Step 1: Generate the server key
Use the keytool utility that ships with Java:
keytool -genkey -alias tomcat -keyalg RSA -keypass changeit -storepass changeit -keystore e:/server.keystore -validity 3600
Note: the -validity parameter sets the certificate's validity period in days; the default is very short, only 90 days.
Step 2: Import the certificate into the Java trust store; both the server and the client must import it
This takes two sub-steps: first export the certificate, then import it into the trust store (tomcat is the certificate alias):
keytool -export -trustcacerts -alias tomcat -file server.cer -keystore e:/server.keystore -storepass changeit
keytool -import -trustcacerts -alias tomcat -file server.cer -keystore E:/Java/jdk1.6.0_03/jre/lib/security/cacerts -storepass changeit
Other useful keytool commands
List: keytool -list -v -keystore E:/Java/jre1.6.0_03/lib/security/cacerts
Delete: keytool -delete -trustcacerts -alias tomcat -keystore E:/Java/jdk1.6.0_03/jre/lib/security/cacerts -storepass changeit
Note: the cacerts file at E:/Java/jdk1.6.0_03/jre/lib/security/cacerts must belong to the same JRE as the E:\Java\jdk1.6.0_03\jre\bin\client\jvm.dll that Tomcat is configured to run on; importing into a different JRE's cacerts has no effect on Tomcat.
Step 3: Configure Tomcat's server.xml; both the server and the client must be configured
For Tomcat 6.0, add the following XML:
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
           port="8443" minSpareThreads="5" maxSpareThreads="75"
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="e:/server.keystore" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS"/>
Reference: http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
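A check that is easy to skip after Steps 1 and 2: confirm that the certificate Tomcat serves from server.keystore is the very same one that was imported into the JRE's cacerts, and that it has not expired. This is an added example, not code from the post; it assumes the alias, passwords and Windows paths used above (JDK 1.6-compatible syntax, run with the same JRE that Tomcat uses).

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;

/** Verifies that server.keystore and the JRE trust store agree on the "tomcat" certificate. */
public class TrustCheck {

    // Loads a JKS keystore; paths and password are the ones from the post (assumptions).
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        String alias = "tomcat";
        char[] pw = "changeit".toCharArray(); // keytool's default; replace in real deployments

        KeyStore server = load("e:/server.keystore", pw);
        KeyStore trust = load("E:/Java/jdk1.6.0_03/jre/lib/security/cacerts", pw);

        Certificate served = server.getCertificate(alias);
        Certificate trusted = trust.getCertificate(alias);
        if (served == null) throw new IllegalStateException("alias " + alias + " missing from server keystore");
        if (trusted == null) throw new IllegalStateException("alias " + alias + " was not imported into cacerts");
        // Certificate.equals compares the DER encoding, so a re-generated key shows up as a mismatch.
        if (!served.equals(trusted)) throw new IllegalStateException("cacerts holds a different certificate than server.keystore");

        X509Certificate x509 = (X509Certificate) served;
        x509.checkValidity(new Date()); // throws if expired or not yet valid
        long daysLeft = (x509.getNotAfter().getTime() - System.currentTimeMillis()) / 86400000L;
        System.out.println("Subject:     " + x509.getSubjectX500Principal());
        System.out.println("Valid until: " + x509.getNotAfter() + " (" + daysLeft + " days left)");
        if (daysLeft < 30) {
            System.out.println("WARNING: certificate expires soon; regenerate with a longer -validity and re-import");
        }
    }
}
```

Run it once after importing and again before the validity window set with -validity runs out; a mismatch means a client that trusts cacerts will reject the handshake even though the import "succeeded".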
posted on 2008-01-22 17:17 by dd.zhang