1. 创建工作目录

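# Create the CA working tree. umask is set first so the directories and files
# created below are owner-only (0700 / 0600); the umask stays in effect for
# the rest of this shell session, which also covers the private keys
# generated later. mkdir -p runs before cd so the command also works where
# /etc/pki/CA does not exist yet (RHEL-family systems ship it, others do not),
# and the duplicate "private" entry of the original brace list is dropped.
# index.txt starts empty; serial holds the next serial number in hex ("00").
# crlnumber, which the config references, is not created here; it is only
# needed for `openssl ca -gencrl`.
umask 0077 && mkdir -p /etc/pki/CA/{private,certs,crl,csr,newcerts} && cd /etc/pki/CA/ && touch index.txt && echo '00'>serial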

2. 创建配置文件 vim /etc/pki/CA/openssl.cnf

############################ /etc/pki/CA/openssl.cnf ##########################
# Keys above the first [section] form OpenSSL's default section.
# $ENV::HOME expands the HOME environment variable of the process, not the
# HOME key on the line above.
HOME = .
RANDFILE = $ENV::HOME/.rnd
# Additional OIDs (referenced by name from [ tsa_config1 ]) live in [ new_oids ].
oid_section = new_oids

# Object identifiers that can be referenced by name elsewhere in this file.
# These three look like the sample TSA policy OIDs of the stock openssl.cnf;
# they are only referenced from [ tsa_config1 ].
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

# Entry section for `openssl ca`: names the section holding the CA settings.
[ ca ]
default_ca = CA_default
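# Settings for `openssl ca`. All paths are absolute, so the commands work
# from any working directory. dir must stay first: $dir is expanded while
# the file is parsed.
[ CA_default ]
# Root of the CA tree; every other path below hangs off it.
dir = /etc/pki/CA
# Issued certificates, CRLs, the text database of issued certificates and
# the directory that receives a copy of every newly issued certificate.
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
# unique_subject is not set, so OpenSSL's default (yes) applies: a second
# certificate with an identical subject is refused until the first is revoked.
# CA certificate and private key as produced by the genrsa/req steps.
certificate = $dir/certs/ca.crt
private_key = $dir/private/ca.key
# Next serial number (hex, seeded with "00").
serial = $dir/serial
# Only needed for `openssl ca -gencrl`; must be commented out to leave a V1 CRL.
crlnumber = $dir/crlnumber
crl = $dir/crl/crl.pem
RANDFILE = $dir/private/.rand
# Extensions applied when `openssl ca` runs without -extensions. [ usr_cert ]
# carries no keyUsage/extendedKeyUsage, so prefer an explicit -extensions.
x509_extensions = usr_cert
# copy_extensions is not set, so extensions carried in a CSR are discarded
# and only the selected extensions section ends up in the issued certificate.
# Subject name / certificate field display options.
name_opt = ca_default
cert_opt = ca_default
# Validity used when -days is not given on the command line (days).
default_days = 3650
default_crl_days = 30
default_md = sha256
# Do not preserve the DN ordering of the request.
preserve = no
# DN policy: [ policy_dn ] requires C and CN and an O matching the CA.
policy = policy_dn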

# Stock "match" policy: C, ST and O must equal the CA certificate's values.
# Not selected by [ CA_default ] (which uses policy_dn); it can be chosen per
# run with `openssl ca -policy policy_match`.
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# Stock permissive policy: only the Common Name must be present, nothing has
# to match the CA. Not selected by [ CA_default ]; available through
# `openssl ca -policy policy_anything`.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# DN policy selected by [ CA_default ].
[ policy_dn ]
# Required, any value allowed.
countryName = supplied
stateOrProvinceName = optional
localityName = optional
# Required, and must be identical to the root certificate's O.
organizationName = match
organizationalUnitName = optional
# Required, any value allowed.
commonName = supplied
# Email in the DN is deprecated; use subjectAltName instead.
emailAddress = optional

# Settings for `openssl req` (CSRs and the self-signed root certificate).
[ req ]
default_bits = 2048
default_md = sha256
# Only matters when req generates the key itself (-newkey); the keys on this
# page come from genrsa and are written unencrypted either way.
encrypt_key = no
prompt = yes
default_keyfile = client.key
distinguished_name = req_distinguished_name
# attributes is disabled, so [ req_attributes ] is never consulted.
#attributes = req_attributes
# Extensions for the self-signed certificate built with `req -x509`.
x509_extensions = v3_ca
# No req_extensions entry here: a plain `req -new` CSR carries no extensions
# unless -reqexts names a section on the command line.
string_mask = utf8only

# Prompts and defaults for the subject DN when `openssl req` runs with
# prompt = yes. The _default/_min/_max entries are the default value and
# length limits of the field named before the suffix.
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Beijing
localityName = Locality Name (eg, city)
localityName_default = Beijing
# The 0. prefix allows the field to be repeated; only one instance is defined.
0.organizationName = Organization Name (eg, company)
# [ policy_dn ] requires O to match the root certificate, so keep this default
# the same for the root and for every CSR. The value reads like a
# placeholder; replace it before issuing the root.
0.organizationName_default = Your company Co.,Ltd.
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = IT Operation Management
# \' yields a literal apostrophe; a bare ' would open a quoted string.
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
# Placeholder address; [ policy_dn ] treats the email field as optional.
emailAddress_default = your@email.com

# Extra CSR attributes. Never consulted on this page: the attributes key in
# [ req ] is commented out.
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name

# Fallback profile when `openssl ca` runs without -extensions (named by
# x509_extensions in [ CA_default ]). It only marks the certificate as an
# end entity and adds key identifiers; keyUsage/extendedKeyUsage are absent,
# so nothing restricts what such a certificate may be used for.
[ usr_cert ]
basicConstraints = CA:FALSE
nsComment = "CCIGCA Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

# Profile for the jslink.org web-server certificate (passed as
# -extensions v3_req to `openssl ca`). Valid for both server and client
# authentication; the subjectAltName list comes from [ alt_names ].
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
subjectAltName = @alt_names



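# Profile for the self-signed root certificate (named by x509_extensions in
# [ req ]). The CA key is limited to signing certificates and CRLs: without
# that limit, and with an extendedKeyUsage list of serverAuth/clientAuth/
# codeSigning/..., the root key could also be presented as an ordinary TLS or
# code-signing key. This matches the restriction already used in [ X509_ca ].
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# RFC 5280 requires basicConstraints to be critical on CA certificates.
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign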

# Alternative CA profile: the key may only sign certificates and CRLs.
# No command on this page references it (the root is built with [ v3_ca ]);
# it can be selected with `openssl ca -extensions X509_ca`, e.g. for an
# intermediate CA. nsCertType is a legacy Netscape extension.
[ X509_ca ]
basicConstraints = CA:TRUE
nsCertType = sslCA
keyUsage = keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

# OpenVPN server profile (-extensions X509_server). Restricted to TLS server
# authentication; nsCertType = server is the legacy Netscape equivalent of
# extendedKeyUsage = serverAuth.
[ X509_server ]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

# OpenVPN client profile (-extensions X509_client). Restricted to TLS client
# authentication, so a client certificate cannot be reused to impersonate the
# server; nsCertType = client is the legacy Netscape equivalent.
[ X509_client ]
basicConstraints = CA:FALSE
nsCertType = client
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

# Extensions for CRLs produced by `openssl ca -gencrl`. Selected through
# crl_extensions in [ CA_default ] or -crlexts on the command line; neither
# is set on this page.
[ crl_ext ]
authorityKeyIdentifier = keyid:always

# Proxy-certificate sample carried over from the stock openssl.cnf;
# policy:foo is the sample's placeholder. Unused by any command on this page.
[ proxy_cert_ext ]
basicConstraints = CA:FALSE
nsComment = "CCIGCA Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

# Entry section for `openssl ts`: names the TSA configuration to use.
[ tsa ]
default_tsa = tsa_config1

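# Settings for `openssl ts` (RFC 3161 time-stamping). No command on this page
# uses them, and the paths still point at the stock ./demoCA tree rather than
# /etc/pki/CA, so adjust dir before enabling a TSA.
[ tsa_config1 ]
# TSA root directory (relative to the working directory, unlike [ CA_default ]).
dir = ./demoCA
# Next serial number (mandatory).
serial = $dir/tsaserial
# OpenSSL engine used for signing.
crypto_device = builtin
# TSA signing certificate, chain to include in replies, and signing key (optional).
signer_cert = $dir/tsacert.pem
certs = $dir/cacert.pem
signer_key = $dir/private/tsakey.pem
# Policy used when the request names none, plus other accepted policies (optional).
default_policy = tsa_policy1
other_policies = tsa_policy2, tsa_policy3
# Message imprints the TSA will sign (mandatory). md5 and sha1 are no longer
# collision-resistant, so only SHA-2 imprints are accepted.
digests = sha256, sha384, sha512
# Stated accuracy of the time source (optional).
accuracy = secs:1, millisecs:500, microsecs:100
# Digits after the decimal point in the timestamp (optional).
clock_precision_digits = 0
# Is ordering defined for timestamps? (optional, default: no)
ordering = yes
# Must the TSA name be included in the reply? (optional, default: no)
tsa_name = yes
# Must the ESS cert id chain be included? (optional, default: no)
ess_cert_id_chain = no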

# Names placed in subjectAltName by [ v3_req ]. Every certificate issued with
# -extensions v3_req receives all four entries, including the wildcards, so
# one leaf key is valid for the whole domain; for a per-host certificate list
# only that host's name here. When issuing, the Common Name can be set to a
# wildcard such as *.jslink.org.
[ alt_names ]
DNS.1 = jslink.org
DNS.2 = *.jslink.org
DNS.3 = *.vpn.jslink.org
DNS.4 = *.home.jslink.org

3. 创建CA证书

# Run from /etc/pki/CA: every path is relative to it.
# The CA key is written unencrypted; `openssl genrsa -aes256 ...` would
# protect it with a passphrase at rest (each later `openssl ca` then prompts).
openssl genrsa -out private/ca.key 2048
# Self-signed root: -x509 applies the [ v3_ca ] profile named by
# x509_extensions in [ req ]. 177121 days is roughly 485 years.
openssl req -config openssl.cnf -new -x509 -sha256 -days 177121 -key private/ca.key -out certs/ca.crt

4. 创建域名证书

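## Server key: 2048-bit RSA, unencrypted because nginx must read it without a passphrase.
openssl genrsa -out private/jslink.org.key 2048
## CSR. Older OpenSSL releases appear to honour -extensions only together
## with -x509; -reqexts is the option that embeds [ v3_req ] (with the SAN
## list) in a CSR. Either way [ CA_default ] sets no copy_extensions, so the
## `openssl ca` step below is what actually adds the extensions.
openssl req -new -sha256 -key private/jslink.org.key -out csr/jslink.org.csr -reqexts v3_req -config openssl.cnf
## Sign. Validity is capped at 825 days: some TLS clients (macOS/iOS, for
## example) refuse server certificates valid for longer, and the previous
## 30659 days (~84 years) would be rejected outright. Re-issue before expiry.
openssl ca -days 825 -in csr/jslink.org.csr -out certs/jslink.org.crt -extensions v3_req -config openssl.cnf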

Nginx 中 SSL 证书的相关配置

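# TLS settings for the jslink.org server block.
# `ssl on;` is deprecated since nginx 1.15.0 in favour of `listen 443 ssl;`;
# it is kept only because the listen directive is outside this snippet.
ssl                       on;
# TLS 1.0/1.1 are deprecated (RFC 8996) and dropped; add TLSv1.3 once the
# nginx/OpenSSL build supports it (older nginx rejects the value).
ssl_protocols             TLSv1.2;
# Forward-secret AEAD suites first. The 3DES suites are gone and !3DES is
# added because HIGH can still pull 3DES back in on older OpenSSL builds.
ssl_ciphers               'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!3DES:!MD5:!PSK:!RC4';
ssl_prefer_server_ciphers on;
# The DHE-* suites above are only offered once ssl_dhparam points at a
# parameter file (e.g. generated with `openssl dhparam -out certs/dhparam.pem 2048`).
#ssl_dhparam               certs/dhparam.pem;
ssl_session_cache         shared:SSL:50m;
ssl_session_timeout       10m;
# Tickets stay off: without key rotation the ticket key weakens forward secrecy.
ssl_session_tickets       off;
# Self-signed CA, so there is no OCSP responder to staple from; both must
# stay off. Set both to on for a purchased certificate.
ssl_stapling              off;
ssl_stapling_verify       off;
# cert and key live in nginx's cert directory; keep the key readable by
# the nginx master process only.
ssl_certificate       cert/jslink.org.crt;
ssl_certificate_key   cert/jslink.org.key;
# Self-signed CA certificate. nginx consults it only for stapling
# verification and client-certificate checks, neither of which is enabled
# here, so it is currently harmless but unused.
ssl_trusted_certificate cert/ca.crt;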

5. 创建OpenVPN 服务端证书

# OpenVPN server certificate; run from /etc/pki/CA.
openssl genrsa -out private/VPNSERVER.key 2048
# Older OpenSSL releases appear to ignore -extensions on a plain `req -new`
# (-reqexts is the CSR variant); the CA step applies the profile regardless,
# since [ CA_default ] sets no copy_extensions.
openssl req -config openssl.cnf -new -sha256 -key private/VPNSERVER.key -out csr/VPNSERVER.csr -extensions X509_server
# -cert/-keyfile repeat the certificate/private_key values of [ CA_default ].
# 30660 days is roughly 84 years; nothing here limits validity, so a CRL is
# the only way to retire such a certificate.
openssl ca -config openssl.cnf -cert certs/ca.crt -keyfile private/ca.key -days 30660 -extensions X509_server -in csr/VPNSERVER.csr -out certs/VPNSERVER.crt

6. 创建OpenVPN 客户端证书

# OpenVPN client certificate; run from /etc/pki/CA.
openssl genrsa -out private/VPNCLIENT.key 2048
# Older OpenSSL releases appear to ignore -extensions on a plain `req -new`
# (-reqexts is the CSR variant); the CA step applies the profile regardless,
# since [ CA_default ] sets no copy_extensions.
openssl req -config openssl.cnf -new -sha256 -key private/VPNCLIENT.key -out csr/VPNCLIENT.csr -extensions X509_client
# -cert/-keyfile repeat the certificate/private_key values of [ CA_default ].
# 30660 days is roughly 84 years; a lost client key can then only be retired
# through a CRL.
openssl ca -config openssl.cnf -cert certs/ca.crt -keyfile private/ca.key -days 30660 -extensions X509_client -in csr/VPNCLIENT.csr -out certs/VPNCLIENT.crt