26uuu久久噜噜噜噜,欧美日韩高清在线观看,视频在线观看你懂的

用Keytool和OpenSSL生成和签发数字证�?�?(�?

zhb8015 — Tue, 24 Apr 2012 06:44:00 GMT

original:http://hi.baidu.com/yangxinglouis/blog/item/7095d455ae59eac2b745ae8f.html

�?a >http://www.cjsdn.net/post/view?bid=6&id=27468&sty=1&tpg=1&age=0看到一��比较好的文章，虽然讲的�q�是Tomcat 4�Q�但里面把SSL工作原理讲得很清楚，�怿�读者再�l�合我们上一��文�?用Keytool和OpenSSL生成和签发数字证�?能够很好的掌握证书方面的知识�?/p>

配置Tomcat 4使用SSL
-----------------------
内容�Q?
1�Q�Tomcat��?
2�Q�SSL(Server Socket Layer)��?
3�Q�SSL工作原理
4�Q�配�|�Tomcat 4.x 使用SSL
5�Q�结�?/p>

----------------------

目前介绍配置Tomcat 4使用单向SSL认证(只验证服务器证书)的资料很多，�q�程也比较简单。但是由于配�|�其使用双向SSL认证(�q�需要验证客��L��个�h证书)除了需要CA对证书签名外�Q�还要从CA获得个�h证书。有兌��一问题�Q�目前结合具体web服务器来讲解如何操作的资料很��。作者通过摸烦借助一些SSL工具在本地实��C��单的CA功能�Q��ƈ在此基础上配�|�成功了Tomcat的双向认证，希望能把其中的一些经验与大家�׃�n。不�q�受本�h水��^所限，文中隑օ�会有错误与不当之处，敬请大家谅解�?
1�Q�Tomcat��?
Tomcat是Apache Jakarta的子��目之一�Q�作��Z��个优�U�的开源web应用服务器，全面支持jsp1.2以及servlet2.3规范。因其技术先�q�、性能�E�_��Q�而且免费�Q�因而深受Java爱好者的喜爱�q�得��C��部分软�g开发商的认可，成�ؓ目前比较��行的web应用服务器�?/p>

2�Q�SSL(Server Socket Layer)��?
在网�l�上信息在源-宿的传递过�E�中会经�q�其它的计算机。一般情况下�Q�中间的计算��Z��会监听�\�q�的信息。但在��用网上银行或者进行信用卡交易的时候有可能被监视，从而导致个人隐�U�的泄露。由于Internet和Intranet体系�l�构的原因，��L��某些��够读取�ƈ替换用户发出的信息。随着�|�上支付的不断发展，��Z��对信息安全的要求��来��高。因此Netscape公司提出了SSL协议�Q�旨在达到在开攄��l?Internet)上安全保密地传输信息的目的，�q�种协议在WEB上获得了�q�泛的应用�?之后IETF(www.ietf.org)对SSL作了标准化，即RFC2246�Q��ƈ��其�U�CؓTLS�Q�Transport Layer Security�Q�，从技术上�Ԍ��TLS1.0与SSL3.0的差别非常微��?/p>

3�Q�SSL工作原理
SSL协议使用不对�U�加密技术实��C��话双方之间信息的安全传递。可以实��C��息传递的保密性、完整性，�q�且会话双方能鉴别对方��n份。不同于常用的http协议�Q�我们在与网站徏立SSL安全�q�接时��用https协议�Q�即采用https://ip:port/的方式来讉K��。当我们与一个网站徏立https�q�接�Ӟ��我们的浏览器与Web Server之间要经�q�一个握手的�q�程来完成��n份鉴定与密钥交换�Q�从而徏立安全连接。具体过�E�如下：

