使用openssl生成自签CA证书，并用其签发其他证书

本文大部分内容参考自：https://jamielinux.com/docs/openssl-certificate-authority/introduction.html

本文内容比较多，可以先看看目录，内容都是自己实践和总结的，有问题的朋友可以在底下评论或留言。

关于CA的一些相关知识：

1.证书管理机构

2.PKI（公钥基础设施）

3.x509 RFC5280

下面开始实践：

ROOT CA密钥和证书

正常情况下，根CA一般只用来签发下级的CA证书，不会直接签发服务端和客户端证书。

1.准备工作目录

我这里用的是mac环境，使用win或linux的朋友请自行调整。

创建一个文件夹用来存放所有的密钥和证书：

# mkdir /Users/imaginefei/Desktop/certificate/ca

创建目录结构，index.txt 和 serial 文件分别用作数据库和跟踪证书序列号：

# cd /Users/imaginefei/Desktop/certificate/ca
# mkdir certs crl newcerts private
# chmod 700 private
# touch index.txt
# echo 1000 > serial

2.准备配置文件

准备openssl的配置文件，可以在文章的附录中找到，并复制到/Users/imaginefei/Desktop/certificate/ca/openssl.cnf。

配置文件中的[ ca ]字段是必须的，这里告诉openssl去读取[ CA_default ]字段。

[ ca ]
# `man ca`
default_ca = CA_default

[ CA_default ] 字段都是些默认值，具体意思自己去Google或百度了，确保dir这个变量的值，是你第一步时创建的文件夹：

[ CA_default ]
# Directory and file locations.
dir               = /Users/imaginefei/Desktop/certificate/ca
certs             = $dir/certs
crl_dir           = $dir/crl
new_certs_dir     = $dir/newcerts
database          = $dir/index.txt
serial            = $dir/serial
RANDFILE          = $dir/private/.rand

# The root key and root certificate.
private_key       = $dir/private/ca.key.pem
certificate       = $dir/certs/ca.cert.pem

# For certificate revocation lists.
crlnumber         = $dir/crlnumber
crl               = $dir/crl/ca.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md        = sha256

name_opt          = ca_default
cert_opt          = ca_default
default_days      = 375
preserve          = no
policy            = policy_strict

我们这里选择policy_strict作为CA默认的签名策略（国家代码，组织名之类的），根CA只用来签发下级CA：

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

policy_loose用来作为下级ca的默认签名策略，和上面差不多，具体配置参考附录就可以了。

[ req ]字段在创建证书和证书请求的时候会用到：

[ req ]
# Options for the `req` tool (`man req`).
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.
default_md          = sha256

# Extension to add when the -x509 option is used.
x509_extensions     = v3_ca

[ req_distinguished_name ] 字段定义了生成证书请求时的某些默认值，你可以先默认写在配置文件里，或者执行openssl req 命令的时候自行输入：

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = Common Name
emailAddress                    = Email Address

# Optionally, specify some defaults.
countryName_default             = CN
stateOrProvinceName_default     = GuangDong
localityName_default            = DongGuan
0.organizationName_default      = GuangDong HongYou Network Technology Co.,Ltd.
organizationalUnitName_default  = Service Operation Department.
#emailAddress_default           = imaginefei@163.com

下一个字段[ v3_ca ]，用作签发根证书时指定的x509拓展(基本约束)，命令行里对应的是-extensions v3_ca：

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]是用来签发下级CA证书时指定的x509拓展，pathlen没看明白，具体去看x509的RFC规范吧- -！：

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

剩下的[ usr_cert ]和[ server_cert ]分别对应客户端和服务端，就不详细解释了，[ crl_ext ]是用来创建证书撤销列表的，[ ocsp ]是用作在线查询证书状态的，具体的概念和术语太多，就不一一解释了。

