http://threebit.net/mail-archive/tomcat-users/msg06848.html
1-create keystore for tomcat server
keytool -genkey -alias tomcat -keyalg RSA -keysize 1024 -keystore c:\tomcat.jks -storetype JKS
2-create certificate request for the web server
keytool -certreq -keyalg RSA -alias tomcat -keystore c:\tomcat.jks
copy the "NEW CERTIFICATE REQUEST" to "CERTIFICATE REQUEST" - sign by MIMOS CA
3-import MIMOS CA cert to server keystore
keytool -import -alias mimosca -keystore c:\tomcat.jks -trustcacerts -file c:\MIMOSCA.crt
4-import signed server cert to server keystore
keytool -import -alias tomcat -keystore c:\tomcat.jks -trustcacerts -file c:\tomcat.crt
5-create a client keystore
keytool -genkey -alias mykey -keyalg RSA -keysize 1024 -keystore c:\identity.jks -storetype JKS
6-create certificate request for the client
keytool -certreq -keyalg RSA -alias mykey -keystore c:\identity.jks
copy the "NEW CERTIFICATE REQUEST" to "CERTIFICATE REQUEST" - sign by MIMOS
7-create a truststore
http://users.skynet.be/pascalbotte/art/clientcertconf.htm
keytool -genkey -alias dummy -keyalg RSA -keystore c:\truststore.jks
keytool -delete -alias dummy -keystore c:\truststore.jks
8-import CA cert to a truststore
keytool -import -v -trustcacerts -alias mimosca -file c:\MIMOSCA.crt -keystore c:\truststore.jks
9-import client cert to a truststore
keytool -import -alias mykey -keystore c:\truststore.jks -trustcacerts -file c:\IzyaniCert.crt
10-generate PKCS12 file that contains client key and certificate
keytool -importkeystore -srckeystore c:\identity.jks -destkeystore c:\identity.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass 123456 -deststorepass 123456 -srcalias mykey -destalias mykey -srckeypass 123456 -destkeypass 123456 -noprompt
11-import the client PKCS12 certificate to browser
12-configure tomcat for SSL
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
keystoreFile="c:\tomcat.jks"
keystorePass="123456"
truststoreFile="c:\truststore.jks"
truststorePass="123456" />
13-set the environment variable for CATALINA_OPTS
(http://wiki.openbravo.com/wiki/ERP_2.50:Openbravo_environment_installation)
Add CATALINA_HOME, CATALINA_BASE and CATALINA_OPTS environment variables:
Right-click on My Computer.
Select Properties. The system properties window appears.
Select the Advanced tab.
Click Environment Variables.
Click New. The New User Variable box appears.
In the Variable name field, type CATALINA_HOME.
In the Variable value field, type the path of the Apache Tomcat installation directory. This is usually C:\Apache Software Foundation\Tomcat 6.0.
Click OK.
Click New. The New User Variable box appears.
In the Variable name field, type CATALINA_BASE.
In the Variable value field, type the path of the Apache Tomcat installation directory.
Click OK.
Click New. The New User Variable box appears.
In the Variable name field, type CATALINA_OPTS.
In the Variable value field, type -Djavax.net.ssl.trustStore=c:\truststore.jks -Djavax.net.ssl.trustStorePassword=123456
Select the PATH environment variable.
In the Variable value field, type the path of the Apache Tomcat installation's bin folder. This is usually C:\Apache Software Foundation\Tomcat 6.0\bin.
Copy the C:\Java\jdk1.6.0_<version>\bin\lib\tools.jar file from your Sun JDK installation to C:\Apache Software Foundation\Tomcat 6.0\lib\
my error msg is:
Secure Connection Failed
An error occurred during a connection to localhost:8443.
SSL peer cannot verify your certificate.
(Error code: ssl_error_bad_cert_alert)
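A check for the setup in the post above, as an added example that is not part of the original post: it prints the certificate chain held under the client alias in identity.jks and validates it against the trust anchors in truststore.jks, which approximates the decision Tomcat makes when clientAuth="true". The class name ClientChainCheck and the argument order are assumptions; a key entry whose signed reply was never imported still carries the self-signed certificate from -genkey and is reported as rejected.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Arrays;

// Added diagnostic (hypothetical class name), Java 7 or later.
// Usage: java ClientChainCheck c:\identity.jks mykey c:\truststore.jks
public class ClientChainCheck {
    // A JKS file loaded with a null password skips the integrity check but still exposes certificates.
    static KeyStore load(String path) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, null);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: ClientChainCheck <identity.jks> <alias> <truststore.jks>");
            System.exit(2);
        }
        Certificate[] chain = load(args[0]).getCertificateChain(args[1]);
        if (chain == null) {
            System.out.println("No key entry with a certificate chain under alias " + args[1]);
            System.exit(1);
        }
        for (Certificate c : chain) {
            X509Certificate x = (X509Certificate) c;
            System.out.println("subject=" + x.getSubjectX500Principal() + " | issuer=" + x.getIssuerX500Principal());
        }
        X509Certificate leaf = (X509Certificate) chain[0];
        if (chain.length == 1 && leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
            System.out.println("Client certificate is self-signed: no CA reply is stored under this alias.");
        }
        // Every trusted-certificate entry in the truststore becomes a PKIX trust anchor.
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(chain));
        PKIXParameters params = new PKIXParameters(load(args[2]));
        params.setRevocationEnabled(false); // no CRL/OCSP lookups; checks signatures, names and validity dates
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            System.out.println("OK: chain validates against the truststore");
        } catch (CertPathValidatorException e) {
            System.out.println("REJECTED: " + e.getMessage());
            System.exit(1);
        }
    }
}
```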