Generate server keys (generate the server certificate)

  1. keytool -genkey -alias serverkey -keyalg RSA -keystore kserver.keystore
  2. keytool -export -alias serverkey -keystore kserver.keystore -rfc -file server.crt
  3. keytool -import -alias serverkey -file server.crt -keystore tclient.keystore

Generate client keys

  1. keytool -genkey -alias clientKey -keystore kclient.keystore
  2. keytool -export -alias clientKey -keystore kclient.keystore -file client.crt
  3. keytool -import -alias clientKey -file client.crt -keystore tserver.keystore

Generate client keys (PKCS12 keystore)

  1. keytool -genkeypair -alias clientKey -keyalg RSA -storetype PKCS12 -keystore client.p12
  2. keytool -export -alias clientKey -keystore client.p12 -storetype PKCS12 -rfc -file client.crt
  3. keytool -import -alias clientKey -file client.crt -keystore tserver.keystore

From DAO

Generate a self-signed CA certificate, then server and client certificates:
the client certificate is signed by the self-generated CA certificate, which
is also used to sign the server certificate, so the client can authenticate
to the server with its client certificate.

# Create the CA Key and Certificate for signing Client Certs
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

# Create the Server Key, CSR, and Certificate
# (1024-bit RSA is below current minimums; modern TLS stacks expect 2048 bits or more)
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr

# Sign the Server Cert with the CA (serial 01)
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

# Create the Client Key and CSR
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr

# Sign the client certificate with the CA cert.
# The serial must differ from the server's one, otherwise curl will return NSS error -8054
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt

In nginx.conf:

ssl_certificate        /etc/nginx/certs/server.crt;
ssl_certificate_key    /etc/nginx/certs/server.key;
ssl_client_certificate /etc/nginx/certs/ca.crt;
ssl_verify_client      on;   # off by default; without it nginx never requests or checks a client certificate
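The same trust layout modelled with Go's crypto/x509, as an added example rather than code from this page: Issue stands in for the openssl key generation and CA signing steps (Ed25519 keys instead of RSA, for brevity), BuildPKI issues the CA, a server cert with serial 1 and a client cert with serial 2, and ReusedIssuerAndSerial tests for the condition behind the NSS -8054 note above. The names, the CA's own serial 1000 and the one-year validity are my choices, not the page's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Issue makes a key pair and a certificate for cn (given serial and extended key usage) signed by parent; a nil parent yields a self-signed CA.
func Issue(cn string, serial int64, eku x509.ExtKeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0), // like -days 365
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku},
	}
	if parent == nil { // CA: mark it as one and allow it to sign certificates (the "openssl req -x509" step)
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildPKI mirrors the openssl steps: one CA (with a distinct serial of its own), then a server cert (serial 1) and a client cert (serial 2) signed by it.
func BuildPKI() (ca, server, client *x509.Certificate, err error) {
	ca, caKey, err := Issue("Example CA", 1000, x509.ExtKeyUsageAny, nil, nil)
	if err == nil {
		server, _, err = Issue("server", 1, x509.ExtKeyUsageServerAuth, ca, caKey)
	}
	if err == nil {
		client, _, err = Issue("client", 2, x509.ExtKeyUsageClientAuth, ca, caKey)
	}
	return
}

// ReusedIssuerAndSerial is the condition behind NSS error -8054: two different certs with the same issuer name and serial.
func ReusedIssuerAndSerial(a, b *x509.Certificate) bool {
	return !a.Equal(b) && string(a.RawIssuer) == string(b.RawIssuer) && a.SerialNumber.Cmp(b.SerialNumber) == 0
}
```

Verifying the client certificate against the CA with KeyUsages set to ExtKeyUsageClientAuth is the check nginx makes with ssl_verify_client; a server certificate (ServerAuth only) fails that same check.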
