解决方式,生成带证书链的证书,进行导入:
- 生成根CA私钥和证书
"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" genrsa -out rootCA.key 2048
"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.crt
- 生成中间CA私钥和证书签名请求
"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" genrsa -out intermediate.key 2048
"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" req -new -key intermediate.key -out intermediate.csr
- 用根CA签名中间CA证书
echo keyUsage=critical,keyCertSign,cRLSign > intermediate_ext.cnf
echo basicConstraints=critical,CA:TRUE > intermediate_ext.cnf
"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" x509 -req -in intermediate.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out intermediate.crt -days 3650 -extfile intermediate_ext.cnf
- 生成域证书私钥和证书签名请求
"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" genrsa -out domain.key 2048
"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" req -new -key domain.key -out domain.csr
- 创建subjectAltName扩展文件
echo subjectAltName=IP:192.168.199.2,DNS:*.fengzii.com > extfile.cnf
- 用中间CA签发域证书
"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" x509 -req -in domain.csr -CA intermediate.crt -CAkey intermediate.key -CAcreateserial -out domain.crt -days 1750 -extfile extfile.cnf
- 验证证书链
"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" verify -CAfile rootCA.crt intermediate.crt domain.crt
这应该是完整的包含中间CA的证书签发流程,请您查看确认下命令是否都正确。如有任何问题,请随时回复指出,我会进行修改完善。
将OpenSSL生成的证书和私钥转换成PKCS#12格式(.p12或.pfx)的步骤是:
"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" pkcs12 -export -out domain.p12 -inkey domain.key -in domain.crt