使用OpenSSL生成自签名证书

本文生成的所有证书有效期为 7305天(20年),算法为 ECC(256Bits)

准备环境

生成CA证书

openssl ecparam -genkey -name prime256v1 -out ca.key
openssl req -new -x509 -days 7305 -key ca.key -out ca.crt

生成自签名证书的签名请求

openssl ecparam -genkey -name prime256v1 -out example.com.key
openssl req -new -sha256 -key example.com.key -out example.com.csr

使用CA证书签发自签名证书

[ req ]
default_bits        = 2048
distinguished_name  = req_distinguished_name
req_extensions      = san
extensions          = san

[ req_distinguished_name ]
countryName         = CN
stateOrProvinceName = Tianjin
localityName        = Tianjin

[ SAN ]
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = DNS:example.com,DNS:*.example.com
openssl x509 -req \
    -days 7305 \
    -sha256 \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in example.com.csr -out cert.crt \
    -extfile extended.ext -extensions SAN
cat cert.crt ca.crt > fullchain.crt
Top