# 创建根证书

在这里我们要利用前面的私钥和证书请求来创建根证书

# 命令

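# Self-sign the CSR with the CA's own private key to produce the root certificate.
# Every continued line ends with a backslash so the shell reads this as one command;
# without them only `openssl x509 -req` runs and the remaining lines are treated as separate commands.
# NOTE(review): the input is named ca2.csr while the key is ca.key; confirm it matches the CSR created in the earlier step.
openssl x509 -req \
    -days 7300 \
    -sha256 \
    -in ca2.csr \
    -signkey ca.key \
    -extensions v3_ca \
    -out ca.crt \
    -extfile ca.cnf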
参数 描述
x509 生成x509格式证书
-req 表示输入的是证书请求(csr)文件,而不是证书
-days 证书的有效期(天)
-sha256 证书摘要采用sha256算法
-extensions 按照配置文件中配置的v3_ca项添加扩展
-signkey 用来签发(自签名)证书的私钥
-in 要输入的csr文件
-out 输出的证书文件(此处为 ca.crt)
-extfile 配置文件

执行命令时需要输入私钥 ca.key 的密码(pass phrase)。实际输入时密码不会回显,下面输出中的 123123 只是示例密码。

Signature ok
subject=/C=CN/ST=JiangSu/L=SuZhou/O=MyComponent/OU=MyComponent Zuzhi/CN=MyComponent Root CA/emailAddress=test@test.com
Getting Private key
Enter pass phrase for ca.key:123123

# 证书内容

下面是证书内容(PEM 格式)的节选,实际内容比这个长。

-----BEGIN CERTIFICATE-----
MIIDmDCCAoACCQCqK8tNlYju7DANBgkqhkiG9w0BAQsFADCBjTELMAkGA1UEBhMC
Q04xEDAOBgNVBAgMB0ppYW5nU3UxDzANBgNVBAcMBlN1WmhvdTERMA8GA1UECgwI
emzI6lB2OIotO765S2+03qUXk0/yKldPB2n1okKqdRmDdRkLx27cD7Y0fdncVhCI
KA1VXW0CkerNpdNhcZa2qq1ezyWCinATrN9B7ZYDO5v18rrvpxmExmpc4EITGCdD
F8ZgI552Y4emaju1wCfcAWRvKI1mrMvcxHWoOOB9h2ZaaGlJfBpig8dREPXYecYD
vR78Oxjslw5k39We
-----END CERTIFICATE-----

# 验证证书

# Print the certificate fields in readable form and suppress the PEM output.
# Check the validity dates, Basic Constraints (CA:TRUE) and Key Usage in the result.
# This only displays the certificate; it does not validate a chain of trust.
openssl x509 -in ca.crt -noout -text

# 配置

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
# This section is selected on the command line with `-extensions v3_ca -extfile ca.cnf`.
# Subject Key Identifier, derived from a hash of the certificate's public key.
subjectKeyIdentifier = hash
# Authority Key Identifier: `keyid:always` makes signing fail if the key id cannot
# be included; `issuer` adds the issuer name and serial only as a fallback.
authorityKeyIdentifier = keyid:always,issuer
# Marks the certificate as a CA and flags the extension critical. No pathlen is
# set, so the depth of subordinate CAs below this root is not constrained.
basicConstraints = critical, CA:true
# keyCertSign and cRLSign are what a CA needs to sign certificates and CRLs.
# NOTE(review): digitalSignature is only needed if this key also signs other data
# directly (e.g. OCSP responses); confirm whether the root really needs it.
keyUsage = critical, digitalSignature, cRLSign, keyCertSign