$ vim /etc/pki/tls/openssl.cnf
# Edit the `dir` option under [ CA_default ] so it points at the CA working
# directory. This section is only consulted by `openssl ca`; the
# `openssl x509 -req` commands used for signing below do not read it, so the
# edit is optional for this flow (and it changes the system-wide config, so
# consider a private copy of openssl.cnf instead).
dir = /data/www/ca/demoCA # Where everything is kept
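# Working directories. `umask 077` first so every file created in this
# session (in particular the private keys generated below) is owner-only
# instead of inheriting a world-readable default mode.
# The demoCA layout (index.txt, serial, newcerts/) is what `openssl ca`
# expects; the `openssl x509 -req` signing used below does not need it and
# tracks its own serial in ./cacart/ca.srl via -CAcreateserial.
$ umask 077 && \
> mkdir -p ./demoCA/{private,newcerts} && \
> touch ./demoCA/index.txt && \
> echo 01 > ./demoCA/serial && \
> mkdir -p cacart client/czg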
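# CA private key. -aes256 wraps it with a passphrase (prompted now, and again
# each time the key is used to sign). Whoever holds this key can mint
# certificates that every device trusting ca.crt will accept for any
# hostname, so keep it encrypted, owner-only, and out of any directory a web
# server publishes (the paths on this page live under /data/www).
$ openssl genrsa -aes256 -out ./cacart/ca.key 2048
$ chmod 600 ./cacart/ca.key
# Self-signed root in one step. `-extensions v3_ca` selects the [ v3_ca ]
# section of openssl.cnf, which carries basicConstraints CA:true and the key
# identifiers. Signing a CSR with `openssl x509 -req -extfile openssl.cnf`
# and no `-extensions` does not select that section (x509 falls back to the
# file's top-level section, which holds no extensions), so that route either
# errors out or yields a root without CA:true that chain validation rejects.
# `-extensions v3_req` on the CSR would not help: `x509 -req` ignores CSR
# extensions. For a test CA consider also adding a nameConstraints extension
# limiting it to the test domains, so the root cannot vouch for anything else.
$ openssl req -new -x509 -sha256 -days 3650 -key ./cacart/ca.key -out ./cacart/ca.crt -config /etc/pki/tls/openssl.cnf -extensions v3_ca
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShangHai
Locality Name (eg, city) [Default City]:pudong
Organization Name (eg, company) [Default Company Ltd]:ca.czg
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:baidu
Email Address []:
# Confirm before trusting it anywhere: look for "CA:TRUE" under
# "X509v3 Basic Constraints" in the output.
$ openssl x509 -in ./cacart/ca.crt -noout -text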
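# Server (leaf) private key. Same handling as the CA key: owner-only, never
# committed or served.
$ openssl genrsa -out ./client/czg/czg.key 2048
$ chmod 600 ./client/czg/czg.key
# CSR. Only the subject and public key are taken from it: `openssl x509 -req`
# (used below) ignores extensions carried in the CSR unless OpenSSL 3's
# -copy_extensions is given, and takes them from the -extfile instead. A
# `-extensions v3_req` here therefore has no effect on the issued certificate
# and was dropped to avoid suggesting that SANs come from openssl.cnf.
# Browsers match hostnames against subjectAltName, not the CN, so the SAN
# list in v3.ext is what has to be right.
$ openssl req -new -key ./client/czg/czg.key -out ./client/czg/czg.csr -config /etc/pki/tls/openssl.cnf
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShangHai
Locality Name (eg, city) [Default City]:pudong
Organization Name (eg, company) [Default Company Ltd]:czgs company
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:baidu.com
Email Address []:ch_zg@163.com
# Extension file for the leaf certificate; its contents follow.
$ vim ./client/czg/v3.ext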
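# Extensions for the leaf (TLS server) certificate, applied by
# `openssl x509 -req -extfile`. These keys sit in the file's unnamed section,
# which is the one x509 reads when no -extensions is given.
authorityKeyIdentifier = keyid,issuer
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
# Least privilege for a TLS server key: signing (ECDHE handshakes) and RSA key
# transport. nonRepudiation and dataEncipherment are not used by TLS and were
# dropped.
keyUsage = digitalSignature, keyEncipherment
# Marks the certificate for server authentication; clients that check EKU
# require it.
extendedKeyUsage = serverAuth
# Hostnames the certificate is valid for. Browsers match against this list,
# not the CN.
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.baidu.com
DNS.2 = baidu.com
DNS.3 = test.baidu.com
# Add IP entries only for addresses the server is actually reached on:
#IP.1 = 1.1.1.1
#IP.2 = 2.2.2.2
#IP.3 = 3.3.3.3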
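# Issue the leaf certificate. -days 825 rather than 3650: Apple platforms
# (iOS 13 / macOS 10.15 and later) reject TLS server certificates valid for
# more than 825 days regardless of which root signed them, and a shorter
# lifetime bounds the exposure if czg.key leaks. -CAcreateserial creates
# ./cacart/ca.srl on first use and increments it on later runs. The CA key
# passphrase is prompted for here.
$ openssl x509 -req -days 825 -sha256 -CA ./cacart/ca.crt -CAkey ./cacart/ca.key -CAcreateserial -in ./client/czg/czg.csr -out ./client/czg/czg.crt -extfile ./client/czg/v3.ext
# Inspect the certificate that was actually issued (the CSR says nothing
# about the extensions x509 -req added) and confirm it chains to the CA.
$ openssl x509 -in ./client/czg/czg.crt -noout -text
$ openssl verify -CAfile ./cacart/ca.crt ./client/czg/czg.crt
# Install cacart/ca.crt on the devices that will access the domain; on a PC
# it goes into the "Trusted Root Certification Authorities" store. Install
# only ca.crt, never ca.key, and only on test devices: a device trusting this
# root accepts any certificate signed with ca.key for any hostname, so a
# leaked key allows interception of all of that device's TLS traffic. Remove
# the root again when testing is finished.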