ZooKeeper SSL User Guide

 创建keyStore、trustStore文件：

Keystores are used in two different ways,
If the keystore contains private keys and public certificates that are signed by the private key which are used to authenticate themselves to the connecting party, that is called a keystore.
And if the keystore contains trusted SSL certificates, that is called a truststore.
We don’t keep private keys in a truststore.

I will be discussing the basic steps of creating PKCS12 trustores and keystores that can be used by a client and a server to authenticate via mutual SSL.

1. Create a keystore for the client

keytool -genkey -alias Client -keyalg RSA -keystore clientKeyStore.p12 -keysize 2048 -storeType PKCS12

2. Export the public cert of the client

keytool -export -keystore clientKeyStore.12 -alias Client -file client.crt

3. Create a keystore for the server

keytool -genkey -alias Server -keyalg RSA -keystore serverKeyStore.p12 -keysize 2048 -storeType PKCS12

4. Export the public cert of the server

keytool -export -keystore serverKeyStore.p12 -alias Server -file server.crt

5. Create a truststore for the client

keytool -genkey -alias ClientTrust -keyalg RSA -keystore clientTrustStore.p12 -keysize 2048 -storeType PKCS12

6. Create a truststore for the server

keytool -genkey -alias ServerTrust -keyalg RSA -keystore serverTrustStore.p12 -keysize 2048 -storeType PKCS12

7. Import the client public cert into the server truststore

keytool -import -keystore serverTrustStore.p12 -alias Client -file

8. Import the server public cert into the client truststore

keytool -import -keystore clientTrustStore.p12 -alias Server -file

9. Delete the existing private key of the server truststore

keytool -delete -alias serverTrust -keystore serverTrustStore.p12 -storepass

10. Delete the existing private key of the client truststore

keytool -delete -alias clientTrust -keystore clientTrustStore.p12 -storepass

ZooKeeper SSL User Guidehttps://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+GuideCertificate for doesn't match any of the subject alternative nameshttps://stackoverflow.com/questions/50928061/certificate-for-localhost-doesnt-match-any-of-the-subject-alternative-names