I've just hacked together a few lines to set up your own PKI with BouncyCastle creating a root certificate, an intermediate certificate, a server certificate and a client certificate. In addition I've added an example with client certificate authentication.
This can be extended with CRL and/or OCSP to implement revocation checking, but I stripped that out. Also: when using CRLs, according to the RFC one should host them over HTTP instead of HTTPS. The reason given is that the PKI already secures the integrity of the files, so there's no need for secure transfer. In addition, using HTTPS could lead to circular dependencies.
A lot of duplicated code could be extracted to methods or even helper classes. I've just stuck to the style of the BouncyCastle example documentation, which pretty much looks the same.
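As an added illustration of the chain described above (root, intermediate, server and client certificate), here is a compact BouncyCastle example that is not the poster's code. It assumes the bcprov and bcpkix jars are on the classpath and uses a hypothetical class name `MiniPki`; the DNs, hostname and validity period are constructed values. Each certificate gets the extensions a validator actually checks: `basicConstraints` (with a path length of 0 on the intermediate so it cannot mint further CAs), a `keyUsage` restricted to the role, and for end entities an `extendedKeyUsage` of `serverAuth` or `clientAuth`. The chain is then validated with the JDK's PKIX validator against the root as trust anchor, with revocation checking disabled because, as noted above, CRL and OCSP were stripped out.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.*;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

// Hypothetical example class (not from the original post); needs bcprov + bcpkix on the classpath.
public class MiniPki {

    static { Security.addProvider(new BouncyCastleProvider()); }

    static final long DAY_MS = 24L * 60 * 60 * 1000;

    static KeyPair keyPair() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "BC");
        kpg.initialize(3072);
        return kpg.generateKeyPair();
    }

    /** Builds and signs one certificate. isCa selects the CA profile, otherwise an end-entity profile. */
    static X509Certificate issue(X500Name issuer, PrivateKey issuerKey, PublicKey issuerPub,
                                 X500Name subject, PublicKey subjectPub,
                                 boolean isCa, int pathLen, KeyPurposeId eku, String dnsName)
            throws Exception {
        Date notBefore = new Date(System.currentTimeMillis() - DAY_MS);
        Date notAfter  = new Date(System.currentTimeMillis() + 365 * DAY_MS);
        BigInteger serial = new BigInteger(64, new SecureRandom()); // random serial, never reused per issuer
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
                issuer, serial, notBefore, notAfter, subject, subjectPub);
        JcaX509ExtensionUtils utils = new JcaX509ExtensionUtils();
        // Key identifiers let a validator find the right issuer when several share a DN.
        b.addExtension(Extension.subjectKeyIdentifier, false, utils.createSubjectKeyIdentifier(subjectPub));
        b.addExtension(Extension.authorityKeyIdentifier, false, utils.createAuthorityKeyIdentifier(issuerPub));
        if (isCa) {
            // CA profile: critical basicConstraints (optionally path-length limited), signing-only key usage.
            b.addExtension(Extension.basicConstraints, true,
                    pathLen < 0 ? new BasicConstraints(true) : new BasicConstraints(pathLen));
            b.addExtension(Extension.keyUsage, true,
                    new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign));
        } else {
            // End-entity profile: explicitly not a CA, TLS key usages, and an EKU that pins the role.
            b.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
            b.addExtension(Extension.keyUsage, true,
                    new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
            b.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(eku));
            if (dnsName != null) {
                b.addExtension(Extension.subjectAlternativeName, false,
                        new GeneralNames(new GeneralName(GeneralName.dNSName, dnsName)));
            }
        }
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(issuerKey);
        X509CertificateHolder holder = b.build(signer);
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(holder);
    }

    /** PKIX path validation of leaf -> intermediate up to the trusted root; revocation checks disabled. */
    static boolean validate(X509Certificate root, X509Certificate intermediate, X509Certificate leaf) {
        try {
            CertPath path = CertificateFactory.getInstance("X.509")
                    .generateCertPath(Arrays.asList(leaf, intermediate));
            PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(root, null)));
            params.setRevocationEnabled(false); // no CRL/OCSP configured in this example
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (GeneralSecurityException e) {
            return false; // CertPathValidatorException carries the reason (bad signature, expired, not a CA, ...)
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPair rootKp = keyPair(), intKp = keyPair(), srvKp = keyPair(), cliKp = keyPair(), rogueKp = keyPair();
        X500Name rootDn = new X500Name("CN=Example Root CA");            // constructed names
        X500Name intDn  = new X500Name("CN=Example Intermediate CA");
        X509Certificate root = issue(rootDn, rootKp.getPrivate(), rootKp.getPublic(),
                rootDn, rootKp.getPublic(), true, -1, null, null);        // self-signed root
        X509Certificate inter = issue(rootDn, rootKp.getPrivate(), rootKp.getPublic(),
                intDn, intKp.getPublic(), true, 0, null, null);           // pathLen 0: may only issue leaves
        X509Certificate server = issue(intDn, intKp.getPrivate(), intKp.getPublic(),
                new X500Name("CN=localhost"), srvKp.getPublic(), false, 0, KeyPurposeId.id_kp_serverAuth, "localhost");
        X509Certificate client = issue(intDn, intKp.getPrivate(), intKp.getPublic(),
                new X500Name("CN=alice"), cliKp.getPublic(), false, 0, KeyPurposeId.id_kp_clientAuth, null);
        // A leaf whose issuer DN claims the intermediate but is signed with an unrelated key must fail.
        X509Certificate forged = issue(intDn, rogueKp.getPrivate(), rogueKp.getPublic(),
                new X500Name("CN=mallory"), cliKp.getPublic(), false, 0, KeyPurposeId.id_kp_clientAuth, null);

        System.out.println("server chain valid: " + validate(root, inter, server));   // true
        System.out.println("client chain valid: " + validate(root, inter, client));   // true
        System.out.println("forged chain valid: " + validate(root, inter, forged));   // false
    }
}
```

For the client-certificate authentication part mentioned above, the server side would put `root` (or `inter`) into the `TrustManager`'s trust store and require client auth on the `SSLServerSocket`; the `validate` method here is the same check that trust manager performs, and the last line shows why the issuer DN alone proves nothing until the signature chains to the anchor.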