openssl jia adress

？？？？？？？？？？？？？？？？？？？？？？？？？？？？？？？？？？？？？？？？？？？
openssl证IP
首先创建openssl.cnf, 内容如下. 其中organizationalUnitName_default是你的组织名，commonName_default是域名，IP.1，IP.2则是想要加进来的IP列表了。
[req]
 distinguished_name = req_distinguished_name
 req_extensions = v3_req

[req_distinguished_name]
 countryName = Country Name (2 letter code)
 countryName_default = CN
 stateOrProvinceName = State or Province Name (full name)
 stateOrProvinceName_default = SiChuan
 localityName = Locality Name (eg, city)
 localityName_default = ChengDu
 organizationName = Organization Name (eg, company)
 organizationName_default = xxxxx Ltd
 organizationalUnitName  = Organizational Unit Name (eg, section)
 organizationalUnitName_default  = xxxxxxx
 commonName = Common Name (e.g. server FQDN or YOUR name)
 commonName_default = *.xxxx.com
 commonName_max  = 64

[v3_req]
 basicConstraints = CA:TRUE
 subjectAltName = @alt_names

[alt_names]
 IP.1 = xxx.xxx.xxx.xxx
 IP.2 = xxx.xxx.xxx.xxx

下面shell步骤。
# 建立 CA 目录结构
mkdir -p ./demoCA/{private,newcerts}
touch ./demoCA/index.txt
echo 01 > ./demoCA/serial
# 生成 CA 的 RSA 密钥对
openssl genrsa -des3 -out ./demoCA/private/cakey.pem 2048
# 自签发 CA 证书
openssl req -new -x509 -days 365 -key ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem -extensions v3_req -config openssl.cnf
# 查看证书内容
openssl x509 -in demoCA/cacert.pem -noout -text

？？？？？？？？？？？？？？？？？？？？？？？？？？？？？？？？？？？？？？？？？？？
主要注意以下命令（还是按照CSDN生成证书的基本思路）：
openssl  req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM -days 2190 -config "$HOME/testcabsk/conf/gentestca.conf" -extensions v3_req
openssl pkcs12 -export -in servercert.pem -inkey serverkey.pem -out tomcat.p12 -name tomcat -CAfile "$HOME/testca/cacert.pem" -caname root -chain -extensions v3_req

-extensions v3_req---------v3_req 是配置文件中的配置，附上配置文件
 [req]req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:TRUE
subjectAltName = @alt_names

[alt_names]
IP.1=your ip
DNS.1 = your domain
DNS.2 = your domain