查看证书相关指令
# 查看公钥数字证书
openssl x509 -in cacert.pem -noout -text
# 查看私钥数字证书
openssl pkcs12 -in client-cert.pfx -info
# 查看公钥,私钥
openssl rsa -in key.pem -noout -text
自建CA证书颁发
# CA私钥生成
openssl genrsa -out ca.key.pem 2048
# 自签名根证书生成
openssl req -new -x509 -days 3650 -subj "/CN=CA/OU=APEX/O=APEX/L=FZ/ST=FJ/C=CN" -key ca.key.pem -out ca.crt.pem
# 服务端证书(私钥)
openssl genrsa -out server.key.pem 2048
# 服务端证书请求
openssl req -new -subj "/CN=emqx.server/OU=APEX/O=APEX/L=FZ/ST=FJ/C=CN" -key server.key.pem -out server.req
# CA签发证书
openssl x509 -req -days 3650 -in server.req -CA ca.crt.pem -CAkey ca.key.pem -CAcreateserial -out server.crt.pem
# 客户端证书(私钥)
openssl genrsa -out client.key.pem 2048
# 客户端证书请求
openssl req -new -subj "/CN=emqx.client/OU=APEX/O=APEX/L=FZ/ST=FJ/C=CN" -key client.key.pem -out client.req
# CA签发证书
openssl x509 -req -days 3650 -in client.req -CA ca.crt.pem -CAkey ca.key.pem -CAcreateserial -out client.crt.pem
# 私钥格式转换为pkcs8,否则无法读取
openssl pkcs8 -topk8 -inform PEM -in client.key.pem -outform PEM -nocrypt -out client.key.pkcs8.pem
#公钥格式转换为pkcs12,需要合并ca根证书
openssl pkcs12 -export -clcerts -in server.crt -inkey server.key -out server.p12