数字证书制作脚本

功能:
1. 生成自签名的 CA 根证书
2. 生成 WWW 服务器证书
3. 生成个人身份标识证书

特色:
1. 简单易用,傻瓜化
2. 支持中文 (使用 UTF-8 编码)
3. 使用标准 shell 脚本,外部依赖很少
4. 支持多域名证书

使用方法:
0. 把下面脚本内容保存为 mkca.sh
1. mkdir myca; mv mkca.sh myca; cd myca
2. ./mkca.sh init
3. ./mkca.sh server # 生成 Server 证书,放在 server/ 目录下。
4. ./mkca.sh client # 生成 Client 证书,放在 client/ 目录下。

注意事项:
1. 在 init 初始化 CA 证书时,当已经输入 CN 后(一般为 yourname Certification Authority),也会提示输入多个 Common Name,直接回车跳过即可
2. 如果预期域名多于3个,自己添加

引用
n.commonName = Common Name
n.commonName_max = 64
3. 如果在已init后签发多域名证书时发现域名多于3个,那么修改myca目录下 .config文件添加上面同样内容。
 


 

    #!/bin/sh
    # by [email protected] 2005.03.09
    # Usage: ca init; ca server; ca client
    # update: waiting@DRL 2010.05.17
    
    # Paths and defaults shared by every command below. All paths are relative
    # to the directory the script is run from (the CA directory).
    DB_DIR="db"                          # root of the CA database
    DB_CERTS_DIR="${DB_DIR}/certs"       # new_certs_dir for openssl ca
    DB_SERIAL_FILE="${DB_DIR}/serial"    # serial number of the next certificate
    DB_INDEX_FILE="${DB_DIR}/index"      # openssl ca database (issued certs)
    DB_RAND_FILE="${DB_DIR}/rand"        # RANDFILE handed to openssl
    CA_KEY_FILE="ca.key"                 # CA private key
    CA_CRT_FILE="ca.crt"                 # CA root certificate
    CONF_FILE=".config"                  # generated openssl configuration
    SERVER_DIR="server"                  # output directory for server material
    CLIENT_DIR="client"                  # output directory for client material
    OPENSSL="openssl"                    # openssl binary to invoke
    CUR_SERIAL="0"                       # replaced by the serial file's content before issuing
    
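    # Print an informational message in green on stdout.
    # $1 = message; printed verbatim (printf %s, so backslashes in the text are
    #      not interpreted, unlike the non-portable `echo -e` it replaces)
    info() {
      printf '\033[32m%s\033[0m\n' "$1"
    }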
    
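    # Print a warning in yellow. Diagnostics go to stderr so they do not mix
    # with anything a caller captures from stdout.
    # $1 = message; printed verbatim
    warn() {
      printf '\033[33m%s\033[0m\n' "$1" >&2
    }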
    
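    # Print an error in red on stderr and return 1 so callers can chain
    # `error "..." || exit 1` or test the status.
    # $1 = message; printed verbatim
    # Returns: 1 always
    error() {
      printf '\033[31m%s\033[0m\n' "$1" >&2
      return 1
    }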
    
    # 签名,生成证书
    #$1 = 要签名的证书请求文件 (.csr)
    #$2 = 输出的证书文件 (.crt)
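    # Sign a certificate request with the CA and verify the result against ca.crt.
    # $1 = certificate request to sign (.csr)
    # $2 = certificate file to write (.crt)
    # Globals: OPENSSL, CONF_FILE, CA_CRT_FILE, DB_SERIAL_FILE, DB_INDEX_FILE (read)
    # Returns: non-zero if signing or verification fails, so a caller does not
    #          continue (e.g. to a PKCS#12 export) with a missing certificate.
    sign() {
      local csr="$1"
      local crt="$2"
      info "CA signing: $csr -> $crt"
      # -infiles must stay the last option: openssl ca treats everything after it as input files
      "$OPENSSL" ca -config "$CONF_FILE" -out "$crt" -infiles "$csr" || return 1
      info "CA verifying: $crt <-> $CA_CRT_FILE"
      "$OPENSSL" verify -CAfile "$CA_CRT_FILE" "$crt" || return 1
      # openssl ca leaves *.old backups of the serial and index; the script keeps
      # only the live copies.
      rm -f -- "$DB_SERIAL_FILE.old" "$DB_INDEX_FILE.old"
    }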
    
    # 初始化 CA 系统,生成 CA 根证书
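    # Initialise the CA: create the database directories and files, write the
# openssl configuration, then generate the CA private key and a self-signed
# root certificate. Existing serial/index files are kept; the configuration
# file and CA key/certificate are (re)generated.
# Globals: DB_*, CA_*, CONF_FILE, SERVER_DIR, CLIENT_DIR, OPENSSL (read)
# Returns: non-zero if a directory/file cannot be created or an openssl step fails
init() {
  mkdir -p -- "$DB_DIR" "$DB_CERTS_DIR" "$SERVER_DIR" "$CLIENT_DIR" || return 1

  # serial of the first certificate issued; openssl ca increments it afterwards
  if [ ! -f "$DB_SERIAL_FILE" ]; then
    echo '01' > "$DB_SERIAL_FILE" || return 1
  fi
  if [ ! -f "$DB_INDEX_FILE" ]; then
    touch -- "$DB_INDEX_FILE" || return 1
  fi

  # The heredoc delimiter is deliberately unquoted: the $DB_*/$CA_* paths are
  # expanded into the file, while "\$dir" stays literal for openssl to expand.
  # Signatures use sha256: SHA-1 certificate signatures are rejected by
  # current TLS clients.
  # NOTE(review): the numbered commonName entries are how this script supports
  # multi-domain certificates; modern browsers match host names only against a
  # subjectAltName extension, so names in CN alone will not satisfy them.
  cat > "$CONF_FILE" <<EOT

[ ca ]
default_ca = CA_own

[ CA_own ]
dir = .
certs = \$dir
new_certs_dir = \$dir/$DB_CERTS_DIR
database = \$dir/$DB_INDEX_FILE
serial = \$dir/$DB_SERIAL_FILE
RANDFILE = \$dir/$DB_RAND_FILE
certificate = \$dir/$CA_CRT_FILE
private_key = \$dir/$CA_KEY_FILE
default_days = 3650
default_crl_days = 30
default_md = sha256
preserve = no
policy = policy_anything
string_mask = utf8only
x509_extensions = usr_cert	  # The extentions to add to the cert

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Beijing
localityName = Locality Name (eg, city)
localityName_default = Beijing
0.organizationName = Organization Name (eg, company)
0.organizationName_default =
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

# for CA-OU: yourname Certification Authority
0.commonName = Common Name
0.commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
1.commonName = Common Name
1.commonName_max = 64
2.commonName = Common Name
2.commonName_max = 64
# 最后一个CU显示最前

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
#unstructuredName_default =

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
# RFC 5280 requires basicConstraints to be critical in a CA certificate
basicConstraints = critical,CA:true
keyUsage = keyCertSign, cRLSign
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection

[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
#extendedKeyUsage = serverAuth, clientAuth
EOT

  info "CREATE CA KEY"
  "$OPENSSL" genrsa -aes256 -out "$CA_KEY_FILE" 4096 || return 1
  # the CA key is the root of trust for everything issued here; owner-only access
  chmod 600 "$CA_KEY_FILE"
  info "CREATE CA CRT"
  "$OPENSSL" req -config "$CONF_FILE" -new -x509 -days 7300 \
    -key "$CA_KEY_FILE" -out "$CA_CRT_FILE" || return 1
}

# Issue a WWW server certificate named after the current serial number.
# Writes into $SERVER_DIR: <serial>.key (passphrase-protected),
# <serial>.key.unsecure (same key without passphrase, for unattended daemons),
# <serial>.csr and <serial>.crt.
# Globals: SERVER_DIR, CUR_SERIAL, OPENSSL, CONF_FILE (read);
#          SERVER_KEY_FILE, SERVER_KEY_FILE2, SERVER_CSR_FILE, SERVER_CRT_FILE (written)
# Returns: non-zero if any openssl step fails
server() {
  SERVER_KEY_FILE="$SERVER_DIR/$CUR_SERIAL.key"
  SERVER_KEY_FILE2="$SERVER_DIR/$CUR_SERIAL.key.unsecure"
  SERVER_CSR_FILE="$SERVER_DIR/$CUR_SERIAL.csr"
  SERVER_CRT_FILE="$SERVER_DIR/$CUR_SERIAL.crt"
  info "CREATE SERVER KEY FILE"
  "$OPENSSL" genrsa -aes256 -out "$SERVER_KEY_FILE" 2048 || return 1
  chmod 600 "$SERVER_KEY_FILE"
  info "CREATE UNSECURE SERVER KEY FILE"
  # the unencrypted copy is readable by anyone who can read the file: owner-only
  "$OPENSSL" rsa -in "$SERVER_KEY_FILE" -out "$SERVER_KEY_FILE2" || return 1
  chmod 600 "$SERVER_KEY_FILE2"
  info "CREATE SERVER CERT REQUEST"
  "$OPENSSL" req -config "$CONF_FILE" -new -key "$SERVER_KEY_FILE" \
    -out "$SERVER_CSR_FILE" || return 1
  info "SIGN AND CREATE SERVER CRT FILE"
  sign "$SERVER_CSR_FILE" "$SERVER_CRT_FILE"
}

# Issue a personal (client) certificate named after the current serial number
# and bundle it with its key as PKCS#12.
# Writes into $CLIENT_DIR: <serial>.key, <serial>.csr, <serial>.crt, <serial>.p12.
# Globals: CLIENT_DIR, CUR_SERIAL, OPENSSL, CONF_FILE (read);
#          CLIENT_KEY_FILE, CLIENT_CSR_FILE, CLIENT_CRT_FILE, CLIENT_P12_FILE (written)
# Returns: non-zero if any openssl step fails
client() {
  CLIENT_KEY_FILE="$CLIENT_DIR/$CUR_SERIAL.key"
  CLIENT_CSR_FILE="$CLIENT_DIR/$CUR_SERIAL.csr"
  CLIENT_CRT_FILE="$CLIENT_DIR/$CUR_SERIAL.crt"
  CLIENT_P12_FILE="$CLIENT_DIR/$CUR_SERIAL.p12"
  info "CREATE CLIENT KEY FILE"
  "$OPENSSL" genrsa -aes256 -out "$CLIENT_KEY_FILE" 2048 || return 1
  chmod 600 "$CLIENT_KEY_FILE"
  info "CREATE CLIENT CERT REQUEST"
  "$OPENSSL" req -config "$CONF_FILE" -new -key "$CLIENT_KEY_FILE" \
    -out "$CLIENT_CSR_FILE" || return 1
  info "SIGN AND CREATE CLIENT CRT FILE"
  sign "$CLIENT_CSR_FILE" "$CLIENT_CRT_FILE" || return 1
  info "EXPORT TO PKCS#12 FORMAT"
  "$OPENSSL" pkcs12 -export -aes256 -in "$CLIENT_CRT_FILE" \
    -inkey "$CLIENT_KEY_FILE" -out "$CLIENT_P12_FILE" || return 1
  # the .p12 carries the private key as well
  chmod 600 "$CLIENT_P12_FILE"
}

# Wipe the CA: database, configuration, CA key/certificate and all issued
# server/client material. Only this script is left behind. Irreversible —
# once ca.key is gone nothing issued by this CA can be renewed or revoked.
# Globals: DB_*, CONF_FILE, CA_*, SERVER_DIR, CLIENT_DIR (read)
reset() {
  # ${VAR:?} aborts rather than running rm -rf on an empty path
  rm -rf -- "${DB_CERTS_DIR:?}" "$DB_SERIAL_FILE" "$DB_INDEX_FILE" "$CONF_FILE"
  rm -f -- "$CA_CRT_FILE" "$CA_KEY_FILE"
  rm -rf -- "${DB_DIR:?}"
  rm -rf -- "${SERVER_DIR:?}" "${CLIENT_DIR:?}"
}

if [ $# -ne 1 ]; then
  error "Usage: $0 init|server|client|reset"
  exit 1
fi

# every command except init needs an initialised database and the current serial
if [ "$1" != "init" ]; then
  if [ ! -f "$DB_INDEX_FILE" ]; then
    error "Please call 'init' firstly"
    exit 1
  fi
  CUR_SERIAL=$(cat "$DB_SERIAL_FILE") || exit 1
fi

# exit with the command's status so a failed openssl step is visible to callers
case "$1" in
  init)
    info "INIT CA SYSTEM"
    init
    exit $?
    ;;
  server)
    info "CREATE SERVER CERT"
    server
    exit $?
    ;;
  client)
    info "CREATE CLIENT CERT"
    client
    exit $?
    ;;
  reset)
    info "RESET SYSTEM"
    reset
    exit $?
    ;;
  *)
    error "Usage: $0 init|server|client|reset"
    exit 1
    ;;
esac
exit 0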
