### Generate a self-signed CA

Generate a template CSR definition:

```bash
cfssl print-defaults csr > ca-csr.json
```

Edit `ca-csr.json`:

```json
{
  "CN": "qygaming",
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {
      "C": "US",
      "L": "CA",
      "ST": "San Francisco"
    }
  ]
}
```

### Generate the CA configuration file

```shell
cfssl print-defaults config > ./ca-config.json
```

Edit `ca-config.json` to define three signing profiles: `services` for server certificates, `client` for client certificates, and `peer` for peer certificates. JSON does not allow comments, so keep annotations out of the file itself.

```json
{
  "signing": {
    "default": {
      "expiry": "16800h"
    },
    "profiles": {
      "services": {
        "expiry": "8760h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth"
        ]
      },
      "client": {
        "expiry": "8760h",
        "usages": [
          "signing",
          "key encipherment",
          "client auth"
        ]
      },
      "peer": {
        "expiry": "8760h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
```

#### Create the CA and private key

```bash
cfssl gencert -initca ca-csr.json | cfssljson -bare ca

# ca.csr: certificate signing request
# ca.pem: CA certificate
# ca-csr.json: certificate signing request definition file
# ca-key.pem: CA private key
# ca-config.json: signing configuration file
```
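
Usage strings in `ca-config.json` are free text, so a misspelling is easy to miss. The following is an added example, not code from the original page or the cfssl project: a small Python linter that flags unrecognized usage names, profiles with no signature usage, and comments that break JSON parsing. The function name `lint_ca_config`, the sample config, and the usage list (reproduced from cfssl's source as an assumption) belong to this example.

```python
import json

# Usage names cfssl's config package maps to X.509 bits (assumption: list
# reproduced from the cfssl source; verify against the version you run).
KEY_USAGES = {
    "signing", "digital signature", "content commitment", "key encipherment",
    "key agreement", "data encipherment", "cert sign", "crl sign",
    "encipher only", "decipher only",
}
EXT_KEY_USAGES = {
    "any", "server auth", "client auth", "code signing", "email protection",
    "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user",
    "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc",
}
SIGNATURE = {"signing", "digital signature"}

def lint_ca_config(text):
    """Return (profile, problem) tuples for a cfssl signing config."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        # Strict JSON has no comments, so "//" annotations end up here.
        return [("<file>", f"invalid JSON: {exc.msg} (line {exc.lineno})")]
    signing = cfg.get("signing", {})
    findings = []
    for name, prof in sorted(signing.get("profiles", {}).items()):
        usages = prof.get("usages", [])
        for usage in usages:
            if usage not in KEY_USAGES | EXT_KEY_USAGES:
                findings.append((name, f"unknown usage {usage!r}"))
        # An ECDSA key authenticates a TLS handshake by signing, so a
        # profile without a recognized signature usage is flagged.
        if not SIGNATURE & set(usages):
            findings.append((name, "no digital-signature usage"))
    return findings

# Constructed sample: "services" carries a misspelled usage, "peer" is clean.
SAMPLE = """{"signing": {"default": {"expiry": "16800h"}, "profiles": {
  "services": {"expiry": "8760h",
               "usages": ["singing", "key encipherment", "server auth"]},
  "peer": {"expiry": "8760h", "usages":
           ["signing", "key encipherment", "server auth", "client auth"]}}}}"""

if __name__ == "__main__":
    for profile, problem in lint_ca_config(SAMPLE):
        print(f"{profile}: {problem}")
```

Run it against the file before signing anything, then confirm the issued certificate's key usage with `cfssl certinfo -cert <file>`.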