根证书

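# Root CA: P-384 key, CSR, then a self-signed certificate valid for 10950 days.
# root.key is written unencrypted. The subshell umask makes it readable by its
# owner only; keep this key offline or encrypted at rest, since every
# certificate issued below chains to it.
# -noout omits the separate "EC PARAMETERS" block so the file holds only the key.
(umask 077 && openssl ecparam -name secp384r1 -genkey -noout -out root.key)
openssl req -new -sha384 -key root.key -out root.csr -config root.cnf
# -extensions names a single section of the -extfile. When it was given twice
# (v3_req, then v3_ca) only the last value, v3_ca, was applied, so that is the
# one kept here.
openssl x509 -req -extfile root.cnf -extensions v3_ca -sha384 -days 10950 -in root.csr -signkey root.key -out root.crt
# Inspect the result: check that basicConstraints and keyUsage are what you expect.
openssl x509 -in root.crt -noout -text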

中间证书

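# Intermediate CA: P-256 key, CSR, then a certificate signed by the root,
# valid for 3650 days.
# mid.key is written unencrypted; the subshell umask restricts it to its owner.
# -noout omits the separate "EC PARAMETERS" block so the file holds only the key.
(umask 077 && openssl ecparam -name prime256v1 -genkey -noout -out mid.key)
openssl req -new -sha256 -key mid.key -out mid.csr -config mid.cnf
# -extensions names a single section of the -extfile. When it was given twice
# (v3_req, then v3_ca) only the last value, v3_ca, was applied, so that is the
# one kept here.
# -CAcreateserial creates root.srl if it does not exist yet.
openssl x509 -req -CA root.crt -CAkey root.key -CAserial root.srl -CAcreateserial -days 3650 -sha256 -in mid.csr -out mid.crt -extfile mid.cnf -extensions v3_ca
# Check that the intermediate chains to the root before issuing anything from it.
openssl verify -CAfile root.crt mid.crt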

服务器证书

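# Server (leaf) certificate: P-256 key, CSR, then a certificate signed by the
# intermediate CA, valid for 730 days.
# server.key is written unencrypted; the subshell umask restricts it to its owner.
# -noout omits the separate "EC PARAMETERS" block so the file holds only the key.
(umask 077 && openssl ecparam -name prime256v1 -genkey -noout -out server.key)
openssl req -new -sha256 -key server.key -out server.csr -config server.cnf
# NOTE(review): this reuses root.srl as the serial file although the issuer here
# is mid.crt. Serial numbers only need to be unique per issuer, so it works, but
# a separate serial file per CA is easier to audit.
openssl x509 -req -extfile server.cnf -extensions v3_req -in server.csr -CA mid.crt -CAkey mid.key -CAserial root.srl -CAcreateserial -out server.pem -days 730 -sha256
# server.pem holds only the leaf. A client that trusts just root.crt also needs
# mid.crt, so the server must send it. Verify the full chain:
openssl verify -CAfile root.crt -untrusted mid.crt server.pem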

root.cnf

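# root.cnf: OpenSSL configuration for the root CA request and certificate.

[ req ]
# default_bits only matters when "openssl req" generates a key itself. The
# commands on this page pass an existing EC key with -key, so it is not used.
default_bits = 4096
distinguished_name = req_distinguished_name
# x509_extensions is read by "openssl req -x509" only; a plain "req -new" does
# not consult it.
x509_extensions = v3_req
# Take the subject from this file instead of prompting.
prompt = no

[ req_distinguished_name ]
# Placeholders: fill in O, OU and CN before running "openssl req".
# Empty values may be rejected or skipped, depending on the OpenSSL version.
C = CN
O = 
OU = 
CN = 

[ v3_req ]
# Extensions to add to a certificate request
# This section does not reach the issued certificate when the signing command's
# final -extensions argument is v3_ca.
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
basicConstraints = CA:true

[ v3_ca ]
# Extensions placed in the root certificate by "openssl x509 -extensions v3_ca".
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# RFC 5280 requires basicConstraints to be marked critical in CA certificates.
basicConstraints = critical, CA:true
# Restrict the root key to signing certificates and CRLs. This restriction
# previously existed only in v3_req and so never reached the certificate.
keyUsage = critical, keyCertSign, cRLSign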

mid.cnf

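# mid.cnf: OpenSSL configuration for the intermediate CA request and certificate.

[ req ]
# default_bits only matters when "openssl req" generates a key itself. The
# commands on this page pass an existing EC key with -key, so it is not used.
default_bits = 256
distinguished_name = req_distinguished_name
# x509_extensions is read by "openssl req -x509" only; a plain "req -new" does
# not consult it.
x509_extensions = v3_req
# Take the subject from this file instead of prompting.
prompt = no

[ req_distinguished_name ]
# Placeholders: fill in O, OU and CN before running "openssl req".
# Empty values may be rejected or skipped, depending on the OpenSSL version.
C = CN
O = 
OU = 
CN = 

[ v3_req ]
# Extensions to add to a certificate request
# This section does not reach the issued certificate when the signing command's
# final -extensions argument is v3_ca.
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
basicConstraints = CA:true

[ v3_ca ]
# Extensions placed in the intermediate certificate by
# "openssl x509 -extensions v3_ca".
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# pathlen:0 lets this CA sign end-entity certificates only, not further CAs,
# so a compromised intermediate key cannot mint sub-CAs.
# RFC 5280 requires basicConstraints to be marked critical in CA certificates.
basicConstraints = critical, CA:true, pathlen:0
# Restrict the intermediate key to signing certificates and CRLs. This
# restriction previously existed only in v3_req and so never reached the
# certificate.
keyUsage = critical, keyCertSign, cRLSign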

server.cnf

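# server.cnf: OpenSSL configuration for the server (leaf) request and certificate.

[ req ]
distinguished_name = req_distinguished_name
# x509_extensions is read by "openssl req -x509" only. The leaf's extensions are
# applied at signing time through "openssl x509 -extfile server.cnf -extensions v3_req".
x509_extensions = v3_req
# Take the subject from this file instead of prompting.
prompt = no

[ req_distinguished_name ]
# Placeholder: fill in before use. Clients match the hostname against
# subjectAltName, so the names in [ alternate_names ] are the ones that matter.
CN = 

[ v3_req ]
# Extensions added to the server certificate at signing time
authorityKeyIdentifier = keyid
subjectKeyIdentifier = hash
subjectAltName = @alternate_names
# The server key on this page is an EC key, which only signs in TLS.
# keyEncipherment applies to RSA key transport and is dropped; add it back only
# if this file is reused with an RSA key and RSA key exchange.
keyUsage = critical, digitalSignature
# NOTE(review): clientAuth also lets this certificate authenticate as a TLS
# client. Remove it if the certificate is only ever presented by a server.
extendedKeyUsage = serverAuth, clientAuth
# A leaf certificate must not be usable as a CA.
basicConstraints = critical, CA:FALSE

[ alternate_names ]
# Placeholders: fill in every DNS name and IP address the server is reached by,
# and delete unused entries. An empty entry makes signing fail.
DNS.1 = 
DNS.2 = 
IP.1 = 
IP.2 =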