1. Use keytool to export the keystore to PKCS12 format:
keytool -importkeystore -srckeystore server.jks -destkeystore server.p12 -srcstoretype jks -deststoretype pkcs12
輸入目標密鑰庫口令:
再次輸入新口令:
輸入源密鑰庫口令:
已成功導入別名 ca_root 的條目。
已完成導入命令: 1 個條目成功導入, 0 個條目失敗或取消
2. Generate the PEM file (contains the key, the server certificate and the CA certificates):
Generate a PEM file with the key encrypted:
$ openssl pkcs12 -in server.p12 -out server.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Generate a PEM file with the key unencrypted:
$ openssl pkcs12 -nodes -in server.p12 -out server.pem
Enter Import Password:
MAC verified OK
Export the key on its own:
Generate an encrypted key:
$ openssl pkcs12 -in server.p12 -nocerts -out server.key
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Generate an unencrypted key:
$ openssl pkcs12 -in server.p12 -nocerts -nodes -out server.key
Enter Import Password:
MAC verified OK
Export the server certificate on its own:
$ openssl pkcs12 -in server.p12 -nokeys -clcerts -out server.crt
Enter Import Password:
MAC verified OK
Export the CA certificates on their own:
$ openssl pkcs12 -in server.p12 -nokeys -cacerts -out ca.crt
Enter Import Password:
MAC verified OK
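The key and certificate exports above, run non-interactively and followed by a check that the two files belong together, as an added example that is not part of the original page. The function names and the P12_PASS variable are assumptions made for this example, and make_sample_p12 only builds constructed test input.

```shell
#!/bin/sh
# Added example: split a PKCS#12 bundle into the key and certificate that
# Nginx needs, then confirm they carry the same public key before deployment.
# Export P12_PASS (a variable name chosen for this example) before calling
# split_p12, so the import password is not typed on the command line.

# key_matches_cert KEY CRT -> exit 0 when both files hold the same public key,
# 1 when they differ, 2 when either file cannot be parsed.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$crt_pub" ]
}

# split_p12 P12 OUTDIR -> writes OUTDIR/server.key and OUTDIR/server.crt.
split_p12() {
    p12=$1; out=$2
    (
        umask 077   # the unencrypted key must be readable by its owner only
        openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes \
            -out "$out/server.key" 2>/dev/null
    ) || return 1
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -clcerts \
        -out "$out/server.crt" 2>/dev/null || return 1
    key_matches_cert "$out/server.key" "$out/server.crt"
}

# make_sample_p12 DIR -> constructed test input: a throwaway self-signed
# certificate for CN=example.test, bundled as DIR/server.p12.
make_sample_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1/src.key" -out "$1/src.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/src.key" -in "$1/src.crt" \
        -passout env:P12_PASS -out "$1/server.p12" 2>/dev/null
}
```

A non-zero return from split_p12 means the export failed or the key does not belong to the certificate, in which case Nginx would refuse to load the pair.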
Nginx server configuration
server {
    listen 443 ssl;
    server_name www.yourdomain.net;
    access_log /path_to_log/access.log;
    error_log /path_to_log/error.log;
    ssl_certificate     /path_to_certificate/server.crt;
    ssl_certificate_key /path_to_key/new/server.key;
    ssl_session_timeout 1m;
    # SSLv2 and SSLv3 are broken (DROWN, POODLE) and must not be offered
    ssl_protocols TLSv1.2;
    #ssl_ciphers HIGH:!aNULL:!MD5;
    # RC4, 3DES and MD5 suites dropped from the list: all are weak or broken
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256:AES128-SHA:AES256-SHA;
    ssl_prefer_server_ciphers on;
    ***
}