不就是個blog

mkdir demoCA
mkdir demoCA/certs
mkdir demoCA/crls
mkdir demoCA/newcerts
mkdir demoCA/private
touch demoCA/index.txt
echo 01 > demoCA/serial

# generate private key
openssl genrsa -out demoCA/private/cakey.pem 2048
# generate certificate signing request
openssl req -new -key demoCA/private/cakey.pem -out cacsr.pem
# generate self-signed certificate
openssl req -in cacsr.pem -out cacert.pem -key demoCA/private/cakey.pem -x509 -days 3652
# generate certificate revocation list
openssl ca -gencrl -out demoCA/crl.pem
# convert certificate to DER format
openssl x509 -in demoCA/cacert.pem -inform PEM -out emoCA/cacert.der -outform DER
# convert to pkcs12 format
openssl pkcs12 -export -in demoCA/cacert.pem -inkey emoCA/private/cakey.pem -out cert.p12 -name "Forth Root CA" 

# generate certificate signing request
openssl req -new -key mykey.pem -out mycsr.pem
# generate cretificate
openssl ca -in mycsr.pem -out mycert.pem -days 3652 -policy policy_anything