用户��览器将其SSL版本受��加密设�|�参数、与session有关的数据以及其它一些必要信息发送到服务器�?
服务器将其SSL版本受��加密设�|�参数、与session有关的数据以及其它一些必要信息发送给��览器，同时发给��览器的�q�有服务器的证书。如果配�|�服务器的SSL需要验证用戯��n份，�q�要发出��h��要求��览器提供用戯��书�?
客户端检查服务器证书�Q�如果检查失败，提示不能建立SSL�q�接。如果成功，那么�l�箋。客��L��览器�ؓ本次会话生成pre-master secret�Q��ƈ��其用服务器公钥加密后发送给服务器。如果服务器要求鉴别客户�w�䆾�Q�客��L��q�要再对另外一些数据签名后�q�将其与客户端证书一起发送给服务器�?
如果服务器要求鉴别客戯��n份，则检查签�|�客戯��书的CA是否可信。如果不在信��d��表中�Q�结束本�ơ会话。如果检查通过�Q�服务器用自��q��U�钥解密收到的pre-master secret�Q��ƈ用它通过某些��法生成本次会话的master secret�?
客户端与服务器均使用此master secret生成本次会话的会话密�?对称密钥)。在双方SSL握手�l�束后传递�Q何消息均使用此会话密钥。这样做的主要原因是对称加密比非对称加密的运��量低一个数量��以上�Q�能够显著提高双方会话时的运��速度�?
客户端通知服务器此后发送的消息都��用这个会话密钥进行加密。�ƈ通知服务器客��L��已经完成本次SSL握手�?
服务器通知客户端此后发送的消息都��用这个会话密钥进行加密。�ƈ通知客户端服务器已经完成本次SSL握手�?
本次握手�q�程�l�束�Q�会话已�l�徏立。双方��用同一个会话密钥分别对发送以及接受的信息�q�行加、解密�?/p>

4�Q�配�|�Tomcat 4.x 使用SSL

4.1 用到的��Y件包

Tomcat 4.0.2
用途：Web Server�?
下蝲�Q?http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.3/bin/
JSSE 1.0,2
用途：用来产生Tocmcat使用的秘钥对(keystore)�?
下蝲�Q?http://java.sun.com/products/jsse/
Openssl 0.9.9.6
用途：用来产生CA证书、签名�ƈ生成IE可导入的PKCS#12格式�U�钥�?
下蝲�Q?http://www.openssl.org/
以上工具的安装过�E�可以参考自带的帮助�Q�本文就不再详细描述了�?/p>

4.2 建立自己的CA

4.2.1 建立工作目录
mkdir ca

4.2.2 生成CA�U�钥以及自签名根证书
4.2.2.1 生成CA�U�钥
openssl genrsa -out ca\ca-key.pem 1024

4.2.2.2 生成待签名证�?
openssl req -new -out ca\ca-req.csr -key ca\ca-key.pem

4.2.2.3 用CA�U�钥�q�行自签�?
openssl x509 -req -in ca\ca-req.csr -out ca\ca-cert.pem -signkey ca\ca-key.pem -days 365

4.3 讄��Tomcat 4.x
在本文中用符�?%JDK_HOME%"来表�C�JDK的安装位�|�，用符�?%TCAT_HOME%" 表示Tomcat的安装位�|��?/p>

4.3.1建立工作目录
mkdir server

4.3.2 生成server端证�?
4.3.2.1 生成KeyPair
%JDK_HOME%\bin\keytool -genkey -alias tomcat_server -validity 365 -keyalg RSA -keysize 1024 -keypass changeit -storepass changeit -dname "cn=localhost, ou=department, o=company, l=Beijing, st=Beijing, c=CN" -keystore server\server_keystore

4.3.2.2 生成待签名证�?
%JDK_HOME%\bin\keytool -certreq -alias tomcat_server -sigalg MD5withRSA -file server\server.csr -keypass changeit -keystore server\server_keystore -storepass changeit

4.3.2.3 用CA�U�钥�q�行�{�֐�
openssl x509 -req -in server\server.csr -out server\server-cert.pem -CA ca\ca-cert.pem -CAkey ca\ca-key.pem -days 365

4.3.2.4 导入信�Q的CA根证书到JSSE的默认位�|?%JDK_ROOT %/jre/security/cacerts)
%JDK_HOME%\bin\keytool -import -v -trustcacerts -storepass changeit -alias my_ca_root -file ca\ca-cert.pem -keystore %JDK_HOME%\jre\lib\security\cacerts

4.3.2.5 把CA�{�֐�后的server端证书导入keystore
%JDK_HOME%\bin\keytool -import -v -trustcacerts -storepass changeit -alias tomcat_server -file server\server-cert.pem -keystore server\server_keystore

4.3.2.6 查看server端证�?
keytool -list -keystore %JDK_HOME%\jre\lib\security\cacerts
keytool -list -keystore server\server_keystore

4.3.3 修改server.xml使Tomcat支持SSL
首先扑ֈ�以下内容�Q�去掉对其的注释。然后参照红色部分修攏V��如果配�|�Tomcat不验证客戯��n份，可以讄��

clientAuth="false"�?
port="8443" minProcessors="5" maxProcessors="75"
enableLookups="true"
acceptCount="10" debug="0" scheme="https" secure="true">
clientAuth="true" protocol="TLS"
keystoreFile="%TCAT_HOME%/conf/server_keystore" keystorePass="changeit"
/>

