Please credit the source when reposting. Thanks. http://blog.youkuaiyun.com/mrshelly and http://www.mrshelly.com
===CA section===
*Private key
openssl genrsa -des3 -out ca/ca-key.pem 1024
*Certificate request (CSR)
openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem -config ./openssl.cnf
*X.509 certificate
openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 3650
*Revoking a certificate
openssl ca -revoke client/client-cert.crt -config ./openssl.cnf
openssl ca -gencrl -out ca/ca-cert.crl -config ./openssl.cnf
===Server certificate section===
*Private key
openssl genrsa -des3 -out server/server-key.pem 1024
*Private key for Windows (32-bit) support (passphrase removed)
openssl rsa -in server/server-key.pem -out server/server-key-w32.pem
*Certificate request (CSR)
openssl req -new -key server/server-key.pem -out server/server-req.csr -config ./openssl.cnf
*Server certificate
openssl ca -policy policy_anything -in server/server-req.csr -cert ca/ca-cert.pem -keyfile ca/ca-key.pem -out server/server-cert.pem -days 3650 -config ./openssl.cnf
====Apache SSL====
*Required files
**server-cert.pem
**server-key-w32.pem
**ca-cert.pem
*Configuration
**SSLCertificateFile: path to the server certificate
**SSLCertificateKeyFile: server private key (the Windows 32-bit version)
**SSLCertificateChainFile: path to the CA certificate
**SSLVerifyClient require: whether to require mutual (client certificate) authentication
**SSLRequire ( ... ): client certificate filtering
*Running
Apache -D SSL
====Tomcat SSL====
*Required files
**server_keystore
keytool -genkey -alias ERP -validity 3650 -keyalg RSA -keysize 1024 -keypass changeit -storepass changeit -dname "Subject" -keystore server/server_keystore
keytool -certreq -alias ERP -sigalg MD5withRSA -file server/server-req.csr -keypass changeit -keystore server/server_keystore -storepass changeit
**cacerts
keytool -import -v -trustcacerts -storepass Helloechange1301 -alias CA -file ca/ca-cert.pem -keystore server/cacerts
*Configuration
**Point the Connector element in Tomcat's conf/server.xml at the server_keystore file via its keystoreFile and keystorePass attributes
**Place the cacerts file under %JRE_HOME%/lib/security
**Other SSL-related settings in server.xml
*Running
Restart Tomcat for the changes to take effect
===Client certificate section===
*Private key
openssl genrsa -des3 -out client/client-key.pem 1024
*Certificate request (CSR)
openssl req -new -key client/client-key.pem -out client/client-req.csr -config ./openssl.cnf
*Personal (client) certificate, signed by the CA (no -signkey: that would self-sign the CSR instead of having the CA sign it)
openssl x509 -req -in client/client-req.csr -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650 -out client/client-cert.crt
*Personal certificate (PKCS#12 format)
openssl pkcs12 -export -clcerts -in client/client-cert.crt -inkey client/client-key.pem -out client/client-p12.p12
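Added example, my own rather than the post's commands: a script that builds a throwaway CA the same way the post does (CA, then CSR, then CA-signed leaf) and uses `openssl verify` to confirm that the server and client certificates chain to the CA, which is what SSLVerifyClient checks, while a certificate produced with a bare -signkey does not. It assumes openssl on PATH and a temporary directory in place of the post's ca/, server/ and client/ paths; the config it writes is a minimal stand-in for the post's ./openssl.cnf.

```shell
# Added example, not from the original post. Assumptions: openssl on PATH,
# files go to a temp dir (override with PKI=...) instead of ./ca, ./server.
set -eu
PKI="${PKI:-$(mktemp -d)}"
# Minimal stand-in for the post's ./openssl.cnf: just enough for `req`.
write_cnf() {
    cat > "$PKI/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = Demo Private CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
}
# Self-signed CA; -nodes leaves the key unencrypted so this runs unattended.
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$PKI/ca-key.pem" -out "$PKI/ca-cert.pem" \
        -config "$PKI/openssl.cnf" >/dev/null 2>&1
}
# Leaf for $1 (server or client): CSR, then x509 -req with -CA/-CAkey only.
# Adding -signkey here would self-sign the CSR instead of CA-signing it.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$PKI/$1-key.pem" -out "$PKI/$1-req.csr" \
        -config "$PKI/openssl.cnf" >/dev/null 2>&1
    openssl x509 -req -in "$PKI/$1-req.csr" -CA "$PKI/ca-cert.pem" \
        -CAkey "$PKI/ca-key.pem" -CAcreateserial -days 365 \
        -out "$PKI/$1-cert.pem" >/dev/null 2>&1
}
# What a bare -signkey yields: a self-signed cert that will not chain to the CA.
self_sign() {
    openssl x509 -req -in "$PKI/$1-req.csr" -signkey "$PKI/$1-key.pem" \
        -days 365 -out "$PKI/$1-selfsigned.pem" >/dev/null 2>&1
}
# Returns 0 only if the cert chains to ca-cert.pem (the SSLCertificateChainFile role).
verify_chain() { openssl verify -CAfile "$PKI/ca-cert.pem" "$1" >/dev/null 2>&1; }

write_cnf; make_ca; issue server; issue client; self_sign client
verify_chain "$PKI/server-cert.pem" && echo "server-cert.pem: OK"
verify_chain "$PKI/client-cert.pem" && echo "client-cert.pem: OK"
verify_chain "$PKI/client-selfsigned.pem" || echo "client-selfsigned.pem: rejected"
```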