3.创建Root ca密钥

# cd /Users/imaginefei/Desktop/certificate/ca
# openssl genrsa -aes256 -out private/ca.
4000
key.pem 4096
Generating RSA private key, 4096 bit long modulus
........................................++
.....................................................++
e is 65537 (0x10001)
Enter pass phrase for private/ca.key.pem:
Verifying - Enter pass phrase for private/ca.key.pem:
#

4.创建Root ca证书

创建根ca证书时，请设置长点的时间，一旦ca证书过期，由该证书签发的所有证书都将会过期。执行命令时，请加上-config指定配置文件，不然openssl默认会去读取/etc/pki/tls/openssl.cnf：

# cd /Users/imaginefei/Desktop/certificate/ca
# openssl req -config openssl.cnf \
-key private/ca.key.pem \
-new -x509 -days 7300 -sha256 -extensions v3_ca \
-out certs/ca.cert.pem
Enter pass phrase for private/ca.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name [GuangDong]:
Locality Name [DongGuan]:
Organization Name [GuangDong HongYou Network Technology Co.,Ltd.]:
Organizational Unit Name [Service Operation Department.]:
Common Name []:YouJiFen Root CA
Email Address []:
#
# chmod 444 certs/ca.cert.pem

5.查看和验证Root ca证书

# openssl x509 -noout -text -in certs/ca.cert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
b0:37:bc:9d:13:cb:c4:f7
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=GuangDong, L=DongGuan, O=GuangDong HongYou Network Technology Co.,Ltd., OU=Service Operation Department., CN=YouJiFen Root CA
Validity
Not Before: Nov 15 04:31:29 2016 GMT
Not After : Nov 10 04:31:29 2036 GMT
Subject: C=CN, ST=GuangDong, L=DongGuan, O=GuangDong HongYou Network Technology Co.,Ltd., OU=Service Operation Department., CN=YouJiFen Root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (4096 bit)
Modulus (4096 bit):
00:bb:14:d9:ec:95:93:52:44:a3:97:81:50:81:ed:
3c:53:23:d0:6e:8c:08:b2:dd:2e:a9:fc:e8:78:7d:
63:d1:23:e3:a0:4d:a8:04:5b:19:42:4a:ae:9d:bd:
30:90:e5:3d:0f:1b:b7:bd:2e:13:c3:b1:86:de:fb:
15:55:3e:7d:f5:35:cc:8c:3e:41:5c:60:c1:f7:20:
84:e5:2c:8b:87:7f:12:6f:52:7c:0e:a7:ee:62:92:
34:0b:b5:2a:c7:68:34:b2:b3:fc:5d:a9:2c:e4:fe:
ee:20:44:aa:48:f8:fb:1a:5f:a8:1e:b4:5a:cf:11:
0b:01:73:17:99:26:7f:52:1f:21:7a:ad:c4:22:63:
ac:cb:0e:50:01:16:f2:f3:19:6f:da:a9:5b:f5:20:
40:14:fa:c0:cb:18:a5:45:2f:31:71:0f:0e:98:0e:
7f:14:ba:e5:3a:ea:e6:c7:15:1f:39:c4:6b:30:62:
e5:c8:d2:d8:61:09:bb:5c:9f:7f:f8:0d:bd:9e:1c:
fe:6a:21:23:f8:68:99:18:46:05:f1:48:96:6d:fb:
af:d6:6b:38:80:da:45:e2:16:c9:e9:4d:2c:6d:23:
cf:a4:0d:3a:1f:39:21:98:7a:6a:4f:1c:a5:9d:06:
17:9b:3f:f6:95:74:9c:52:0a:a6:27:ba:34:1f:6e:
49:bd:43:06:3d:69:cd:7c:35:10:e0:08:8e:b0:f4:
a3:51:ee:1e:82:e1:74:ff:d0:5b:fe:43:45:5b:4b:
9d:5b:d9:6c:44:30:4a:da:0f:01:40:d6:4e:eb:13:
41:c5:d9:64:2c:21:25:b1:fe:09:a9:aa:a2:1b:0d:
af:e3:fd:3d:c1:1f:96:39:48:ca:e3:fe:0a:e1:5f:
0a:39:2c:d4:41:90:b8:f4:90:20:1f:21:76:81:52:
0a:f3:03:1c:87:cd:c8:3c:96:18:30:e1:d1:92:2a:
fe:33:42:9f:8c:1a:79:5b:3f:4d:98:56:c5:0f:28:
9b:96:a8:29:ec:7b:99:32:b3:b9:e0:3a:19:0f:e3:
3a:97:57:d5:0b:2d:5f:e3:74:63:74:8d:cf:35:f4:
3e:4a:fe:b5:f9:a9:21:df:41:bd:d3:51:bf:c9:4e:
f8:d9:bd:71:dd:eb:dd:29:f8:aa:af:56:84:d0:a9:
c9:1f:90:60:ab:cb:78:32:d7:4f:12:fb:14:d7:a8:
17:dc:6c:f7:d2:3b:9f:ab:09:61:ae:b3:e2:63:1c:
9d:a6:36:4c:22:07:04:74:12:16:d5:34:f5:09:f2:
bc:ab:f3:36:a3:e5:1d:9c:15:79:ce:fe:dc:f5:a4:
27:91:1c:4a:56:1f:76:6b:94:43:c
138f3
7:1e:11:a2:5f:
95:30:59
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
BA:A7:F7:0B:01:BE:DE:DD:53:94:06:54:58:F1:10:36:B0:EE:02:2B
X509v3 Authority Key Identifier:
keyid:BA:A7:F7:0B:01:BE:DE:DD:53:94:06:54:58:F1:10:36:B0:EE:02:2B

