openssl自签名根证书服务端和客户端证书制作

1.生成CA证书目前不使用第三方权威机构的CA来认证，自己充当CA的角色 
root 
openssl genrsa -out root/root-key.pem 1024      
openssl req -new -out root/root-req.csr -key root/root-key.pem                    pass qazwsx   
openssl x509 -req -in root/root-req.csr -out root/root-cert.pem  -signkey root/root-key.pem -days 3650 
openssl pkcs12 -export -clcerts -in root/root-cert.pem -inkey root/root-key.pem  -out root/root.p12      pass 21313221

2.生成server证书

openssl genrsa -out server/server-key.pem 1024 
openssl req -new -out server/server-req.csr -key server/server-key.pem  pass 123132123
openssl x509 -req -in server/server-req.csr -out server/server-cert.pem  -signkey server/server-key.pem  -CA root/root-cert.pem -CAkey root/root-key.pem  -CAcreateserial -days 3650 
openssl pkcs12 -export -clcerts -in server/server-cert.pem -inkey server/server-key.pem  -out server/server.p12  pass 1231313


3.生成client证书
openssl genrsa -out client/client-key.pem 1024 
openssl req -new -out client/client-req.csr -key client/client-key.pem
openssl x509 -req -in client/client-req.csr -out client/client-cert.pem  -signkey client/client-key.pem -CA root/root-cert.pem -CAkey root/root-key.pem  -CAcreateserial -days 3650 
openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem   -out client/client.p12

4.根据root证书生成jks文件
keytool -import -v -trustcacerts -storepass 123456 -alias root -file root/root-cert.pem -keystore root/root.jks

5.将root.p12，client.p12分别导入到IE中去（打开IE->;Internet选项->内容->证书）
root.p12导入至受信任的根证书颁发机构，client.p12导入至个人


/////////////////////////////////////////////////////////////////////
将 server-cert.pem 修改为  server.cer

keytool -import -alias servercer -keystore client.jks -alias tomcat -file  server-cert.pem   1231321

keytool -genkey -alias websphere -keyalg RSA -keysize 1024 -dname "cn=cn,o=03,ou=0000,l=1000,st=01,c=CN" -validity "1825" -keypass 123456 -keystore ./websphere.jks -storepass 123456

keytool -list -v -keystore D:\client.jks -storepass 6767