echo 生成CA证书
openssl genrsa -out root/root-key.pem 1024
openssl req -new -out root/root-req.csr -key root/root-key.pem -config openssl.cnf
CN
BEIJING
beijing
testCA
testorg
tester
tester@testorg.com
111111
.
openssl x509 -req -in root/root-req.csr -out root/root-cert.pem -signkey root/root-key.pem -days 3650
openssl pkcs12 -export -clcerts -in root/root-cert.pem -inkey root/root-key.pem -out root/root.p12
echo 生成server证书
openssl genrsa -out server/server-key.pem 1024
openssl req -new -out server/server-req.csr -key server/server-key.pem -config openssl.cnf
CN
BEIJING
beijing
myserver
testorg
myserver
myserver@testorg.com
111111
.
openssl x509 -req -in server/server-req.csr -out server/server-cert.pem -signkey server/server-key.pem -CA root/root-cert.pem -CAkey root/root-key.pem -CAcreateserial -days 3650
openssl pkcs12 -export -clcerts -in server/server-cert.pem -inkey server/server-key.pem -out server/server.p12
echo 生成client证书
openssl genrsa -out client/client-key.pem 1024
openssl req -new -out client/client-req.csr -key client/client-key.pem -config openssl.cnf
CN
BEIJING
beijing
mycompany
testorg
tester
tester@testorg.com
111111
.
openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -signkey client/client-key.pem -CA root/root-cert.pem -CAkey root/root-key.pem -CAcreateserial -days 3650
openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12
echo 根据root证书生成jks文件
cd root
keytool -import -v -trustcacerts -storepass password -alias root -file root-cert.pem -keystore root.jks
yes
cd ..
tomcat 配置
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12" keystoreFile="c://server.p12" keystorePass="111111"
truststorefile="c://root.jks"
truststoretype="JKS" truststorepass="password"/>
注意"keystoreType"大小写错误时会有问题,会直接到用户目录下找.keystore文件,晕倒了