1. 准备工作:
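# Build the working tree used by the later `openssl ca` step:
#   demoCA/index.txt  - database of issued certificates (starts empty)
#   demoCA/serial     - next serial number to assign, in hex
#   demoCA/newcerts/  - directory for copies of issued certificates
# NOTE(review): the stock openssl.cnf usually points its CA section at
# ./demoCA; confirm against the config your openssl build actually loads.
#
# ca/ will hold the CA private key, so it is restricted to the current user.
# The steps are chained with && so a failed mkdir/cd cannot scatter files
# into the wrong directory.
mkdir -p ca/demoCA/newcerts &&
  chmod 700 ca &&
  cd ca &&
  touch demoCA/index.txt &&
  {
    # Seed the serial only when it is missing or empty: resetting it on an
    # existing CA would make the CA issue duplicate serial numbers.
    [ -s demoCA/serial ] || printf '%s\n' "01" > demoCA/serial
  }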
2. 生成CA私钥(ca.key)
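# Generate the CA's RSA private key, passphrase-protected on disk.
# - AES-256 replaces the legacy 3DES (-des3) cipher for encrypting the key file.
# - 4096 bits instead of 2048: the CA certificate made from this key in the
#   next step is valid for 7305 days (~20 years), longer than 2048-bit RSA is
#   generally recommended for.
# - umask 077 in a subshell makes ca.key readable by its owner only, without
#   changing the umask of the calling shell.
# openssl prompts for the passphrase; it is needed again for every signing.
(
  umask 077
  openssl genrsa -aes256 -out ca.key 4096
)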
3. 生成CA自签名根证书(ca.crt,内含CA公钥)
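# Create the self-signed CA certificate (ca.crt) from ca.key.
# -x509 makes `req` emit a certificate instead of a signing request;
# -days 7305 gives it roughly 20 years of validity.
# -sha256 pins the signature digest instead of relying on the build's
# default, which is SHA-1 on old OpenSSL releases.
# Prompts for the ca.key passphrase and for the subject fields.
# ca.crt is the file clients import as a trust anchor; ca.key never leaves
# this directory.
openssl req -new -x509 -sha256 -days 7305 -key ca.key -out ca.crt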
4. 生成域名证书私钥
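# Generate the passphrase-protected private key for the *.njduck.com
# certificate.
# - 2048 bits: 1024-bit RSA is considered breakable and is rejected by
#   current TLS libraries and browsers.
# - AES-256 replaces the legacy 3DES (-des3) cipher for encrypting the key file.
# - The file name is quoted so the shell passes the literal '*' to openssl
#   instead of glob-expanding it against files already in the directory
#   (on a re-run the unquoted pattern would match earlier output).
# - umask 077 in a subshell keeps the key file owner-readable only.
(
  umask 077
  openssl genrsa -aes256 -out '*.njduck.com.pem' 2048
)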
5. 将域名私钥解密,生成不带口令保护的key文件
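# Write a passphrase-less copy of the domain private key (.key) so a server
# can load it without a prompt. openssl asks for the .pem passphrase.
# The output is an UNENCRYPTED private key: umask 077 in a subshell creates
# it owner-readable only. Deploy it only to the host that terminates TLS and
# keep it out of backups and version control.
# File names are quoted so the literal '*' is not glob-expanded by the shell.
(
  umask 077
  openssl rsa -in '*.njduck.com.pem' -out '*.njduck.com.key'
)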
6. 生成证书请求
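# Create the certificate signing request (CSR) for the domain key.
# Prompts for the .pem passphrase and the subject fields; the Common Name
# is where the host name (here the wildcard *.njduck.com) is entered.
# -sha256 pins the request's signature digest instead of relying on the
# build default. File names are quoted so the literal '*' is not
# glob-expanded by the shell.
# NOTE(review): this request carries no subjectAltName. Current browsers
# match host names against SAN only, so a SAN entry for the wildcard
# likely has to be supplied through the openssl config/extensions, and the
# CA step must be configured to keep it. Confirm for your clients.
openssl req -new -sha256 -key '*.njduck.com.pem' -out '*.njduck.com.csr'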
7. 证书签名
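# Sign the CSR with the CA, producing the domain certificate valid for
# 1460 days (~4 years). Prompts for the ca.key passphrase and confirmation,
# then updates demoCA/index.txt and demoCA/serial.
# - Each continuation backslash is preceded by a space. A backslash glued to
#   the previous word ("ca.key\") joins it with the first word of the next
#   line, so openssl would receive "-keyfile ca.key-in" and fail.
# - -md sha256 pins the signature digest instead of inheriting default_md
#   from the config, which may still name a weak digest on old installs.
# - File names are quoted so the literal '*' is not glob-expanded.
# NOTE(review): policy_anything is a section resolved from the openssl
# config in use; in the stock config it places almost no constraints on the
# subject. Review each CSR's subject before confirming the signature.
openssl ca -policy policy_anything -days 1460 -md sha256 \
  -cert ca.crt -keyfile ca.key \
  -in '*.njduck.com.csr' -out '*.njduck.com.crt'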
CA证书生成后,可以直接从第4步开始为其他域名签发证书。