How to create a self-signed SSL certificate (X509)

2021-11-25  小易哥学呀学
If you want an SSL certificate for your own testing, a single command is enough (this does not include a CA root certificate).

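req is the openssl command for certificate requests and certificate generation.
-x509 outputs a certificate instead of a certificate request.
-newkey [rsa:]nbits generates an RSA private key of nbits bits.
-keyout is the file the generated private key is written to.
-out is the file the generated certificate is written to.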

 openssl req -x509 -newkey rsa:2048 -keyout key.pem -out req.pem
$ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out req.pem
Generating a 2048 bit RSA private key
..................+++
..............+++
writing new private key to 'key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) []:beijing
Organization Name (eg, company) []:tantan
Organizational Unit Name (eg, section) []:momo
Common Name (eg, fully qualified host name) []:xiaoyi
Email Address []:861072742@qq.com

Official openssl command demo


openssl documentation on generating certificates

Documentation

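Generating a certificate together with a CA root certificate

1. Generate the CA private key
2. Generate the CA root certificate
3. Generate the private key
4. Generate the certificate request
5. Generate the certificate (PEM format) from the certificate request, the CA root certificate, and the CA private key.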

openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem -subj "/C=US/ST=Utah/L=Lehi/O=Your Company, Inc./OU=IT/CN=rootca.com"
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr -subj "/C=US/ST=Utah/L=Lehi/O=Your Company, Inc./OU=IT/CN=test-redis"
openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.pem -days 1000 -sha256

server.pem  certificate
server.key  private key of the certificate
rootCA.pem  CA root certificate
rootCA.key  private key of the CA root certificate
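
The five steps above, as an added example that is not part of the original post: a script that reruns them without prompts in a scratch directory, then checks the result with `openssl verify` and a public-key comparison. The shortened `-subj` values, the `-nodes -subj` variant of the first command, and the function names are assumptions made for this example.

```bash
#!/bin/sh
# Added example: rerun the page's commands in a scratch directory, then verify.
# Subjects are shortened and function names are made up for this example.

# Steps 1-5 from the page (CA key, CA root cert, server key, CSR, signed cert).
make_chain() {
  ( cd "$1" &&
    openssl genrsa -out rootCA.key 2048 &&
    openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 \
      -out rootCA.pem -subj "/O=Example/CN=rootca.com" &&
    openssl genrsa -out server.key 2048 &&
    openssl req -new -key server.key -out server.csr \
      -subj "/O=Example/CN=test-redis" &&
    openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key \
      -CAcreateserial -out server.pem -days 1000 -sha256
  ) >/dev/null 2>&1
}

# The page's one-line self-signed certificate; -nodes and -subj are added here
# so it runs without prompts (the key is then stored unencrypted).
make_self_signed() {
  ( cd "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out req.pem \
      -subj "/CN=xiaoyi"
  ) >/dev/null 2>&1
}

# Succeeds only if certificate $2 chains to the CA certificate $1.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Succeeds only if private key $2 holds the public key in certificate $1.
key_matches() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

work=$(mktemp -d)
make_chain "$work" && make_self_signed "$work"
chain_ok "$work/rootCA.pem" "$work/server.pem" && echo "server.pem: issued by rootCA"
key_matches "$work/server.pem" "$work/server.key" && echo "server.key: matches server.pem"
chain_ok "$work/rootCA.pem" "$work/req.pem" || echo "req.pem: self-signed, not issued by rootCA"
```

A client that trusts only rootCA.pem accepts server.pem and rejects req.pem, which is why the self-signed certificate has to be distributed to each client that should trust it.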
