#创建CA私钥文件:
openssl genrsa -des3 -out ca-secure.key 2048
#输入密码:
Enter PEM pass phrase:123456
#再次输入密码:
Verifying - Enter PEM pass phrase:123456
#密码证书转无密码(此步按需,比如配置到Apache或者Nginx中时不必每次启动时输入密码)
openssl rsa -in ca-secure.key -out ca.key
#输入上述密码:
Enter pass phrase for ca-secure.key:123456
#查看私钥内容:
openssl rsa -text -in ca-secure.key
#输入密码:
Enter pass phrase for server.key:123456
#生成CA自签名证书
openssl req -new -x509 -days 3650 -key ca.key -subj "/C=CN/ST=BJ/L=BJ/O=MyRootCA/OU=MyCA/CN=CA" -out ca.crt
#生成服务器私钥和证书申请文件CRS(此处CN代表web服务器主机名或IP地址)
openssl req -newkey rsa:2048 -nodes -keyout server.key -subj "/C=CN/ST=BJ/L=BJ/O=MyRootServer/OU=MyServer/CN=192.168.69.78" -out server.csr
#使用CA证书签名SSL证书,此处`-extfile <(printf "subjectAltName=IP:10.10.49.172[,DNS:,...]")`:扩展用于指定主体的备用名称
openssl x509 -req -extfile <(printf "subjectAltName=IP:192.168.69.78") -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
#查看证书内容
openssl x509 -text -noout -in server.crt
参考
不废话之使用openssl自建CA并生成自签名SSL证书
https://zhuanlan.zhihu.com/p/6358873266