使用openssl生成自签名CA证书，并用它为服务器证书签名

自签名证书生成

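# Generate the CA private key ca.key (2048-bit RSA, written without a passphrase).
# Whoever can read ca.key can issue certificates that every client trusting
# ca.crt will accept, so restrict the file to its owner and store it away
# from the servers that only need server.key / server.crt.
openssl genrsa -out ca.key 2048
chmod 600 ca.key
# Create the self-signed CA certificate ca.crt, valid for 365 days.
# -sha256 pins the signature digest instead of relying on the build default.
# The subject fields are asked for interactively.
openssl req -new -x509 -sha256 -days 365 -key ca.key -out ca.crt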

使用自签名证书签名服务器证书

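# Generate the server private key server.key (2048-bit RSA, no passphrase)
# and make it readable by its owner only.
openssl genrsa -out server.key 2048
chmod 600 server.key
# Create the certificate signing request server.csr for that key.
openssl req -new -key server.key -out server.csr
# Sign the request with the CA to produce server.crt, valid for 365 days.
# -CAcreateserial is used instead of a fixed "-set_serial 01": a hard-coded
# serial gives every certificate issued by this CA the same serial number,
# and clients may reject a second certificate with a reused issuer/serial
# pair. The serial is kept in a .srl file named after the CA certificate.
# Note: no extensions are added by this command, so the resulting certificate
# has no subjectAltName; current TLS clients match host names against
# subjectAltName, not the commonName.
openssl x509 -req -sha256 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt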

验证证书有效性

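# Check that server.crt really chains to ca.crt; prints "server.crt: OK" on
# success and a non-zero exit status with an error otherwise.
openssl verify -CAfile ca.crt server.crt
# Print the certificate fields for manual inspection (subject, issuer,
# validity period, serial number, extensions). This only displays the
# certificate; it does not validate the signature or the chain.
openssl x509 -text -noout -in server.crt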

openssl签名配置文件server.conf

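[req]
default_bits = 2048
default_keyfile = server.key
distinguished_name = req_distinguished_name
# encrypt_key = no: a private key generated by `openssl req` is written
# without a passphrase, so protect the key file with file permissions.
encrypt_key = no
default_md = sha256
req_extensions = req_ext

# NOTE(review): only *_default / *_max values are listed in this section.
# `openssl req` appears to need the matching field entries as well
# (e.g. "commonName = Common Name") before these defaults are used;
# confirm before passing this file to `req -config`.
[req_distinguished_name]
commonName_default = www.xxx.com
commonName_max = 64
organizationName_default = xxx Co.,Ltd.
organizationalUnitName_default = IT Support Dept
localityName_default = City
stateOrProvinceName_default = Province
countryName_default = CN

[req_ext]
# Host names and IP addresses the server certificate is valid for.
subjectAltName = @alt_names

[alt_names]
# Placeholder values; replace them with the server's real DNS name and IP.
DNS.1 = www.xxx.com
IP.1 = xxx.xxx.xxx.xxx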

使用配置文件生成server.crt证书

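# Sign server.csr with the CA and add the extensions defined in server.conf.
# -extensions req_ext names the section to read. Without it, `x509` looks only
# at the file's unnamed default section (or an "extensions" variable in it),
# which server.conf does not define, so subjectAltName would be silently
# omitted from the certificate.
# -CAcreateserial lets openssl manage the serial number; a fixed
# "-set_serial 01" would give every certificate from this CA the same serial.
# Confirm the result with `openssl x509 -text -noout -in server.crt` and look
# for the "X509v3 Subject Alternative Name" entry.
openssl x509 -req -sha256 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile server.conf -extensions req_ext -out server.crt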

 