X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
a7:1b:f1:46:76:2b:c2:52:62:e6:ba:54:72:71:cc:fd:f1:24:
69:13:8a:73:dc:dc:8e:9d:bd:f7:32:14:04:4d:08:b9:fb:9c:
06:d6:e0:5e:4e:3a:8d:51:ea:31:f1:6c:5b:6f:dc:a2:ae:4f:
5b:28:44:3f:33:2d:67:59:ec:34:99:69:62:38:27:60:6a:1d:
4b:d6:d5:96:d8:f1:08:3d:4f:49:f8:5e:02:03:4e:07:55:3e:
86:7c:93:d4:31:9f:b0:30:b0:29:ad:15:9e:1a:c2:0c:9d:aa:
08:39:0b:d2:78:4c:3a:a2:a6:89:8b:2d:c8:f1:b7:40:a9:bb:
be:37:c2:52:b4:23:45:e4:ad:d8:7e:3b:4e:d9:9d:72:c1:2f:
90:1f:39:b1:00:e9:07:18:fe:04:05:34:24:a7:6a:bc:98:c5:
ed:cd:a1:90:ad:85:2c:88:bf:c1:05:a9:05:1e:9b:b9:b0:d4:
82:e5:1f:87:27:d9:16:25:cf:42:58:46:63:ea:b7:51:3e:4c:
ef:7f:ea:9a:bf:92:a2:ec:b0:7b:71:21:5e:f9:4e:d0:04:6d:
bb:91:5f:47:3d:cc:61:10:30:ff:16:53:49:f4:19:ba:c9:d3:
2e:a1:2a:54:d3:4e:e6:cc:81:de:7a:e9:ea:b2:1c:f2:8a:c5:
19:66:41:04:a7:3e:a4:35:72:b6:54:05:72:68:36:6c:77:a9:
3f:2b:02:4f:02:f8:4e:db:4b:b8:5a:77:bd:77:a8:54:4e:11:
86:9b:6d:80:58:bb:f1:d8:f6:ae:df:e9:71:42:d0:2b:dd:8f:
1c:8b:10:0a:eb:b5:e6:61:f4:56:e5:15:63:18:06:f4:f6:79:
32:14:7d:a2:c2:87:ac:2c:dc:77:e3:6e:8b:96:26:e4:fc:f0:
9a:d5:c4:8d:39:a1:df:9b:8f:75:eb:e3:36:54:db:64:eb:78:
96:08:8d:34:86:f9:1b:aa:86:f8:b0:dc:e1:7f:a1:7b:1b:f3:
2f:3e:71:b1:6b:d4:ad:bb:06:fe:bb:69:55:52:57:b5:61:92:
91:c6:86:58:56:f4:fc:51:72:b2:21:7b:5b:89:01:48:5a:07:
45:e5:e0:81:99:99:b0:63:29:94:3e:d1:2b:c8:d9:d1:b5:83:
73:77:3e:5c:42:4c:ba:c0:de:67:f9:3c:6c:94:9d:ab:e8:22:
19:b0:71:01:5b:60:4c:5d:93:07:ba:fd:29:15:57:b4:54:a3:
17:ec:6c:ae:b7:f0:46:bd:42:ad:b7:5e:11:c8:da:1f:3b:c1:
c7:b7:b9:f1:12:60:3a:62:92:3b:87:a3:be:ba:af:21:d1:d4:
d3:f5:c9:cc:13:97:af:1e

