查看“CA证书”的源代码

== 生成root根证书 ==
<source lang="shell">
#确保系统中安装了OpenSSL，若没安装，可以通过以下命令安装：
sudo yum install openssl

#定位一下OpenSSL的配置文件openssl.cnf
locate openssl.cnf

#修改配置文件，修改其中的dir变量，重新设置SSL的工作目录：
vi /etc/pki/tls/openssl.cnf
    #dir            = /etc/pki/CA           # Where everything is kept
    dir             = /home/qingwyan/ca     # Where everything is kept

# 创建需要的文件
[qingwyan@qingwyan ca]$ mkdir certs
[qingwyan@qingwyan ca]$ mkdir newcerts
[qingwyan@qingwyan ca]$ mkdir private
[qingwyan@qingwyan ca]$ mkdir crl
[qingwyan@qingwyan ca]$ touch index.txt
[qingwyan@qingwyan ca]$ echo 01>serial
[qingwyan@qingwyan ca]$ ls
certs  crl  index.txt  newcerts  private  serial

# 生成证书之前，需要先生成一个随机数：
openssl rand -out private/.rand 1000

# 生成根证书私钥(pem文件)
openssl genrsa -aes256 -out private/cakey.pem 1024

# 生成根证书签发申请文件(csr文件)
openssl req -new -key private/cakey.pem -out private/ca.csr -subj \
"/C=CN/ST=myprovince/L=mycity/O=myorganization/OU=mygroup/CN=myname"

# 自签发根证书(cer文件)
openssl x509 -req -days 365 -sha1 -extensions v3_ca -signkey \
private/cakey.pem -in private/ca.csr -out certs/ca.cer
</source>

== 用根证书签发server端证书 ==
<source lang="shell">
# 生成服务端私钥
openssl genrsa -aes256 -out private/server-key.pem 1024

# 生成证书请求文件
openssl req -new -key private/server-key.pem -out private/server.csr -subj \
> "/C=CN/ST=Shanghai/L=Shanghai/O=CABU/CN=qingwyan.cisco.com"

# 使用根证书签发服务端证书
openssl x509 -req -days 365 -sha1 -extensions v3_req -CA certs/ca.cer -CAkey private/cakey.pem \
-CAserial ca.srl -CAcreateserial -in private/server.csr -out certs/server.cer
</source>
== cmd ==
=== 查看pem ===
<source lang="shell">
openssl x509 -noout -subject -in /opt/tyk-gateway/cert.pem
</source>
=== pem转crt ===
<source lang="shell">
openssl x509 -outform der -in cert.pem -out cert.crt
</source>