Generate a key pair → generate a CSR → self-signed certificate

Generating keys

  • Generate an RSA key (state the size explicitly; 2048 bits is the floor today, and 3072 or 4096 is preferable for a CA key)
openssl genrsa -out rsa.key 2048
  • Generate a DSA key (DSA is obsolete: TLS 1.3 has no DSA signature schemes, so generate one only for legacy interoperability)
openssl dsaparam -genkey 2048 | openssl dsa -out dsa.key
  • Generate an ECDSA key on P-256 (OpenSSL calls this curve prime256v1; secp256r1 and P-256 are the same curve)
openssl ecparam -genkey -name prime256v1 | openssl ec -out ec.key
  • Inspect a key (this prints the private components, so run it only on a host you trust; -noout suppresses the PEM copy)
openssl rsa -text -noout -in rsa.key
openssl dsa -text -noout -in dsa.key
openssl ec  -text -noout -in ec.key

Generating a certificate signing request (CSR)

req - PKCS#10 certificate request and certificate generating utility

openssl req -new -config fd.cnf -key fd.key -out fd.csr

-new

This option generates a new certificate request. It prompts the user for the values of the relevant fields; which fields are prompted for, and their minimum and maximum sizes, are specified in the configuration file, together with any requested extensions. Passing -subj "/CN=..." on the command line replaces the prompts, which is what you want in scripts.

If the -key option is not used, a new RSA private key is generated using the parameters given in the configuration file.

Self-signed CA certificate

x509 - Certificate display and signing utility

openssl x509 -req -days 36524 -in ca.csr -out ca.crt -signkey ca.key

-req

By default a certificate is expected on input; with this option a certificate request is expected instead.

Two caveats on this command. First, 36524 days is about 100 years; pick a lifetime that matches how long you can realistically protect ca.key, and remember that rotating a root means redistributing it to every client. Second, x509 -req adds no extensions unless an -extfile is given, so the certificate produced here carries neither basicConstraints CA:TRUE nor keyUsage keyCertSign, and most verifiers will not accept it as an issuer for a v3 certificate chain; supply those extensions through -extfile, exactly as the signing step does for the leaf certificate.

CA-signed certificate

openssl x509 -req -days 365 -in fd.csr -out fd.crt \
    -CA ca.crt -CAkey ca.key -CAcreateserial -extfile fd.ext

fd.ext holds the extensions for the leaf certificate (subjectAltName, keyUsage, extendedKeyUsage, basicConstraints CA:FALSE). It is required because x509 -req does not copy extensions from the CSR: whatever req_extensions in fd.cnf put into fd.csr is dropped at signing time (OpenSSL 3.x adds -copy_extensions copy to change that), and Chrome and most modern clients match the host name only against subjectAltName, never against the CN.

-CAcreateserial

With this option the CA serial number file is created if it does not exist; the default file name is the -CA file name with its extension replaced by .srl, so ca.srl here. Without the option, giving -CA while the file is missing is an error. The description quoted in many tutorials ("it will contain the serial number "02" and the certificate being signed will have 1 as its serial number") comes from old manuals; current releases generate a random serial for the first certificate and write the next value to the file. Keep that file next to ca.key, or point at it explicitly with -CAserial: if it is deleted and recreated, the CA can issue two certificates with the same issuer and serial number, which clients such as Firefox reject (SEC_ERROR_REUSED_ISSUER_AND_SERIAL).
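The steps above, run end to end, as an added example that is not code from the original post: one script builds the CA key, the self-signed CA certificate with proper CA extensions, the leaf key and CSR, and the CA-signed leaf certificate with a subjectAltName, then checks the result the way a practitioner would before deploying it. File names follow the post (ca.key, ca.crt, fd.key, fd.csr, fd.crt, fd.ext); the subject names, the host name fd.example and the contents of the two extension files are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: the whole pipeline from CA
# key to CA-signed leaf certificate, followed by verification checks.
# Assumed for the example: subject names, the host name fd.example, and the
# extension files ca.ext and fd.ext written below.
set -eu

build_pki() {
    d="$1"
    mkdir -p "$d"

    # 1. CA key: P-256 (prime256v1 == secp256r1 == P-256).
    openssl ecparam -genkey -name prime256v1 -noout -out "$d/ca.key"

    # 2. Self-signed CA certificate. "x509 -req -signkey" adds no extensions on
    #    its own, so basicConstraints/keyUsage are supplied through -extfile;
    #    without them most verifiers will not accept ca.crt as an issuer.
    cat > "$d/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -new -key "$d/ca.key" -subj "/CN=Example Test CA" -out "$d/ca.csr"
    openssl x509 -req -days 3650 -in "$d/ca.csr" -signkey "$d/ca.key" \
        -extfile "$d/ca.ext" -out "$d/ca.crt"

    # 3. Leaf key and CSR (-subj replaces the interactive prompts).
    openssl genrsa -out "$d/fd.key" 2048
    openssl req -new -key "$d/fd.key" -subj "/CN=fd.example" -out "$d/fd.csr"

    # 4. Leaf extensions. x509 -req does not copy extensions from the CSR, so
    #    the subjectAltName that clients match the host name against lives here.
    cat > "$d/fd.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:fd.example, DNS:www.fd.example
authorityKeyIdentifier = keyid
EOF
    # -CAcreateserial writes $d/ca.srl with the next serial to use.
    openssl x509 -req -days 365 -in "$d/fd.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/fd.ext" -out "$d/fd.crt"
}

# Returns 0 only if fd.crt chains to ca.crt, carries the expected SAN and
# cannot itself act as a CA. -text is used instead of -ext so the check also
# works on OpenSSL releases older than 1.1.1.
check_pki() {
    d="$1"
    openssl verify -CAfile "$d/ca.crt" "$d/fd.crt" >/dev/null || return 1
    leaf=$(openssl x509 -in "$d/fd.crt" -noout -text)
    echo "$leaf" | grep -q 'DNS:fd.example' || return 1
    echo "$leaf" | grep -q 'CA:FALSE' || return 1
    # The issuer must be marked as a CA; a root without CA:TRUE is a common
    # cause of "unable to get local issuer certificate" style failures.
    openssl x509 -in "$d/ca.crt" -noout -text | grep -q 'CA:TRUE' || return 1
    return 0
}

# Usage: sh pki.sh /path/to/outdir
if [ $# -ge 1 ]; then
    build_pki "$1"
    check_pki "$1"
    echo "PKI built and verified in $1"
fi
```

The self-signed CA step can also be done in one command with openssl req -x509 instead of a CSR plus x509 -req, but the extension requirement is the same either way. Keep ca.key and ca.srl together and out of the web root: the key signs, and the serial file is what prevents issuing two certificates with the same issuer and serial.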

Last modified: 8 January 2023