本文生成的所有证书有效期为 7305天(20年),算法为 ECC(256Bits)
准备环境
- Linux
- OpenSSL
生成CA证书
- 生成CA证书的私钥
openssl ecparam -genkey -name prime256v1 -out ca.key
- 生成CA证书的公钥
openssl req -new -x509 -days 7305 -key ca.key -out ca.crt
生成自签名证书的签名请求
- 生成自签名证书的私钥
openssl ecparam -genkey -name prime256v1 -out example.com.key
- 生成自签名证书的签名请求(CSR)
openssl req -new -sha256 -key example.com.key -out example.com.csr
使用CA证书签发自签名证书
- 新建
extended.ext文件,最后一行的subjectAltName字段为证书的域名
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = san
extensions = san
[ req_distinguished_name ]
countryName = CN
stateOrProvinceName = Tianjin
localityName = Tianjin
[ SAN ]
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = DNS:example.com,DNS:*.example.com
- 使用CA证书对
extended.ext文件执行签名
openssl x509 -req \
-days 7305 \
-sha256 \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in example.com.csr -out cert.crt \
-extfile extended.ext -extensions SAN
- 合并证书链
cat cert.crt ca.crt > fullchain.crt