Create a Certificate Authority private key (this is your most important key):
$ openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
Create your CA self-signed certificate:
$ openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem
Issue a client certificate by first generating the key, then request (or use one provided by external system) then sign the certificate using private key of your CA:
$ openssl genrsa -out client.key 1024 $ openssl req -new -key client.key -out client.csr $ openssl ca -in client.csr -out client.cer
(You may need to add some options as I am using these commands together with my openssl.conf file. You may need to setup your own .conf file first.)
Reference:
https://jamielinux.com/articles/2013/08/create-an-intermediate-certificate-authority/
原文:http://www.cnblogs.com/Security-Darren/p/4077473.html