一键创建SSL证书

_sign_helper.sh

#!/bin/bash

# CA文件夹目录
CA_HOME=${CA_HOME:?}
# CA配置文件
CA_CFG=${CA_CFG:?}
# CA证书路径
CA_CERT=${CA_CERT:?}

IDENTITY=${IDENTITY:?}
OUTDIR=${OUTDIR:?}

PRIK_FILE=${PRIK_FILE:?}
PRIK_PASS=${PRIK_PASS:?}
CSR_FILE=${CSR_FILE:?}
CERT_FILE=${CERT_FILE:?}
EXT_FILE=${EXT_FILE:?}
SIGN_EXT=${SIGN_EXT:?}
PKCS12_FILE=${PKCS12_FILE:?}


echo 创建输出目录
mkdir -p "$OUTDIR"

gen_key()
{
echo 创建私钥
openssl genpkey -algorithm RSA \
  -pkeyopt rsa_keygen_bits:2048 \
  -aes256 -pass "$PRIK_PASS" \
  -out "$PRIK_FILE" || exit 1
}

show_key()
{
echo 查看公钥
openssl pkey -noout -text_pub -in "$PRIK_FILE" -passin "$PRIK_PASS" || exit 1
}

gen_csr()
{
echo 创建证书签署请求
openssl req -new -config "$EXT_FILE" \
  -key "$PRIK_FILE" -passin "$PRIK_PASS" \
  -out "$CSR_FILE" || exit 1
}

show_csr()
{
echo 查看CSR
openssl req  -noout -text -in "$CSR_FILE"  || exit 1
}

sign_csr()
{
echo 签署证书
touch "$CA_HOME"/index.txt
[[ ! -s "$CA_HOME"/serial ]] && echo 01 > "$CA_HOME"/serial

openssl ca -config "$CA_CFG" -passin "$PRIK_PASS" \
  -extensions "$SIGN_EXT" \
  -in "$CSR_FILE" \
  -out "$CERT_FILE" || exit 1

cat "$CA_CERT" >> "$CERT_FILE"
}

gen_pkcs12()
{
echo 导出PKCS12
openssl pkcs12 -export \
  -macalg sha256 -name "PKCS12 file for $IDENTITY" \
  -inkey "$PRIK_FILE" \
  -in "$CERT_FILE" -passin "$PRIK_PASS"  \
  -out "$PKCS12_FILE" -passout "$PRIK_PASS"

# https://www.openssl.org/docs/man1.1.0/man1/openssl.html#Pass-Phrase-Options
# PRIK_PASS文件的第一行是输入密码，第二行是输出密码
}

###
# 主入口
###

[ -s "$PRIK_FILE" ] || gen_key
show_key
[ -s "$CSR_FILE"  ] || gen_csr
show_csr
[ -s "$CERT_FILE" ] || sign_csr
gen_pkcs12

create_cert.sh

###
# 创建新的证书
###

# CA文件夹目录
CA_HOME="$HOME"/.ssh/ca
# 私钥密码文件（简单起见使用相同的密码）
PASS_FILE="$HOME"/.ssh/ca/.keypass
# 当前CA文件夹目录（该变量方便脚本重用）
CA_HOME="$CA_HOME"/intermediate
# CA配置文件
CA_CFG="$CA_HOME"/openssl.cnf
# CA证书路径
CA_CERT="$CA_HOME"/certs/intermediate.pem.crt

IDENTITY=${IDENTITY:-localhost}
OUTDIR=generate/"$IDENTITY"

PRIK_FILE=${PRIK_FILE:-"$OUTDIR"/"$IDENTITY".key.rsa}
PRIK_PASS=${PRIK_PASS:-file:"$PASS_FILE"}
CSR_FILE=${CSR_FILE:-"$OUTDIR"/"$IDENTITY".pem.csr}
CERT_FILE="$OUTDIR"/"$IDENTITY".pem.crt
PKCS12_FILE="$OUTDIR"/"$IDENTITY".p12
EXT_FILE=csr_ext.cnf
SIGN_EXT=server_cert

