如何制作ca证书

制作证书：

准备环境
$ mkdir -p CA/{certs,crl,newcerts,private}
$
$ touch CA/index.txt
$
$ echo 00 > CA/serial

生成CA秘钥

$ openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
...........................................................+++
...............+++
e is 65537 (0x10001)
$

签署CA
$ openssl req -sha256 -new -x509 -days 3650 -key ca.key -out ca.crt -newkey rsa:2048
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:home
Organizational Unit Name (eg, section) []:desk
Common Name (e.g. server FQDN or YOUR name) []:www.home.desk.com
Email Address []:home@hm.com
$

查看证书内容
$ openssl x509 -noout -text -in ca.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 12914197379374815003 (0xb33872181cea971b)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=BJ, L=BJ, O=home, OU=desk, CN=www.home.desk.com/emailAddress=home@hm.com
Validity
Not Before: May 17 09:12:47 2019 GMT
Not After : May 14 09:12:47 2029 GMT
Subject: C=CN, ST=BJ, L=BJ, O=home, OU=desk, CN=www.home.desk.com/emailAddress=home@hm.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:

$ ls
CA ca.crt ca.key
$

生成服务器秘钥
$ openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.................................................+++
............................................................................................+++
e is 65537 (0x10001)
$

生成服务器证书请求，注意Country Name、State、Locality Name和Organization Name最好与CA证书填写的内容一致。
$ openssl req -new -sha256 -key server.key -reqexts v3_req -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:home
Organizational Unit Name (eg, section) []:desk
Common Name (e.g. server FQDN or YOUR name) []:www.home.desk
Email Address []:home@desk.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:111111
An optional company name []:.
$

使用上一节的CA证书和秘钥签发服务器证书
$ openssl ca -in server.csr -md sha256 -keyfile ca.key -cert ca.crt -extensions v3_req -out server.crt
Using configuration from /usr/lib/ssl/openssl.cnf
I am unable to access the ./demoCA/newcerts directory
./demoCA/newcerts: No such file or directory
$

如果遇到以上问题，执行以下操作：

$ mkdir -p demoCA/newcerts
$
$ touch demoCA/index.txt
$
$ echo 00 > demoCA/serial

在次运行签发命令：
$ openssl ca -in server.csr -md sha256 -keyfile ca.key -cert ca.crt -extensions v3_req -out server.crt
Using configuration from /usr/lib/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
The organizationName field needed to be the same in the
CA certificate (home) and the request (server)
$

以上提示CA证书和服务端的证书请求中的组织名称不相同，最好设置为相同的。

$ openssl ca -in server.csr -md sha256 -keyfile ca.key -cert ca.crt -extensions v3_req -out server.crt
Using configuration from /usr/lib/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: May 17 09:49:08 2019 GMT
Not After : May 16 09:49:08 2020 GMT
Subject:
countryName = CN
stateOrProvinceName = BJ
organizationName = home
organizationalUnitName = desk
commonName = www.home.desk
emailAddress = home@desk.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Certificate is to be certified until May 16 09:49:08 2020 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
$

完成之后的目录结构：
$ ls
CA ca.crt ca.key demoCA server.crt server.csr server.key
$

错误处理：
如果报“failed to update database TXT_DB error number 2”错误
修改demoCA下 index.txt.attr
将unique_subject = yes
改为：
unique_subject = no

生成pfx文件
openssl pkcs12 -export -in client.crt -inkey client.key -out client.pfx