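rem Builds the Tomcat server certificate chain with keytool and openssl:
rem   1. generate the tomcat_server key pair in server_keystore
rem   2. write a certificate signing request to server.csr
rem   3. sign the request with the local CA via openssl ca
rem   4. replace my_ca_root in the JRE-wide cacerts trust store
rem   5. import the signed server certificate back into server_keystore
rem
rem NOTE(review): every password here is the literal changeit, which is also the
rem well-known default cacerts password, and it is passed on the command line.
rem For anything beyond a local test, use a unique password and drop the
rem -keypass and -storepass options so keytool prompts for them instead.
set JDK_HOME=D:\j2sdk1.4.2_06

rem Generate the key pair.
rem NOTE(review): a 1024-bit RSA key is below current minimum recommendations;
rem use 2048 bits or more if this JDK's keytool accepts it - confirm first.
"%JDK_HOME%\bin\keytool" -genkey -alias tomcat_server -validity 365 -keyalg RSA -keysize 1024 -keypass changeit -storepass changeit -dname "cn=localhost, ou=department, o=company, l=Beijing, st=Beijing, c=CN" -keystore server_keystore

rem Generate the certificate signing request.
rem NOTE(review): MD5withRSA is a broken signature algorithm; prefer a SHA-2
rem based one where the JDK supports it. The digest of the issued certificate
rem is presumably chosen by openssl.cnf, which is not shown here - check it too.
"%JDK_HOME%\bin\keytool" -certreq -alias tomcat_server -sigalg MD5withRSA -file server.csr -keypass changeit -keystore server_keystore -storepass changeit

rem Sign the request with the CA private key.
rem The original line had a stray percent sign in front of server.csr; it only
rem worked because cmd drops an unmatched percent sign in a batch file.
rem NOTE(review): policy_anything lets the CA sign any subject name, so review
rem the request contents before confirming the signature.
openssl ca -in server.csr -config openssl.cnf -policy policy_anything -out server.cer

rem Delete any CA root certificate with the same alias from the JSSE trust store.
rem If the alias is absent keytool reports an error and the script carries on.
"%JDK_HOME%\bin\keytool" -delete -v -storepass changeit -alias my_ca_root -keystore "%JDK_HOME%\jre\lib\security\cacerts"

rem Import the trusted CA root certificate into the default JSSE location.
rem On Windows there are two JREs, one under the JDK directory and one under
rem programe\java, so state explicitly which JSSE trust store is being used.
rem NOTE(review): this changes the JRE-wide trust store, so every Java
rem application run on this JRE will trust certificates issued by my_ca_root.
rem Compare the fingerprint keytool prints with the CA's before accepting it.
"%JDK_HOME%\bin\keytool" -import -v -trustcacerts -storepass changeit -alias my_ca_root -file ca\cacert.cer -keystore "%JDK_HOME%\jre\lib\security\cacerts"
pause

rem Manual step during the pause above: save server.cer in Base64 encoding as
rem server64.cer, then continue.
rem Import the CA-signed server certificate into the keystore.
"%JDK_HOME%\bin\keytool" -import -v -trustcacerts -storepass changeit -alias tomcat_server -file server64.cer -keystore server_keystore
pause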