步骤
1.openssl genrsa -aes256 -out ca-key.pem 4096
2.openssl req -new -x509 -days 3650 -key ca-key.pem -sha256 -out ca.pem
3.openssl genrsa -out server-key.pem 4096
4.openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr
5.echo extendedKeyUsage = serverAuth >> extfile.cnf
6.echo subjectAltName = DNS:$HOST,IP:10.10.10.20,IP:127.0.0.1,IP:公网IP >> extfile.cnf
7.openssl x509 -req -days 3650 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
8.openssl genrsa -out key.pem 4096
9.openssl req -subj '/CN=$CLIENT_HOST' -new -key key.pem -out client.csr
10.mv extfile.cnf extfile.cnf.old
11.echo extendedKeyUsage = clientAuth >> extfile.cnf
12.openssl x509 -req -days 3650 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out cert.pem -extfile extfile.cnf
13.rm -v client.csr server.csr
14.chmod -v 0400 ca-key.pem k