How to create a self-signed SSL certificate

1. Preparation (create the demoCA directory layout that openssl ca uses in step 7):
mkdir ca
cd ca
mkdir demoCA
mkdir demoCA/newcerts
touch demoCA/index.txt
echo "01" > demoCA/serial

2. Generate the CA private key

openssl genrsa -des3 -out ca.key 2048

3. Generate the self-signed CA certificate (it carries the CA public key)

openssl req -new -x509 -days 7305 -key ca.key -out ca.crt

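4. Generate the private key for the domain certificate

# Quote the file name so the shell does not expand the "*".
# Use at least 2048 bits; 1024-bit RSA keys are no longer considered secure.
openssl genrsa -des3 -out '*.njduck.com.pem' 2048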

5. Decrypt the domain private key to produce the .key file

openssl rsa -in '*.njduck.com.pem' -out '*.njduck.com.key'

6. Generate the certificate signing request

openssl req -new -key '*.njduck.com.pem' -out '*.njduck.com.csr'

7. Sign the certificate

openssl ca -policy policy_anything -days 1460 -cert ca.crt -keyfile ca.key \
    -in '*.njduck.com.csr' -out '*.njduck.com.crt'

Once the CA certificate has been generated, certificates for other domains can be issued by starting directly from step 4.
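
After step 7 it is worth confirming that the issued certificate chains to ca.crt and that the decrypted key from step 5 belongs to it. The script below is an added example, not part of the original procedure: check_issued performs both checks, and make_demo_pki builds throwaway sample input (hypothetical names such as example.test, signed with openssl x509 -req instead of openssl ca so that no demoCA directory is needed).

```sh
#!/bin/sh
# Added example (not from the original page): post-issuance checks for step 7.

# check_issued CA_CERT CERT KEY
# Succeeds only if CERT verifies against CA_CERT and KEY is CERT's private key.
check_issued() {
    ca_cert=$1 cert=$2 key=$3
    # 1. The certificate's signature must chain to the CA certificate.
    openssl verify -CAfile "$ca_cert" "$cert" 2>/dev/null | grep -q ': OK$' || return 1
    # 2. The public key in the certificate must equal the one derived from
    #    the decrypted private key; compare SHA-256 digests of both.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# make_demo_pki: constructed sample data only. Builds a throwaway CA, one
# certificate issued by it and one unrelated key in a temp dir; prints the dir.
make_demo_pki() {
    d=$(mktemp -d) &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1 &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.example.test" \
        -keyout "$d/site.key" -out "$d/site.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$d/site.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/site.crt" >/dev/null 2>&1 &&
    openssl genrsa -out "$d/other.key" 2048 >/dev/null 2>&1 &&
    echo "$d"
}

# Demo run: the matching key passes, the unrelated key is rejected.
demo_dir=$(make_demo_pki) && {
    check_issued "$demo_dir/ca.crt" "$demo_dir/site.crt" "$demo_dir/site.key" &&
        echo "site.crt + site.key: chain and key match"
    check_issued "$demo_dir/ca.crt" "$demo_dir/site.crt" "$demo_dir/other.key" ||
        echo "site.crt + other.key: rejected"
    rm -rf "$demo_dir"
}
```

With the files from the procedure above, the equivalent call is check_issued ca.crt '*.njduck.com.crt' '*.njduck.com.key'.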