ssl-create
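#!/bin/bash
# @author: anyesu
#
# Generate a self-signed root CA and, signed by it, one server certificate and
# one client certificate (a minimal mutual-TLS setup).
#
# Usage:    ./ssl-create HOST      HOST is the server's hostname or IPv4 address
# Env:      PASSWORD               passphrase for ca-key.pem (the default below
#                                  is a placeholder — change it)
# Outputs:  ca.pem, ca-key.pem in the current directory;
#           server/{ca,server-cert,server-key}.pem;
#           client/{ca,cert,key}.pem
# Requires: openssl on PATH
set -euo pipefail

if (( $# != 1 )); then
  echo "USAGE: $0 [HOST_IP]" >&2
  exit 1
fi

#============================================#
# Certificate subject / key settings — edit as needed #
#============================================#
# Passphrase for the CA private key. It is handed to openssl via the
# environment (env:PASSWORD) rather than on the command line, so it does not
# show up in `ps` output or shell history.
PASSWORD="${PASSWORD:-abc}"
export PASSWORD
COUNTRY=CN
PROVINCE=henan
CITY=zhengzhou
ORGANIZATION=xylink
GROUP=ops
NAME=lirui
# HOST: hostname or IPv4 address the server certificate is issued for
HOST=$1
SUBJ="/C=$COUNTRY/ST=$PROVINCE/L=$CITY/O=$ORGANIZATION/OU=$GROUP/CN=$HOST"
echo "your host is: $HOST"

# Intermediate files are removed on every exit path, including failures.
cleanup() { rm -f -- client.csr server.csr ca.srl extfile.cnf; }
trap cleanup EXIT

# 1. Generate the root CA RSA private key, encrypted with PASSWORD.
openssl genrsa -passout env:PASSWORD -aes256 -out ca-key.pem 4096
# 2. Self-sign the root certificate with that key.
openssl req -passin env:PASSWORD -new -x509 -days 3650 -key ca-key.pem \
  -sha256 -out ca.pem -subj "$SUBJ"

#============================================#
# Server certificate signed by the root CA #
#============================================#
# 3. Server private key.
openssl genrsa -out server-key.pem 4096
# 4. Server CSR; the CN is the server's name or IP.
openssl req -new -sha256 -key server-key.pem -out server.csr -subj "/CN=$HOST"
# 5. Bind the certificate to the host so clients can verify it by address or
#    by name. An IPv4 literal must go in an IP: entry — a DNS: entry holding an
#    IP address is not matched by TLS clients.
if [[ "$HOST" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
  SAN="IP:127.0.0.1,IP:$HOST"
else
  SAN="IP:127.0.0.1,DNS:$HOST"
fi
printf 'subjectAltName = %s\n' "$SAN" > extfile.cnf
# 6. Sign the server certificate with the root CA.
openssl x509 -passin env:PASSWORD -req -days 3650 -sha256 -in server.csr \
  -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem \
  -extfile extfile.cnf

#============================================#
# Client certificate signed by the root CA #
#============================================#
# 7. Client private key.
openssl genrsa -out key.pem 4096
# 8. Client CSR; the CN is the requester's name. Double quotes are required so
#    $NAME is actually expanded (single quotes put the literal "$NAME" in the CN).
openssl req -subj "/CN=$NAME" -new -sha256 -key key.pem -out client.csr
# 9. Client extension file: restrict the certificate to client authentication.
printf 'extendedKeyUsage = clientAuth\n' > extfile.cnf
# 10. Sign the client certificate with the root CA.
openssl x509 -passin env:PASSWORD -req -days 3650 -sha256 -in client.csr \
  -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem \
  -extfile extfile.cnf

#============================================#
# Arrange output #
#============================================#
# -p so re-running the script into an existing layout does not abort.
mkdir -p client server
cp -- ca.pem client/
cp -- ca.pem server/
mv -- cert.pem key.pem client/
mv -- server-cert.pem server-key.pem server/
# Private keys are readable by the owner only.
chmod -f 0400 ca-key.pem server/server-key.pem client/key.pem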