然后把文件server\server_keystore复制到目�?TCAT_HOME%\conf\下�?/p>

4.4 在IE中安装个��?
4.4.1 建立工作目录
mkdir client

4.4.2 生成client�U�钥�q�用CA�U�钥�{�֐�

4.4.2.1 生成client�U�钥
openssl genrsa -out client\client-key.pem 1024

4.4.2.2 生成待签名证�?
openssl req -new -out client\client-req.csr -key client\client-key.pem

4.4.2.3 用CA�U�钥�q�行�{�֐�
openssl x509 -req -in client\client-req.csr -out client\client.crt -signkey client\client-key.pem

-CA ca\ca-cert.pem -CAkey ca\ca-key.pem -CAcreateserial -days 365

4.4.2.4 生成client端的个�h证书
因�ؓJSSE1.0.2没有完全实现了对PKCS#12格式文�g的操�?只能��d��Q�不能输�?�Q�所以在�q�里需要用openssl制作client端的个�h证书(包含�U�钥)�?
openssl pkcs12 -export -clcerts -in client\client.crt -inkey client\client-key.pem -out client\client.p12

4.4.2.5 安装信�Q的根证书
把ca\ca-key.pem改名为ca\ca-key.cer�Q�在client端的IE中��?工具 ' Internet选项 ' 内容 ' 证书 ' 导入"把我们生成的CA根证书导入，使其成�ؓ用户信�Q的CA�?/p>

4.4.3 安装个�h证书
把client.p12导入到client端的IE中作��Z��书，导入�q�程�?.4.2.5�?/p>

4.5 用IE��览器��用SSL协议讉K��Tomcat

4.5.1 启动Tomcat 4.x
执行%TCAT_HOME%\bin\startup.bat启动Tomcat 4.x

4.5.2 用IE讉K��Tomcat 4.x
在IE��览器的地址栏中输入https://localhost:8443�Q�如果前面的操作都正��的话，应该可以看到Tomcat的欢�q�页面。同时状态栏上的��锁处于闭合状态，表示您已�l�成功地与服务器建立了要求客��L��验证的SSL安全�q�接�?/p>

5 �l�论
以上我们实现了�ؓTomcat 4.x配置要求客户端验证的SSL的全�q�程。对于其它类型的服务器，例如Apache�Q�Netscape Enterprise Server, Websphere�Q�Weblogic�{�，一般只是在服务器端保存证书的方式略有不同，但它们的原理都是�c�M��的，配置时可以在本文中办法的基础上做出相应的调整�?/p>

参考资�?/p>

Tomcat SSL Configuration HOW-TO
SSL3.0规范
Description of the Secure Sockets Layer (SSL) Handshake (Q257591)
keytool - Key and Certificate Management Tool
Openssl使用手册

zhb8015 2012-04-24 14:44 发表评论

用Keytool和OpenSSL生成和签发数字证�?�?

zhb8015 — Tue, 24 Apr 2012 06:15:00 GMT

original: http://apps.hi.baidu.com/share/detail/30995314

弄了差不多两天的证书�Q�头都大�?��C��很多弯�\�Q�把知识拿出来跟大家share下，其实�q�不复杂�?/p>

背景�Q�我们有个WEB服务器，比如TOMCAT�Q�在TOMCAT上我们部�|�了个应�?a>http://localhost:8080/sslPro, 当我们从��览器以安全模式�Q�即https讉K��q�个应用�Ӟ��用到的知识数字证�?数字�{�֐�。这里我们只讲到单向认证�Q�即服务器端认证。当我从��览器访问服务器�Ӟ��我们的目的是要确认我现在讉K��的就是localhost上的sslPro,反过来服务器向我证明我就是localhost.

目的�Q�我们要做的事是�Q�用keytool生成证书�{�֐��h��Q�用openssl生成自签名证书，然后模拟CA用自��q��成的自签名证书对�{�֐��h��q�行�{�֐��Q��ƈ把根证书及签名后的证书倒入到KEYSTORE�?/p>

