执行certificate-gen.sh脚本后生成的文件(执行前确保环境支持keytool和openssl命令)
.p12 是 PKCS#12 格式的 keystore 文件,.cer 是证书文件。keystore 的默认密码是 123456(仅供测试环境使用,脚本中写死),修改密码需在 sh 脚本中修改。注意:证书本身没有密码,而 .key 私钥文件是以明文(未加密)形式写出的,生成后请妥善保管、不要随意分发。
ca-openssl.cnf:
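# ca-openssl.cnf -- "openssl req" configuration for the self-signed test root CA.
# Consumed by certificate-gen.sh as:
#   openssl req -x509 ... -config ca-openssl.cnf -extensions v3_req
# There is no "prompt = no", so openssl req asks for every DN field
# interactively and offers the *_default values as defaults.
[req]
distinguished_name = req_distinguished_name
req_extensions     = v3_req

[req_distinguished_name]
countryName                 = Country Name (2 letter code)
countryName_default         = CN
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = SiChuan
organizationName            = Organization Name (eg, company)
organizationName_default    = NSTC Co., Ltd
commonName                  = Common Name (eg, YOUR name)
commonName_default          = TestRootCA

# Extensions for the root certificate.
# basicConstraints is marked critical so a verifier that does not understand
# it must reject the chain instead of silently treating this as an end-entity
# certificate. cRLSign is added so the same key can sign a CRL later without
# re-issuing the root; subjectKeyIdentifier lets issued certs chain by key id.
[v3_req]
basicConstraints     = critical, CA:true
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash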
client-openssl.cnf:
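# client-openssl.cnf -- "openssl req" configuration for the test client certificate.
# Consumed by certificate-gen.sh for the CSR ("openssl req -new -config ...")
# and passed as "-extfile" when the CA signs client.csr.
[req]
distinguished_name = req_distinguished_name
req_extensions     = v3_req

[req_distinguished_name]
countryName                 = Country Name (2 letter code)
countryName_default         = CN
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = Sichuan
localityName                = Locality Name (eg, city)
localityName_default        = Chengdu
organizationName            = Organization Name (eg, company)
organizationName_default    = CDXX Co., Ltd
commonName                  = Common Name (eg, YOUR name)
commonName_default          = ClientTestCer

# End-entity (TLS client) extensions.
# The previous version asked for "keyUsage = critical, keyCertSign" on a
# CA:false certificate. That pairing is contradictory: keyCertSign is only
# meaningful for a CA, and a TLS stack that honours keyUsage (JSSE, for one)
# rejects a client certificate whose keyUsage lacks digitalSignature.
# NOTE(review): certificate-gen.sh signs client.csr with
# "openssl x509 -req -extfile client-openssl.cnf" but without
# "-extensions v3_req", so this section is presumably not applied to
# client.cer at all -- confirm with "openssl x509 -in client.cer -noout -text".
[v3_req]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth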
server-openssl.cnf:
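# server-openssl.cnf -- openssl configuration for the test server certificate.
# certificate-gen.sh uses only [req] (CSR generation) and [v3_req] (passed as
# "-extfile server-openssl.cnf -extensions v3_req" when the CA signs
# server.csr). The [ca] / [CA_default] / [policy_anything] sections are for
# "openssl ca", which the script never calls; they are kept as found for
# anyone who wants to run a real CA database against this PKI, but note that
# "x509_extensions = usr_cert" points at a section this file does not define.
[req]
distinguished_name = req_distinguished_name
req_extensions     = v3_req

[req_distinguished_name]
countryName                 = Country Name (2 letter code)
countryName_default         = CN
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = Beijing
localityName                = Locality Name (eg, city)
localityName_default        = Beijing
organizationName            = Organization Name (eg, company)
organizationName_default    = NSTC Co., Ltd
commonName                  = Common Name (eg, YOUR name)
commonName_default          = ServerTestCer
commonName_max              = 64

####################################################################
[ ca ]
default_ca = CA_default                     # The default ca section

####################################################################
[ CA_default ]
dir              = .                        # Where everything is kept
certs            = $dir                     # Where the issued certs are kept
crl_dir          = $dir                     # Where the issued crl are kept
database         = $dir/index.txt           # database index file.
#unique_subject  = no                       # Set to 'no' to allow creation of
                                            # several certificates with same subject.
new_certs_dir    = $dir                     # default place for new certs.
certificate      = $dir/ca.pem              # The CA certificate
serial           = $dir/serial              # The current serial number
crlnumber        = $dir/crlnumber           # the current crl number
                                            # must be commented out to leave a V1 CRL
crl              = $dir/crl.pem             # The current CRL
private_key      = $dir/private/cakey.pem   # The private key
RANDFILE         = $dir/private/.rand       # private random number file
x509_extensions  = usr_cert                 # The extensions to add to the cert
                                            # (section not defined in this file)
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt         = ca_default               # Subject Name options
cert_opt         = ca_default               # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days     = 365                      # how long to certify for
default_crl_days = 30                       # how long before next CRL
default_md       = default                  # use public key default MD
preserve         = no                       # keep passed DN ordering
# A few different ways of specifying how similar the request should look.
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy           = policy_anything

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

# Extensions the CA puts into server.cer (applied via -extensions v3_req).
[v3_req]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
# serverAuth scopes the certificate explicitly to TLS server use. Verifiers
# that check EKU accept a certificate with no EKU as well, so this does not
# break existing clients; it only stops the same certificate doubling as a
# client or code-signing certificate.
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

# certificate-gen.sh overwrites the value of the IP.1 entry below with the
# address typed at its prompt. An IP.1 entry must hold an IP literal; a host
# name belongs in a DNS.1 entry (openssl refuses a non-address value here).
[alt_names]
IP.1 = 192.168.20.156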
certificate-gen.sh:
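#!/usr/bin/env bash
#
# certificate-gen.sh -- generate a throw-away test PKI with openssl + keytool.
#
# Outputs (in the current directory):
#   ca.key / ca.cer          self-signed root CA
#   ca.p12                   ca.cer as a PKCS#12 trust store
#   client.key / client.cer  client key + certificate signed by the CA
#   client.p12               client key + certificate chain (key store)
#   server.key / server.cer  server key + certificate signed by the CA
#   server.p12               server key + certificate chain (key store)
#   client_ts.p12            server.cer alone, as the client's trust store
#
# Requires ca-openssl.cnf, client-openssl.cnf and server-openssl.cnf in the
# current directory. The subjectAltName line of server-openssl.cnf is
# rewritten in place with the address entered at the prompt.
#
# Environment:
#   STORE_PASS  password of every .p12 (default 123456 -- test use only)
#   CERT_DAYS   validity of all certificates in days (default 3650)
#
# The .key files are written unencrypted (-nodes / -nocrypt); the script
# therefore sets umask 077 so they are not world-readable on creation.
set -euo pipefail

# Exported so openssl (-passout env:) and keytool (-storepass:env) can read
# the password without it appearing on the command line / in `ps`.
declare -rx STORE_PASS="${STORE_PASS:-123456}"
readonly CERT_DAYS="${CERT_DAYS:-3650}"
readonly SERVER_CNF=server-openssl.cnf

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Abort unless every tool and config file the script needs is present.
# Globals:   SERVER_CNF (read)
#######################################
check_prereqs() {
  local tool cnf
  for tool in openssl keytool sed awk; do
    command -v "$tool" >/dev/null 2>&1 || die "required command not found: $tool"
  done
  for cnf in ca-openssl.cnf client-openssl.cnf "$SERVER_CNF"; do
    [[ -r "$cnf" ]] || die "missing config file: $cnf"
  done
}

#######################################
# Remove the artefacts of a previous run. -f so an empty directory does not
# produce "No such file" errors (which would abort the script under set -e).
#######################################
clean_outputs() {
  rm -f -- ./*.rsa ./*.cer ./*.jks ./*.p12 ./*.key ./*.csr ./*.srl
}

#######################################
# Generate a 2048-bit RSA key and convert it to unencrypted PKCS#8.
# Arguments: $1 - basename; writes $1.key.rsa (raw) and $1.key (PKCS#8)
#######################################
gen_pkcs8_key() {
  local name=$1
  openssl genrsa -out "$name.key.rsa" 2048
  openssl pkcs8 -topk8 -in "$name.key.rsa" -out "$name.key" -nocrypt
}

#######################################
# Sign a CSR with the test CA. -CAcreateserial creates ca.srl on the first
# call and increments it on later ones.
# Arguments: $1 - basename (reads $1.csr, writes $1.cer)
#            $2 - extension config file
#            $@ - further openssl x509 options (e.g. -extensions v3_req)
# Globals:   CERT_DAYS (read)
#######################################
sign_with_ca() {
  local name=$1 extfile=$2
  shift 2
  openssl x509 -req -CA ca.cer -CAkey ca.key -CAcreateserial \
    -in "$name.csr" -extfile "$extfile" -out "$name.cer" \
    -days "$CERT_DAYS" "$@"
}

#######################################
# Bundle a private key, its certificate and ca.cer into a PKCS#12 key store.
# Arguments: $1 - basename (reads $1.key and $1.cer, writes $1.p12)
# Globals:   STORE_PASS (read via the environment by openssl)
#######################################
make_keystore() {
  local name=$1
  openssl pkcs12 -export -CAfile ca.cer -in "$name.cer" -inkey "$name.key" \
    -out "$name.p12" -passout env:STORE_PASS
}

#######################################
# Import a single certificate into a PKCS#12 trust store.
# -storetype PKCS12 is explicit because keytool on Java 8 would otherwise
# write a JKS file despite the .p12 name; -noprompt skips the interactive
# "Trust this certificate?" question so the script can run unattended.
# Arguments: $1 - certificate file, $2 - trust store file
# Globals:   STORE_PASS (read via the environment by keytool)
#######################################
make_truststore() {
  local cert=$1 store=$2
  keytool -importcert -trustcacerts -noprompt -file "$cert" \
    -keystore "$store" -storetype PKCS12 -storepass:env STORE_PASS
}

#######################################
# Ask for the server address and rewrite the subjectAltName entry of
# server-openssl.cnf with it.
# The input is restricted to host-name / IP characters BEFORE it is
# interpolated into the sed replacement (the previous version fed the raw
# answer, and the old value with its regex-special dots, straight into
# "s/old/new/g"). IP literals go into IP.1, anything else into DNS.1 --
# openssl rejects an IP.1 entry that is not a valid address, which is what
# happened before when a host name was typed at this prompt.
# Globals:   SERVER_CNF (read; file rewritten in place)
#######################################
set_server_san() {
  local server san old
  local -r allowed_re='^[A-Za-z0-9.:-]+$'
  local -r ipv4_re='^[0-9]+(\.[0-9]+){3}$'
  read -r -p "请输入服务器域名或者主机名:" server
  [[ "$server" =~ $allowed_re ]] \
    || die "invalid host name / IP address: $server"
  if [[ "$server" =~ $ipv4_re || "$server" == *:* ]]; then
    san="IP.1 = $server"
  else
    san="DNS.1 = $server"
  fi
  old=$(awk '/^(IP|DNS)\.1 = /{print $3; exit}' "$SERVER_CNF")
  [[ -n "$old" ]] || die "no IP.1 / DNS.1 entry found in $SERVER_CNF"
  echo "=>set alt_names $server"
  echo "=>将 alt_names 从 $old 修改为 $server"
  # $san contains only the validated character set, so no sed metacharacter
  # (&, \, /) can reach the replacement.
  sed -i -E "s/^(IP|DNS)\.1 = .*/$san/" "$SERVER_CNF"
}

main() {
  umask 077   # private keys are written in the clear; keep them owner-only
  check_prereqs
  echo "=>SSL证书生成程序"
  echo "=>清理环境"
  clean_outputs

  echo "=>生成自签发证书ca.cer"
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.cer \
    -config ca-openssl.cnf -days "$CERT_DAYS" -extensions v3_req

  echo "=>将ca.cer转换为PKCS#12格式的KeyStore文件ca.p12, KeyStore密码为 STORE_PASS 环境变量的值(默认 123456)"
  make_truststore ca.cer ca.p12

  echo "=>生成客户端私钥client.key,通过ca签发客户端证书client.cer"
  gen_pkcs8_key client
  openssl req -new -key client.key -out client.csr -config client-openssl.cnf
  # NOTE(review): as before, no -extensions is passed for the client, so the
  # [v3_req] section of client-openssl.cnf (CA:false paired with keyCertSign)
  # is presumably not copied into client.cer. Add "-extensions v3_req" here
  # only after that section's keyUsage is changed to digitalSignature /
  # keyEncipherment, otherwise TLS stacks that honour keyUsage (e.g. JSSE)
  # reject the client certificate.
  sign_with_ca client client-openssl.cnf

  echo "=>将客户端私钥和对应的证书链合成PKCS#12格式的KeyStore文件client.p12,KeyStore密码和私钥密码均为 STORE_PASS 环境变量的值(默认 123456)"
  make_keystore client

  echo "=>生成服务端私钥server.key,通过ca签发服务端证书server.cer"
  echo "=>填写服务端主机名(域名)或IP地址,证书验证服务器时需要此扩展属性,否则可能导致通讯时无法正常验证"
  set_server_san
  gen_pkcs8_key server
  openssl req -new -key server.key -out server.csr -config "$SERVER_CNF"
  sign_with_ca server "$SERVER_CNF" -extensions v3_req

  echo "=>将服务端私钥和对应的证书链合成PKCS#12格式的KeyStore文件server.p12,KeyStore密码和私钥密码均为 STORE_PASS 环境变量的值(默认 123456)"
  make_keystore server

  echo "=>将服务端证书server.cer合成PKCS#12格式的KeyStore文件client_ts.p12(作为客户端TrustStore),KeyStore密码和私钥密码均为 STORE_PASS 环境变量的值(默认 123456)"
  # The client trust store pins the server leaf rather than ca.cer (kept from
  # the original design): re-issuing server.cer means redistributing
  # client_ts.p12 to every client.
  make_truststore server.cer client_ts.p12

  echo "=>清理无用的文件"
  rm -f -- ./*.rsa ./*.csr ca.srl
  echo "=>SSL证书生成程序执行结束"
}

main "$@"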