如何通过openssl生成自签证书

基础准备

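# Working directory for the CA: ./ca holds the database files, newcerts/ the
# issued certificates and private/ the CA keys.  Abort if the directory cannot
# be entered, otherwise every later command would run in the wrong place.
mkdir -p ca && cd ca || exit 1
mkdir -p newcerts private
# private/ receives cakey.pem / ca2key.pem: make it owner-only, even if the
# directory already existed.
chmod 0700 private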

需要的配置文件 openssl.cnf / openssl2.cnf（完整内容见下文）

创建普通自签证书

openssl req -new -x509 -keyout cert.key -out cert.pem -days 3650 -config ./openssl.cnf

创建自签根证书

# Self-signed root CA.
# serial / index.txt are the 'openssl ca' database named under [ CA_default ]
# in openssl.cnf; the key and certificate paths match private_key/certificate there.
printf '01\n' > serial
touch index.txt
# -extensions v3_ca selects the CA:TRUE section; the key is written encrypted
# (passphrase prompted) because no -nodes is given.
openssl req -config ./openssl.cnf -new -x509 -days 3650 -extensions v3_ca \
  -keyout private/cakey.pem -out cacert.pem

创建二级证书

# Intermediate CA certificate, method 1: CSR via 'req', signed by the root via 'ca'.
# serial2 / index2.txt are the intermediate's own database, used by openssl2.cnf
# and by the 'x509 -req -CAserial serial2' method further down.
printf '01\n' > serial2
touch index2.txt
# Key + CSR for the intermediate.
# NOTE(review): '-extensions' on a CSR-only 'req' may be ignored by some OpenSSL
# versions ('-reqexts' is the CSR selector); the 'ca' line below is what actually
# applies v3_ca, so this is harmless — confirm for your version.
openssl req -config ./openssl.cnf -new -extensions v3_ca \
  -keyout private/ca2key.pem -out ca2req.pem
# The root (openssl.cnf [ CA_default ]) signs it with v3_ca; -infiles must stay last.
openssl ca -config ./openssl.cnf -extensions v3_ca -out ca2cert.pem -infiles ca2req.pem


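# Intermediate CA certificate, method 2: key first, then CSR, then the root signs.
# Write the key with -out rather than a shell redirect: OpenSSL (1.1+) creates
# the file mode 0600, whereas '> file' follows the umask and can leave the CA
# key world-readable.  genrsa without a cipher option stores the key unencrypted.
openssl genrsa -out private/ca2key.pem 2048
openssl req -config ./openssl.cnf -new -key private/ca2key.pem -out ca2cert.csr
# Signed by the root CA from openssl.cnf [ CA_default ] with the v3_ca section.
openssl ca -config ./openssl.cnf -extensions v3_ca -in ca2cert.csr -out ca2cert.pem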

签发三级证书

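# Leaf (third-level) certificate issued by the intermediate, method 1.
# 'req -new' without -key generates a fresh key into default_keyfile from
# openssl.cnf [ req ], i.e. ./key.pem.
openssl req -config ./openssl.cnf -new -out req.pem
# -cert/-keyfile point 'ca' at the intermediate instead of the root named in
# the config.  -extensions v3_req is needed: [ CA_default ] sets neither
# x509_extensions nor copy_extensions, so without it the leaf is issued with
# no X.509 extensions at all.
# NOTE: -config ./openssl.cnf still names the root's serial / index.txt as the
# database, so this leaf is recorded in the root's index; openssl2.cnf keeps a
# separate database for the intermediate.
openssl ca -config ./openssl.cnf -extensions v3_req -cert ca2cert.pem \
  -keyfile private/ca2key.pem -in req.pem -out cert.pem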


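# Leaf certificate, method 2: sign with 'x509 -req' (no CA database, only the
# serial2 counter, which is incremented in place).
# The key for the CSR goes to default_keyfile (key.pem) from openssl.cnf [ req ].
openssl req -config ./openssl.cnf -new -out req.pem
# 'x509 -req' defaults differ from the 'ca' methods: 30 days validity and no
# extensions.  Set them explicitly so the result matches the other leaves
# (3650 days, v3_req = CA:FALSE + subjectKeyIdentifier).
openssl x509 -req -days 3650 -sha256 -in req.pem \
  -CA ca2cert.pem -CAkey private/ca2key.pem -CAserial serial2 \
  -extfile ./openssl.cnf -extensions v3_req -out cert.pem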


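# Leaf certificate, method 3: openssl2.cnf already names the intermediate's
# key/cert and its own serial2 / index2.txt database, so 'ca' needs no
# -cert/-keyfile and the root's database stays untouched.
# -out instead of '>': OpenSSL (1.1+) creates the key file mode 0600, a shell
# redirect follows the umask.  The key is stored unencrypted (no cipher option).
openssl genrsa -out key.pem 2048
openssl req -config ./openssl2.cnf -new -key key.pem -out cert.csr
# -extensions v3_req: [ CA_default ] sets no x509_extensions/copy_extensions,
# so without it the leaf would carry no extensions at all.
openssl ca -config ./openssl2.cnf -extensions v3_req -in cert.csr -out cert.pem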


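# Leaf certificate, method 4: like method 3 but with openssl.cnf, overriding
# the CA key/cert on the command line.
# -out instead of '>': OpenSSL (1.1+) creates the key file mode 0600, a shell
# redirect follows the umask.  The key is stored unencrypted (no cipher option).
openssl genrsa -out key2.pem 2048
openssl req -config ./openssl.cnf -new -key key2.pem -out cert.csr
# -extensions v3_req: [ CA_default ] sets no x509_extensions/copy_extensions,
# so without it the leaf would carry no extensions at all.
# NOTE: with -config ./openssl.cnf the root's serial / index.txt database
# records this leaf; use openssl2.cnf (method 3) to keep the databases apart.
openssl ca -config ./openssl.cnf -extensions v3_req -cert ca2cert.pem \
  -keyfile private/ca2key.pem -in cert.csr -out cert.pem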

openssl.cnf

# openssl.cnf — root CA configuration.  'dir' lives in the unnamed default
# section so that $dir expands in every section below.
dir = .

[ req ]
# Settings for 'openssl req' (CSR and self-signed certificate generation).
default_bits = 2048 # Size of keys
default_keyfile = key.pem # name of generated keys (used by 'req -new' when neither -key nor -keyout is given)
default_md = sha256 # message digest algorithm
string_mask = nombstr # permitted characters. NOTE(review): legacy mask; 'utf8only' is the usual choice on current OpenSSL — confirm before changing
distinguished_name = req_distinguished_name
req_extensions = v3_req # extensions placed into CSRs
# No x509_extensions here: for 'req -x509' the extensions come from the
# '-extensions <section>' command-line option (the root-CA step passes v3_ca);
# what 'req -x509' adds without either depends on the OpenSSL version.

[ req_distinguished_name ]
# Prompts shown by 'openssl req'; *_default entries pre-fill the answer,
# *_min / *_max bound the accepted length.
# Variable name Prompt string
#---------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64

# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------------ ------------------------------
0.organizationName_default = Erayt Company
localityName_default = Hangzhou
stateOrProvinceName_default = Zhejiang
countryName_default = CN

[ v3_ca ]
# Extensions for CA certificates (root and intermediate, selected with '-extensions v3_ca').
basicConstraints = CA:TRUE
# NOTE(review): no pathlen, so an intermediate issued with this section may
# itself issue further CAs ('CA:TRUE, pathlen:0' would restrict it); no keyUsage
# either (keyCertSign, cRLSign are the usual values for a CA).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always

[ v3_req ]
# Extensions for CSRs (req_extensions above) and, with 'ca -extensions v3_req',
# for end-entity certificates.
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
# NOTE(review): no subjectAltName — TLS clients that match the host name
# against SAN rather than CN will not accept a server certificate built from
# this section; add 'subjectAltName = DNS:<host>' for server certificates.

[ ca ]
default_ca = CA_default

[ CA_default ]
# Root CA: database, key and certificate used by 'openssl ca'.
serial = $dir/serial # next serial number (hex); the setup seeds it with 01
database = $dir/index.txt # issued-certificate index; must exist before the first signing (touch)
new_certs_dir = $dir/newcerts # copy of every issued certificate, named <serial>.pem
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem # keep private/ readable by the CA operator only
default_days = 3650 # validity for everything 'ca' issues, leaf certificates included
default_md = sha256
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
# No x509_extensions / copy_extensions: 'ca' adds no extensions unless
# '-extensions <section>' is passed on the command line, and the extensions
# carried in the CSR (v3_req) are dropped.

[ policy_match ]
# 'match' fields must equal the CA certificate's, 'supplied' fields must be
# present, 'optional' fields may be absent.  An intermediate signed under this
# policy therefore needs the same C / ST / O as the root.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

openssl2.cnf

# openssl2.cnf — intermediate CA configuration.  Identical to openssl.cnf except
# for [ CA_default ], which points 'openssl ca' at the intermediate's key,
# certificate and database.  'dir' is in the unnamed default section so $dir
# expands in every section below.
dir = .

[ req ]
# Settings for 'openssl req' (CSR and self-signed certificate generation).
default_bits = 2048 # Size of keys
default_keyfile = key.pem # name of generated keys (used by 'req -new' when neither -key nor -keyout is given)
default_md = sha256 # message digest algorithm
string_mask = nombstr # permitted characters. NOTE(review): legacy mask; 'utf8only' is the usual choice on current OpenSSL — confirm before changing
distinguished_name = req_distinguished_name
req_extensions = v3_req # extensions placed into CSRs

[ req_distinguished_name ]
# Prompts shown by 'openssl req'; *_default entries pre-fill the answer,
# *_min / *_max bound the accepted length.
# Variable name Prompt string
#---------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64

# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------------ ------------------------------
0.organizationName_default = Erayt Company
localityName_default = Hangzhou
stateOrProvinceName_default = Zhejiang
countryName_default = CN

[ v3_ca ]
# CA extensions; not used by the leaf-issuing steps that run with this file,
# kept for parity with openssl.cnf.
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always

[ v3_req ]
# Extensions for CSRs (req_extensions above) and, with 'ca -extensions v3_req',
# for end-entity certificates.
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
# NOTE(review): no subjectAltName — TLS clients that match the host name
# against SAN rather than CN will not accept a server certificate built from
# this section; add 'subjectAltName = DNS:<host>' for server certificates.

[ ca ]
default_ca = CA_default

[ CA_default ]
# Intermediate CA: its own database (serial2 / index2.txt, seeded by the
# intermediate setup step) so issued leaves are not recorded in the root's index.
serial = $dir/serial2 # next serial number (hex)
database = $dir/index2.txt # issued-certificate index; must exist before the first signing
new_certs_dir = $dir/newcerts # shared with the root: every issued certificate is copied here as <serial>.pem
certificate = $dir/ca2cert.pem
private_key = $dir/private/ca2key.pem # keep private/ readable by the CA operator only
default_days = 3650 # validity for everything 'ca' issues, leaf certificates included
default_md = sha256
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
# No x509_extensions / copy_extensions: 'ca' adds no extensions unless
# '-extensions <section>' is passed on the command line, and the extensions
# carried in the CSR (v3_req) are dropped.

[ policy_match ]
# 'match' fields must equal the CA certificate's, 'supplied' fields must be
# present, 'optional' fields may be absent — leaf subjects need the same
# C / ST / O as the intermediate.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

说明

  1. 服务端只需要cert.pem(三级证书)及与之配对的私钥
  2. 客户端需导入cacert.pem(CA根证书)/ca2cert.pem(二级CA证书)