These instructions are for Windows
Modify the paths as approptiate for your OS.

Create a CA
===========

1. Create the directory structure

   mkdir demoCA
   mkdir demoCA\newcerts demoCA\private demoCA\csr demoCA\keystores
   echo 1000 > demoCA\serial
   echo 2>demoCA\index.txt
   
2. Create the CA
   openssl req -config openssl.cnf -new -x509 -days 3650 -extensions v3_ca -keyout demoCA\private\cakey.pem -out demoCA\cacert.pem

Create an APR/native key and certificate for localhost
======================================================
   
1. Create the private key and the certificate signing request
   openssl req -config openssl.cnf -new -nodes -out demoCA\csr\localhost-req.pem -keyout demoCA\private\localhost-key.pem

2. Sign the certifcate
   openssl ca -config openssl.cnf -days 730 -out demoCA\newcerts\localhost-cert.pem -infiles demoCA\csr\localhost-req.pem

3. Create the certificate chain file
   Just the CA certificate

4. Install key, certificate and chain files
   <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
              maxThreads="150" SSLEnabled="true" >
       <SSLHostConfig>
           <Certificate certificateKeyFile="conf/localhost-key.pem"
                        certificateFile="conf/localhost-cert.pem"
                        certificateChainFile="conf/localhost-chain.pem"
                        type="RSA" />
       </SSLHostConfig>
   </Connector>

Create a Java Keystore for localhost
====================================

1. Ensure keytool is on the path
   set JAVA_HOME=C:\java\jdk1.8.0_72_x64
   set PATH=%PATH%;%JAVA_HOME%\bin

2. Create the private key
   keytool -genkey -alias tomcat -keyalg RSA -keystore demoCA\keystores\localhost2.jks -dname CN=localhost,OU=B,O=ASF,ST=MD,C=US
   
3. Create the certificate signing request
   keytool -certreq -keyalg RSA -alias tomcat -file demoCA\csr\localhost2-req.pem -keystore demoCA\keystores\localhost2.jks
   
4. Sign the certificate
   openssl ca -config openssl.cnf -days 730 -out demoCA\newcerts\localhost2-cert.pem -infiles demoCA\csr\localhost2-req.pem
   Java uses PRINTABLESTRING. OpenSSL expects UTF8STRING.
   openssl ca -policy policy_anything -config openssl.cnf -days 730 -out demoCA\newcerts\localhost2-cert.pem -infiles demoCA\csr\localhost2-req.pem

5. Import the certificate chain
   keytool -import -alias ca -keystore demoCA\keystores\localhost2.jks -trustcacerts -file demoCA\cacert.pem
   
6. Import the signed certificate
   keytool -import -alias tomcat -keystore demoCA\keystores\localhost2.jks -file demoCA\newcerts\localhost2-cert.pem
   
7. Install keystore
   <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
              maxThreads="150" SSLEnabled="true">
       <SSLHostConfig>
           <Certificate certificateKeystoreFile="conf/localhost2.jks"
                        type="RSA" />
       </SSLHostConfig>
   </Connector>