https://www.cnblogs.com/zhangmingcheng/p/18412749
https://www.cnblogs.com/suterfo/p/13693909.html
证书颁发
需要openssl 3.x以上。v1.1.1不可以。
CA证书(含私钥)生成,按提示操作输入国家、省份、公司等
网站证书(含私钥)生成,一定需要altname的IP或者域名(DNS)
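# --- CA + server certificate issuance (OpenSSL 3.x) ---
# All artifacts go to ./out. csr.conf (CSR subject, subjectAltName and the
# v3_ext section) must sit next to this script; it is not shown on this page.
set -euo pipefail
umask 077        # private keys (ca.key, server.key) are created 0600, not world-readable
mkdir -p ./out   # openssl does not create the output directory itself

# CA: 2048-bit RSA key, self-signed certificate, subject CN=WSY, valid 1000 days.
openssl genrsa -out ./out/ca.key 2048
openssl req -x509 -new -nodes -key ./out/ca.key -subj "/CN=WSY" -days 1000 -out ./out/ca.crt

# Server: key + CSR built from csr.conf, then signed by the CA.
# -extensions v3_ext -extfile csr.conf puts the v3_ext section (subjectAltName etc.)
# into the issued certificate; `openssl x509 -req` does not carry CSR extensions
# over on its own, so without this the SANs would be missing from server.crt.
openssl genrsa -out ./out/server.key 2048
openssl req -new -key ./out/server.key -out ./out/server.csr -config csr.conf
# NOTE(review): -days 10000 exceeds the CA's own 1000 days; once ca.crt expires,
# chain validation fails no matter what server.crt says. Value kept as in the notes.
openssl x509 -req -in ./out/server.csr -CA ./out/ca.crt -CAkey ./out/ca.key -CAcreateserial \
  -out ./out/server.crt -days 10000 -extensions v3_ext -extfile csr.conf

# Inspect the result: check issuer, validity window and the SAN list.
openssl x509 -noout -text -in ./out/server.crt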
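# --- Bundle certificate + private key into PKCS#12 (.pfx) ---
# Generic form (the pasted note had en-dashes for some options; they must be ASCII '-'):
#   openssl pkcs12 -export -in <user cert> -certfile <CA cert> -inkey <user key> \
#     -passout pass:<p12 password> -out <p12 file> -name <cert alias> -caname <CA alias>
#
# PKCS#12 password: defaults to the literal used in the notes so existing runs are
# unchanged, but is passed via env: so the value does not show up in `ps` or history.
: "${PFX_PASS:=12345}"
export PFX_PASS

# CA cert + CA signing key. NOTE(review): this bundle carries the CA private key;
# keep it on the CA host — clients and servers only ever need ca.crt.
openssl pkcs12 -export -in ./out/ca.crt -certfile ./out/ca.crt -inkey ./out/ca.key -passout env:PFX_PASS -out ./out/ca.pfx
openssl pkcs12 -export -in ./out/server.crt -certfile ./out/ca.crt -inkey ./out/server.key -passout env:PFX_PASS -out ./out/server.pfx
# client.crt / client.key are not produced by any command on this page; issue them
# the same way as server.* (key, CSR, sign with the CA) before running this line.
openssl pkcs12 -export -in ./out/client.crt -certfile ./out/ca.crt -inkey ./out/client.key -passout env:PFX_PASS -out ./out/client.pfx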
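# --- Alternative flow: `openssl req -x509` signing directly with a CA ---
# Self-signed CA in one command: prompts for the subject fields, unencrypted key
# (-noenc is the OpenSSL 3.0+ spelling of -nodes). Note this writes ca.crt / ca.pkey
# into the current directory, not ./out, and without -days the req default
# validity (30 days) applies.
umask 077   # keep ca.pkey / web.pkey readable by the owner only
openssl req -new -x509 -out ca.crt -noenc -keyout ca.pkey

# Web certificate issued by the ./out CA (the ca.key/ca.crt pair from the
# genrsa+req steps, not the ca.pkey created just above).
# NOTE(review): -CA/-CAkey on `openssl req` require OpenSSL 3.2 or newer — confirm
# with `openssl version` before relying on this. The subjectAltName must list the
# IP and/or DNS name clients connect with; modern clients match on SAN, not CN.
# No -days here either, so web.crt is also valid for the 30-day default.
mkdir -p ./out
openssl req -new -x509 -out ./out/web.crt -noenc -keyout ./out/web.pkey -CA ./out/ca.crt -CAkey ./out/ca.key \
  -addext "subjectAltName = IP.0:10.161.22.84, DNS.1:naiya-dev.edu.cn"

# PKCS#12 password defaults to the literal from the notes; passed via env: so it
# stays out of `ps` output and shell history.
: "${PFX_PASS:=12345}"
export PFX_PASS
openssl pkcs12 -export -in ./out/web.crt -certfile ./out/ca.crt -inkey ./out/web.pkey -passout env:PFX_PASS -out ./out/web.pfx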