1.签发根CA
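# Root CA private key: 4096-bit RSA, passphrase-protected with AES-256.
# 1024-bit RSA is below the 2048-bit minimum that current TLS libraries and
# browsers accept, and 3DES (-des3) is a legacy cipher for key-file encryption.
openssl genrsa -aes256 -out myrootca.key 4096
# Certificate signing request for the root CA (prompts for the subject fields).
openssl req -new -key myrootca.key -out myrootca.req
# Self-sign the request with the root key (-signkey), applying the extensions in
# rootca.conf. The digest is pinned to SHA-256 so the result does not depend on
# the default of the installed OpenSSL version.
openssl x509 -req -days 7305 -sha256 -extfile rootca.conf -signkey myrootca.key -in myrootca.req -out myrootca.crt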
2.签发中级CA
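# Intermediate CA private key: 4096-bit RSA instead of 1024-bit, and
# passphrase-protected like the root key, because this key signs certificates.
openssl genrsa -aes256 -out subca.key 4096
# Certificate signing request for the intermediate CA.
openssl req -new -key subca.key -out subca.req
# Sign the intermediate with the root CA, applying the extensions in subca.conf.
# SHA-1 signatures are rejected by current TLS clients, so SHA-256 is used.
# -CAcreateserial creates myrootca.srl if it does not exist yet.
openssl x509 -req -days 3650 -sha256 -extfile subca.conf -CA myrootca.crt -CAkey myrootca.key -CAserial myrootca.srl -CAcreateserial -in subca.req -out subca.crt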
3.使用中级CA签发一个服务器证书
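# Sign the server's CSR (certreq.txt) with the intermediate CA, applying the
# extensions in server.conf. SHA-256 replaces SHA-1, whose signatures are
# rejected by current TLS clients.
# NOTE(review): some TLS clients enforce a maximum lifetime on server
# certificates; confirm that 3650 days is accepted by the clients in use.
# The RSA key size of the key behind certreq.txt is not controlled here; check
# that it is at least 2048 bits before signing.
openssl x509 -req -days 3650 -sha256 -extfile server.conf -CA subca.crt -CAkey subca.key -CAserial subca.srl -CAcreateserial -in certreq.txt -out serverbysubca.crt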
4.使用根CA签发一个服务器证书
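# Sign the server's CSR (myhost.req) directly with the root CA, applying the
# extensions in server.conf. SHA-256 replaces SHA-1, whose signatures are
# rejected by current TLS clients.
# Issuing leaf certificates from the root means the root key has to be available
# for routine signing; keeping the root offline and issuing from the
# intermediate CA limits the damage if a signing key is exposed.
# NOTE(review): some TLS clients enforce a maximum lifetime on server
# certificates; confirm that 3650 days is accepted by the clients in use.
openssl x509 -req -days 3650 -sha256 -extfile server.conf -CA myrootca.crt -CAkey myrootca.key -CAserial myrootca.srl -CAcreateserial -in myhost.req -out myhost.crt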
rootca.conf:
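# X.509v3 extensions for the self-signed root CA (passed with -extfile).
# RFC 5280 requires basicConstraints to be marked critical in CA certificates,
# so that a verifier which does not process the extension rejects the
# certificate instead of ignoring the CA flag.
basicConstraints = critical, CA:true
# Restrict the root key to signing certificates and CRLs.
keyUsage = critical, keyCertSign, cRLSign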
subca.conf:
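# X.509v3 extensions for the intermediate CA (passed with -extfile).
# pathlen:0 means this CA may issue end-entity certificates but no further
# subordinate CAs. Marked critical, as RFC 5280 requires for CA certificates.
basicConstraints = critical, CA:true, pathlen:0
# Restrict the intermediate key to signing certificates and CRLs.
keyUsage = critical, keyCertSign, cRLSign
# Legacy Netscape extension; current software relies on basicConstraints and
# keyUsage instead. Kept as in the original notes.
nsCertType = sslCA, emailCA, objCA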
server.conf:
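# X.509v3 extensions for a TLS server (end-entity) certificate.
# CA:false prevents this certificate from being used to issue other certificates.
basicConstraints = CA:false
# Limited to what an RSA TLS server key needs: signatures and RSA key
# transport. dataEncipherment and keyAgreement were dropped because TLS with an
# RSA key does not use them.
keyUsage = digitalSignature, keyEncipherment
# Legacy Netscape extension; kept as in the original notes.
nsCertType = server
# serverAuth only. msSGC / nsSGC (Server Gated Cryptography) existed to let
# export-grade browsers step up to strong ciphers and are obsolete.
extendedKeyUsage = serverAuth
# Current TLS clients match the host name against subjectAltName rather than
# the subject CN. "openssl x509 -req" takes extensions from this file only, so
# the name has to be set here; replace the placeholder before use.
# subjectAltName = DNS:<server-hostname-placeholder>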