Intermediate CA(中间证书颁发机构)密钥和证书

1.准备文件夹

在ca的文件内，创建一个文件夹用于存放中间证书机构的文件：

# mkdir /Users/imaginefei/Desktop/certificate/ca/intermediate

在intermediate文件夹内创建和ca一样的目录结构，csr文件夹用来存放证书请求：

# cd /Users/imaginefei/Desktop/certificate/ca/intermediate
# mkdir certs crl csr newcerts private
# chmod 700 private
# touch index.txt
# echo 1000 > serial

添加crlnumber到intermediate文件夹，用来追踪证书撤销列表：

# echo 1000 > crlnumber

复制附录的intermediate openssl.cnf 到intermediate文件夹，其实就是把ca openssl.cnf复制过来，修改如下东西就可以了：

[ CA_default ]
dir             = /Users/imaginefei/Desktop/certificate/ca/intermediate
private_key     = $dir/private/intermediate.key.pem
certificate     = $dir/certs/intermediate.cert.pem
crl             = $dir/crl/intermediate.crl.pem
policy          = policy_loose

2.创建中间证书机构密钥

先定位到ca的文件夹内：

# cd /Users/imaginefei/Desktop/certificate/ca
# openssl genrsa -aes256 \
-out intermediate/private/intermediate.key.pem 4096
Generating RSA private key, 4096 bit long modulus
..................................................++
....++
e is 65537 (0x10001)
Enter pass phrase for intermediate/private/intermediate.key.pem:
Verifying - Enter pass phrase for intermediate/private/intermediate.key.pem:
#
# chmod 400 intermediate/private/intermediate.key.pem

3.创建中间证书机构证书

先创建证书请求，请使用intermediate/openssl.cnf：

# cd /Users/imaginefei/Desktop/certificate/ca
# openssl req -config intermediate/openssl.cnf -new -sha256 \
-key intermediate/private/intermediate.key.pem \
-out intermediate/csr/intermediate.csr.pem
Enter pass phrase for intermediate/private/intermediate.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name [GuangDong]:
Locality Name [DongGuan]:
Organization Name [GuangDong HongYou Network Technology Co.,Ltd.]:
Organizational Unit Name [Service Operation Department.]:
Common Name []:YouJiFen Intermediate CA
Email Address []:
#

