數字證書製作腳本

功能:
1. 生成自簽名的 CA 根證書
2. 生成 WWW 服務器證書
3. 生成個人身份標識證書

特色:
1. 簡單易用,傻瓜化
2. 支持中文 (使用 UTF-8 編碼)
3. 使用標準 shell 腳本,外部依賴很少
4. 支持多域名證書

使用方法:
0. 把下面腳本內容保存爲 mkca.sh
1. mkdir myca; mv mkca.sh myca; cd myca
2. ./mkca.sh init
3. ./mkca.sh server # 生成 Server 證書,放在 server/ 目錄下。
4. ./mkca.sh client # 生成 Client 證書,放在 client/ 目錄下。

注意事項:
1. 在 init 初始化 CA 證書時,輸入 CN(一般爲 yourname Certification Authority)之後,還會提示輸入多個 Common Name,直接回車跳過即可。
2. 如果預期域名多於 3 個,請自行按下面的格式繼續添加(n 爲序號):

n.commonName= Common Name
n.commonName_max= 64
3. 如果在已 init 之後簽發多域名證書時發現域名多於 3 個,那麼修改 myca 目錄下的 .config 文件,添加與上面相同的內容。
 


 

代碼

    #!/bin/sh
    # by [email protected] 2005.03.09
    # Usage: ca init; ca server; ca client
    # update: waiting@DRL 2010.05.17
    
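    # Layout of the CA working directory. All paths are relative to the
    # current directory, which is why the script must be run from myca/.
    # The layout never changes at run time, so the names are read-only.
    readonly DB_DIR=db                      # openssl ca database directory
    readonly DB_CERTS_DIR=$DB_DIR/certs     # new_certs_dir: copy of every issued cert
    readonly DB_SERIAL_FILE=$DB_DIR/serial  # serial counter used by openssl ca
    readonly DB_INDEX_FILE=$DB_DIR/index    # issued-certificate index (database)
    readonly DB_RAND_FILE=$DB_DIR/rand
    readonly CA_KEY_FILE=ca.key             # root private key (passphrase protected)
    readonly CA_CRT_FILE=ca.crt             # self-signed root certificate
    readonly CONF_FILE=.config              # openssl config generated by init
    readonly SERVER_DIR=server              # output of ./mkca.sh server
    readonly CLIENT_DIR=client              # output of ./mkca.sh client
    readonly OPENSSL=openssl
    # Serial of the next certificate; replaced by the content of
    # $DB_SERIAL_FILE before server/client/reset run. Not read-only.
    CUR_SERIAL=0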
    
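    # Print a progress message in green on stdout.
    # printf is used instead of `echo -e`: under #!/bin/sh (dash) echo
    # has no -e and would print the literal "-e".
    # Arguments: $1 - message text
    info() {
        printf '\033[32m%s\033[0m\n' "$1"
    }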
    
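    # Print a warning message in yellow on stdout.
    # printf rather than `echo -e`, which is not available in POSIX sh.
    # Arguments: $1 - message text
    warn() {
        printf '\033[33m%s\033[0m\n' "$1"
    }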
    
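    # Print an error message in red on stderr and return failure, so it can
    # be used as `error "..." || exit 1` or simply followed by `exit 1`.
    # printf rather than `echo -e`, which is not available in POSIX sh.
    # Arguments: $1 - message text
    # Returns:   always 1
    error() {
        printf '\033[31m%s\033[0m\n' "$1" >&2
        return 1
    }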
    
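    # Sign a certificate request with the CA and verify the result against
    # the CA certificate. Each openssl step is checked; a failed signature
    # no longer falls through to verify/cleanup as if it had succeeded.
    # Arguments: $1 - certificate request to sign (.csr)
    #            $2 - certificate file to write (.crt)
    # Globals:   OPENSSL, CONF_FILE, CA_CRT_FILE, DB_SERIAL_FILE, DB_INDEX_FILE
    # Returns:   0 on success, 1 if signing or verification fails
    sign() {
        info "CA signing: $1 -> $2"
        # -infiles must stay the last option: everything after it is a request file.
        "$OPENSSL" ca -config "$CONF_FILE" -out "$2" -infiles "$1" || return 1
        info "CA verifying: $2 <-> $CA_CRT_FILE"
        "$OPENSSL" verify -CAfile "$CA_CRT_FILE" "$2" || return 1
        # openssl ca leaves .old backups of the serial and index; they are not needed.
        rm -f -- "$DB_SERIAL_FILE.old" "$DB_INDEX_FILE.old"
    }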
    
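    # Initialise the CA: create the database layout, write the OpenSSL
    # configuration and generate the self-signed root key and certificate.
    # Globals: DB_DIR, DB_CERTS_DIR, SERVER_DIR, CLIENT_DIR, DB_SERIAL_FILE,
    #          DB_INDEX_FILE, DB_RAND_FILE, CONF_FILE, CA_KEY_FILE,
    #          CA_CRT_FILE, OPENSSL
    # Returns: 0 on success, 1 if any step fails
    init() {
        mkdir -p -- "$DB_DIR" "$DB_CERTS_DIR" "$SERVER_DIR" "$CLIENT_DIR" || return 1

        # openssl ca needs a serial counter and an (initially empty) index.
        if [ ! -f "$DB_SERIAL_FILE" ]; then
            echo '01' > "$DB_SERIAL_FILE"
        fi
        if [ ! -f "$DB_INDEX_FILE" ]; then
            : > "$DB_INDEX_FILE"
        fi

        # Unquoted terminator on purpose: the $DB_*/$CA_* names are expanded
        # now, while \$dir is left for OpenSSL to resolve.
        # default_md is sha256: SHA-1 signed certificates are rejected by
        # current TLS clients.
        cat > "$CONF_FILE" << EOT

[ ca ]
default_ca			  = CA_own

[ CA_own ]
dir= .
certs    = \$dir
new_certs_dir= \$dir/$DB_CERTS_DIR
database				= \$dir/$DB_INDEX_FILE
serial= \$dir/$DB_SERIAL_FILE
RANDFILE= \$dir/$DB_RAND_FILE
certificate= \$dir/$CA_CRT_FILE
private_key= \$dir/$CA_KEY_FILE
default_days= 3650
default_crl_days= 30
default_md= sha256
preserve= no
policy= policy_anything
string_mask= utf8only
x509_extensions= usr_cert	  # The extentions to add to the cert

[ policy_anything ]
countryName= optional
stateOrProvinceName= optional
localityName= optional
organizationName= optional
organizationalUnitName  = optional
commonName= supplied
emailAddress= optional

[ req ]
default_bits= 2048
default_md= sha256
distinguished_name= req_distinguished_name
attributes= req_attributes
x509_extensions= v3_ca

[ req_distinguished_name ]
countryName= Country Name (2 letter code)
countryName_default= CN
stateOrProvinceName= State or Province Name (full name)
stateOrProvinceName_default= Beijing
localityName= Locality Name (eg, city)
localityName_default= Beijing
0.organizationName= Organization Name (eg, company)
0.organizationName_default= 
organizationalUnitName   = Organizational Unit Name (eg, section) 
#organizationalUnitName_default= 

# for CA-OU: yourname Certification Authority 
0.commonName= Common Name
0.commonName_max= 64
emailAddress= Email Address
emailAddress_max= 64
1.commonName= Common Name
1.commonName_max= 64
2.commonName= Common Name
2.commonName_max= 64
# 最後一個CU顯示最前


[ req_attributes ]
challengePassword= A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName= An optional company name
#unstructuredName_default=
[ v3_ca ]
subjectKeyIdentifier= hash
authorityKeyIdentifier= keyid:always,issuer:always
basicConstraints= CA:true
keyUsage= keyCertSign, cRLSign
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
[ usr_cert ]
basicConstraints= CA:FALSE
subjectKeyIdentifier= hash
authorityKeyIdentifier= keyid,issuer
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
#extendedKeyUsage= serverAuth, clientAuth
EOT

        info "CREATE CA KEY"
        # 4096-bit root key, AES-256 encrypted (openssl prompts for the passphrase).
        "$OPENSSL" genrsa -aes256 -out "$CA_KEY_FILE" 4096 || return 1
        info "CREATE CA CRT"
        # Self-signed, 20 years; the v3_ca extensions come from $CONF_FILE.
        "$OPENSSL" req -config "$CONF_FILE" -new -x509 -days 7300 \
            -key "$CA_KEY_FILE" -out "$CA_CRT_FILE" || return 1
    }

    # Create a key pair, CSR and CA-signed certificate for a WWW server.
    # Files go to $SERVER_DIR, named after the serial the CA assigns next.
    # Globals: SERVER_DIR, CUR_SERIAL, OPENSSL, CONF_FILE
    # Returns: 0 on success, non-zero if any step fails
    server() {
        SERVER_KEY_FILE=$SERVER_DIR/$CUR_SERIAL.key
        SERVER_KEY_FILE2=$SERVER_DIR/$CUR_SERIAL.key.unsecure
        SERVER_CSR_FILE=$SERVER_DIR/$CUR_SERIAL.csr
        SERVER_CRT_FILE=$SERVER_DIR/$CUR_SERIAL.crt

        info "CREATE SERVER KEY FILE"
        "$OPENSSL" genrsa -aes256 -out "$SERVER_KEY_FILE" 2048 || return 1
        info "CREATE UNSECURE SERVER KEY FILE"
        # Passphrase-less copy for unattended server start-up; the file
        # holds the bare private key, so keep it readable by the owner only.
        "$OPENSSL" rsa -in "$SERVER_KEY_FILE" -out "$SERVER_KEY_FILE2" || return 1
        chmod 600 "$SERVER_KEY_FILE2"
        info "CREATE SERVER CERT REQUEST"
        "$OPENSSL" req -config "$CONF_FILE" -new -key "$SERVER_KEY_FILE" \
            -out "$SERVER_CSR_FILE" || return 1
        info "SIGN AND CREATE SERVER CRT FILE"
        sign "$SERVER_CSR_FILE" "$SERVER_CRT_FILE"
    }

    # Create a personal (client) certificate and export it as PKCS#12.
    # Files go to $CLIENT_DIR, named after the serial the CA assigns next.
    # Globals: CLIENT_DIR, CUR_SERIAL, OPENSSL, CONF_FILE
    # Returns: 0 on success, non-zero if any step fails
    client() {
        CLIENT_KEY_FILE=$CLIENT_DIR/$CUR_SERIAL.key
        CLIENT_CSR_FILE=$CLIENT_DIR/$CUR_SERIAL.csr
        CLIENT_CRT_FILE=$CLIENT_DIR/$CUR_SERIAL.crt
        CLIENT_P12_FILE=$CLIENT_DIR/$CUR_SERIAL.p12

        info "CREATE CLIENT KEY FILE"
        "$OPENSSL" genrsa -aes256 -out "$CLIENT_KEY_FILE" 2048 || return 1
        info "CREATE CLIENT CERT REQUEST"
        "$OPENSSL" req -config "$CONF_FILE" -new -key "$CLIENT_KEY_FILE" \
            -out "$CLIENT_CSR_FILE" || return 1
        info "SIGN AND CREATE CLIENT CRT FILE"
        sign "$CLIENT_CSR_FILE" "$CLIENT_CRT_FILE" || return 1
        info "EXPORT TO PKCS#12 FORMAT"
        # Key + certificate bundle for import into browsers / mail clients;
        # openssl prompts for the export passphrase.
        "$OPENSSL" pkcs12 -export -aes256 -in "$CLIENT_CRT_FILE" \
            -inkey "$CLIENT_KEY_FILE" -out "$CLIENT_P12_FILE"
    }

    # Wipe the whole CA: keys, certificates, database and config. Only the
    # script itself is left. Irreversible.
    # Globals: DB_CERTS_DIR, DB_SERIAL_FILE, DB_INDEX_FILE, CONF_FILE,
    #          CA_CRT_FILE, CA_KEY_FILE, DB_DIR, SERVER_DIR, CLIENT_DIR
    reset() {
        # ${var:?} aborts instead of running rm -rf on an empty path.
        rm -rf -- "${DB_CERTS_DIR:?}" "${DB_SERIAL_FILE:?}" "${DB_INDEX_FILE:?}" "${CONF_FILE:?}"
        rm -f -- "${CA_CRT_FILE:?}" "${CA_KEY_FILE:?}"
        rm -rf -- "${DB_DIR:?}"
        rm -rf -- "${SERVER_DIR:?}" "${CLIENT_DIR:?}"
    }

    if [ $# -ne 1 ]; then
        error "Usage: $0 init|server|client|reset"
        exit 1
    fi

    # Everything except init needs an initialised CA. The serial that
    # openssl ca will assign next names the output files.
    if [ "$1" != "init" ]; then
        if [ ! -f "$DB_INDEX_FILE" ]; then
            error "Please call 'init' firstly"
            exit 1
        fi
        CUR_SERIAL=$(cat "$DB_SERIAL_FILE") || exit 1
    fi

    # The script's exit status is that of the selected command, so a failed
    # openssl step is visible to the caller instead of being masked by exit 0.
    case "$1" in
        init)
            info "INIT CA SYSTEM"
            init
            ;;
        server)
            info "CREATE SERVER CERT"
            server
            ;;
        client)
            info "CREATE CLIENT CERT"
            client
            ;;
        reset)
            info "RESET SYSTEM"
            reset
            ;;
        *)
            error "Usage: $0 init|server|client|reset"
            exit 1
            ;;
    esac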