$ cd /CA
# Generate the root certificate's private key (the key file), 4096 bits long
$ openssl genrsa -out cakey.pem 4096
$ mv cakey.pem ./private/
# Issue the certificate with the private key just generated
$ openssl req -new -x509 -key ./private/cakey.pem -out ./cacert.pem
# Enter the certificate information as required
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Liaoning
Locality Name (eg, city) []:Dandong
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Inc
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:Skill Global Root CA
Email Address []:
# Generate a private key
$ openssl genrsa -out server01key.pem 4096
# Use the private key to generate a certificate signing request
$ openssl req -new -key server01key.pem -out server01.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Liaoning
Locality Name (eg, city) []:Dandong
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Inc
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:server01.sdskills.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# Issue the certificate using the root certificate and its private key
$ openssl ca -in server01.csr -out server01.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4096 (0x1000)
Validity
Not Before: Mar 28 14:36:39 2021 GMT
Not After : Mar 28 14:36:39 2022 GMT
Subject:
countryName = CN
stateOrProvinceName = Liaoning
organizationName = Inc
commonName = server01.sdskills.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
29:55:53:D7:48:A6:93:6A:56:9C:E5:38:C3:92:6A:2F:3C:AC:B7:06
X509v3 Authority Key Identifier:
keyid:18:D9:48:2B:0E:D2:F4:FF:0C:0D:67:E8:CB:26:4C:30:CE:F2:6D:60
Certificate is to be certified until Mar 28 14:36:39 2022 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
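
The certificate issued above lists no X509v3 Subject Alternative Name among its extensions, and current browsers match hostnames against that extension rather than the Common Name. The following script is an added example, not part of the original session: it runs three post-issuance checks (chain to the CA, key/certificate match, SAN present) on a CN-only certificate and on one signed with a SAN. Assumptions: throwaway 2048-bit keys in a temp directory, the hypothetical name server01.example.test, and `openssl x509 -req` standing in for the `openssl ca` setup used above.

```shell
# Added example (not from the original page); all keys/certs are constructed.

# Succeeds if the leaf ($2) verifies against the CA certificate ($1).
check_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Succeeds if private key ($1) and certificate ($2) hold the same public key.
check_key_match() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds if the certificate ($1) carries a subjectAltName extension.
has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'X509v3 Subject Alternative Name'
}

# Build a throwaway CA plus two leaf certs in a temp dir and print its path.
# Assumptions: 2048-bit keys for speed, hypothetical name server01.example.test,
# and `openssl x509 -req` standing in for the page's `openssl ca` setup.
make_demo() {
    d=$(mktemp -d) || return 1
    name=server01.example.test
    openssl genrsa -out "$d/cakey.pem" 2048 2>/dev/null || return 1
    openssl req -new -x509 -key "$d/cakey.pem" -out "$d/cacert.pem" \
        -days 30 -subj "/CN=Constructed Test Root CA" 2>/dev/null || return 1
    openssl genrsa -out "$d/server01key.pem" 2048 2>/dev/null || return 1
    openssl req -new -key "$d/server01key.pem" -out "$d/server01.csr" \
        -subj "/CN=$name" 2>/dev/null || return 1
    # CN-only certificate, like the one issued in the session above
    openssl x509 -req -in "$d/server01.csr" -CA "$d/cacert.pem" \
        -CAkey "$d/cakey.pem" -CAcreateserial -days 30 \
        -out "$d/server01.pem" 2>/dev/null || return 1
    # Same request, signed with a subjectAltName supplied at signing time
    printf 'subjectAltName=DNS:%s\n' "$name" > "$d/san.ext"
    openssl x509 -req -in "$d/server01.csr" -CA "$d/cacert.pem" \
        -CAkey "$d/cakey.pem" -CAcreateserial -days 30 \
        -extfile "$d/san.ext" -out "$d/server01-san.pem" 2>/dev/null || return 1
    echo "$d"
}

demo=$(make_demo) || { echo "openssl not usable here" >&2; exit 1; }
for crt in server01.pem server01-san.pem; do
    check_chain "$demo/cacert.pem" "$demo/$crt" && echo "$crt: chain ok"
    check_key_match "$demo/server01key.pem" "$demo/$crt" && echo "$crt: key ok"
    has_san "$demo/$crt" && echo "$crt: has SAN" || echo "$crt: no SAN"
done
```

The same three functions can be pointed at the real `cacert.pem`, `server01key.pem` and `server01.pem` from the session.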