Jianshu (簡書) is an information publishing platform that provides storage services only.
