A certificate authority that is as close to bare-bones as possible
openssl.conf
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = .
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_crl_days = 30
# sha1 is deprecated for signatures and current OpenSSL rejects sha1-signed
# certificates at its default security level; use sha256 for anything real.
default_md = sha1
preserve = no
policy = policy_anything

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
touch index.txt
echo 00 > serial       # the serial number file referenced as $dir/serial in openssl.conf
echo 00 > crlnumber
mkdir private newcerts # newcerts is new_certs_dir, where openssl ca writes every issued certificate
Creating the private key
openssl genrsa -des3 -out private/cakey.pem 2048   # -des3 encrypts the CA key under a passphrase
Creating the CA certificate (request)
openssl req -new -days 365 -key private/cakey.pem -out ca-nosign.crt   # a CSR for the CA itself
Self-signing
openssl ca -out cacert.pem -keyfile private/cakey.pem -config openssl.conf -selfsign -in ca-nosign.crt
Creating and signing a certificate
openssl req -new -nodes -out public.key -keyout private.key   # -nodes: unencrypted key; public.key is the CSR
openssl ca -out public.pem -config openssl.conf -infiles public.key   # the signed certificate goes to public.pem
Creating a PKCS#12 file
# bundles a signed certificate, its private key and the CA certificate; clcert.pem and client.key stand for a
# certificate and key issued as above (public.pem and private.key)
openssl pkcs12 -export -in clcert.pem -inkey client.key -certfile cacert.pem -out clcert.p12
Verifying the signature
openssl verify -CAfile cacert.pem public.pem
Generating a CRL
openssl ca -gencrl -config openssl.conf -out crl.pem   # lists the certificates marked revoked in index.txt
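The whole procedure above run end to end, as an added example that is not part of the original page, with a revocation and a CRL check appended. It assumes openssl is on PATH; the CA key is left unencrypted (the page uses -des3) so it can run unattended, and the subjects and file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original page: the same minimal CA flow run
# non-interactively, then revocation and a CRL check. Assumes openssl is in
# PATH; the CA key is unencrypted (the page uses -des3) so it runs unattended.
set -eu

run_mini_ca() {
  dir=${1:-./minica}; mkdir -p "$dir/newcerts" "$dir/private"; cd "$dir"
  : > index.txt; echo 00 > serial; echo 00 > crlnumber
  # The page's openssl.conf trimmed to what openssl ca needs, with sha256
  # instead of sha1 and a [req] section so openssl req can use the same file.
  cat > openssl.conf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
crlnumber = $dir/crlnumber
private_key = $dir/private/cakey.pem
default_days = 365
default_crl_days = 30
default_md = sha256
policy = policy_anything
[ policy_anything ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
  # CA key, CSR and self-signed CA certificate (the page's first three steps).
  openssl genrsa -out private/cakey.pem 2048 2>/dev/null
  openssl req -new -key private/cakey.pem -subj '/CN=Mini Test CA' \
    -config openssl.conf -out ca-nosign.crt
  openssl ca -batch -selfsign -config openssl.conf -keyfile private/cakey.pem \
    -in ca-nosign.crt -out cacert.pem >/dev/null 2>&1
  # Leaf key and CSR, signed by the CA (the page's "create and sign" step).
  openssl req -new -nodes -newkey rsa:2048 -subj '/CN=leaf.example' \
    -config openssl.conf -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl ca -batch -config openssl.conf -in leaf.csr -out leaf.pem >/dev/null 2>&1
  openssl verify -CAfile cacert.pem leaf.pem >/dev/null
  # Revoke the leaf and publish a CRL. A plain -CAfile check still passes on a
  # revoked certificate; only -crl_check against the CRL rejects it.
  openssl ca -batch -config openssl.conf -revoke leaf.pem >/dev/null 2>&1
  openssl ca -batch -config openssl.conf -gencrl -out crl.pem >/dev/null 2>&1
  if openssl verify -CAfile cacert.pem -CRLfile crl.pem -crl_check leaf.pem >/dev/null 2>&1
  then echo "revoked certificate still verifies" >&2; return 1; fi
}
```

Source the file and call `run_mini_ca /tmp/minica`; afterwards index.txt in that directory shows the leaf entry flagged R (revoked) and crl.pem carries its serial.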
To create other kinds of certificates
Create a matching conf file and put the required settings in its [req] section.