Source: https://gist.github.com/liuguangw/4d4b87b750be8edb700ff94c783b1dd4
Generate the CA private key
openssl genrsa -des3 -out myCA.key 2048
Generate the CA certificate
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 7300 -out myCA.crt
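Import this certificate into each PC where it needs to be deployed; from then on, certificates signed by this CA can be used there.
Command to view the certificate information: openssl x509 -in myCA.crt -noout -text
Create the SSL certificate private key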
openssl genrsa -out localhost.key 2048
Create the SSL certificate CSR
openssl req -new -key localhost.key -out localhost.csr
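Create the extension configuration file for the domain names
Create a new file named cert.ext
Enter the following content and save it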
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
IP.2 = 127.0.0.1
DNS.3 = test.com
DNS.4 = *.test.com
Sign the SSL certificate with the CA (the command below expects the CA files under ../ca)
openssl x509 -req -in localhost.csr -out localhost.crt -days 3650 \
-CAcreateserial -CA ../ca/myCA.crt -CAkey ../ca/myCA.key \
-CAserial serial -extfile cert.ext
This step prompts for the passphrase of the CA private key.
View the certificate contents: openssl x509 -in localhost.crt -noout -text
Verify the certificate
openssl verify -CAfile ../ca/myCA.crt localhost.crt
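The whole procedure as one non-interactive script, added here as an example and not part of the original gist: it signs a CSR once with and once without -extfile and prints the SAN entries of each result, because openssl x509 -req puts no subjectAltName into the certificate unless the extension file supplies it. The subject names, the passphrase demo-only and the temporary ca/ and site/ directories are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: throwaway CA in a temp directory. The subject names and the
# passphrase "demo-only" are constructed placeholders, not from the page.

make_ca() (   # the page's two CA steps, made non-interactive
    mkdir -p "$1/ca" "$1/site" && cd "$1/ca" || exit 1
    openssl genrsa -des3 -passout pass:demo-only -out myCA.key 2048 2>/dev/null &&
    openssl req -x509 -new -nodes -key myCA.key -passin pass:demo-only \
        -sha256 -days 7300 -subj "/CN=Demo Local CA" -out myCA.crt
)

write_ext() {   # the page's cert.ext, unchanged
    cat > "$1/site/cert.ext" <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
IP.2 = 127.0.0.1
DNS.3 = test.com
DNS.4 = *.test.com
EOF
}

# issue DIR OUT [EXTFILE]: key, CSR and signing as on the page; EXTFILE is
# optional here so the result of leaving out -extfile can be inspected.
issue() (
    cd "$1/site" || exit 1
    openssl genrsa -out localhost.key 2048 2>/dev/null &&
    openssl req -new -key localhost.key -subj "/CN=localhost" -out localhost.csr &&
    openssl x509 -req -in localhost.csr -out "$2" -days 3650 \
        -CAcreateserial -CA ../ca/myCA.crt -CAkey ../ca/myCA.key \
        -CAserial serial -passin pass:demo-only ${3:+-extfile "$3"} 2>/dev/null
)

sans() {   # print a certificate's SAN entries, one per line (none: no output)
    openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;p;}' |
        tr ',' '\n' | sed 's/^ *//;s/ *$//'
}

tmp=$(mktemp -d) && make_ca "$tmp" && write_ext "$tmp" &&
    issue "$tmp" with.crt cert.ext && issue "$tmp" without.crt || exit 1
echo "with -extfile:    $(sans "$tmp/site/with.crt" | tr '\n' ' ')"
echo "without -extfile: $(sans "$tmp/site/without.crt" | tr '\n' ' ')"
openssl verify -CAfile "$tmp/ca/myCA.crt" "$tmp/site/with.crt"
```

Running sans against a freshly issued certificate before deploying it catches a forgotten or misnamed extension file, which otherwise only shows up as a hostname mismatch in the client.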