. ../_sign_helper.sh

create_intermediate.sh

###
# 创建新的中级认证机构
###

# CA文件夹目录
CA_HOME="$HOME"/.ssh/ca
# 私钥密码文件（简单起见使用相同的密码）
PASS_FILE="$HOME"/.ssh/ca/.keypass
# 当前CA文件夹目录（该变量方便脚本重用）
CA_HOME="$CA_HOME"/root
# CA配置文件
CA_CFG="$CA_HOME"/openssl.cnf
# CA证书路径
CA_CERT="$CA_HOME"/certs/ca.pem.crt

IDENTITY=${IDENTITY:-intermediate}
OUTDIR=generate/"$IDENTITY"

PRIK_FILE=${PRIK_FILE:-"$OUTDIR"/"$IDENTITY".key.rsa}
PRIK_PASS=${PRIK_PASS:-file:"$PASS_FILE"}
CSR_FILE=${CSR_FILE:-"$OUTDIR"/"$IDENTITY".pem.csr}
CERT_FILE="$OUTDIR"/"$IDENTITY".pem.crt
PKCS12_FILE="$OUTDIR"/"$IDENTITY".p12
EXT_FILE=openssl.cnf
SIGN_EXT=v3_intermediate_ca

. ../_sign_helper.sh

csr_ext.cnf

# The main section is named req because the command we are using is req
# (openssl req ...)
[ req ]
# This specifies the default key size in bits. If not specified then 512 is
# used. It is used if the -new option is used. It can be overridden by using
# the -newkey option.
default_bits = 2048

# This is the default filename to write a private key to. If not specified the
# key is written to standard output. This can be overridden by the -keyout
# option.
default_keyfile = localhost.rsa.key

# If this is set to no then if a private key is generated it is not encrypted.
# This is equivalent to the -nodes command line option. For compatibility
# encrypt_rsa_key is an equivalent option.
encrypt_key = no

# This option specifies the digest algorithm to use.
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256

# if set to the value no this disables prompting of certificate fields and just
# takes values from the config file directly. It also changes the expected
# format of the distinguished_name and attributes sections.
prompt = yes

# if set to the value yes then field values to be interpreted as UTF8 strings,
# by default they are interpreted as ASCII. This means that the field values,
# whether prompted from a terminal or obtained from a configuration file, must
# be valid UTF8 strings.
utf8 = yes

# This specifies the section containing the distinguished name fields to
# prompt for when generating a certificate or certificate request.
distinguished_name = req_distinguished_name


# this specifies the configuration file section containing a list of extensions
# to add to the certificate request. It can be overridden by the -reqexts
# command line switch. See the x509v3_config(5) manual page for details of the
# extension section format.
req_extensions = req_ext

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
commonName                      = Common Name
emailAddress                    = Email Address
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name

# Optionally, specify some defaults.
commonName_default              = localhost
emailAddress_default            = [email protected]
countryName_default             = CN
stateOrProvinceName_default     = Shanghai
localityName_default            = Shanghai
0.organizationName_default      = enihsyou Ltd
organizationalUnitName_default  = enihsyou Ltd Server Group

[ req_ext ]
basicConstraints     = CA:FALSE
subjectKeyIdentifier = hash
keyUsage             = critical, digitalSignature, keyEncipherment
subjectAltName       = @alternate_names
extendedKeyUsage     = serverAuth

[ alternate_names ]
IP.1  = 127.0.0.1
IP.2  = 192.168.9.4
DNS.1 = enihsyou-MacBook-Pro.local
DNS.2 = localhost
DNS.3 = hdfs-namenode
DNS.4 = yarn-resource-manager

openssl_ca.cnf

# OpenSSL root CA configuration file.
# https://jamielinux.com/docs/openssl-certificate-authority/index.html
# https://www.phildev.net/ssl/opensslconf.html