准备�Q�J2SDK在目�?JAVA_HOME%/bin提供了密钥库��理工具Keytool�Q�用于管理密钥、证书和证书链。Keytool工具的命令在JavaSE6中已�l�改变，不过以前的命令仍然支持。Keytool也可以用来管理对�U�加密算法中的密钥。有关Keytool的知识可以参考：http://java.sun.com/j2se/1.5.0/docs/tooldocs/windows/keytool.html。有关openssl的知识请参考：http://www.openssl.org�?下面的准备很重要�Q?1)把openssl目录下的文�gopenssl.cnf文�g拯��到openssl的bin目录下，在bin目录下新建目录demoCA、demoCA/certs、demoCA/private�?demoCA/newcerts (2) 在demoCA建立一个空文�g index.txt (3) 在demoCA建立一个文本文�?serial, 没有扩展名，内容是一个合法的16�q�制数字�Q�例�?0011, 我曾�l�写�q?000�Q�但会导致根证书跟签名证书的序列号都�?�Q�所以不行，��不写0000�?4) 配置好JDK的环境变�?/p>

�q�程�Q?br />a. 生成密钥�?br />Keytool –genkey –alias test –keystore test.jks �Ҏ��提示输入信息�Q�记住：输入的信息必��跟后面的自�{�֐�证书信息一�?名字与姓氏我们这里应该输入localhost�?可以�?list查看信息�?到这一步，其实我们可以用export命��o导出证书到cer文�g�Q�然后把cer文�g导入到浏览器�Q�这��是我们自己生成的没有经�q�签名的证书)
b. 生成证书�{�֐��h��
Keytool –certreq –alias test –keystore test.jks –file test.csr�?
c. 生成CA的自�{�֐�证书
openssl req -new -x509 -keyout root.key -out root.crt -config openssl.cnf 输入信息
d. 把test.csr拯��到openssl的bin目录下，用CA�U�钥�q�行�{�֐�(当然也可以到权威机构甌��CA�{�֐��Q�但要花很多�?�?br />   openssl ca -in test.csr -out demo.crt -cert root.crt -keyfile root.key -notext -config openssl.cnf �Q�其�?notext表示不要把证书文件的明文内容输出到文件中去，否则在后面用keytool导入到keystore时会出错。）。可以用openssl x509 -noout -text -in root.crt 命��o查看
e. 导入信�Q的CA根证书到keystore
   keytool -import -v -alias test2 -file root.crt -keystore test.jks
�q�一步你也可以把根证书倒入到keystore cacerts中，在目�?JAVA_HOME%\jre\lib\security 目录下，有关cacerts的官方资料如下：
The "cacerts" file represents a system-wide keystore with CA certificates. System administrators can configure and manage that file using keytool, specifying "jks" as the keystore type. The initial password of the "cacerts" keystore file is "changeit". 详细信息可参考：http://java.sun.com/j2se/1.5.0/docs/tooldocs/windows/keytool.html#cacerts
f. 把CA�{�֐�后的证书导入到keystore
keytool -import -v -trustcacerts -alias test –file demo.crt -keystore test.jks
好了�Q�把test.jks拯��C��应用的WEB-INF目录下。配�|�tomcat服务器，如下�Q?br />               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystorePass="changeit" keystoreFile="webapps\sslPro\WEB-INF\test.jks
               keyAlias="test" "/>
现在当你用HTTPS讉K��你的应用�Ӟ��?a>https://localhost:8443/proTest会出来一个框框，说此证书不在你的信用列表里，问是否信用。这个时候你�q�有一件事情要做，��是把你信用的根证书导入��C��的浏览器中，下次在访问时�q�个��框框就不会出来了，因�ؓ你已�l�信用它了�?br />�q�样自己�{�֐�的证书就做好了。写来简�?�Q?但也�׃��不少旉��?br />两个比较好的参考文章：http://zhouzhk.javaeye.com/blog/136943�Q?a>http://industry.ccidnet.com/art/1078/20030709/53943_2.html

有关SSL的工作原理读者可以参考下��文章�?/p>

zhb8015 2012-04-24 14:15 发表评论

zhb8015 — Tue, 24 Apr 2012 03:30:00 GMT

命��o�q�行�q�程DOS�H�口全记�?/legend>C:\TEMP\2>openssl genrsa -des3 -out server.key 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
...++++++
.............................................................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
5816:error:28069065:lib(40):UI_set_result:result too small:.\crypto\ui\ui_lib.c:850:You must type in 4 to 511 characters

Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

C:\TEMP\2>openssl req -new -key server.key -out server.csr -config openssl.cfg
Enter pass phrase for server.key:
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:bj
Locality Name (eg, city) []:bj
Organization Name (eg, company) [Internet Widgits Pty Ltd]:v
Organizational Unit Name (eg, section) []:v
Common Name (eg, YOUR name) []:z
Email Address []:p@1

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1234
An optional company name []:v

