Edit the openssl.cnf configuration file as follows:
# vim /etc/pki/tls/openssl.cnf
[ req_distinguished_name ] find this section and remove the leading "0." from the entries that start with 0.XXX.
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Default Company Ltd
[ req ]
default_bits = 2048
default_md = sha256 # check that this is sha256; if it is not, change it
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert (if this line is commented out, uncomment it)
[ v3_req ] find this section and add the entries below. The DNS entries list the domain names (including wildcard names) the certificate will be valid for; multiple lines may be added.
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = martinhe.com
DNS.2 = *.martinhe.com
When signing a wildcard certificate, the Common Name must be one of the names present in [ alt_names ], e.g. *.martinhe.com when issuing the wildcard certificate for *.martinhe.com.
Create the self-signed CA certificate and issue the wildcard certificate:
# mkdir /usr/local/harbor/ssl
/usr/local/harbor/ssl]# cd /usr/local/harbor/ssl
# (umask 066;openssl genrsa 2048 > cakey.pem)
# openssl req -new -x509 -key cakey.pem -out cacert.pem -days 3650
CN
beijing
beijing
martinhe
devops
ca.martinhe.com
(press Enter for the remaining prompts)
# openssl x509 -in cacert.pem -noout -text # view the contents of the CA certificate
# openssl req -newkey rsa:1024 -nodes -keyout martinhe.com.key > martinhe.com.csr
CN
beijing
beijing
martim
devops
*.martinhe.com
(press Enter for the remaining prompts)
# openssl x509 -req -days 365 -in martinhe.com.csr -CA cacert.pem -CAkey cakey.pem -set_serial 01 > martinhe.com.crt
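The same CA and wildcard-certificate procedure, written as a non-interactive script so it can be re-run and checked. This is an added example, not the original post's commands or Harbor's own tooling: it writes its own minimal openssl.cnf (with the same [ v3_req ] / [ alt_names ] layout as above) into a temporary directory instead of editing /etc/pki/tls/openssl.cnf, passes the DN values from the prompts above with -subj, and uses 2048-bit keys for both CA and server key (the value default_bits sets above). Two points differ deliberately from the commands above and are worth knowing: `openssl x509 -req` does not copy extensions from the CSR, so without `-extfile`/`-extensions v3_req` the issued certificate carries no subjectAltName, and modern clients (browsers, Docker) reject a certificate whose only name is the Common Name; and `-CAcreateserial` is used instead of `-set_serial 01` so that re-issuing does not produce two certificates with the same serial. The check_* functions verify the result with `openssl verify` and by inspecting the SAN. The domain martinhe.com is taken from the post; the temporary paths are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive CA + wildcard
# certificate with the SAN actually present in the issued certificate.
# Assumes only a working `openssl` binary (1.1.1 or newer).
set -eu

DOMAIN=martinhe.com   # domain from the post; any domain works

make_certs() {
  WORK=$(mktemp -d)   # temporary working directory (constructed for the example)

  # Minimal openssl config built here so the example does not depend on the
  # system openssl.cnf. v3_req carries the wildcard SAN, as in the post.
  cat > "$WORK/openssl.cnf" <<EOF
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
[ req_distinguished_name ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $DOMAIN
DNS.2 = *.$DOMAIN
EOF

  # 1. CA key (umask 066 keeps it readable by the owner only) and self-signed CA cert.
  (umask 066; openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -config "$WORK/openssl.cnf" -key "$WORK/cakey.pem" \
    -subj "/C=CN/ST=beijing/L=beijing/O=martinhe/OU=devops/CN=ca.$DOMAIN" \
    -days 3650 -out "$WORK/cacert.pem"

  # 2. Server key and CSR; the CN is the wildcard name, as the post requires.
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/$DOMAIN.key" \
    -subj "/C=CN/ST=beijing/L=beijing/O=martinhe/OU=devops/CN=*.$DOMAIN" \
    -out "$WORK/$DOMAIN.csr" 2>/dev/null

  # 3. Sign with the CA. -extfile/-extensions v3_req put the SAN into the
  #    issued certificate (x509 -req ignores extensions in the CSR otherwise);
  #    -CAcreateserial gives a fresh random serial instead of a fixed 01.
  openssl x509 -req -days 365 -in "$WORK/$DOMAIN.csr" \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
    -extfile "$WORK/openssl.cnf" -extensions v3_req \
    -out "$WORK/$DOMAIN.crt" 2>/dev/null
}

# Returns 0 when the CA certificate is marked as a CA (basicConstraints CA:TRUE).
check_ca() {
  openssl x509 -in "$WORK/cacert.pem" -noout -text | grep -q 'CA:TRUE'
}

# Returns 0 when the leaf certificate chains to the CA and contains the wildcard SAN.
check_cert() {
  openssl verify -CAfile "$WORK/cacert.pem" "$WORK/$DOMAIN.crt" >/dev/null &&
  openssl x509 -in "$WORK/$DOMAIN.crt" -noout -text |
    grep -q "DNS:\*\.$DOMAIN"
}

if command -v openssl >/dev/null 2>&1; then
  make_certs
  check_ca && check_cert &&
    echo "OK: $WORK/$DOMAIN.crt chains to $WORK/cacert.pem and carries DNS:*.$DOMAIN"
fi
```

Running the script prints the temporary directory holding cakey.pem, cacert.pem, martinhe.com.key and martinhe.com.crt; copy them into /usr/local/harbor/ssl (or wherever Harbor expects them) as in the steps above. To see the difference the `-extfile` option makes, drop it from step 3 and re-run: `check_cert` then fails because the Subject Alternative Name block is absent from the certificate.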
To import the self-signed CA into the system's trusted root certificate store, run the following commands:
# openssl x509 -outform der -in cacert.pem -out cacert.crt # convert the certificate format
# cp cacert.crt /usr/local/share/ca-certificates
# sudo update-ca-certificates # update the root certificates
Updating certificates in /etc/ssl/certs...
rehash: skipping cacert.pem,it does not contain exactly one certificate or CRL
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
To remove the self-signed CA from the system's trusted root certificate store, run the following commands:
/usr/local/share/ca-certificates]# rm -rf cacert.crt
# sudo update-ca-certificates --fresh # re-read the certificate list
Reference: https://www.qiansw.com/add-the-ca-root-certificate-to-the-operating-system-for-trust.html