1. Generate the root certificate and private key: this produces rootkey.pem and root.pem. To avoid browser warnings, import root.pem into the browser's trusted root certificate store.
CN="Root CA" SAN="IP:172.16.0.1" ./openssl req -config ca.conf -x509 -nodes -keyout rootkey.pem -out root.pem -newkey rsa:2048 -days 36500
2. Generate the RSA user certificate request and private key: this produces privkey.pem and req.pem
CN="Usr Cert" SAN="IP:172.16.0.1" ./openssl req -config ca.conf -nodes -keyout privkey.pem -out req.pem -newkey rsa:2048
3. Generate the user certificate, i.e. have the CA sign the user certificate request: uses rootkey.pem, root.pem and req.pem to produce usr.pem
CN="Usr Cert" SAN="IP:172.16.0.1" ./openssl x509 -req -extensions v3_req -extfile ca.conf -in req.pem -CA root.pem -CAkey rootkey.pem -days 3600 -CAcreateserial -out usr.pem
The contents of ca.conf can be based on the following:
# ca.conf (the file passed via -config / -extfile above)
HOME = .
RANDFILE = $ENV::HOME/.rnd
CN = "Not Defined"
SAN = "Not Defined"
default_ca = ca
####################################################################
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
prompt = no # take the DN fields from req_distinguished_name instead of prompting
distinguished_name = req_distinguished_name
x509_extensions = v3_ca # only used when -x509 is given, i.e. for the self-signed CA
string_mask = utf8only
req_extensions = v3_req
[ req_distinguished_name ]
countryName = CN
stateOrProvinceName = Shanghai
localityName = Shanghai
organizationName = SpiderX Technology Co.,Ltd.
organizationalUnitName = SpiderX
commonName = $ENV::CN
[ v3_req ]
subjectAltName = $ENV::SAN
[ usr_cert ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
nsComment = "SpiderX Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:true
keyUsage = critical, cRLSign, keyCertSign
[ca]
database = index.txt
crlnumber = crlnum.txt
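To check what the three commands above actually issue, here is an added shell script (not from the original post) that writes a trimmed copy of the ca.conf above, runs steps 1-3 in a chosen directory, and then verifies usr.pem with openssl: it must chain to root.pem, carry the expected IP SAN, and must not be marked CA:TRUE. It assumes the openssl CLI is on PATH; the file names and the 172.16.0.1 SAN are the page's own.

```shell
# Write a trimmed copy of the page's ca.conf (only the sections the three commands use) to $1.
write_ca_conf() {
  cat > "$1" <<'EOF'
CN = "Not Defined"
SAN = "Not Defined"
[ req ]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
req_extensions = v3_req
[ req_distinguished_name ]
countryName = CN
organizationName = SpiderX Technology Co.,Ltd.
commonName = $ENV::CN
[ v3_req ]
subjectAltName = $ENV::SAN
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:true
keyUsage = critical, cRLSign, keyCertSign
EOF
}

# Steps 1-3 from the post, run inside directory $1 (stderr silenced: OpenSSL 3 warns about -nodes).
issue_certs() {
  ( cd "$1" && write_ca_conf ca.conf &&
    CN="Root CA" SAN="IP:172.16.0.1" openssl req -config ca.conf -x509 -nodes -keyout rootkey.pem \
      -out root.pem -newkey rsa:2048 -days 36500 2>/dev/null &&
    CN="Usr Cert" SAN="IP:172.16.0.1" openssl req -config ca.conf -nodes -keyout privkey.pem \
      -out req.pem -newkey rsa:2048 2>/dev/null &&
    CN="Usr Cert" SAN="IP:172.16.0.1" openssl x509 -req -extensions v3_req -extfile ca.conf -in req.pem \
      -CA root.pem -CAkey rootkey.pem -days 3600 -CAcreateserial -out usr.pem 2>/dev/null )
}

# Print "ok" when usr.pem in $1 chains to root.pem, carries the IP SAN $2 and is not marked as a CA;
# otherwise print the first failed check and return 1.
verify_usr_cert() {
  dir=$1 expected_ip=$2
  openssl verify -CAfile "$dir/root.pem" "$dir/usr.pem" >/dev/null 2>&1 || { echo chain-fail; return 1; }
  text=$(openssl x509 -in "$dir/usr.pem" -noout -text)
  case $text in *"IP Address:$expected_ip"*) ;; *) echo san-missing; return 1 ;; esac
  case $text in *"CA:TRUE"*) echo is-ca; return 1 ;; esac
  echo ok
}

# Usage: sh issue_and_verify.sh /path/to/workdir
if [ -n "${1:-}" ]; then issue_certs "$1" && verify_usr_cert "$1" 172.16.0.1; fi
```

Note that `-extensions v3_req` applies only that section, so the `[ usr_cert ]` settings in ca.conf (CA:FALSE, keyUsage, key identifiers) are never written into usr.pem; the check above can therefore only confirm that the certificate is not marked CA:TRUE, not that it is explicitly constrained.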