1. 使用中级CA签发一个服务器证书
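# Sign the request certreq.txt with the intermediate CA (subca.crt / subca.key).
# Extensions are read from server.conf; by default `openssl x509 -req` does not
# copy extensions from the request itself.
# -sha256 replaces -sha1: current TLS clients reject SHA-1 certificate signatures.
# NOTE(review): 3650 days is long for a server certificate; some clients refuse
# leaf certificates with a long validity period, so shorten it if they must accept it.
# subca.key is the CA signing key: keep it readable only by the CA operator.
openssl x509 -req -days 3650 -sha256 -extfile server.conf -CA subca.crt -CAkey subca.key -CAserial subca.srl -CAcreateserial -in certreq.txt -out serverbysubca.crt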
2. 使用根CA签发一个服务器证书
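# Sign the request myhost.req directly with the root CA (myrootca.crt / myrootca.key).
# Extensions are read from server.conf; by default `openssl x509 -req` does not
# copy extensions from the request itself.
# -sha256 replaces -sha1: current TLS clients reject SHA-1 certificate signatures.
# NOTE(review): signing leaf certificates with the root key means the root key must
# be in regular use; issuing through the intermediate CA lets the root key stay offline.
# NOTE(review): 3650 days is long for a server certificate; shorten it if clients
# that limit leaf validity must accept it.
openssl x509 -req -days 3650 -sha256 -extfile server.conf -CA myrootca.crt -CAkey myrootca.key -CAserial myrootca.srl -CAcreateserial -in myhost.req -out myhost.crt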
rootca.conf:
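# Root CA extensions.
# RFC 5280 requires basicConstraints to be marked critical in CA certificates
# and recommends the same for keyUsage, so validators that do not understand
# an extension cannot silently ignore the CA restrictions.
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign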
subca.conf:
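# Intermediate CA extensions.
# pathlen:0 limits this CA to signing end-entity certificates; it cannot
# create further subordinate CAs. Marked critical as RFC 5280 requires for
# CA certificates (and recommends for keyUsage).
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
# nsCertType is a legacy Netscape extension, kept here as in the original;
# the CA restrictions that matter are basicConstraints and keyUsage above.
nsCertType = sslCA, emailCA, objCA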
server.conf:
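# End-entity (TLS server) extensions.
# CA:false keeps this certificate from being accepted as an issuer.
basicConstraints = CA:false
# Key usage reduced to what a TLS server with an RSA key needs.
# dataEncipherment and keyAgreement were dropped; add keyAgreement back only
# if the certificate holds a static (EC)DH key.
keyUsage = digitalSignature, keyEncipherment
# Legacy Netscape extension, kept as in the original.
nsCertType = server
# msSGC / nsSGC (Server Gated Crypto) are obsolete step-up usages from the
# export-cipher era and were removed; serverAuth is what TLS clients check.
extendedKeyUsage = serverAuth
# Current clients match the host name against subjectAltName rather than the
# subject CN, and `openssl x509 -req` does not copy request extensions by
# default, so the name has to be set in this file. Placeholder value below:
# subjectAltName = DNS:server.example.test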