mkdir test
cd test
# 根据 /usr/lib/ssl/openssl.cnf 配置文件中目录结构可知有个demoCA目录，目录下有各种文件。
mkdir ./demoCA ./demoCA/newcerts ./demoCA/private
sudo chmod 777 -R ./demoCA/
echo '01' > ./demoCA/serial
touch ./demoCA/index.txt
# /usr/lib/ssl/openssl.cnf 把 subjectAltName 改为下面
sudo vim /usr/lib/ssl/openssl.cnf 放在 [ v3_req ] 下面
subjectAltName         = DNS:localhost, DNS:proxy.com, DNS:www.proxy.com, IP:192.168.5.116
# 生成根证书
openssl genrsa -out ca.key 2048 # 生成CA私钥
openssl req -new -x509 -key ca.key -out ca.crt -subj "/C=US/ST=State/L=City/O=Organization/OU=Organizational Unit/CN=RootCA" # 生成CA证书

openssl genrsa -out server.key 2048 # 生成服务器私钥
openssl req -new -key server.key -out server.csr -subj "/C=US/ST=California/L=San Francisco/O=My Company/OU=IT Department/CN=localhost" # 生成服务器证书签名请求（CSR）
cp ca.key ./demoCA/private/cakey.pem
cp ca.crt ./demoCA/cacert.pem
# openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt # 使用CA证书签署服务器证书
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -extensions v3_req # 使用CA证书签署服务器证书

echo '00' >./demoCA/crlnumber
# 如果想生成 pem 格式，名字改为 server.pem 即可
openssl ca -gencrl -out server.crl
# 吊销证书
openssl ca -revoke server.crt
# 生成吊销列表
openssl ca -gencrl -out server.crl

windows下打开查看