C:\TEMP\2>openssl genrsa -des3 -out client.key 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
..........................++++++
.++++++
e is 65537 (0x10001)
Enter pass phrase for client.key:
Verifying - Enter pass phrase for client.key:

C:\TEMP\2>openssl req -new -key client.key -out client.csr -config openssl.cfg
Enter pass phrase for client.key:
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:bj
Locality Name (eg, city) []:bj
Organization Name (eg, company) [Internet Widgits Pty Ltd]:v
Organizational Unit Name (eg, section) []:v
Common Name (eg, YOUR name) []:z
Email Address []:p@1

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1234
An optional company name []:v

C:\TEMP\2>openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cfg
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.......................................++++++
................++++++
writing new private key to 'ca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:bj
Locality Name (eg, city) []:bj
Organization Name (eg, company) [Internet Widgits Pty Ltd]:v
Organizational Unit Name (eg, section) []:v
Common Name (eg, YOUR name) []:z
Email Address []:p@1

C:\TEMP\2>Openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cfg
Using configuration from openssl.cfg
Loading 'screen' into random state - done
Enter pass phrase for ca.key:
unable to load number from C:/TEMP/2/demoCA/serial
error while loading serial number
4176:error:0D066091:asn1 encoding routines:a2i_ASN1_INTEGER:odd number of chars:.\crypto\asn1\f_int.c:162:

C:\TEMP\2>Openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cfg
Using configuration from openssl.cfg
Loading 'screen' into random state - done
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr 24 02:31:47 2012 GMT
            Not After : Apr 24 02:31:47 2013 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = bj
            organizationName          = v
            organizationalUnitName    = v
            commonName                = z
            emailAddress              = p@1
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                E5:BE:16:C6:48:0D:91:1D:52:7C:3A:2C:7C:EF:9C:2D:FA:9A:12:32
            X509v3 Authority Key Identifier:
                keyid:97:6F:59:B9:97:EB:37:BB:89:54:12:7E:A3:72:BE:92:AE:83:2E:5B

Certificate is to be certified until Apr 24 02:31:47 2013 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

C:\TEMP\2>Openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
Using configuration from openssl.cnf
error loading the config file 'openssl.cnf'
1920:error:02001002:system library:fopen:No such file or directory:.\crypto\bio\bss_file.c:126:fopen('openssl.cnf','rb')

1920:error:2006D080:BIO routines:BIO_new_file:no such file:.\crypto\bio\bss_file.c:129:
1920:error:0E078072:configuration file routines:DEF_LOAD:no such file:.\crypto\conf\conf_def.c:197:

C:\TEMP\2>Openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
Using configuration from openssl.cnf
error loading the config file 'openssl.cnf'
2608:error:02001002:system library:fopen:No such file or directory:.\crypto\bio\bss_file.c:126:fopen('openssl.cnf','rb')

2608:error:2006D080:BIO routines:BIO_new_file:no such file:.\crypto\bio\bss_file.c:129:
2608:error:0E078072:configuration file routines:DEF_LOAD:no such file:.\crypto\conf\conf_def.c:197:

C:\TEMP\2>Openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cfg
Using configuration from openssl.cfg
Loading 'screen' into random state - done
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Apr 24 02:35:33 2012 GMT
            Not After : Apr 24 02:35:33 2013 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = bj
            organizationName          = v
            organizationalUnitName    = v
            commonName                = z
            emailAddress              = p@1
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                50:61:5E:EE:38:C3:7D:41:66:C7:68:5F:29:9C:96:1E:C2:67:7C:E3
            X509v3 Authority Key Identifier:
                keyid:97:6F:59:B9:97:EB:37:BB:89:54:12:7E:A3:72:BE:92:AE:83:2E:5B

Certificate is to be certified until Apr 24 02:35:33 2013 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

C:\TEMP\2>type client.crt client.key > client.pem

client.crt

client.key

C:\TEMP\2>type server.crt server.key > server.pem

server.crt

server.key

C:\TEMP\2>openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
Loading 'screen' into random state - done
Enter pass phrase for client.key:
Enter Export Password:
Verifying - Enter Export Password:

C:\TEMP\2>openssl pkcs12 -export -clcerts -in server.crt -inkey server.key -out server.p12
Loading 'screen' into random state - done
Enter pass phrase for server.key:
Enter Export Password:
Verifying - Enter Export Password:

C:\TEMP\2>C:\TEMP\2>openssl genrsa -des3 -out server.key 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
...++++++
.............................................................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
5816:error:28069065:lib(40):UI_set_result:result too small:.\crypto\ui\ui_lib.c:850:You must type in 4 to 511 characters