飞鱼

Creating a custom CA with OpenSSL and generating self-signed certificates

飞鱼, 2022-08-30 06:02:21

1. Generate the CA private key

openssl ecparam -genkey -name prime256v1 | openssl ec -out ca.key

2. Generate the CA certificate

openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

3. Prepare two configuration files

(1) openssl.cnf. The values below can be changed to suit your needs; the one item that must be right is [alt_names], because that is what clients will check the server's address against.

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Jiangsu
localityName = Locality Name (eg, city)
localityName_default = Suzhou
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default  = FEIYU BLOG.
commonName = FEIYU BLOG.
commonName_max  = 64

[ v3_req ]
# Extensions to add to a certificate request
# A server certificate must not be a CA; v3.ext below also sets CA:FALSE at signing time
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
# The address clients will connect to; use DNS.1 = hostname for a name instead of an IP
IP.1 = 192.168.1.10

(2) v3.ext. Its [alt_names] section must match the one in openssl.cnf.

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName=@alt_names
[alt_names]
IP.1 = 192.168.1.10

4. Generate the server private key

openssl ecparam -genkey -name prime256v1 | openssl ec -out my.key

5. Generate the server CSR

openssl req -new -sha256 -key my.key -out my.csr -config openssl.cnf

6. Sign the CSR with the CA certificate and CA private key

openssl x509 -req -in my.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out my.crt -days 365 -sha256 -extfile v3.ext

7. Export the certificate in PFX (PKCS#12) format

openssl pkcs12 -export -out my.pfx -inkey my.key -in my.crt
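The seven steps above, run end to end without prompts and followed by the checks worth doing before trusting the result. This is an added example, not code from the original post; it assumes the openssl CLI is on PATH, and the IP 192.168.1.10 and the DN fields are placeholders. It goes slightly beyond the post by giving the CA certificate explicit CA:TRUE and keyCertSign extensions, which `openssl verify` expects of a signing CA.

```shell
# Added example (not from the original post): steps 1-7 in one directory,
# then verification. Assumes openssl on PATH; IP and DN values are placeholders.
build_pki() (
  set -eu; mkdir -p "$1" && cd "$1"
  # Step 3 first: this file also carries the CA extensions and a prompt-free DN.
  cat > openssl.cnf <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
C = CN
OU = FEIYU BLOG.
CN = FEIYU BLOG.
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
IP.1 = $2
EOF
  printf '%s\n' 'authorityKeyIdentifier=keyid,issuer' 'basicConstraints=CA:FALSE' \
    'keyUsage=digitalSignature, keyEncipherment' 'subjectAltName=@alt_names' \
    '[alt_names]' "IP.1 = $2" > v3.ext
  # Steps 1-2: CA key and self-signed CA certificate with the v3_ca extensions.
  openssl ecparam -genkey -name prime256v1 | openssl ec -out ca.key 2>/dev/null
  openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
    -config openssl.cnf -extensions v3_ca -subj "/CN=FEIYU BLOG. Root CA"
  # Steps 4-7: server key, CSR, CA-signed leaf, PKCS#12 bundle (empty password).
  openssl ecparam -genkey -name prime256v1 | openssl ec -out my.key 2>/dev/null
  openssl req -new -sha256 -key my.key -out my.csr -config openssl.cnf
  openssl x509 -req -in my.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out my.crt -days 365 -sha256 -extfile v3.ext 2>/dev/null
  openssl pkcs12 -export -out my.pfx -inkey my.key -in my.crt -passout pass:
)
# Checks before trusting the output: the leaf chains to ca.crt, the leaf is
# not itself a CA, its SAN carries the expected IP, and the CA cert says CA:TRUE.
check_pki() {
  openssl verify -CAfile "$1/ca.crt" "$1/my.crt" >/dev/null 2>&1 || return 1
  leaf=$(openssl x509 -in "$1/my.crt" -noout -text)
  printf '%s\n' "$leaf" | grep -q 'CA:FALSE' || return 1
  printf '%s\n' "$leaf" | grep -q "IP Address:$2" || return 1
  openssl x509 -in "$1/ca.crt" -noout -text | grep -q 'CA:TRUE'
}
```

Call `build_pki ./pki 192.168.1.10 && check_pki ./pki 192.168.1.10` to produce and verify the files; the same check with a different address fails, which is the point of getting [alt_names] right.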

© 2020 飞鱼's Blog