
Time: 2025-03-18 11:16:03




1. Create a private key. This is the foundation of the CA certificate; everything that follows derives from this key.

[root@localhost testCA]# openssl genrsa -out  2048
Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)

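2. Use the private key to sign the organization's information, producing the CA's self-signed certificate (the public half)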

[root@localhost testCA]# openssl req -new -x509 -key  -out  -days 36500
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GuangDong
Locality Name (eg, city) [Default City]:ShenZhen
Organization Name (eg, company) [Default Company Ltd]:leaderchain
Organizational Unit Name (eg, section) []:xraremeta
Common Name (eg, your name or your server's hostname) []:
Email Address []:381151367@


1. Create the server's private key with the openssl tool

[root@localhost testCA]# openssl genrsa -out  2048

2. Create a certificate signing request


[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = XX
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
#stateOrProvinceName_default    = Default Province

localityName                    = Locality Name (eg, city)
localityName_default            = Default City

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Default Company Ltd

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName                      = Common Name (eg, your name or your server's hostname)
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_max                = 64

# SET-ex3                       = SET extension number 3

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = *.
IP.1 =
IP.2 =


[root@localhost testCA]# openssl req -config  -new -out  -key 
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BeiJing]:
Locality Name (eg, city) []:
Organization Name (eg, company) [myca]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3. Sign the server certificate with the CA certificate

[root@localhost testCA]# openssl x509 -req  -extfile  -extensions v3_req -in  -out  -CAkey  -CA  -days 36500 -CAcreateserial -CAserial serial
Signature ok
subject=/C=XX/L=Default City/O=Default Company Ltd
Getting CA Private Key

4. Deploy the certificate




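  1. Double-click the certificate and click "Install Certificate"
  2. Select "Local Machine", click "Next", and confirm the prompt
  3. Select "Place all certificates in the following store" and click "Browse"
  4. Select "Trusted Root Certification Authorities" and click "OK"
  5. Click "Next"
  6. Click "Finish"
  7. Restart the browser; the red exclamation mark on the URL is gone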
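
The steps above, run end to end without prompts and followed by two checks worth making before deployment: that the server certificate chains to the CA, and that the subjectAltName from the config actually ended up in the issued certificate. This is an added example, not the original author's script; the file names, subject fields, SAN values, the `[ v3_ca ]` section and the 30-day validity are placeholders chosen here.

```shell
#!/bin/sh
# Added example. File names, subject fields and SAN values are constructed
# placeholders (the page's own values are not shown); validity is 30 days.
set -eu

make_chain() (            # $1 = empty working directory
  cd "$1"
  cat > san.cnf <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = *.example.test
IP.1 = 192.0.2.10
EOF
  # CA key and self-signed CA certificate
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl req -new -x509 -config san.cnf -extensions v3_ca -key ca.key \
    -out ca.crt -days 30 -subj "/O=Example Test CA/CN=Example Test Root"
  # Server key and signing request
  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -config san.cnf -new -key server.key -out server.csr \
    -subj "/O=Example/CN=www.example.test"
  # Signed with -extfile/-extensions, as in step 3 of the page
  openssl x509 -req -extfile san.cnf -extensions v3_req -in server.csr \
    -out server.crt -CA ca.crt -CAkey ca.key -days 30 -CAcreateserial -CAserial serial
  # Same request signed without -extfile: x509 -req does not copy the CSR's
  # extensions by default, so this certificate carries no SAN
  openssl x509 -req -in server.csr -out nosan.crt -CA ca.crt -CAkey ca.key \
    -days 30 -CAserial serial
)

# $1 = directory, $2 = certificate file: succeeds if it verifies against ca.crt
chain_ok() { openssl verify -CAfile "$1/ca.crt" "$1/$2" >/dev/null 2>&1; }
# $1 = certificate path: succeeds if a subjectAltName extension is present
has_san()  { openssl x509 -in "$1" -noout -text | grep -q "Subject Alternative Name"; }

dir=$(mktemp -d)
make_chain "$dir"
for c in server.crt nosan.crt; do
  chain_ok "$dir" "$c" && chain=yes || chain=no
  has_san "$dir/$c" && san=yes || san=no
  echo "$c: chains to CA=$chain, has SAN=$san"
done
rm -rf "$dir"
```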