[ ca ]
# `man ca`
default_ca = CA_default

[ CA_default ]
# Directory and file locations.
dir              = /Users/enihsyou/.ssh/ca/root
certs            = $dir/certs
crl_dir          = $dir/crl
new_certs_dir    = $dir/newcerts
database         = $dir/index.txt
serial           = $dir/serial
RANDFILE         = $dir/private/.rand

# The root key and root certificate.
private_key      = $dir/private/ca.key.rsa
certificate      = $dir/certs/ca.pem.crt

# For certificate revocation lists.
crlnumber        = $dir/crlnumber
crl              = $dir/crl/ca.crl.pem
crl_extensions   = crl_ext
default_crl_days = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md       = sha256

name_opt         = ca_default
cert_opt         = ca_default
default_days     = 365
preserve         = no
policy           = policy_strict
unique_subject   = no


[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
# Options for the `req` tool (`man req`).
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.
default_md          = sha256

# Extension to add when the -x509 option is used.
# Unsed to create self-signed certificates
x509_extensions     = v3_ca

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
commonName                      = Common Name
emailAddress                    = Email Address
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name

# Optionally, specify some defaults.
commonName_default              = enihsyou Ltd Intermediate CA
emailAddress_default            = [email protected]
countryName_default             = CN
stateOrProvinceName_default     = Shanghai
localityName_default            = Shanghai
0.organizationName_default      = enihsyou Ltd
organizationalUnitName_default  = enihsyou Ltd Certificate Authority

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true
keyUsage               = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true, pathlen:0
keyUsage               = critical, digitalSignature, cRLSign, keyCertSign

[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier = keyid:always

[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
keyUsage               = critical, digitalSignature
extendedKeyUsage       = critical, OCSPSigning

openssl_intermediate.cnf

# OpenSSL intermediate CA configuration file.
# https://jamielinux.com/docs/openssl-certificate-authority/index.html
# https://www.phildev.net/ssl/opensslconf.html

[ ca ]
# `man ca`
default_ca = CA_default

[ CA_default ]
# Directory and file locations.
dir              = /Users/enihsyou/.ssh/ca/intermediate
certs            = $dir/certs
crl_dir          = $dir/crl
new_certs_dir    = $dir/newcerts
database         = $dir/index.txt
serial           = $dir/serial
RANDFILE         = $dir/private/.rand

# The root key and root certificate.
private_key      = $dir/private/intermediate.key.rsa
certificate      = $dir/certs/intermediate.pem.crt

# For certificate revocation lists.
crlnumber        = $dir/crlnumber
crl              = $dir/crl/intermediate.crl
crl_extensions   = crl_ext
default_crl_days = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md       = sha256

name_opt         = ca_default
cert_opt         = ca_default
default_days     = 90
preserve         = no
policy           = policy_loose
unique_subject   = no
copy_extensions  = copy


[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
# Options for the `req` tool (`man req`).
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.
default_md          = sha256

# Extension to add when the -x509 option is used.
x509_extensions     = server_cert

# Extension to add when the -req option is used.
req_extensions      = server_cert

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
commonName                      = Common Name
emailAddress                    = Email Address
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name

# Optionally, specify some defaults.
commonName_default              = localhost
emailAddress_default            = [email protected]
countryName_default             = CN
stateOrProvinceName_default     = Shanghai
localityName_default            = Shanghai
0.organizationName_default      = enihsyou Ltd
organizationalUnitName_default  = enihsyou Ltd Server Group

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints       = CA:FALSE
nsCertType             = client, email
nsComment              = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
keyUsage               = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage       = clientAuth, emailProtection

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
# RFC 5280, Section 4.2.1.12 makes EKU optional
#   CA\Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
#   In either case, you probably only need serverAuth.
basicConstraints       = CA:FALSE
nsCertType             = server
nsComment              = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage               = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage       = serverAuth