1. Generate a 4096-bit RSA private key, encrypted with Triple DES (the -des3 option)
openssl genrsa -des3 -out ca.key 4096
2. Generate the CA's self-signed certificate
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:QNNN
Organizational Unit Name (eg, section) []:DEV
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:
3. Generate the private key for the client certificate
openssl genrsa -des3 -out qncph.key 4096
4. The party whose certificate is to be signed (the server) generates a certificate signing request
openssl req -new -key qncph.key -out qncph.csr
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:QN
Organizational Unit Name (eg, section) []:DEV
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1111111
An optional company name []:
5. Sign the generated CSR with the CA (v3.ext is the X.509 v3 extension file; its contents are not listed in this note)
openssl x509 -req -extfile v3.ext -days 3650 -in qncph.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out qncph.crt
6. Bundle key and certificate into a PFX (PKCS#12) file
openssl pkcs12 -export -out qncph.pfx -inkey qncph.key -in qncph.crt
(optional: append -certfile my.crt to include an additional certificate in the bundle)
7. Manual import steps (mandatory; otherwise binding the port in step 8 fails):
Import qncph.pfx with MMC into the Local Computer > Personal store
Import ca.crt into the Trusted Root Certification Authorities store
8. Run the command:
netsh http add sslcert ipport=0.0.0.0:8097 certhash=a31ef651b8338435f18b533dc6a69a048aede44b appid={7a58db97-3581-46c7-bbbf-a2dafb56cfb7} clientcertnegotiation=enable
9. View the binding:
netsh http show sslcert |findstr 8097
10. Delete the binding:
netsh http delete sslcert ipport=0.0.0.0:8097
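As an added example (not code from the original note), steps 1 to 6 as one non-interactive POSIX shell script, followed by the checks worth running before step 7: that the CA really issued the certificate, that the leaf is not itself a CA, and the SHA-1 thumbprint that step 8 expects as certhash. It assumes openssl is on PATH; the passphrase, the subject fields and the contents of v3.ext (which the note references but does not list) are this example's own constructed values.

```shell
#!/bin/sh
# Added example, not part of the original note: steps 1-6 run non-interactively,
# followed by the checks worth doing before importing anything into Windows.
# Assumptions: openssl is on PATH; the passphrase, subject fields and the
# contents of v3.ext below are constructed for this example (the note itself
# does not show v3.ext).

# Build CA key/cert, leaf key/CSR, signed leaf cert and PFX inside $1.
# $2 is an openssl pass phrase spec (default: the constructed "pass:changeit").
make_chain() (
  set -e
  dir="$1"
  pass="${2:-pass:changeit}"
  mkdir -p "$dir"

  # Step 1: 4096-bit CA key, Triple-DES encrypted (-des3), passphrase from $pass
  openssl genrsa -des3 -passout "$pass" -out "$dir/ca.key" 4096 2>/dev/null

  # Step 2: self-signed CA certificate; -subj replaces the interactive prompts
  openssl req -new -x509 -days 3650 -key "$dir/ca.key" -passin "$pass" \
    -subj "/C=CN/ST=BJ/L=BJ/O=QNNN/OU=DEV/CN=localhost" -out "$dir/ca.crt"

  # Step 3: key for the certificate to be signed
  openssl genrsa -des3 -passout "$pass" -out "$dir/qncph.key" 4096 2>/dev/null

  # Step 4: certificate signing request
  openssl req -new -key "$dir/qncph.key" -passin "$pass" \
    -subj "/C=CN/ST=BJ/L=BJ/O=QN/OU=DEV/CN=localhost" -out "$dir/qncph.csr"

  # Assumed v3.ext: mark the leaf as an end-entity (CA:FALSE) so it cannot
  # issue further certificates, restrict key usage, and carry a SAN, which
  # modern TLS clients check instead of the CN.
  cat > "$dir/v3.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=DNS:localhost
EOF

  # Step 5: sign the CSR with the CA (serial 01, as in the note)
  openssl x509 -req -extfile "$dir/v3.ext" -days 3650 -in "$dir/qncph.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -passin "$pass" -set_serial 01 \
    -out "$dir/qncph.crt" 2>/dev/null

  # Step 6: PKCS#12 bundle; -certfile adds the CA so the chain imports with it
  openssl pkcs12 -export -out "$dir/qncph.pfx" -inkey "$dir/qncph.key" \
    -passin "$pass" -in "$dir/qncph.crt" -certfile "$dir/ca.crt" -passout "$pass"
)

# Check before importing: the CA really issued the leaf, and the leaf is not
# itself a CA. Returns 0 on success, 1 otherwise.
verify_chain() {
  dir="$1"
  openssl verify -CAfile "$dir/ca.crt" "$dir/qncph.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/qncph.crt" -noout -text | grep -q 'CA:FALSE' || return 1
}

# The certhash that netsh expects is the certificate's SHA-1 thumbprint.
# Prints it as 40 lower-case hex digits without colons.
cert_thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 \
    | sed -e 's/^.*=//' -e 's/://g' | tr 'A-Z' 'a-z'
}

# Usage: make_chain ./out && verify_chain ./out && cert_thumbprint ./out/qncph.crt
```

Two caveats the note leaves implicit: -set_serial 01 hard-codes the serial number, so reissuing from the same CA yields a second certificate with the same issuer and serial, which clients reject; and the certhash in step 8 is the thumbprint of the specific certificate, so it must be recomputed after every regeneration rather than reused. If an older Windows refuses a PFX produced by OpenSSL 3, re-export it with the -legacy option.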
Second method of creating the certificates:
1. Create a self-signed CA certificate and its private key with makecert:
makecert -n "CN=CPhoneCA" -r -sv CPhoneCA.pvk CPhoneCA.cer
2. Issue a certificate signed by that CA, stored in the Local Machine Personal (My) store:
makecert -sk CPhoneSignedByCA -iv CPhoneCA.pvk -n "CN=CPhoneSignedByCA" -ic CPhoneCA.cer CPhoneSignedByCA.cer -sr localmachine -ss My
3. Bind the port to the new certificate (certhash is this certificate's thumbprint):
netsh http add sslcert ipport=0.0.0.0:8097 certhash=8ef27202fc5e49fb48244779af0884c08e25b0cc appid={7a58db97-3581-46c7-bbbf-a2dafb56cfb7} clientcertnegotiation=enable