SSL证书生成脚本


执行certificate-gen.sh脚本后生成的文件(执行前确保环境支持keytool和openssl命令)

SSL证书生成脚本

.p12是keystore文件,cer是证书文件,证书和仓库的默认密码都是123456,修改密码需在sh脚本中修改。

ca-openssl.cnf:

[req]
distinguished_name  = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName           = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName   = State or Province Name (full name)
stateOrProvinceName_default = SiChuan
organizationName          = Organization Name (eg, company)
organizationName_default = NSTC Co., Ltd
commonName            = Common Name (eg, YOUR name)
commonName_default = TestRootCA

[v3_req]
basicConstraints = CA:true
keyUsage = critical, keyCertSign

client-openssl.cnf:

[req]
distinguished_name  = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName           = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName   = State or Province Name (full name)
stateOrProvinceName_default = Sichuan
localityName          = Locality Name (eg, city)
localityName_default  = Chengdu
organizationName          = Organization Name (eg, company)
organizationName_default = CDXX Co., Ltd
commonName            = Common Name (eg, YOUR name)
commonName_default = ClientTestCer

[v3_req]
basicConstraints = CA:false
keyUsage = critical, keyCertSign

server-openssl.cnf:

[req]
distinguished_name  = req_distinguished_name
req_extensions     = v3_req

[req_distinguished_name]
countryName           = Country Name (2 letter code)
countryName_default   = CN
stateOrProvinceName   = State or Province Name (full name)
stateOrProvinceName_default = Beijing
localityName          = Locality Name (eg, city)
localityName_default  = Beijing
organizationName          = Organization Name (eg, company)
organizationName_default  =  NSTC Co., Ltd
commonName            = Common Name (eg, YOUR name)
commonName_default  =  ServerTestCer
commonName_max        = 64

####################################################################
[ ca ]
default_ca  = CA_default        # The default ca section

####################################################################
[ CA_default ]

dir     = . # Where everything is kept
certs       = $dir # Where the issued certs are kept
crl_dir     = $dir      # Where the issued crl are kept
database    = $dir/index.txt    # database index file.
#unique_subject = no            # Set to 'no' to allow creation of
                    # several certificates with same subject.
new_certs_dir   = $dir      # default place for new certs.

certificate = $dir/ca.pem   # The CA certificate
serial      = $dir/serial       # The current serial number
crlnumber   = $dir/crlnumber    # the current crl number
                    # must be commented out to leave a V1 CRL
crl     = $dir/crl.pem      # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE    = $dir/private/.rand    # private random number file

x509_extensions = usr_cert      # The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt    = ca_default        # Subject Name options
cert_opt    = ca_default        # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions    = crl_ext

default_days    = 365           # how long to certify for
default_crl_days= 30            # how long before next CRL
default_md  = default       # use public key default MD
preserve    = no            # keep passed DN ordering

# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy      = policy_anything
[ policy_anything ]
countryName     = optional
stateOrProvinceName = optional
localityName        = optional
organizationName    = optional
organizationalUnitName  = optional
commonName      = supplied
emailAddress        = optional

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
IP.1 = 192.168.20.156

certificate-gen.sh:

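#!/bin/bash
# Generate a self-signed test CA plus one client and one server certificate,
# then pack them into PKCS#12 keystores for Java (keytool) and OpenSSL users.
#
# Requires: openssl and keytool (JDK) on PATH, and ca-openssl.cnf,
# client-openssl.cnf, server-openssl.cnf in the current directory.
#
# Environment:
#   STOREPASS  password for every generated .p12 keystore and private key
#              (default 123456 - test use only; override it for anything else)
#   CERT_DAYS  validity in days for every issued certificate (default 3650)
#
# Outputs (current directory): ca.key ca.cer ca.p12 client.key client.cer
#   client.p12 server.key server.cer server.p12 client_ts.p12
#
# Side effect: server-openssl.cnf is edited in place so its [alt_names] entry
# holds the host name / IP address entered at the prompt (GNU `sed -i`;
# BSD/macOS sed needs `-i ''`).
set -euo pipefail

# The password is handed to openssl/keytool through the environment instead of
# argv so it does not appear in `ps` output or the shell history.
export STOREPASS="${STOREPASS:-123456}"
readonly CERT_DAYS="${CERT_DAYS:-3650}"

# Only the files this script itself writes are ever deleted; the original
# `rm *.key` / `rm *.p12` globs would also wipe unrelated keys in the cwd.
readonly GENERATED_FILES=(
  ca.key ca.cer ca.p12 ca.srl
  client.key.rsa client.key client.csr client.cer client.p12 client_ts.p12
  server.key.rsa server.key server.csr server.cer server.p12
)
# Intermediates that are not needed once the .p12 files exist.
readonly TEMP_FILES=(client.key.rsa client.csr server.key.rsa server.csr ca.srl)

#######################################
# Print an error to stderr and exit 1.
# Arguments: message words
#######################################
die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Print a progress line in the "=>..." style of the original script.
# Arguments: message words
#######################################
step() { printf '=>%s\n' "$*"; }

#######################################
# Remove every file a previous run may have left behind.
# Globals: GENERATED_FILES (read)
#######################################
cleanup_env() {
  step "清理环境"
  rm -f -- "${GENERATED_FILES[@]}"
}

#######################################
# Remove intermediates (raw RSA keys, CSRs, CA serial file).
# Globals: TEMP_FILES (read)
#######################################
cleanup_temp() {
  step "清理无用的文件"
  rm -f -- "${TEMP_FILES[@]}"
}

#######################################
# Create the self-signed root CA (ca.key / ca.cer) and import it into the
# PKCS#12 trust store ca.p12.
# Globals: CERT_DAYS, STOREPASS (read)
#######################################
gen_ca() {
  step "生成自签发证书ca.cer"
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.cer \
    -config ca-openssl.cnf -days "$CERT_DAYS" -extensions v3_req

  step "将ca.cer转换为PKCS#12格式的KeyStore文件ca.p12, KeyStore密码为环境变量 STOREPASS 的值(默认 123456)"
  # -storetype PKCS12: without it Java 8's keytool writes a JKS file despite the
  # .p12 name. -noprompt: this CA was just created by us, so the interactive
  # "Trust this certificate?" question is skipped.
  keytool -importcert -trustcacerts -noprompt -storetype PKCS12 \
    -file ca.cer -keystore ca.p12 -storepass:env STOREPASS
}

#######################################
# Issue the client key/certificate and build client.p12.
# Globals: CERT_DAYS, STOREPASS (read)
#######################################
gen_client() {
  step "生成客户端私钥client.key,通过ca签发客户端证书client.cer"
  openssl genrsa -out client.key.rsa 2048
  # Unencrypted PKCS#8 is the key format the Java side expects.
  openssl pkcs8 -topk8 -in client.key.rsa -out client.key -nocrypt
  openssl req -new -key client.key -out client.csr -config client-openssl.cnf
  # NOTE: no -extensions is passed here (unlike the server step), so the
  # [v3_req] section of client-openssl.cnf is not applied and client.cer
  # carries no keyUsage/basicConstraints. Do not simply add
  # `-extensions v3_req`: that section's keyUsage is keyCertSign only, which
  # is not a usable key usage for a TLS client certificate - change it to
  # digitalSignature first.
  openssl x509 -req -CA ca.cer -CAkey ca.key -CAcreateserial -in client.csr \
    -extfile client-openssl.cnf -out client.cer -days "$CERT_DAYS"

  step "将客户端私钥和对应的证书链合成PKCS#12格式的KeyStore文件client.p12,KeyStore密码和私钥密码均为环境变量 STOREPASS 的值(默认 123456)"
  # -chain makes openssl actually include the CA from -CAfile; without it only
  # the leaf certificate lands in the .p12 even though the message says "chain".
  openssl pkcs12 -export -chain -CAfile ca.cer -in client.cer -inkey client.key \
    -out client.p12 -passout env:STOREPASS
}

#######################################
# Ask for the server host name or IP, write it into the subjectAltName entry
# of server-openssl.cnf, issue server.key/server.cer/server.p12 and build the
# client trust store client_ts.p12 that pins server.cer.
# Globals: CERT_DAYS, STOREPASS (read)
# Inputs:  reads the server name from stdin
#######################################
gen_server() {
  local server kind old_value
  step "生成服务端私钥server.key,通过ca签发服务端证书server.cer"
  step "填写服务端主机名(域名)或IP地址,证书验证服务器时需要此扩展属性,否则可能导致通讯时无法正常验证"
  read -r -p "请输入服务器域名或者主机名:" server || die "未读取到服务器域名或主机名"
  # The value is spliced into a sed expression and into the openssl config, so
  # it is restricted to host-name / IP characters: no sed metacharacters
  # (/ & \), no newlines, nothing that could rewrite other config keys.
  [[ "$server" =~ ^[A-Za-z0-9.:-]+$ ]] \
    || die "无效的服务器域名或IP地址: $server"
  # openssl rejects a host name under IP.N (and an address under DNS.N), so
  # the subjectAltName type is chosen from the shape of the input; the
  # original always wrote IP.1, which fails for a domain name.
  if [[ "$server" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ || "$server" == *:* ]]; then
    kind=IP
  else
    kind=DNS
  fi
  old_value=$(sed -nE 's/^(IP|DNS)\.1[[:space:]]*=[[:space:]]*//p' server-openssl.cnf)
  [[ -n "$old_value" ]] \
    || die "server-openssl.cnf 中未找到 [alt_names] 的 IP.1/DNS.1 条目"
  step "将 alt_names 从 $old_value 修改为 $server"
  # Anchored to the alt_names entry: the original `s/$old/$new/g` replaced the
  # old value wherever it occurred, with the IP's dots matching any character.
  sed -i -E "s/^(IP|DNS)\.1[[:space:]]*=.*/${kind}.1 = ${server}/" server-openssl.cnf

  openssl genrsa -out server.key.rsa 2048
  openssl pkcs8 -topk8 -in server.key.rsa -out server.key -nocrypt
  openssl req -new -key server.key -out server.csr -config server-openssl.cnf
  openssl x509 -req -CA ca.cer -CAkey ca.key -CAcreateserial -in server.csr \
    -out server.cer -extensions v3_req -extfile server-openssl.cnf -days "$CERT_DAYS"

  step "将服务端私钥和对应的证书链合成PKCS#12格式的KeyStore文件server.p12,KeyStore密码和私钥密码均为环境变量 STOREPASS 的值(默认 123456)"
  openssl pkcs12 -export -chain -CAfile ca.cer -in server.cer -inkey server.key \
    -out server.p12 -passout env:STOREPASS

  step "将服务端证书server.cer合成PKCS#12格式的KeyStore文件client_ts.p12(作为客户端TrustStore),KeyStore密码和私钥密码均为环境变量 STOREPASS 的值(默认 123456)"
  # This trust store pins the server leaf certificate rather than the CA, so a
  # re-issued server.cer is not trusted until client_ts.p12 is rebuilt.
  keytool -importcert -trustcacerts -noprompt -storetype PKCS12 \
    -file server.cer -keystore client_ts.p12 -storepass:env STOREPASS
}

#######################################
# Entry point: check tools, clean up, then CA -> client -> server.
#######################################
main() {
  step "SSL证书生成程序"
  command -v openssl >/dev/null || die "缺少 openssl 命令"
  command -v keytool >/dev/null || die "缺少 keytool 命令"
  cleanup_env
  gen_ca
  gen_client
  gen_server
  cleanup_temp
  step "SSL证书生成程序执行结束"
}

main "$@"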
