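1. Generate the CA certificate
mkdir ca
## Create the root certificate private key (note: 1024-bit RSA is below the 2048-bit minimum now recommended for new keys)
openssl genrsa -out ca/root-key.pem 1024
# Create the certificate signing request
openssl req -new -out ca/ca-req.csr -key ca/root-key.pem
# Enter the requested values at the prompts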
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:ZheJiang
Locality Name (eg, city) []:Hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:test
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
# Self-sign the root certificate
openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/root-key.pem -days 3650
Signature ok
subject=/C=CN/ST=ZheJiang/L=Hangzhou/O=test
Getting Private key
# Export the certificate in PKCS12 format
openssl pkcs12 -export -clcerts -in ca/ca-cert.pem -inkey ca/root-key.pem -out ca/root.pfx
Enter Export Password:123456
Verifying - Enter Export Password:123456
2. Create the server certificate
mkdir test
## Create the private key
openssl genrsa -out test/test-key.pem 1024
## Create the certificate signing request
openssl req -new -out test/test-req.csr -key test/test-key.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Zhejiang
Locality Name (eg, city) []:Hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:test
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
## Sign the server certificate with the CA (-CA/-CAkey select the signer, so -signkey is redundant here)
openssl x509 -req -in test/test-req.csr -out test/test-cert.pem -signkey test/test-key.pem -CA ca/ca-cert.pem -CAkey ca/root-key.pem -CAcreateserial -days 3650
Signature ok
subject=/C=CN/ST=Zhejiang/L=Hangzhou/O=test
Getting Private key
Getting CA Private Key
# This PKCS12 bundle holds the merchant's private key
openssl pkcs12 -export -clcerts -in test/test-cert.pem -inkey test/test-key.pem -out test/test.pfx
Enter Export Password:123456
Verifying - Enter Export Password:123456
# Extract the public key; this is the merchant's public key, to be sent to the other party
openssl rsa -in test/test-key.pem -pubout -out test/test-pubkey.pem
writing RSA key
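
A non-interactive run of both steps followed by checks on the result, as an added example that is not part of the original page. It uses 2048-bit keys and passes the subject with -subj; the Common Names test-root and test-server, the two extension files and the temporary work directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Subject names, the extension
# files and the work directory are constructed for illustration.
set -eu

build_chain() {  # $1 = empty work directory
    d=$1
    mkdir -p "$d/ca" "$d/test"
    # Mark the root as a CA explicitly and the server certificate as a non-CA
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca/ca.ext"
    printf 'basicConstraints=CA:FALSE\n' > "$d/test/leaf.ext"

    # Step 1: root key, CSR, self-signed root certificate
    openssl genrsa -out "$d/ca/root-key.pem" 2048 2>/dev/null
    openssl req -new -key "$d/ca/root-key.pem" -out "$d/ca/ca-req.csr" \
        -subj "/C=CN/ST=ZheJiang/L=Hangzhou/O=test/CN=test-root"
    openssl x509 -req -in "$d/ca/ca-req.csr" -out "$d/ca/ca-cert.pem" \
        -signkey "$d/ca/root-key.pem" -days 3650 -sha256 \
        -extfile "$d/ca/ca.ext" 2>/dev/null

    # Step 2: server key, CSR, certificate signed by the root, public key export
    openssl genrsa -out "$d/test/test-key.pem" 2048 2>/dev/null
    openssl req -new -key "$d/test/test-key.pem" -out "$d/test/test-req.csr" \
        -subj "/C=CN/ST=Zhejiang/L=Hangzhou/O=test/CN=test-server"
    openssl x509 -req -in "$d/test/test-req.csr" -out "$d/test/test-cert.pem" \
        -CA "$d/ca/ca-cert.pem" -CAkey "$d/ca/root-key.pem" -CAcreateserial \
        -days 3650 -sha256 -extfile "$d/test/leaf.ext" 2>/dev/null
    openssl rsa -in "$d/test/test-key.pem" -pubout \
        -out "$d/test/test-pubkey.pem" 2>/dev/null
}

pubkey_matches() {  # $1 = private key, $2 = certificate
    from_key=$(openssl rsa -in "$1" -pubout 2>/dev/null)
    from_cert=$(openssl x509 -in "$2" -noout -pubkey)
    [ "$from_key" = "$from_cert" ]
}

check_chain() {  # $1 = work directory populated by build_chain
    openssl verify -CAfile "$1/ca/ca-cert.pem" "$1/test/test-cert.pem" >/dev/null &&
    pubkey_matches "$1/test/test-key.pem" "$1/test/test-cert.pem"
}

work=$(mktemp -d)
build_chain "$work"
check_chain "$work"
echo "server certificate verifies against the root; public key matches"
rm -rf "$work"
```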