Ref:
http://colinzhouyj.blog.51cto.com/2265679/1566438
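# Run these from $dir (/usr/local/etc/openssl/ZhangYangCA in [ CA_default ]) so the
# relative paths below line up with the config's private_key / certificate entries.

# 1. CA key and self-signed CA certificate (extensions from [ v3_ca ] via [ req ]).
#    The key is written to private/ because that is where [ CA_default ] expects it;
#    -aes256 keeps the CA private key encrypted at rest (you will be prompted for a
#    passphrase here and on every later `openssl ca` run).
openssl genrsa -aes256 -out private/zy_ca.key 2048
openssl req -new -x509 -days 3650 -key private/zy_ca.key -sha256 -out zy_ca.crt \
-config /usr/local/etc/openssl/openssl.cnf

# 2. Leaf key and CSR. The CSR picks up req_extensions = v3_req (SANs from [alt_names]).
openssl genrsa -out zy1.key 2048
openssl req -new -out zy1.csr -key zy1.key \
-config /usr/local/etc/openssl/openssl.cnf

# 3. Sign the CSR with the CA. -extensions v3_req overrides the
#    x509_extensions = usr_cert default from [ CA_default ].
openssl ca -in zy1.csr -out zy1.crt \
-cert /usr/local/etc/openssl/ZhangYangCA/zy_ca.crt \
-keyfile /usr/local/etc/openssl/ZhangYangCA/private/zy_ca.key \
-extensions v3_req \
-config /usr/local/etc/openssl/openssl.cnf

# 4. Split a PKCS#12 bundle into key and certificate.
#    '-passout pass:' gives the exported key an empty passphrase, so charles.key is
#    effectively unprotected on disk. Use -nodes if an unencrypted key is the intent,
#    and restrict the file's permissions either way.
openssl pkcs12 -in charles.p12 -nocerts -out charles.key -passout pass:
chmod 600 charles.key
openssl pkcs12 -in charles.p12 -clcerts -nokeys -out charles.crt

# 5. Revoke an issued certificate. -revoke only marks it in the index database;
#    relying parties see the revocation only after a fresh CRL is generated and
#    published, so regenerate the CRL right after revoking.
openssl ca -revoke /usr/local/etc/openssl/newcerts/02.pem -config /usr/local/etc/openssl/openssl.cnf
openssl ca -gencrl -out /usr/local/etc/openssl/ZhangYangCA/crl.pem -config /usr/local/etc/openssl/openssl.cnf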
# Entry section read by `openssl ca`; selects which CA profile below is active.
[ca]
default_ca = CA_default
# CA profile selected by [ca] default_ca. All paths hang off dir.
[CA_default]
# Root of the CA tree; everything else is kept under it
dir = /usr/local/etc/openssl/ZhangYangCA
# Where the issued certs are kept
certs = $dir/certs
# Where the issued CRLs are kept
crl_dir = $dir/crl
# Index database of issued certificates and their status
database = $dir/index.txt
# Default place for newly issued certs (named <serial>.pem, e.g. newcerts/02.pem)
new_certs_dir = $dir/newcerts
# The CA certificate
certificate = $dir/zy_ca.crt
# The current serial number
serial = $dir/serial
# The current CRL number; must be commented out to leave a V1 CRL
crlnumber = $dir/crlnumber
# The current CRL
crl = $dir/crl.pem
# The CA private key; keep this file readable by the CA operator only
private_key = $dir/private/zy_ca.key
# Private random number file
RANDFILE = $dir/private/.rand
# Extensions added to issued certs unless overridden with -extensions.
# [usr_cert] is not defined in this excerpt; presumably it comes from the
# stock openssl.cnf — confirm it exists before relying on this default.
x509_extensions = usr_cert
# Subject Name options
name_opt = ca_default
# Certificate field options
cert_opt = ca_default
# Validity of issued certs, in days (3650 is roughly ten years; consider
# whether end-entity certs really need a lifetime that long)
default_days = 3650
# Days until the next CRL is due
default_crl_days = 30
# Message digest used for signing
default_md = sha256
# no = order DN fields as the policy section lists them rather than as passed in
preserve = no
# DN matching policy; [policy_anything] is not shown in this excerpt
policy = policy_anything
# Defaults for `openssl req` (CSRs and the self-signed CA certificate).
[req]
default_bits = 2048
default_keyfile = privkey.pem
# [req_distinguished_name] and [req_attributes] are not part of this excerpt
distinguished_name = req_distinguished_name
attributes = req_attributes
# Extensions added to the self-signed cert (-x509); see [v3_ca]
x509_extensions = v3_ca
string_mask = utf8only
# Extensions added to a certificate request; see [v3_req]
req_extensions = v3_req
# End-entity profile: not a CA, key usable for signatures and key transport,
# SANs pulled from [alt_names]. It is also passed to `openssl ca -extensions`.
# No extendedKeyUsage is set; if these certs serve TLS, check whether the
# consuming clients require serverAuth before adding it.
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
# Subject Alternative Names for certs issued with [v3_req].
# Both entries are wildcards, so one leaf key covers every host under each
# domain; a compromise of that key affects all of them.
[alt_names]
DNS.1 = *.albertzhang.com
DNS.2 = *.albertzhang.cool
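# CA profile used for the self-signed root (`openssl req -x509` via [req]).
[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:true
# This CA also issues CRLs (see crl/crlnumber in [CA_default] and `openssl ca
# -revoke`); verifiers that enforce keyUsage reject a CRL unless the issuer's
# certificate carries cRLSign, so keyCertSign alone is not enough.
keyUsage = critical, cRLSign, keyCertSign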