(1)自签CA证书
#生成根证书私钥(pem文件)
openssl genrsa -out cakey.pem 2048
#生成根证书签发申请文件(csr文件)
openssl req -new -key cakey.pem -out ca.csr -subj “/C=CN/ST=myprovince/L=mycity/O=myorganization/OU=mygroup/CN=myCA”
#自签发根证书(cer文件)
openssl x509 -req -days 365 -sha1 -extensions v3_ca -signkey cakey.pem -in ca.csr -out cacert.pem
(2)服务端私钥和证书
#生成服务端私钥
openssl genrsa -out serverkey.pem 2048
#生成证书请求文件
openssl req -new -key serverkey.pem -out server.csr -subj “/C=CN/ST=myprovince/L=mycity/O=myorganization/OU=mygroup/CN=myServer”
#使用根证书签发服务端证书
openssl x509 -req -days 365 -sha1 -extensions v3_req -CA ./cacert.pem -CAkey ./cakey.pem -CAserial ca.srl -CAcreateserial -in server.csr -out servercert.pem
#使用CA证书验证server端证书
openssl verify -CAfile ./cacert.pem servercert.pem
(3)客户端私钥和证书
#生成客户端私钥
openssl genrsa -out cli