1. 安装 openssl 后可以执行如下命令来生成私钥和对应的证书请求文件

ca openssl req -new -keyout private.key -out for_request.csr
Generating a bit RSA private key
………….+++
……………………………………………………………………………………….+++
writing new private key to 'private.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,

If you enter '.', the field will be left blank.

Country Name ( letter code) []:CN
State or Province Name (full name) []:sichuan
Locality Name (eg, city) []:chengdu
Organization Name (eg, company) []:zchd
Organizational Unit Name (eg, section) []:Dev
Common Name (eg, fully qualified host name) []:zchd.ltd
Email Address []:zchd.ltd@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
➜ ca ls
for_request.csr private.key
➜ ca cat for_request.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICyjCCAbICAQAwgYQxCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdzaWNodWFuMRAw
DgYDVQQHDAdjaGVuZ2R1MQ0wCwYDVQQKDAR6Y2hkMQwwCgYDVQQLDANEZXYxETAP
BgNVBAMMCHpjaGQubHRkMSEwHwYJKoZIhvcNAQkBFhJ6Y2hkLmx0ZEBnbWFpbC5j
b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCng+pbIhGhTHoNiCtG
jL75cF8aWre255+zMzVCYAqsQKUAG57MdRA4rgwIvJ9bkXDtEEjA4+a+o8xwp1od
BvsyPNPYmc5Bp5dCLKypnmGI18VzzJRu6wxrYNAMdv2DfrlHK+bD4KVr1PeoYbsh
YKEL125eIM9+Xr79fY+VWhZqbfgK5X1HWakx4CvOCzWwjGoobkKHJJgyJpxN9Y87
cAkP5q62f/b0VHTI1h83cbvQCKgL3J2P0ZtKhHMFPCmFkz27aL9hmfzw95iifbYb
XST8gfcBnGWv/P5pk5wdDoiTuC/QqHuozqc3TKFjLP3oTUgXMPURYWgwLvAJYna9
f9vdAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAcXoWDs4B0hfvoARErsFv43/Z
B6xX9fCwiTOQQea2gb2AXGY6I5dj9QIU8/q/tPoFWGxAw3phkJN7vC1qnOaqv5DX
upwHp3zIDZCwioDwAedIpbV5sJomDapzVY0ww2MC44sf6YnZGZIUO4q5DGpMBNVf
x8bhStKmkk90QrNFHD6V2REuw9Y/+hDdan2WJaj1i/bkIadXnNjBYjSr98K6XXjf
EG25lftuDXL4ykKL8gu4kdM8X86TMXFB7fTuZBrvN6S3aw88RiECw8FCEBDRzuAx
e2gqRdihsLe6oWFhzs/TlCK81CMXH9CrnZnAGbx+nFBfXcKvCYYm1oTxXmJIjw==
-----END CERTIFICATE REQUEST-----
➜ ca openssl req -in for_request.csr -noout -text
Certificate Request:
Data:
Version: (0x0)
Subject: C=CN, ST=sichuan, L=chengdu, O=zchd, OU=Dev, CN=zchd.ltd/emailAddress=zchd.ltd@gmail.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: ( bit)
Modulus:
:a7::ea:5b:::a1:4c:7a:0d::2b::8c:
be:f9::5f:1a:5a:b7:b6:e7:9f:b3:::::
0a:ac::a5::1b:9e:cc::::ae:0c::bc:
9f:5b:::ed:::c0:e3:e6:be:a3:cc::a7:
5a:1d::fb::3c:d3:d8::ce::a7:::2c:
ac:a9:9e:::d7:c5::cc::6e:eb:0c:6b::
d0:0c::fd::7e:b9::2b:e6:c3:e0:a5:6b:d4:
f7:a8::bb:::a1:0b:d7:6e:5e::cf:7e:5e:
be:fd:7d:8f::5a::6a:6d:f8:0a:e5:7d:::
a9::e0:2b:ce:0b::b0:8c:6a::6e::::
:::9c:4d:f5:8f:3b:::0f:e6:ae:b6:7f:
f6:f4:::c8:d6:1f:::bb:d0::a8:0b:dc:
9d:8f:d1:9b:4a::::3c::::3d:bb::
bf:::fc:f0:f7::a2:7d:b6:1b:5d::fc::
f7::9c::af:fc:fe:::9c:1d:0e:::b8:
2f:d0:a8:7b:a8:ce:a7::4c:a1::2c:fd:e8:4d:
:::f5:::::2e:f0::::bd:7f:
db:dd
Exponent: (0x10001)
Attributes:
a0:
Signature Algorithm: sha256WithRSAEncryption
:7a::0e:ce::d2::ef:a0:::ae:c1:6f:e3:7f:d9:
:ac::f5:f0:b0:::::e6:b6::bd::5c::3a:
:::f5:::f3:fa:bf:b4:fa:::6c::c3:7a::
::7b:bc:2d:6a:9c:e6:aa:bf::d7:ba:9c::a7:7c:c8:
0d::b0:8a::f0::e7::a5:b5::b0:9a::0d:aa::
:8d::c3:::e3:8b:1f:e9::d9::::3b:8a:b9:
0c:6a:4c::d5:5f:c7:c6:e1:4a:d2:a6::4f:::b3::
1c:3e::d9::2e:c3:d6:3f:fa::dd:6a:7d:::a8:f5:
8b:f6:e4::a7::9c:d8:c1:::ab:f7:c2:ba:5d::df:
:6d:b9::fb:6e:0d::f8:ca::8b:f2:0b:b8::d3:3c:
5f:ce:::::ed:f4:ee::1a:ef::a4:b7:6b:0f:3c:
:::c3:c1::::d1:ce:e0::7b::2a::d8:a1:
b0:b7:ba:a1:::ce:cf:d3:::bc:d4:::1f:d0:ab:
9d::c0::bc:7e:9c::5f:5d:c2:af::::d6::f1:
5e:::8f

生成过程中需要输入地理位置、组织、通用名等信息。生成的私钥和 csr 文件默认以 PEM 格式存储，内容为 base64 编码。

需要注意，用户自行生成私钥情况下，私钥文件一旦丢失，CA 方由于不持有私钥信息，无法进行恢复，意味着通过该证书中公钥加密的内容将无法被解密。