# 生成根证书 openssl genrsa -out admin.com.key 2048 openssl req -x509 -new -nodes -key admin.com.key -subj "/C=US/ST=Utah/L=Lehi/O=ABC Company,Inc./OU=IT/CN=admin.com" -days 5000 -out admin.com.crt # 生成服务证书请求 openssl genrsa -out abc.admin.com.key 2048 openssl req -new -key abc.admin.com.key -subj "/C=US/ST=Utah/L=Lehi/O=ABC Company,Inc./OU=IT/CN=abc.admin.com" -out abc.admin.com.csr # 用根证书签发服务器证书 openssl x509 -req -in abc.admin.com.csr -CA admin.com.crt -CAkey admin.com.key -CAcreateserial -out abc.admin.com.crt -days 5000 -extfile <(printf "subjectAltName=IP:127.0.0.1,IP:192.168.1.1,IP:192.168.0.252,DNS:abc.admin.com,DNS:mx.admin.com,DNS:localhost") # extfile可选,可以为服务器证书关联多个IP或者域名 openssl req -x509 -new -nodes -key admin.com.key -sha256 -days 36500 -out admin.com.pem -subj "/C=US/ST=Utah/L=Lehi/O=ABC Company,Inc./OU=IT/CN=admin.com" openssl x509 -req -in abc.admin.com.csr -CA admin.com.pem -CAkey admin.com.key -CAcreateserial -out abc.admin.com.pem -days 36500 -sha256