签发证书，请使用ca文件夹内的openssl.cnf，命令选项用v3_intermediate_ca：

# cd /Users/imaginefei/Desktop/certificate/ca
# openssl ca -config openssl.cnf -extensions v3_intermediate_ca \
-days 3650 -notext -md sha256 \
-in intermediate/csr/intermediate.csr.pem \
-out intermediate/certs/intermediate.cert.pem
Using configuration from openssl.cnf
Enter pass phrase for /Users/imaginefei/Desktop/certificate/ca/private/ca.key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4096 (0x1000)
Validity
Not Before: Nov 15 05:54:06 2016 GMT
Not After : Nov 13 05:54:06 2026 GMT
Subject:
countryName               = CN
stateOrProvinceName       = GuangDong
organizationName          = GuangDong HongYou Network Technology Co.,Ltd.
organizationalUnitName    = Service Operation Department.
commonName                = YouJiFen Intermediate CA
X509v3 extensions:
X509v3 Subject Key Identifier:
4A:8E:63:5D:14:71:4D:BD:A8:F8:6B:79:8B:57:B7:E0:4A:9E:EF:1C
X509v3 Authority Key Identifier:
keyid:BA:A7:F7:0B:01:BE:DE:DD:53:94:06:54:58:F1:10:36:B0:EE:02:2B

X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Certificate is to be certified until Nov 13 05:54:06 2026 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
#
# chmod 444 intermediate/certs/intermediate.cert.pem

4.查看和验证Intermediate CA证书

查看:
# openssl x509 -noout -text \
-in intermediate/certs/intermediate.cert.pem

验证：

openssl verify -CAfile certs/ca.cert.pem \
intermediate/certs/intermediate.cert.pem
intermediate/certs/intermediate.cert.pem: OK
#

5.创建证书链

# cat intermediate/certs/intermediate.cert.pem \
certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
# chmod 444 intermediate/certs/ca-chain.cert.pem

签发服务端证书

1.创建服务端密钥

# cd /Users/imaginefei/Desktop/certificate/ca
# openssl genrsa -aes256 \
-out intermediate/private/www.51ujf.cn.key.pem 2048
Generating RSA private key, 2048 bit long modulus
......................................................................................................................................................+++
....+++
e is 65537 (0x10001)
Enter pass phrase for intermediate/private/www.51ujf.cn.key.pem:
Verifying - Enter pass phrase for intermediate/private/www.51ujf.cn.key.pem:
# chmod 400 intermediate/private/www.51ujf.cn.key.pem

2.创建服务端证书请求

# cd /Users/imaginefei/Desktop/certificate/ca
# openssl req -config intermediate/openssl.cnf \
-key intermediate/private/www.51ujf.cn.key.pem \
-new -sha256 -out intermediate/csr/www.51ujf.cn.csr.pem
Enter pass phrase for intermediate/private/www.51ujf.cn.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name [GuangDong]:
Locality Name [DongGuan]:
Organization Name [GuangDong HongYou Network Technology Co.,Ltd.]:
Organizational Unit Name [Service Operation Department.]:
Common Name []:www.51ujf.cn
Email Address []:
#

3.签发服务端证书

# cd /Users/imaginefei/Desktop/certificate/ca
# openssl ca -config intermediate/openssl.cnf \
-extensions server_cert -days 375 -notext -md sha256 \
-in intermediate/csr/www.51ujf.cn.csr.pem \
-out intermediate/certs/www.51ujf.cn.cert.pem
Using configuration from intermediate/openssl.cnf
Enter pass phrase for /Users/imaginefei/Desktop/certificate/ca/intermediate/private/intermediate.key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4096 (0x1000)
Validity
Not Before: Nov 15 06:17:17 2016 GMT
Not After : Nov 25 06:17:17 2017 GMT
Subject:
countryName               = CN
stateOrProvinceName       = GuangDong
localityName              = DongGuan
organizationName          = GuangDong HongYou Network Technology Co.,Ltd.
organizationalUnitName    = Service Operation Department.
commonName                = www.51ujf.cn
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Server Certificate
X509v3 Subject Key Identifier:
9D:DF:B8:25:96:CB:8F:EF:E7:88:0F:DE:8C:A8:4A:66:EA:44:3B:A6
X509v3 Authority Key Identifier:
keyid:4A:8E:63:5D:14:71:4D:BD:A8:F8:6B:79:8B:57:B7:E0:4A:9E:EF:1C
DirName:/C=CN/ST=GuangDong/L=DongGuan/O=GuangDong HongYou Network Technology Co.,Ltd./OU=Service Operation Department./CN=YouJiFen Root CA
serial:10:00

