typora/daliy_note/11.12/泛域名证书自签发.md
2024-12-12 10:48:55 +08:00


### 1. Self-signed certificates
- Generate the CA private key
```bash
openssl genrsa 2048 > ca-key.pem
```
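- Generate the CA certificate
```bash
# Quote the subject so the shell passes it through as one literal argument
openssl req -new -x509 -nodes -days 3650 -key ca-key.pem -out ca-cert.pem -subj "/C=CN/ST=Beijing/L=Beijing/O=ExampleO/OU=ExampleOU/CN=ExampleRootCA/emailAddress=admin@example.com"
```
- Generate the server certificate signing request (CSR) and the server private key. Change the CN (Common Name) in this command to create the request for your domain.
```bash
# -days is dropped here: it only applies with -x509, and a CSR has no validity period.
# The subject is quoted so the shell does not try to glob-expand the "*".
openssl req -newkey rsa:2048 -nodes -keyout server-key.pem -out server-req.pem -subj "/C=CN/ST=Beijing/L=Beijing/O=ExampleO/OU=ExampleOU/CN=*.example.com/emailAddress=admin@example.com"
```
- Sign the server CSR to produce the server certificate. Remember to change the subjectAltName value.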
```bash
openssl x509 -req -extfile <(printf "subjectAltName=DNS:*.example.com") -days 3650 -CAcreateserial -in server-req.pem -out server-cert.pem -CA ca-cert.pem -CAkey ca-key.pem
```
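The four steps above can be checked end to end. The script below is an added example, not part of the original note: it repeats the same commands in a temporary directory (with a shortened subject and a temporary extension file in place of the process substitution), then verifies the chain, the key pairing and which hostnames the wildcard SAN covers. The function names are hypothetical.

```shell
# Added example: issue the CA and wildcard certificate, then verify the result.
make_certs() {  # $1 = output directory
  d=$1
  openssl genrsa -out "$d/ca-key.pem" 2048 2>/dev/null &&
  openssl req -new -x509 -nodes -days 3650 -key "$d/ca-key.pem" \
    -out "$d/ca-cert.pem" -subj "/CN=ExampleRootCA" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -keyout "$d/server-key.pem" \
    -out "$d/server-req.pem" -subj "/CN=*.example.com" 2>/dev/null &&
  printf 'subjectAltName=DNS:*.example.com\n' > "$d/san.ext" &&
  openssl x509 -req -extfile "$d/san.ext" -days 3650 -CAcreateserial \
    -in "$d/server-req.pem" -out "$d/server-cert.pem" \
    -CA "$d/ca-cert.pem" -CAkey "$d/ca-key.pem" 2>/dev/null
}

# The server certificate must chain to the CA certificate.
chain_ok() {
  openssl verify -CAfile "$1/ca-cert.pem" "$1/server-cert.pem" >/dev/null 2>&1
}

# The public key in the certificate must be the one derived from server-key.pem.
key_matches() {
  [ "$(openssl x509 -in "$1/server-cert.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$1/server-key.pem" -pubout)" ]
}

# True only if the certificate is valid for hostname $2.
host_matches() {
  openssl x509 -in "$1/server-cert.pem" -noout -checkhost "$2" 2>&1 |
    grep -q 'does match'
}

# Demo run: the wildcard covers exactly one label below example.com.
demo=$(mktemp -d)
if make_certs "$demo" && chain_ok "$demo" && key_matches "$demo"; then
  echo "chain and key: OK"
  for h in www.example.com example.com a.b.example.com; do
    if host_matches "$demo" "$h"; then echo "$h: match"; else echo "$h: NO match"; fi
  done
fi
rm -rf "$demo"
```

If the bare domain must also be served, list it as a second entry in subjectAltName (for example `DNS:*.example.com,DNS:example.com`), because the wildcard entry alone does not cover it.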
### 2. Error when generating the certificate
```text
Can't load ./.rnd into RNG
10504:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto\rand\randfile.c:98:Filename=./.rnd
```
- Solution
```bash
cd /root  # or the home directory of the user you are currently running as
openssl rand -writerand .rnd
```
### 3. Trusting the certificate in Chrome on macOS
> https://segmentfault.com/a/1190000012394467
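- In Chrome DevTools, open the Security tab and view the certificate
- View the certificate details, then export (download) the certificate
- Double-click the downloaded certificate to open it, then choose Always Trust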