OpenSSL 生成自簽證書

1. 建立根證書的私匙（ca.key）

openssl genrsa -out ca.key 2048

2. 建立根證書(ca.crt)

openssl req -new -x509 -days 36500 -key ca.key -out ca.crt -subj "/C=CN/ST=ShiChuan/L=ChengDu/O=Your Company Name/OU=Your Root CA"

3. 建立SSL證書私匙(網站證書)(server.key)

openssl genrsa -out server.key 2048

4. 建立SSL證書(網站證書)(server.crt)

openssl req -new -key server.key -out server.csr -subj  "/C=CN/ST=ShiChuan/L=ChengDu/O=Your Company Name/OU=wangye.org/CN=wangye.org"
/O字段內容必須與剛纔的CA根證書相同；/CN字段爲公用名稱(Common Name)，必須爲網站的域名(不帶www)；/OU字段最好也與爲網站域名

5. 用CA根證書籤署SSL自建證書

openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
報錯：unable to open '/etc/pki/CA/index.txt'
[root@localhost tmp]#  touch /etc/pki/CA/index.txt
報錯：error while loading serial number
140515054446496:error:02001002:system library:
fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/CA/serial','r')
[root@localhost tmp]# echo 00 > /etc/pki/CA/serial 
[root@localhost tmp]# openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key                                                               
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Feb  7 02:13:45 2017 GMT
            Not After : Feb  7 02:13:45 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = ShiChuan
            organizationName          = Your Company Name
            organizationalUnitName    = wangye.org
            commonName                = wangye.org
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                5E:D1:22:95:85:87:DF:FC:0C:C8:C9:BC:7F:73:A6:20:B9:80:83:8C
            X509v3 Authority Key Identifier: 
                keyid:24:C0:24:B4:A9:E6:84:B6:9D:1B:DF:64:C0:52:96:C2:3D:FA:9C:85
Certificate is to be certified until Feb  7 02:13:45 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

服務器須要的證書：server.crt和server.key 備註：因爲是自簽名證書，因此客戶端須要安裝根證書，將剛纔第2步建立的根證書ca.crt下載到客戶端，而後雙擊導入，不然會提示不受信任的證書發佈商問題