使用openssl生成证书

一、生成证书步骤

1.先创建一个目录，我这边创建的目录是/var/myca，终端指向该目录

1.生成私钥(key文件)：openssl genrsa -des3 -out server.key 2048

2.去除key文件口令，不然每次读取key文件都要输入口令openssl rsa -in server.key -out server.key

3.key生成一个csr证书：openssl req -new -key server.key -out server.csr

5.csr证书需要CA签名才能形成证书，生成一个ca.key和根证书ca.crt

openssl req -new -x509 -days 10240 -keyout ca.key -out ca.crt

6.创建openssl配置文件，示例配置文件如下所示：

[ ca ]
default_ca = myca

[ myca ]
dir = /var/myca
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial

default_crl_days= 7
default_days = 365
default_md = md5

policy = myca_policy
x509_extensions = certificate_extensions

[ myca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName= supplied
organizationalUnitName = optional

[ certificate_extensions ]
basicConstraints= CA:false

[ req ]
default_bits = 2048
default_keyfile = /var/MyCA/private/cakey.pem
default_md = md5
prompt = no
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions
[ root_ca_distinguished_name ]
commonName = My Test CA
stateOrProvinceName = HZ
countryName = CN
emailAddress = test@cert.com
organizationName = Root Certification Authority
[ root_ca_extensions ]
basicConstraints = CA:true

7.根据配置创建文件夹certs，private，创建index.txt文件，创建serial文件，写入01

8.用刚才生成的CA证书为server.csr进行文件签名：openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf

二、遇到的问题

对于出现下列问题yfailed to update databaseTXT_DB error number 2解决方法：

1.修改目录下的index.txt.attr文件，把unique_subject = yes改为unique_subject = no

2.删除目录下的index.txt文件，然后再生成一个