生成ca证书

# openssl生成自签名ca证书私钥
openssl genrsa -out ca.key 2048

# openssl生成CA公钥/根证书
openssl req -new -x509 -days 7300 -key ca.key -out ca.crt

服务端证书签发请求文件生成

# openssl生成服务端私钥
openssl genrsa -out server.pem 1024
openssl rsa -in server.pem -out server.key

# openssl生成签发请求
openssl req -new -key server.pem -out server.csr

客户端证书签发请求文件生成

# keytool或openssl二选一

# keytool创建JKS秘钥库文件
keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -keypass 123456 -sigalg SHA256withRSA -dname "cn=www.domain.com,ou=IT,o=company,l=Shanghai,st=Shanghai,c=CN,uid=user" -validity 365 -keystore client.jks -storetype JKS -storepass 123456

# keytool创建CSR证书签发请求文件
keytool -certreq -keyalg RSA -alias client -keystore myclient.jks -storetype JKS -storepass 123456 -file client.csr

------------

# openssl生成客户端私钥
openssl genrsa -out client.pem 1024
openssl rsa -in client.pem -out client.key

# openssl生成签发请求
openssl req -new -key client.pem -out client.csr

查看证书请求文件内容

openssl req -text -in server.csr -noout

ca签发服务端证书

openssl x509 -req -sha256 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -out server.crt

ca签发客户端证书

openssl x509 -req -sha256 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -out client.crt

客户端证书crt + ca转jks

# 如果是使用keytool生成的客户端csr,请使用keytool直接导入jks

# ca导入jks
keytool -import -v -trustcacerts -alias ca -file ca.crt -storepass 123456 -keystore client.jks

# 客户端crt导入jks
keytool -import -v -alias client -file client.crt -storepass 123456 -keystore client.jks

------------

# 如果是使用openssl生成的客户端csr,请使用openssl + keytool导入jks

# 客户端crt + 客户端key 先转 p12
openssl pkcs12 -export -in client.crt -inkey cleint.key -out client.p12

# p12 转 jks
keytool -importkeystore -srckeystore client.p12 -srcstoretype PKCS12 -destkeystore client.jks -deststoretype JKS

# ca导入jks
keytool -import -v -trustcacerts -alias ca -file ca.crt -storepass 123456 -keystore client.jks

查看jks证书链

keytool -list -v -keystore client.jks