我正在努力生成用自己的CA签名的ECDSA SSL通配符证书。

我正在使用以下命令：

# Generates CA private key
openssl ecparam -name secp521r1 -genkey -param_enc explicit -out server-ca.key

# Generates CA certificate
openssl req -x509 -sha256 -new -nodes -key server-ca.key -days 3650 -out server-ca.crt

# Generates private key
openssl ecparam -name secp521r1 -genkey -param_enc explicit -out server.key

# Generates certificate signing request
openssl req -new -key server.key -out server.csr -config server.conf -reqexts req_ext

# Generates certificate signed with my CA
openssl x509 -req -sha256 -days 3650 -in server.csr -CA server-ca.crt -CAkey server-ca.key -CAcreateserial -out server.crt -extfile server.conf -extensions req_ext

[req]
req_extensions = req_ext
distinguished_name = req_dn
default_md = sha256

[req_ext]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[req_dn]
CN=domain.my

[alt_names]
DNS.1 = domain.my
DNS.2 = *.domain.my

CONNECTED(00000003)
140500060243600:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:762:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

ssl_certificate         server.crt;
ssl_certificate_key     server.key;
ssl_trusted_certificate server-ca.crt;
ssl_session_cache    shared:SSL:1m;
ssl_session_timeout  5m;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers  on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

openssl ecparam -name secp521r1 -genkey -param_enc explicit -out server-ca.key


您必须创建没有“ -param_enc显式”的密钥对。
不要问我为什么;）