1. 创建私钥(.key)
# Generate the server's 2048-bit RSA private key.
# No cipher option is passed, so server.key is written without passphrase
# protection; keep it readable only by the account that runs the server.
openssl genrsa \
  -out server.key \
  2048
2. 基于私钥(.key)创建证书签名请求(.csr)
# Build the certificate signing request for server.key. The subject comes
# from the file given with -config; the ssl.cnf listed on this page sets
# prompt = no, so nothing is asked interactively.
# NOTE(review): the ssl.cnf shown here requests no subjectAltName, so the
# CSR carries only a subject DN — confirm that is intended.
openssl req -new \
  -key server.key \
  -config ./…/ssl.cnf \
  -out server.csr
3.生成CA私钥(ca.key)和CA自签名证书(ca.crt)
# Create the private CA in one step: a new 2048-bit RSA key (ca.key) and a
# self-signed certificate (ca.crt) valid for 36500 days (about 100 years).
# NOTE(review): -nodes stores ca.key unencrypted. Anyone who can read that
# file can issue certificates accepted by every client that trusts ca.crt,
# so keep it off the server host and restrict access to it, or drop -nodes
# to protect it with a passphrase.
# NOTE(review): with a 36500-day lifetime the CA has no planned rotation
# point; decide how ca.crt would be replaced if ca.key is ever exposed.
# NOTE(review): sslCa.cnf is not shown on this page — confirm it marks the
# certificate as a CA (basicConstraints = CA:TRUE).
openssl req -x509 \
  -newkey rsa:2048 -nodes \
  -keyout ca.key \
  -out ca.crt \
  -days 36500 \
  -config ./…/sslCa.cnf
4. 使用CA证书(ca.crt)与密钥(ca.key)签署服务器的证书签名请求(server.csr),生成私有CA签名的服务器证书(server.crt)
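# Sign server.csr with the private CA to produce server.crt.
#
# `openssl x509 -req` only adds the extensions it is given with -extfile.
# The original command passed none, so the issued certificate had no
# subjectAltName. Current TLS clients match the host name against
# subjectAltName and ignore the subject CN, so that certificate fails host
# name verification. server.ext is a file name chosen for this note; the DNS
# name repeats the CN from ssl.cnf — list every name the server is reached by.
printf '%s\n' \
  'basicConstraints = CA:FALSE' \
  'extendedKeyUsage = serverAuth' \
  'subjectAltName = DNS:hehe.com' \
  > server.ext

# -sha256 pins the signature digest instead of relying on the build default.
# -CAcreateserial creates the CA serial-number file if it does not exist yet.
# NOTE(review): -days 36500 is kept from the original; some client platforms
# cap the validity period they accept for TLS server certificates, so a much
# shorter lifetime with scheduled re-issuance is the safer choice.
openssl x509 -req -sha256 \
  -in server.csr \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -extfile server.ext \
  -out server.crt \
  -days 36500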
5.验证证书
# Check that server.crt chains to ca.crt. This validates the signature chain
# only; it does not check that the certificate matches a host name.
openssl verify \
  -CAfile ca.crt \
  server.crt

# Separate, unnumbered step: re-encode server.key as PKCS#8.
# -nocrypt writes the output unencrypted, so pkcs8_server.pk8 is a second
# plaintext copy of the server private key and needs the same protection
# as server.key.
openssl pkcs8 -topk8 \
  -nocrypt \
  -in server.key \
  -out pkcs8_server.pk8
ssl.cnf(第 2 步使用的配置文件)
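# Settings read by `openssl req -config` when building server.csr.
# NOTE(review): no req_extensions section is defined here, so the request
# carries a subject DN only and no subjectAltName.
[ req ]
distinguished_name = req_distinguished_name
# Take the subject from the section below instead of prompting for it.
prompt = no
# The O value below is not ASCII. Without this setting openssl req treats
# field values as ASCII and the organisation name is mis-encoded in the
# request; this file must itself be saved as UTF-8.
utf8 = yes
[ req_distinguished_name ]
C = CN
ST = Zhejiang
L = Ningbo
O = 浙江呵呵集团有线公司
OU = IT Dept
# Host name the certificate is issued for.
CN = hehe.com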