set JDK_HOME=D:\j2sdk1.4.2_06

rem 生成KeyPair
%JDK_HOME%\bin\keytool -genkey -alias tomcat_server -validity 365 -keyalg RSA -keysize 1024 -keypass changeit -storepass changeit -dname "cn=localhost, ou=department, o=company, l=Beijing, st=Beijing, c=CN" -keystore server_keystore

rem 生成待签名证书
%JDK_HOME%\bin\keytool -certreq -alias tomcat_server -sigalg MD5withRSA -file server.csr -keypass changeit -keystore server_keystore -storepass changeit

rem 用CA私钥签名
openssl ca -in %server.csr -config openssl.cnf -policy policy_anything -out server.cer

rem 从JSSE删除同名的CA根证书
%JDK_HOME%\bin\keytool -delete -v -storepass changeit -alias my_ca_root -keystore %JDK_HOME%\jre\lib\security\cacerts

rem 导入信任的CA根证书到JSSE的默认位置
rem 在Windows会有两个JRE，一个在JDK目录下，一个在programe\java中，所以要明确指定使用那个JSSE
%JDK_HOME%\bin\keytool -import -v -trustcacerts -storepass changeit -alias my_ca_root -file ca\cacert.cer -keystore %JDK_HOME%\jre\lib\security\cacerts

pause
rem 将server.cer保存为base64编码后继续(server64.cer)

rem 把CA签名后的server端证书导入keystore
%JDK_HOME%\bin\keytool -import -v -trustcacerts -storepass changeit -alias tomcat_server -file server64.cer -keystore server_keystore
pause