SSL mutual authentication: generating the certificates

http://blog.csdn.net/skygpan/article/details/50720658

Generate server keys (server certificate)

  1. keytool -genkey -alias serverkey -keyalg RSA -keystore kserver.keystore
  2. keytool -export -alias serverkey -keystore kserver.keystore -rfc -file server.crt
  3. keytool -import -alias serverkey -file server.crt -keystore tclient.keystore

Here kserver.keystore is the keystore used by the server, server.crt is the exported certificate, and tclient.keystore is the truststore handed to the client.

Note: here we export the certificate straight from our own keystore, which is only usable within our own internal systems. For use on the public Internet you should generate a CSR and apply to a CA for a certificate.

Generate the client certificate

JKS method

  1. keytool -genkey -alias clientKey -keystore kclient.keystore
  2. keytool -export -alias clientKey -keystore kclient.keystore -file client.crt
  3. keytool -import -alias clientKey -file client.crt -keystore tserver.keystore

PKCS12 method

  1. keytool -genkeypair -alias clientkey -keyalg RSA -storetype PKCS12 -keystore client.p12
  2. keytool -export -alias clientKey -keystore client.p12 -storetype PKCS12 -rfc -file client.crt
  3. keytool -import -alias clientKey -file client.crt -keystore tserver.keystore

From DAO

Generate self-signed server and client certificates: the client certificate
is signed by the self-generated CA cert, which is also used to sign the
server certificate, so the client can authenticate to the server using
the client certificate. Source: http://nategood.com/client-side-certificate-authentication-in-ngi

# Create the CA key and certificate for signing client certs
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

# Create the server key, CSR, and certificate
# (1024-bit RSA is below current minimums; 2048 bits or more is standard today)
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr

# Sign the server cert with the CA key (the issuer of server.crt is ca.crt)
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

# Create the client key and CSR
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr

# Sign the client certificate with the CA cert
# Serial must differ from the server one, otherwise curl will return NSS error -8054
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt

In nginx.conf:

ssl_certificate        /etc/nginx/certs/server.crt;
ssl_certificate_key    /etc/nginx/certs/server.key;
ssl_client_certificate /etc/nginx/certs/ca.crt;
# nginx only requests and checks the client certificate once ssl_verify_client is also set (ssl_verify_client on;)
