#!/bin/sh
#================================生成CA===============================
#生成ca和私钥
openssl genrsa -aes256 -passout pass:****** -out ca.key 2048
#openssl rsa -in ca.key -pubout -out ca_pub.key
#生成ca证书请求and自签名
openssl req -new -x509 -sha256 -days 90 -key ./ca.key -out ./ca.crt
#error while loading serial number
echo "01" > /etc/pki/CA/serial
#=============================生成证书==================================+
#openssl req -x509 -sha256 -nodes -days 90 -newkey rsa:2048 -keyout self.key -out self.crt -subj /CN=*.abc.com
openssl genrsa -aes256 -passout pass:****** -out server.key 2048
#生成证书请求文件
openssl req -sha256 -new -days 90 -key ./server.key -out ./server.csr
#对证书签名
openssl ca -md sha256 -days 90 -key ****** -keyfile ./ca.key -cert ./ca.crt -in ./server.csr -out ./server.crt
#failed to update database TXT_DB error number 2
vi /etc/pki/CA/index.txt.attr #将unique_subject = yes 改为 no
#查看证书
openssl x509 -in ./servercert.pem -text -noout
#生成pfx(windows证书格式)
openssl pkcs12 -export -out server.pfx -inkey ./server.key -in ./server.crt
#生成p7b证书链
openssl crl2pkcs7 -certfile ./ca.crt -certfile ./server.crt -outform DER -out server.p7b -nocrl
注意:本文归作者所有,未经作者允许,不得转载
原文地址: http://blog.wsmee.com/post/98
版权声明:非商用-非衍生-保持署名| Creative Commons BY-NC-ND 3.0