X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
Certificate is to be certified until Nov 25 06:17:17 2017 GMT (375 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# chmod 444 intermediate/certs/www.51ujf.cn.cert.pem

4.查看和验证证书

# openssl x509 -noout -text \
-in intermediate/certs/www.51ujf.cn.cert.pem

# openssl verify -CAfile intermediate/certs/ca-chain.cert.pem \
intermediate/certs/www.51ujf.cn.cert.pem
intermediate/certs/www.51ujf.cn.cert.pem: OK

5.部署配置证书

如果部署在apache服务器，需要以下几个文件：

ca-chain.cert.pem

www.51ujf.cn.key.pem

www.51ujf.cn.cert.pem

如果部署在nginx，估计要把ca-chain.cert.pem和www.51ujf.cn.cert.pem合并在一个文件，做成证书链。

附录

1.root ca openssl.cnf

# OpenSSL root CA configuration file.
# Copy to `Users/imaginefei/Desktop/certificate/ca/openssl.cnf`.

[ ca ]
# `man ca`
default_ca = CA_default

[ CA_default ]
# Directory and file locations.
dir               = /Users/imaginefei/Desktop/certificate/ca
certs             = $dir/certs
crl_dir           = $dir/crl
new_certs_dir     = $dir/newcerts
database          = $dir/index.txt
serial            = $dir/serial
RANDFILE          = $dir/private/.rand

# The root key and root certificate.
private_key       = $dir/private/ca.key.pem
certificate       = $dir/certs/ca.cert.pem

# For certificate revocation lists.
crlnumber         = $dir/crlnumber
crl               = $dir/crl/ca.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md        = sha256

name_opt          = ca_default
cert_opt          = ca_default
default_days      = 375
preserve          = no
policy            = policy_strict

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
# Options for the `req` tool (`man req`).
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.
default_md          = sha256

# Extension to add when the -x509 option is used.
x509_extensions     = v3_ca

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = Common Name
emailAddress                    = Email Address

# Optionally, specify some defaults.
countryName_default             = CN
stateOrProvinceName_default     = GuangDong
localityName_default            = DongGuan
0.organizationName_default      = GuangDong HongYou Network Technology Co.,Ltd.
organizationalUnitName_default  = Service Operation Department.
#emailAddress_default           = imaginefei@163.com

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always

[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning

2.intermediate openssl.cnf

# OpenSSL root CA configuration file.
# Copy to `/Users/imaginefei/Desktop/certificate/intermediate/openssl.cnf`.

[ ca ]
# `man ca`
default_ca = CA_default

[ CA_default ]
# Directory and file locations.
dir               = /Users/imaginefei/Desktop/certificate/ca/intermediate
certs             = $dir/certs
crl_dir           = $dir/crl
new_certs_dir     = $dir/newcerts
database          = $dir/index.txt
serial            = $dir/serial
RANDFILE          = $dir/private/.rand

# The root key and root certificate.
private_key       = $dir/private/intermediate.key.pem
certificate       = $dir/certs/intermediate.cert.pem

# For certificate revocation lists.
crlnumber         = $dir/crlnumber
crl               = $dir/crl/intermediate.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md        = sha256

name_opt          = ca_default
cert_opt          = ca_default
default_days      = 375
preserve          = no
policy            = policy_loose

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
# Options for the `req` tool (`man req`).
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.
default_md          = sha256

# Extension to add when the -x509 option is used.
x509_extensions     = v3_ca

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = Common Name
emailAddress                    = Email Address

# Optionally, specify some defaults.
countryName_default             = CN
stateOrProvinceName_default     = GuangDong
localityName_default            = DongGuan
0.organizationName_default      = GuangDong HongYou Network Technology Co.,Ltd.
organizationalUnitName_default  = Service Operation Department.
#emailAddress_default           = imaginefei@163.com

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always

[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning