OpenSSL 生成自签证书

1. 建立根证书的私匙（ca.key）

openssl genrsa -out ca.key 2048

2. 建立根证书(ca.crt)

openssl req -new -x509 -days 36500 -key ca.key -out ca.crt -subj "/C=CN/ST=ShiChuan/L=ChengDu/O=Your Company Name/OU=Your Root CA"

3. 建立SSL证书私匙(网站证书)(server.key)

openssl genrsa -out server.key 2048

4. 建立SSL证书(网站证书)(server.crt)

openssl req -new -key server.key -out server.csr -subj  "/C=CN/ST=ShiChuan/L=ChengDu/O=Your Company Name/OU=wangye.org/CN=wangye.org"
/O字段内容必须与刚才的CA根证书相同；/CN字段为公用名称(Common Name)，必须为网站的域名(不带www)；/OU字段最好也与为网站域名

5. 用CA根证书签署SSL自建证书

openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
报错：unable to open '/etc/pki/CA/index.txt'
[root@localhost tmp]#  touch /etc/pki/CA/index.txt
报错：error while loading serial number
140515054446496:error:02001002:system library:
fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/CA/serial','r')
[root@localhost tmp]# echo 00 > /etc/pki/CA/serial 
[root@localhost tmp]# openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key                                                               
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Feb  7 02:13:45 2017 GMT
            Not After : Feb  7 02:13:45 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = ShiChuan
            organizationName          = Your Company Name
            organizationalUnitName    = wangye.org
            commonName                = wangye.org
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                5E:D1:22:95:85:87:DF:FC:0C:C8:C9:BC:7F:73:A6:20:B9:80:83:8C
            X509v3 Authority Key Identifier: 
                keyid:24:C0:24:B4:A9:E6:84:B6:9D:1B:DF:64:C0:52:96:C2:3D:FA:9C:85
Certificate is to be certified until Feb  7 02:13:45 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

服务器须要的证书：server.crt和server.key 备注：因为是自签名证书，因此客户端须要安装根证书，将刚才第2步建立的根证书ca.crt下载到客户端，而后双击导入，不然会提示不受信任的证书发布商问题