Introduction
Automatically generating self-signed certificates with OpenSSL
Implementation
The script is as follows:
```bash
#!/bin/bash
# Certificate parameters (see the parameter description below the script)
DOMAIN=test1.zerchin.xyz
DOMAIN_EXT=
IP=172.16.1.188
DATE=3650

# Create the private CA once; later runs reuse it, so every server
# certificate chains to the same cacerts.pem
if [[ ! -e "cacerts.pem" || ! -e "cakey.pem" ]]
then
    openssl genrsa -out cakey.pem 2048
    openssl req -x509 -new -nodes -key cakey.pem -subj "/CN=zerchin" -days "${DATE}" -out cacerts.pem
fi

# Server private key and the CSR configuration
mkdir -p "${DOMAIN}"
openssl genrsa -out "${DOMAIN}/tls.key" 2048

cat > "${DOMAIN}/csr.conf" << EOF
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = CN
ST = GD
L = SZ
O = zerchin
OU = zerchin
CN = ${DOMAIN}

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
EOF

# subjectAltName entries. DOMAIN itself is always written as DNS.0: the
# original only listed it when DOMAIN_EXT was set, so with DOMAIN_EXT empty
# the certificate had no DNS name in its SAN and clients that ignore the CN
# rejected it. IFS is changed only for the duration of each `read`, so the
# comma separator does not leak into the rest of the script.
IFS="," read -r -a DNS <<< "${DOMAIN}${DOMAIN_EXT:+,${DOMAIN_EXT}}"
for i in "${!DNS[@]}"
do
    echo "DNS.${i} = ${DNS[$i]}" >> "${DOMAIN}/csr.conf"
done

if [[ -n ${IP} ]]
then
    IFS="," read -r -a ip <<< "${IP}"
    for i in "${!ip[@]}"
    do
        echo "IP.${i} = ${ip[$i]}" >> "${DOMAIN}/csr.conf"
    done
fi

cat >> "${DOMAIN}/csr.conf" << EOF

[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=nonRepudiation,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names
EOF

# Create the CSR and sign it with the private CA, applying the v3_ext
# extensions (the CSR's own extensions are not copied by `openssl x509`)
openssl req -new -key "${DOMAIN}/tls.key" -out "${DOMAIN}/tls.csr" -config "${DOMAIN}/csr.conf"
openssl x509 -req -in "${DOMAIN}/tls.csr" -CA cacerts.pem -CAkey cakey.pem \
    -CAcreateserial -out "${DOMAIN}/tls.crt" -days "${DATE}" \
    -extensions v3_ext -extfile "${DOMAIN}/csr.conf"
```
Parameter description:
DOMAIN: required, the certificate's domain name
DOMAIN_EXT: optional, additional domain names, separated by commas; leave empty if there are none
IP: optional, IP addresses to be trusted, separated by commas; leave empty if there are none
DATE: certificate validity period in days, default is 10 years
Generating the self-signed certificate
Save the script above to a file and run it:
```bash
bash auto-generate-cert.sh
```
Verification
```bash
# Inspect the certificate: check Subject, Issuer, validity and the
# X509v3 Subject Alternative Name entries
openssl x509 -noout -text -in test1.zerchin.xyz/tls.crt

# Verify the certificate chain against the private CA
openssl verify -CAfile cacerts.pem test1.zerchin.xyz/tls.crt

# Once the certificate is deployed, test the TLS handshake. Without -CAfile
# the chain cannot be verified unless cacerts.pem is in the system trust
# store; with -CAfile the output should end in "Verify return code: 0 (ok)"
openssl s_client -connect test1.zerchin.xyz:443 -servername test1.zerchin.xyz
openssl s_client -connect test1.zerchin.xyz:443 -servername test1.zerchin.xyz -CAfile cacerts.pem
```
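As an added example (not part of the original post), the two helpers below cover the subjectAltName handling of the script and of the verification step: build_alt_names builds the [ alt_names ] section from the same DOMAIN / DOMAIN_EXT / IP inputs, always listing the primary domain, and missing_sans checks the value line that `openssl x509 -noout -ext subjectAltName -in tls.crt` prints against every name the server must answer for. The function names and the SAMPLE_SAN value are constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for the SAN handling
# of the certificate script: build_alt_names emits the [ alt_names ] section
# for csr.conf, missing_sans checks a certificate's SAN list after signing.

# build_alt_names DOMAIN DOMAIN_EXT IP
# Prints DNS.N / IP.N entries for comma-separated inputs. The primary
# domain is always DNS.0 (the script only wrote it when DOMAIN_EXT was set).
# The body runs in a subshell, so the IFS change cannot leak to the caller.
build_alt_names() (
    echo "[ alt_names ]"
    IFS=','
    i=0
    for name in $1 $2; do          # unquoted on purpose: split on commas
        [ -n "$name" ] && { echo "DNS.$i = $name"; i=$((i + 1)); }
    done
    i=0
    for addr in $3; do
        [ -n "$addr" ] && { echo "IP.$i = $addr"; i=$((i + 1)); }
    done
)

# missing_sans SAN_LINE WANTED
# SAN_LINE is the value line printed by
#   openssl x509 -noout -ext subjectAltName -in tls.crt
# e.g. "DNS:a.example, IP Address:10.0.0.1"; WANTED is a comma-separated
# list of hostnames/IPs the server must present. Prints every name that is
# not covered and returns 1 if any is missing, 0 otherwise.
missing_sans() {
    _san=", $1,"
    _rc=0
    for _name in $(printf '%s' "$2" | tr ',' '\n'); do
        case "$_san" in
            *", DNS:$_name,"* | *", IP Address:$_name,"*) ;;
            *) echo "$_name"; _rc=1 ;;
        esac
    done
    return $_rc
}

# Constructed sample: the SAN of a certificate made with DOMAIN_EXT left
# empty by the unfixed script. The IP is present, the hostname is not.
SAMPLE_SAN="IP Address:172.16.1.188"

main() {
    build_alt_names test1.zerchin.xyz "" 172.16.1.188
    missing_sans "$SAMPLE_SAN" "test1.zerchin.xyz,172.16.1.188" \
        || echo "certificate does not cover every required name" >&2
}
main
```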