ref
http://blog.csdn.net/jasonhwang/article/details/2344768
http://blog.csdn.net/jasonhwang/article/details/2413310
1. mkdir
mkdir ca cd ca mkdir certs mkdir private touch index.txt echo 01 > serial
vi /etc/ssl/openssl.cnf , set dir = ca
2. rand file
openssl rand -out private/.rand 1000
3. root ca
openssl genrsa -aes256 -out private/ca.key.pem 2048 openssl req -new -key private/ca.key.pem -out private/ca.csr -subj "/C=CN/ST=BJ/L=BJ/O=iam/OU=iam/CN=*.iam.com" openssl x509 -req -days 10000 -sha1 -extensions v3_ca -signkey private/ca.key.pem -in private/ca.csr -out certs/ca.cer openssl pkcs12 -export -cacerts -inkey private/ca.key.pem -in certs/ca.cer -out certs/ca.p12
4. server ca
openssl genrsa -aes256 -out private/server.key.pem 2048 openssl req -new -key private/server.key.pem -out private/server.csr -subj "/C=CN/ST=BJ/L=BJ/O=iam/OU=iam/CN=www.iam.com" openssl x509 -req -days 3650 -sha1 -extensions v3_req -CA certs/ca.cer -CAkey private/ca.key.pem -CAserial ca.srl -CAcreateserial -in private/server.csr -out certs/server.cer openssl pkcs12 -export -clcerts -inkey private/server.key.pem -in certs/server.cer -out certs/server.p12
5. client ca
openssl genrsa -aes256 -out private/client.key.pem 2048 openssl req -new -key private/client.key.pem -out private/client.csr -subj "/C=CN/ST=BJ/L=BJ/O=iam/OU=iam/CN=iam" openssl ca -days 3650 -in private/client.csr -out certs/client.cer -cert certs/ca.cer -keyfile private/ca.key.pem openssl pkcs12 -export -clcerts -inkey private/client.key.pem -in certs/client.cer -out certs/client.p12
6. tomcat config
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="true" sslProtocol="TLS" keystoreFile="ca/certs/server.p12" keystorePass="123456" keystoreType="PKCS12" truststoreFile="ca/openssl/ca/certs/ca.p12" truststorePass="123456" truststoreType="PKCS12" />