Prerequisite: nginx as the server, Java httpclient as the client
Nginx must be built with the SSL module added:
./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-openssl=/usr/local/openssl
At this point you may also need to resolve a problem with the OpenSSL path when running make; for reference:
http://blog.csdn.net/u013091013/article/details/53640318
************************************ Commands start **************************************************
=======================================================
===================== Generate Nginx Certificate ===================
=======================================================
===================== Root Certificate ====================
1) Create the root certificate private key
openssl genrsa -out root-key.key 1024
2) Create the root certificate request file
openssl req -new -out root-req.csr -key root-key.key
3) Self-sign the root certificate
openssl x509 -req -in root-req.csr -out root-cert.cer -signkey root-key.key -CAcreateserial -days 730
===================== Server ====================
4) Generate the server-side key
openssl genrsa -out server-key.key 1024
5) Generate the server-side request file
openssl req -new -out server-req.csr -key server-key.key
6) Generate the server-side certificate
openssl x509 -req -in server-req.csr -out server-cert.cer -CA root-cert.cer -CAkey root-key.key -CAcreateserial -days 730
===================== Client ====================
7) Generate the client key
openssl genrsa -out client-key.key 1024
8) Generate the client request file
openssl req -new -out client-req.csr -key client-key.key
9) Generate the client certificate (the root certificate, root key, client key and client request file, 4 items, produce the client certificate)
openssl x509 -req -in client-req.csr -out client-cert.cer -CA root-cert.cer -CAkey root-key.key -CAcreateserial -days 730
10) Generate the client certificate in P12 format
openssl pkcs12 -export -clcerts -in client-cert.cer -inkey client-key.key -out client.p12
Password: client123456
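
A non-interactive run of steps 1-10 with checks added, as an example that is not part of the original page: it builds the chain in a scratch directory, then confirms that both certificates chain to the root, that the client key matches its certificate and that client.p12 opens with its password. The subject names, root-ext.cnf (which marks the root as a CA), the 2048-bit key size (the page's commands use 1024) and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Subject names, root-ext.cnf and
# the function names are assumptions made for illustration.
BITS=2048   # assumption: the page's commands use 1024; 2048 is used here

# Steps 4-9: key, request and root-signed certificate for one party.
issue_leaf() {  # $1 = file prefix, $2 = common name
  openssl genrsa -out "$1-key.key" "$BITS" 2>/dev/null &&
  openssl req -new -key "$1-key.key" -out "$1-req.csr" -subj "/CN=$2" &&
  openssl x509 -req -in "$1-req.csr" -out "$1-cert.cer" -CA root-cert.cer \
    -CAkey root-key.key -CAcreateserial -days 730 2>/dev/null
}

# Steps 1-10 inside directory $1 (runs in a subshell, so the caller's cwd is kept).
build_chain() (
  cd "$1" || exit 1
  # Assumption: mark the root as a CA explicitly so verifiers accept it as issuer.
  printf 'basicConstraints=critical,CA:TRUE\n' > root-ext.cnf
  openssl genrsa -out root-key.key "$BITS" 2>/dev/null &&
  openssl req -new -key root-key.key -out root-req.csr -subj "/CN=Example Root CA" &&
  openssl x509 -req -in root-req.csr -out root-cert.cer -signkey root-key.key \
    -extfile root-ext.cnf -days 730 2>/dev/null &&
  issue_leaf server server.example.test &&
  issue_leaf client example-client &&
  openssl pkcs12 -export -clcerts -in client-cert.cer -inkey client-key.key \
    -out client.p12 -passout pass:client123456
)

# True only if certificate $2 chains to root-cert.cer (both in directory $1).
chains_to_root() {
  openssl verify -CAfile "$1/root-cert.cer" "$1/$2" >/dev/null 2>&1
}

# True only if certificate $2 and private key $3 in directory $1 are a pair.
key_matches_cert() {
  [ "$(openssl x509 -in "$1/$2" -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in "$1/$3" -pubout | openssl sha256)" ]
}

# True only if client.p12 in $1 opens with password $2 and holds a certificate.
p12_has_cert() {
  openssl pkcs12 -in "$1/client.p12" -passin "pass:$2" -nokeys 2>/dev/null |
    grep -q 'BEGIN CERTIFICATE'
}

dir=$(mktemp -d) && build_chain "$dir"
for c in server-cert.cer client-cert.cer; do
  chains_to_root "$dir" "$c" && echo "$c: chains to root" || echo "$c: NOT trusted"
done
```

A certificate issued by a different root fails chains_to_root even when that root carries the same subject name, because the signature is checked against the key in root-cert.cer.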
=======================================================
===================== Generate Tomcat Certificate ====================
=== tomcat-root.truststore and tomcat-server.p12 ===
=======================================================
=====================ca====================
1) Generate the truststore JKS file root.truststore from the CA certificate
This step is needed only for two-way authentication; one-way authentication does not need it.
keytool -keystore tomcat-root.truststore -keypass root123456 -storepass root123456 -alias ca -import -trustcacerts -file root-cert.cer
Password: root123456
===================== Server ====================
1. Export the .p12 file server.p12
(at the command prompts, enter the server.key password and create the p12 password)
openssl pkcs12 -export -in server-cert.cer -inkey server-key.key -out tomcat-server.p12 -name "server"
Password: server123456
2. Import the .p12 file into the keystore JKS file server.keystore
(here the server123456 after -srcstorepass is the server.p12 password, and the server123456 after -deststorepass is the keystore password)
keytool -importkeystore -v -srckeystore tomcat-server.p12 -srcstoretype pkcs12 -srcstorepass server123456 -destkeystore tomcat-server.keystore -deststoretype jks -deststorepass server123456
Password: server123456
=======================================================
================ Java HTTP client ====================
=======================================================
keytool -import -v -alias trustsrv -file root-cert.cer -keystore trustsrv.jks -storepass trust123456
Keystore: client.p12; truststore: trustsrv.jks
************************************* Commands end **************************************************
Reference: http://blog.csdn.net/qq315737546/article/details/52864220
https://www.jianshu.com/p/045f95c008a0