使用openssl创建自签名证书
创建根证书
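# Create the ca directory. -p lets the step be repeated without an error when
# the directory already exists; mode 700 keeps other local users out of the
# directory that holds the CA private key.
mkdir -p ca
chmod 700 ca
# Create the root key ca.key (2048-bit RSA). No cipher option is given, so the
# key is written unencrypted: anyone who can read this file can issue
# certificates that every client trusting ca.crt will accept.
openssl genrsa -out ca/ca.key 2048
# Owner-only access, regardless of the umask or OpenSSL version in use.
chmod 600 ca/ca.key
# Create the self-signed root certificate ca.crt, valid for 3650 days.
# -sha256 states the signature digest explicitly instead of relying on the
# default of the installed OpenSSL.
openssl req -x509 -new -nodes -sha256 -key ca/ca.key -subj "/C=CN/ST=Heibei/L=Shijiazhuang/CN=WuLong" -days 3650 -out ca/ca.crt
# Inspect the root certificate.
# NOTE(review): the CA extensions (basicConstraints CA:TRUE) are expected to
# come from the system openssl.cnf, not from this command line - confirm they
# appear in the output before distributing ca.crt.
openssl x509 -noout -text -in ca/ca.crt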
创建服务器证书
现在让我们使用上面创建的根证书，签发一个可以用于 https 的服务器证书。注意：只有根证书是自签名的，服务器证书由该根证书签发；客户端必须先信任 ca/ca.crt，才会接受这个服务器证书。
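# Create the OpenSSL configuration file ssl_conf.ini. It is used twice: by
# "openssl req -config" to build the CSR and by "openssl x509 -extfile" to
# choose the extensions placed in the signed server certificate.
#
# The heredoc delimiter is quoted so the shell writes the text literally and
# never expands anything inside it.
#
# The [ req_ext ] section restricts the issued certificate to TLS server use:
#   basicConstraints = CA:FALSE    - the certificate cannot sign other certificates
#   keyUsage / extendedKeyUsage    - limit the key to TLS server authentication
#   subjectAltName                 - the host names clients will match against
cat > ssl_conf.ini <<'EOF'
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Heibei
localityName = Locality Name (eg, city)
localityName_default = Shijiazhuang
organizationName = Organization Name (eg, company)
organizationName_default = WuXixi
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = wuxixi.site
[ req_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.wuxixi.site
DNS.2 = wuxixi.site
EOF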
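# Create the server directory. -p lets the step be repeated when the directory
# already exists; mode 700 keeps other local users away from the server key.
mkdir -p server
chmod 700 server
# Create the server key server.key (2048-bit RSA, written unencrypted).
openssl genrsa -out server/server.key 2048
# Owner-only access, regardless of the umask or OpenSSL version in use.
chmod 600 server/server.key
# Generate the server certificate signing request server.csr.
# ssl_conf.ini sets no "prompt = no" and no -subj is passed, so this command
# asks for each subject field; pressing Enter accepts the *_default values.
openssl req -sha256 -new -key server/server.key -config ssl_conf.ini -out server/server.csr
# Sign the request with the root CA to produce server.crt.
# -extensions/-extfile are required here: "x509 -req" takes the extensions
# (including subjectAltName) from the named section of ssl_conf.ini.
# -CAcreateserial creates the CA serial-number file if it does not exist yet.
# NOTE(review): some TLS clients (for example Apple platforms) reject server
# certificates valid for more than 825 days; shorten -days if such clients
# must connect.
openssl x509 -req -sha256 -days 3650 \
  -CA ca/ca.crt -CAkey ca/ca.key -CAcreateserial \
  -in server/server.csr -out server/server.crt \
  -extensions req_ext -extfile ssl_conf.ini
# Inspect the issued server certificate (not the request) and check that the
# subjectAltName entries from ssl_conf.ini are present.
openssl x509 -noout -text -in server/server.crt
# Confirm that the server certificate chains to the root created earlier.
openssl verify -CAfile ca/ca.crt server/server.crt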