
Using a multi-domain (SAN) certificate in a TIBCO server keystore


Notes on generating a private key and a certificate request with openssl, and importing the certificate into a JKS:
http://www.cnblogs.com/liaier/p/4137383.html
openssl pkcs12 -export -in server.pem -inkey serverkey.key -out server.pfx -CAfile chain.pem
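keytool has no command for importing a private key directly and cannot generate a SAN certificate request, so the only option is to generate the CSR with openssl, combine the signed certificate and the private key into a PFX, and then use keytool to convert the PFX into a JKS.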

1. Create the private key
openssl genrsa -out c:/server/server-key.pem 1024

2. Create the certificate request (subject alternative name (SAN) certificate):
openssl req -new -config CONF\san.conf -out server-req.csr -key server-key.pem
san.conf

[req]
distinguished_name  = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
countryName_default   = CN
stateOrProvinceName_default = Test
localityName_default  = Test
organizationName_default  = Test
commonName            = Test (eg, YOUR name)
commonName_max        = 64

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
# DNS.n entries hold host names; a literal IP address belongs in an IP.n entry
DNS.1   = IPaddress1
DNS.2   = IPaddress2

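3. The CA signs the certificate after receiving the request
openssl x509 -req does not copy the extensions requested in the CSR, so the v3_req section of san.conf is passed again with -extfile/-extensions; otherwise the issued certificate has no SAN.
openssl x509 -req -in c:/server/server-req.csr -out c:/server/server-cert.pem -CA c:/ca/ca-cert.pem -CAkey c:/ca/ca-key.pem -CAcreateserial -days 3650 -extfile CONF\san.conf -extensions v3_req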

4. You now have the signed certificate server-cert.pem (-----BEGIN CERTIFICATE-----), the existing ca-cert.pem (-----BEGIN CERTIFICATE-----), and server-key.pem (-----BEGIN RSA PRIVATE KEY-----).

Use these three files to build the PFX file:
openssl pkcs12 -export -in server-cert.pem -inkey server-key.pem -out server.pfx -CAfile ca-cert.pem

5. Use keytool to convert the PFX into a JKS
keytool -importkeystore -srckeystore D:\Temp\server.pfx -srcstoretype pkcs12 -destkeystore D:\Temp\server.jks -deststoretype JKS -storepass testpwd2

6. List the JKS; the key alias inside it is 1
keytool -list -v -keystore D:\Temp\server.jks -storepass testpwd2
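
A check worth running between steps 3 and 4, as an added example that is not part of the original post: it rebuilds steps 1-3 in a scratch directory and compares the SAN list of the CSR with that of the signed certificate, because a certificate issued without the extensions still imports into the JKS cleanly and only fails later at hostname verification. The host names, the address 192.0.2.10, the 2048-bit key size and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example. Host names, the address and file names are constructed test values.

# make_fixture DIR: throwaway CA plus server key and SAN request (steps 1-2)
make_fixture() {
    cat > "$1/san.conf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = tibco.example.test
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = tibco.example.test
DNS.2 = ems.example.test
IP.1 = 192.0.2.10
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -config "$1/san.conf" \
        -subj "/CN=Test CA" -days 1 \
        -keyout "$1/ca-key.pem" -out "$1/ca-cert.pem" 2>/dev/null &&
    openssl genrsa -out "$1/server-key.pem" 2048 2>/dev/null &&
    openssl req -new -config "$1/san.conf" -key "$1/server-key.pem" \
        -out "$1/server-req.csr"
}

# sign_csr DIR OUT [x509 options]: step 3, the CA signs the request
sign_csr() {
    d=$1; out=$2; shift 2
    openssl x509 -req -in "$d/server-req.csr" -out "$d/$out" -days 1 \
        -CA "$d/ca-cert.pem" -CAkey "$d/ca-key.pem" -CAcreateserial \
        "$@" 2>/dev/null
}

# san_list FILE req|x509: sorted SAN entries of a request or certificate
san_list() {
    openssl "$2" -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr -d ' ' | tr ',' '\n' | sort | tr '\n' ' '
}

# san_preserved CSR CERT: true only if the certificate carries the CSR's SANs
san_preserved() {
    want=$(san_list "$1" req)
    got=$(san_list "$2" x509)
    [ -n "$want" ] && [ "$want" = "$got" ]
}
```

Calling `sign_csr DIR out.pem` with no extra options produces a certificate for which `san_preserved` fails; adding `-extfile DIR/san.conf -extensions v3_req` makes it pass.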
