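# OpenSSL / keytool certificate cheat sheet.
#
# References:
#   https://www.jianshu.com/p/e5f46dcf4664
#   https://blog.csdn.net/sayyy/article/details/78351512
#
# The recipes are independent of each other: the "self-signed" and
# "private CA" sections both write server.key / server.csr / server.crt,
# so copy the recipe you need instead of running the file top to bottom.
#
# Passwords are read from the file ./pass (first line) rather than given
# as literals on the command line, where they land in shell history and
# are visible to other local users in the process list. Keep ./pass at
# mode 0600 and put a strong, non-guessable password in it.

# Files created below include private keys; keep them owner-only.
umask 077

# ---------------------------------------------------------------------
# PKCS#12 handling
# ---------------------------------------------------------------------

# Bundle a certificate and its private key into a PKCS#12 file.
# NOTE(review): -CAfile only influences the output when -chain is also
# given; add -chain (or -certfile yxt-ca.crt) if the CA certificate is
# meant to be included in the bundle.
openssl pkcs12 -export -in uydc-101.crt -inkey uydc-101.key -out uydc-101.p12 \
  -name uydc-101 -CAfile yxt-ca.crt -caname yxtca -passout file:pass

# Print the certificates of a PKCS#12 file; -nokeys leaves the private
# key out. Outside of -export, -password means the same as -passin, so
# one of the two is enough.
openssl pkcs12 -in ydc.p12 -passin file:pass -nokeys

# Convert the PKCS#12 file produced above into a JKS keystore.
# The source file name matches the -out of the export command.
keytool -importkeystore -deststorepass:file pass -destkeypass:file pass \
  -destkeystore uydc-101.jks -srckeystore uydc-101.p12 \
  -srcstoretype PKCS12 -srcstorepass:file pass -alias uydc-101

# Show the structure of the PKCS#12 file. Without -nokeys this also
# emits the private key (re-encrypted under a PEM pass phrase it asks
# for); add -nokeys when only the certificates are of interest.
openssl pkcs12 -info -in uydc-101.p12 -passin file:pass

# ---------------------------------------------------------------------
# keytool example
# ---------------------------------------------------------------------

# Create keystore and certificate.
# NOTE(review): JKS is the legacy keystore format; newer JDKs default to
# PKCS12. Kept as JKS here because the following steps name the same
# .jks file.
keytool \
  -genkeypair \
  -alias uydc-102.hbase.thrift \
  -keyalg RSA \
  -keysize 2048 \
  -keypass:file pass \
  -sigalg SHA256withRSA \
  -dname "CN=uydc-102,OU=data,O=yxt,L=SuZhou,ST=JiangSu,C=CN" \
  -validity 3650 \
  -keystore uydc-102_keystore.jks \
  -storetype JKS \
  -storepass:file pass

# Generate CSR - Certificate Signing Request.
keytool \
  -certreq \
  -alias uydc-102.hbase.thrift \
  -keyalg RSA \
  -keypass:file pass \
  -keystore uydc-102_keystore.jks \
  -storetype JKS \
  -storepass:file pass \
  -file uydc-102.hbase.thrift.csr

# Import the signing authority's ROOT certificate.
# Verify the fingerprint keytool prints against the CA's published value
# before answering "yes": this entry becomes a trust anchor.
keytool \
  -import \
  -trustcacerts \
  -alias ca_root_GlobalSign \
  -keypass:file pass \
  -keystore uydc-102_keystore.jks \
  -storepass:file pass \
  -file GlobalSign_cert.cer

# Import the signed certificate issued for the CSR above. The alias must
# be the one used for -genkeypair so the reply is attached to that key.
keytool \
  -import \
  -trustcacerts \
  -alias uydc-102.hbase.thrift \
  -keypass:file pass \
  -keystore uydc-102_keystore.jks \
  -storepass:file pass \
  -file uydc-102.hbase.thrift.cer

# ---------------------------------------------------------------------
# openssl example
# ---------------------------------------------------------------------

# --- Self-signed ------------------------------------------------------

# 1. Generate the private key (written unencrypted).
openssl genrsa -out server.key 2048

# 2. Generate the CSR (Certificate Signing Request).
# NOTE(review): the request carries only a CN; current TLS clients match
# host names against subjectAltName, so a SAN extension is likely needed
# before this certificate is usable for a real server.
openssl req \
  -subj "/C=CN/ST=Tianjin/L=Tianjin/O=Mocha/OU=Mocha Software/CN=test1.sslpoc.com/emailAddress=test@mochasoft.com.cn" \
  -new -key server.key -out server.csr

# 3. Generate the self-signed certificate (valid for ten years).
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt

# --- Signed by a private CA -------------------------------------------

# 1. Create the CA private key. It is written unencrypted; add a cipher
#    option such as -aes256 to protect it with a pass phrase, since
#    whoever holds ca.key can issue certificates this CA's clients trust.
openssl genrsa -out ca.key 2048

# 2. Generate the CA's self-signed certificate.
openssl req \
  -subj "/C=CN/ST=Tianjin/L=Tianjin/O=Mocha/OU=Mocha Software/CN=Server CA/emailAddress=test@mochasoft.com.cn" \
  -new -x509 -days 3650 -key ca.key -out ca.crt

# 3. Generate the private key for the certificate to be issued.
openssl genrsa -out server.key 2048

# 4. Generate the CSR for the certificate to be issued. Its Common Name
#    must differ from the Common Name in the CA certificate.
openssl req \
  -subj "/C=CN/ST=Tianjin/L=Tianjin/O=Mocha/OU=Mocha Software/CN=test2.sslpoc.com/emailAddress=test@mochasoft.com.cn" \
  -new -key server.key -out server.csr

# 5. Sign the CSR from step 4 with the CA certificate from step 2.
#    -CAcreateserial keeps the serial number in ca.srl instead of
#    hard-coding "01": a fixed serial gives every certificate issued by
#    this CA the same issuer+serial pair, which breaks revocation and
#    can make clients reject the second certificate they see.
openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out server.crt

# --- Specifying the certificate distinguished name --------------------
# Pass it with -subj; quote the value, since it contains spaces:
#   -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=PAX/OU=Common Software/CN=Server CA/emailAddress=qiaojx@paxsz.com"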