openssl 生成client.jks与server.jks文件的方法

Setting up keystores for a Client and a

Service

Step 1:Creating Certicate Authority Keys

 $ openssl req -x509 -newkey rsa:1024 -keyout

cakey.pem -out cacert.pem -cong openssl.cnf

Step 2:Client and Service Keys

 $ keytool -genkey -alias client -keyalg RSA -keystore client.jks

%%% $ keytool -genkey -alias service -keyalg RSA -keystore service.jks

$ keytool -certreq -keystore service.jks -storepass changeme -alias service -le

service.cert.req

The above command will create the client.cert.req and service.cert.req les which we will

use in the next step to produce X509 certicates signed by the private key of the CA using

'openssl ca' command.

$ openssl ca -cong openssl.cnf -out client.pem -inles client.cert.req

$ openssl ca -cong openssl.cnf -out service.pem -inles service.cert.req

It should be noted that the CA's conguration (openssl.cnf) le is congured to point to the

cakey.pem le as the private key to use. The output produced in the client.pem and

service.pem les are plain text. To import these signed certicates into the keystores we