废话不多说,直接上命令
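# Subject DN shared by every self-signed CA variant below.
CA_SUBJ="/C=CN/ST=ShanDong/L=JiNan/O=sec/OU=sec/CN=www.hxy.com/emailAddress=hxy@example.com"

# Passphrase used to wrap the CA key in the final step. It is read from the
# environment so it appears neither in this file nor in the process argument
# list; `-passout env:` needs the variable exported to the openssl process.
: "${CA_KEY_PASS:?set CA_KEY_PASS to the passphrase that will protect ca.key}"
export CA_KEY_PASS

# raw.key is written unencrypted into the current directory; make sure newly
# created files are readable by the owner only.
umask 077

# NOTE: the three sections below are alternatives. Each one writes raw.key and
# ca.crt, so when they are run in sequence only the last result survives.

# Self-signed RSA CA.
# -nodes leaves raw.key unencrypted; it is wrapped into ca.key at the end.
openssl req -x509 -newkey rsa:2048 -keyout raw.key -out ca.crt -days 3650 -nodes -subj "$CA_SUBJ"

# Self-signed SM2 CA (the commands below can also be run with openssl 1.1.x or later).
gmssl ecparam -genkey -name SM2 -text -out raw.key
gmssl req -new -key raw.key -out ca.csr -subj "$CA_SUBJ"
# NOTE(review): `x509 -req -signkey` is given no -extfile/-extensions here, so
# the certificate presumably carries no basicConstraints CA:TRUE; verifiers
# that enforce it may refuse this certificate as an issuer. Confirm with
# `x509 -in ca.crt -noout -text`. The same applies to the EC variant below.
gmssl x509 -req -days 3650 -sm3 -in ca.csr -signkey raw.key -out ca.crt

# Self-signed EC (prime256v1) CA.
openssl ecparam -out raw.key -name prime256v1 -genkey
openssl req -key raw.key -new -out ca.csr -subj "$CA_SUBJ"
openssl x509 -req -in ca.csr -signkey raw.key -out ca.crt -days 3650

# Wrap the root private key as encrypted PKCS#8 (raw.key is the plaintext form).
# raw.key is not encrypted, so the passphrase belongs on the output side:
# -passout, not -passin. With -passin the supplied value is not used for
# encryption and openssl prompts for the output passphrase instead.
# PBES2 with AES-256-CBC replaces the legacy `-v1 PBE-SHA1-3DES`; switch back
# only if a consumer of ca.key cannot read PBES2.
openssl pkcs8 -topk8 -in raw.key -out ca.key -v2 aes-256-cbc -passout env:CA_KEY_PASS
# raw.key still holds the unprotected key after this step: once ca.key has been
# checked, remove raw.key or move it to offline storage.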
原文:https://www.cnblogs.com/informatics/p/14626651.html