openssl 生成私钥、申请文件，证书导入jks说明
http://www.cnblogs.com/liaier/p/4137383.html
openssl pkcs12 -export -in server.pem -inkey serverkey.key -out server.pfx  -CAfile chain.pem
由于keytool没有直接导入private key的命令，又没有办法生成SAN证书请求，所以只能通过openssl生成CSR，然后再将签过的证书跟私钥生成PFX，再利用keytool将PFX转成JKS来使用

1.创建私钥
openssl genrsa -out c:/server/server-key.pem 1024

2.创建证书请求 (subject alternative name (SAN) certificates)：
openssl req -new -config CONF\san.conf -out server-req.csr -key server-key.pem
san.conf

[req]
distinguished_name  = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
countryName_default   = CN
stateOrProvinceName_default = Test
localityName_default  = Test
organizationName_default  = Test
commonName            = Test (eg, YOUR name)
commonName_max        = 64

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1   = IPaddress1
DNS.2   = IPaddress2

 3.CA收到证书申请后签发证书
openssl x509 -req -in c:/server/server-req.csr -out c:/server/server-cert.pem -signkey c:/server/server-key.pem -CA c:/ca/ca-cert.pem -CAkey c:/ca/ca-key.pem -CAcreateserial -days 3650

4.收到证书server-cert.pem(-----BEGIN CERTIFICATE-----),已有ca-cert.pem(-----BEGIN CERTIFICATE-----),server-key.pem(-----BEGIN RSA PRIVATE KEY-----)

利用这三者生成PFX文件
openssl pkcs12 -export -in server-cert.pem -inkey server-key.key -out server.pfx  -CAfile ca-cert.pem

5.利用keytool将PFX转成JKS
keytool -importkeystore -srckeystore D:\Temp\server.pfx -srcstoretype pkcs12 -destkeystore D:\Temp\server.jks -deststoretype JKS -storepass testpwd2

6.查看JKS里面key alias为1
keytool -list -v -keystore D:\Temp\server.jks -storepass testpwd2

tibco server keystore使用多域名证书