Shell script for Linux (note that the keytool command on the last line lives in $JAVA_HOME/bin):

# Working directories ("md" is the Windows command; on Linux it is mkdir)
mkdir -p ca client server jks

# 1. CA: private key, CSR, self-signed certificate, PKCS12 bundle
#    (-signkey is correct here: the CA signs itself)
openssl genrsa -out ca/ca-key.pem 2048
openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem
openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 3650
openssl pkcs12 -export -clcerts -in ca/ca-cert.pem -inkey ca/ca-key.pem -out ca/ca.p12

# 2. Server: private key, CSR, certificate signed by the CA key.
#    No -signkey on this line: -signkey self-signs the certificate, and a
#    self-signed server certificate does not chain to the CA in the truststore
#    (newer OpenSSL releases refuse -signkey combined with -CA anyway).
openssl genrsa -out server/server-key.pem 2048
openssl req -new -out server/server-req.csr -key server/server-key.pem
openssl x509 -req -in server/server-req.csr -out server/server-cert.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650
openssl pkcs12 -export -clcerts -in server/server-cert.pem -inkey server/server-key.pem -out server/server.p12

# 3. Client: same procedure; client.p12 is what the browser or client application imports
openssl genrsa -out client/client-key.pem 2048
openssl req -new -out client/client-req.csr -key client/client-key.pem
openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650
openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12

# 4. Import the CA certificate into a JKS truststore (keytool is in $JAVA_HOME/bin)
keytool -keystore jks/truststore.jks -keypass changeit -storepass 123456 -alias ca -import -trustcacerts -file ca/ca-cert.pem
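The following script is an added example and not part of the original post. It shows why the server and client certificates must be signed with the CA key rather than with -signkey: it creates a throwaway CA in a temporary directory, issues one leaf certificate signed by the CA and one self-signed leaf from the same CSR, and checks each against the CA certificate with `openssl verify`, which is the same chain check Tomcat performs against the truststore when clientAuth="true". The subjects (Example Test CA, mtls-test.example, test-client), the directory names and the temporary working directory are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the original post: build a throwaway CA, a CA-signed
# leaf and a self-signed leaf, then check which of them a truststore holding
# only the CA certificate would accept. All names and paths are constructed.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing to do"; exit 0; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# CA: private key plus a self-signed certificate (the one place where
# self-signing with -signkey is correct).
make_ca() {
    mkdir -p "$WORK/ca"
    openssl genrsa -out "$WORK/ca/ca-key.pem" 2048 2>/dev/null
    openssl req -new -batch -subj "/CN=Example Test CA" \
        -key "$WORK/ca/ca-key.pem" -out "$WORK/ca/ca-req.csr"
    openssl x509 -req -in "$WORK/ca/ca-req.csr" -signkey "$WORK/ca/ca-key.pem" \
        -days 365 -out "$WORK/ca/ca-cert.pem" 2>/dev/null
}

# Key and CSR for a leaf (server or client): $1 = directory/name, $2 = CN
make_leaf_request() {
    mkdir -p "$WORK/$1"
    openssl genrsa -out "$WORK/$1/$1-key.pem" 2048 2>/dev/null
    openssl req -new -batch -subj "/CN=$2" \
        -key "$WORK/$1/$1-key.pem" -out "$WORK/$1/$1-req.csr"
}

# Sign the leaf CSR with the CA key: the issuer becomes the CA's subject.
sign_with_ca() {
    openssl x509 -req -in "$WORK/$1/$1-req.csr" \
        -CA "$WORK/ca/ca-cert.pem" -CAkey "$WORK/ca/ca-key.pem" -CAcreateserial \
        -days 365 -out "$WORK/$1/$1-cert.pem" 2>/dev/null
}

# Sign the same CSR with its own key instead (what -signkey does): issuer == subject.
self_sign() {
    openssl x509 -req -in "$WORK/$1/$1-req.csr" -signkey "$WORK/$1/$1-key.pem" \
        -days 365 -out "$WORK/$1/$1-selfsigned.pem" 2>/dev/null
}

# Chain check equivalent to the truststore lookup: exit 0 only if the
# certificate chains to the CA certificate.
trusted_by_ca() {
    openssl verify -CAfile "$WORK/ca/ca-cert.pem" "$1" >/dev/null 2>&1
}

# Print the issuer DN so the difference between the two leaves is visible.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

make_ca
make_leaf_request server "mtls-test.example"
make_leaf_request client "test-client"
sign_with_ca server
sign_with_ca client
self_sign client

for cert in "$WORK/server/server-cert.pem" "$WORK/client/client-cert.pem" \
            "$WORK/client/client-selfsigned.pem"; do
    if trusted_by_ca "$cert"; then verdict=accepted; else verdict=REJECTED; fi
    printf '%-32s %-9s %s\n' "${cert#$WORK/}" "$verdict" "$(issuer_of "$cert")"
done
```

A certificate whose issuer line repeats its own subject was produced with -signkey; a truststore that contains only the CA certificate will never accept it, so an issuer check like the one above is the first thing to run when clientAuth="true" ends in a handshake failure. The script needs only openssl and removes its temporary directory on exit.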
Fragment of server.xml in Tomcat's conf directory:
<Connector SSLEnabled="true" clientAuth="true" maxThreads="150" port="443"
           protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"
           keystoreFile="conf/server.p12" keystorePass="123456" keystoreType="PKCS12"
           truststoreFile="conf/ca.p12" truststorePass="123456" truststoreType="PKCS12" />
Reference articles:
Addendum, 2012.03.29 15:40:
I don't know why, but server.xml configured as described above did not work; it only succeeded after switching the truststore to JKS, as follows:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
           scheme="https" secure="true" clientAuth="true" sslProtocol="TLS"
           keystoreFile="/Applications/tomcat/ssl/server/server.p12" keystorePass="123456" keystoreType="PKCS12"
           truststoreFile="/Applications/tomcat/ssl/jks/truststore.jks" truststorePass="123456" truststoreType="JKS"/>