
证书签发

在进行测试时，我们可以自己生成根证书和服务端证书。

生成根证书

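#!/usr/bin/env bash
# 生成根证书 — build a self-signed *test* root CA: private key, CSR and certificate.
# Needs bash: the -extfile argument is a process substitution <(...).
# Outputs (current directory): ca.key (private key, mode 0600), ca.csr, ca.cer.
# Env overrides: CA_KEY_BITS (default 2048), CA_DAYS (default 36500).
# NOTE: the domain-certificate snippets on this page read the CA as
# ../rootca/root.cer and ../rootca/root.key — rename these outputs (or adjust
# those paths) before issuing.
set -euo pipefail

# Key size is passed explicitly so the result does not depend on the
# default compiled into a particular openssl build.
ca_key_bits=${CA_KEY_BITS:-2048}
# 100-year lifetime is only acceptable because this CA is for local testing.
ca_days=${CA_DAYS:-36500}

# 生成私钥
openssl genrsa -out ca.key "$ca_key_bits"
# The key is the whole trust anchor for every certificate issued below.
chmod 600 ca.key

# 生成请求
openssl req -new -key ca.key -out ca.csr \
  -subj "/C=CN/ST=XXXX/L=XXXX/O=XXXX/OU=XXXX/CN=XXXX/emailAddress=XXX@XXX.com"

# 生成根证书
# basicConstraints and keyUsage are marked critical and keyUsage is limited to
# certificate/CRL signing, which is what a root is for; relying parties that
# insist on keyUsage being present on CA certificates accept it this way.
openssl x509 -req -days "$ca_days" -sha256 -signkey ca.key -in ca.csr -out ca.cer \
  -extfile <(printf '%s\n' \
    'subjectKeyIdentifier=hash' \
    'authorityKeyIdentifier=keyid,issuer' \
    'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign')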

生成单域名证书

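#!/usr/bin/env bash
# 生成单域名证书 — issue a test TLS server certificate for one hostname, signed
# by the local test CA.
# Usage:  <script> <domain>
# Needs bash (process substitution) and OpenSSL >= 1.1.1 (`req -addext`).
# Env overrides: CA_CERT (default ../rootca/root.cer), CA_KEY (default
#   ../rootca/root.key), KEY_BITS (default 2048), CERT_DAYS (default 730).
# Outputs: <domain>/<domain>.key (mode 0600), <domain>/<domain>.csr,
#   <domain>/<domain>.crt
set -euo pipefail

domain=${1:?usage: $0 <domain>}
# The argument becomes a directory name and an X.509 field, so restrict it to
# hostname characters; anything like "../x" or "a/b" would escape the working
# directory or produce a malformed subject.
if [[ ! "$domain" =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]]; then
  printf 'invalid domain name: %s\n' "$domain" >&2
  exit 2
fi

ca_cert=${CA_CERT:-../rootca/root.cer}
ca_key=${CA_KEY:-../rootca/root.key}
key_bits=${KEY_BITS:-2048}
cert_days=${CERT_DAYS:-730}
key_file="$domain/$domain.key"
csr_file="$domain/$domain.csr"
crt_file="$domain/$domain.crt"

# 创建文件夹
mkdir -p -- "$domain"

# 生成秘钥
openssl genrsa -out "$key_file" "$key_bits"
chmod 600 "$key_file"

# 生成请求
openssl req -new -key "$key_file" -out "$csr_file" \
  -subj "/C=CN/ST=XXX/L=XXX/O=XXX/OU=XXX/CN=$domain/emailAddress=XXX@XXX.com" \
  -addext "subjectAltName=DNS:$domain"

# 生成证书
# `x509 -req` does not copy extensions from the CSR, so the SAN is repeated in
# -extfile. extendedKeyUsage is serverAuth only: the original also granted
# OCSPSigning, which would let this leaf sign OCSP responses on behalf of the
# issuing CA — not something a web-server certificate should be able to do.
openssl x509 -req -sha256 -in "$csr_file" \
  -CA "$ca_cert" -CAkey "$ca_key" -CAcreateserial \
  -out "$crt_file" -days "$cert_days" \
  -extfile <(printf '%s\n' \
    'subjectKeyIdentifier=hash' \
    'authorityKeyIdentifier=keyid,issuer' \
    'basicConstraints=CA:FALSE' \
    'keyUsage=digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment' \
    'extendedKeyUsage=serverAuth' \
    "subjectAltName=DNS:$domain")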

生成泛域名证书

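#!/usr/bin/env bash
# 生成泛域名证书 — issue a test TLS server certificate covering <domain> and
# *.<domain>, signed by the local test CA.
# Usage:  <script> <domain>
# Needs bash (process substitution) and OpenSSL >= 1.1.1 (`req -addext`).
# Env overrides: CA_CERT (default ../rootca/root.cer), CA_KEY (default
#   ../rootca/root.key), KEY_BITS (default 2048), CERT_DAYS (default 730).
# Outputs: <domain>/<domain>.key (mode 0600), <domain>/<domain>.csr,
#   <domain>/<domain>.crt
set -euo pipefail

domain=${1:?usage: $0 <domain>}
# The argument becomes a directory name and an X.509 field, so restrict it to
# hostname characters; anything like "../x" or "a/b" would escape the working
# directory or produce a malformed subject. The wildcard label is added by the
# script, so the caller passes the bare base domain.
if [[ ! "$domain" =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]]; then
  printf 'invalid domain name: %s\n' "$domain" >&2
  exit 2
fi

ca_cert=${CA_CERT:-../rootca/root.cer}
ca_key=${CA_KEY:-../rootca/root.key}
key_bits=${KEY_BITS:-2048}
cert_days=${CERT_DAYS:-730}
key_file="$domain/$domain.key"
csr_file="$domain/$domain.csr"
crt_file="$domain/$domain.crt"
# A wildcard only matches one label, so the apex name is listed as well.
san="DNS:*.$domain,DNS:$domain"

# 创建文件夹
mkdir -p -- "$domain"

# 生成秘钥
openssl genrsa -out "$key_file" "$key_bits"
chmod 600 "$key_file"

# 生成请求
openssl req -new -key "$key_file" -out "$csr_file" \
  -subj "/C=CN/ST=XXX/L=XXX/O=XXX/OU=XXX/CN=$domain/emailAddress=XXX@XXX.com" \
  -addext "subjectAltName=$san"

# 生成证书
# `x509 -req` does not copy extensions from the CSR, so the SAN is repeated in
# -extfile. extendedKeyUsage is serverAuth only: the original also granted
# OCSPSigning, which would let this leaf sign OCSP responses on behalf of the
# issuing CA — not something a web-server certificate should be able to do.
openssl x509 -req -sha256 -in "$csr_file" \
  -CA "$ca_cert" -CAkey "$ca_key" -CAcreateserial \
  -out "$crt_file" -days "$cert_days" \
  -extfile <(printf '%s\n' \
    'subjectKeyIdentifier=hash' \
    'authorityKeyIdentifier=keyid,issuer' \
    'basicConstraints=CA:FALSE' \
    'keyUsage=digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment' \
    'extendedKeyUsage=serverAuth' \
    "subjectAltName=$san")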