@cld4h
Forked from jerelmiller/create_certificate_for_domain.sh
Last active May 2, 2022 09:10

Step 1

First, run

create_root_cert_and_key.sh

openssl will prompt for the following:

Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ETO
Organizational Unit Name (eg, section) []:Adventists
Common Name (e.g. server FQDN or YOUR name) 叶文洁
Email Address []:wenjieye@tsinghua.edu.cn

This produces two files, rootCA.pem and rootCA.key: the root certificate and its private key, which are used to sign the TLS certificates issued later.

Run openssl x509 -in rootCA.pem -noout -text to view the contents of rootCA.pem:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            18:bb:a3:0c:fd:e6:3d:6a:c3:e5:ce:a6:3a:60:10:23:53:78:90:a0
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = Beijing, L = Beijing, O = ETO, OU = Adventists, CN = \C3\A5\C2\8F\C2\B6\C3\A6\C2\96\C2\87\C3\A6\C2\B4\C2\81, emailAddress = wenjieye@tsinghua.edu.cn
        Validity
            Not Before: May  2 08:57:43 2022 GMT
            Not After : Feb 19 08:57:43 2025 GMT
        Subject: C = CN, ST = Beijing, L = Beijing, O = ETO, OU = Adventists, CN = \C3\A5\C2\8F\C2\B6\C3\A6\C2\96\C2\87\C3\A6\C2\B4\C2\81, emailAddress = wenjieye@tsinghua.edu.cn
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:d0:e9:53:c8:5d:77:4a:c6:59:7f:ad:49:27:8e:
                    bd:71:00:a7:7a:00:cc:1b:e7:94:3c:4c:5c:70:4b:
                    52:82:15:2b:16:30:12:09:6e:c0:99:2f:31:81:0d:
                    d8:bd:f2:8a:7b:6f:49:bc:00:fd:d5:69:51:0a:8c:
                    d8:b4:be:7c:ab:26:8b:ed:64:ff:0e:4f:4d:70:8c:
                    94:0f:a1:69:7b:cf:65:e4:81:05:28:93:cd:21:ce:
                    c6:24:ef:73:15:2b:89:02:c7:40:11:d4:75:2e:63:
                    ec:20:b5:91:bf:5e:06:6c:dc:5f:64:34:df:96:61:
                    4e:4d:e3:bd:e3:64:88:02:54:43:f4:a7:a0:36:9e:
                    e2:ae:e7:e0:7f:93:36:f2:ec:a7:b8:aa:4b:ff:d4:
                    7c:b1:33:74:e9:70:16:fd:19:41:f6:0c:5a:94:52:
                    f8:0a:39:f3:ff:36:5e:aa:60:6c:e1:41:01:6e:d5:
                    d7:d1:53:59:b4:8e:76:66:f7:f6:bf:47:9d:64:ec:
                    4c:e0:a0:c3:2e:c9:07:17:f2:cc:a1:3d:bf:a0:42:
                    d0:ba:f2:3d:51:45:40:bd:af:8f:1b:20:ef:08:9c:
                    4a:8a:5a:84:23:a1:c1:35:22:e3:df:92:71:59:b3:
                    19:5a:6a:2d:ee:ec:a1:ef:40:d0:ae:36:af:d1:bc:
                    47:f5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                D0:63:3A:15:5E:83:2F:96:12:37:7C:F0:A2:12:B9:51:DC:80:55:48
            X509v3 Authority Key Identifier:
                keyid:D0:63:3A:15:5E:83:2F:96:12:37:7C:F0:A2:12:B9:51:DC:80:55:48

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         ae:7b:d0:a7:1b:a8:d8:1a:7a:a5:a6:ea:e4:7d:a3:c5:5c:64:
         14:2a:ac:13:80:bf:71:c8:1a:9b:0d:b9:f3:0f:21:74:48:18:
         4c:f3:37:0c:66:e3:c6:16:e6:fd:e7:8c:42:9c:5b:36:65:d5:
         87:af:5b:38:35:32:97:dd:dd:c4:74:f6:6d:9d:c8:b3:5c:16:
         5a:cb:b6:6e:12:e6:19:51:e9:e7:78:53:17:f4:f1:1c:3d:65:
         0f:ae:59:86:a7:06:f6:e8:3e:aa:ba:71:44:07:7e:80:a2:b2:
         14:e1:dc:43:e2:8e:58:a6:1c:ef:5f:b9:9e:35:35:80:ad:27:
         1c:1a:69:ef:0b:18:29:0b:55:17:52:a5:ff:f0:34:84:6e:0d:
         b4:c8:30:9e:a0:d4:d6:12:d0:68:8d:87:b2:37:2f:3d:4f:20:
         5e:e8:5a:64:59:9d:b3:be:18:17:f7:67:e6:3c:73:4c:60:a5:
         6e:6a:b1:58:62:b7:6f:d6:89:77:f4:76:e8:76:65:f0:0e:6d:
         5c:c4:d1:e9:f7:2b:21:49:b5:06:67:88:95:c8:94:97:6a:0f:
         d6:36:7a:28:e9:55:02:eb:23:87:f8:e4:ec:cb:16:c8:50:cd:
         9f:75:a0:ed:47:56:2f:30:ed:17:54:13:26:93:79:28:35:b5:
         ca:98:e3:67

Next, run create_certificate_for_domain.sh www.eto.com

which produces the following output:

Generating a RSA private key
..+++++
..........................................................................................................+++++
writing new private key to 'device.key'
-----
Signature ok
subject=C = CA, ST = None, L = NB, O = None, CN = *.www.eto.com
Getting CA Private Key

###########################################################################
Done!
###########################################################################
To use these files on your server, simply copy both www.eto.com.csr and
device.key to your webserver, and use like so (if Apache, for example)

    SSLCertificateFile    /path_to_your_files/www.eto.com.crt
    SSLCertificateKeyFile /path_to_your_files/device.key

This generates rootCA.srl, device.key, www.eto.com.crt and www.eto.com.csr.

As you can see, www.eto.com.crt is the issued certificate, and device.key is the private key that belongs to it.
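Note the subject line in the output above: CN = *.www.eto.com. With no second argument, the script's COMMON_NAME default of ${2:-*.$1} turns the domain into a wildcard one label below it, and the same value is substituted into the subjectAltName of v3.ext. The Python below is an added example, not part of this gist: it mirrors that default and applies the wildcard matching rules TLS clients use (RFC 6125 semantics, assumed here) so you can see which hostnames the issued certificate actually covers before deploying it.

```python
# Added example: which hostnames does the certificate from
# "create_certificate_for_domain.sh www.eto.com" actually cover?

def script_common_name(domain, common_name=""):
    """Mirror COMMON_NAME=${2:-*.$1}: an empty second argument means a
    wildcard one label below the domain, e.g. www.eto.com -> *.www.eto.com."""
    return common_name or "*." + domain


def san_matches(pattern, hostname):
    """DNS-ID matching as TLS clients apply it (RFC 6125 semantics): the
    wildcard must be the whole leftmost label, it matches exactly one label,
    and it never matches the parent name it is attached to."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    # Reject partial wildcards (w*.example), nested wildcards and "*.com".
    if labels[0] != "*" or len(labels) < 3 or "*" in pattern[1:]:
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def cert_covers(domain, hostname, common_name=""):
    """Would the cert the script issues for `domain` (optionally with an
    explicit CN as second argument) be accepted for `hostname`? The script
    writes COMMON_NAME into both the CN and the single DNS.1 SAN entry,
    so one pattern decides."""
    return san_matches(script_common_name(domain, common_name), hostname)


if __name__ == "__main__":
    for host in ("www.eto.com", "api.www.eto.com", "a.b.www.eto.com"):
        print(f"{host:20} default CN: {cert_covers('www.eto.com', host)!s:5}"
              f"  explicit CN: {cert_covers('www.eto.com', host, 'www.eto.com')}")
```

Against the real file, openssl x509 -in www.eto.com.crt -noout -checkhost www.eto.com performs the same hostname check and reports whether the name matches the certificate.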

create_certificate_for_domain.sh:

#!/bin/bash
if [ -z "$1" ]; then
  echo "Please supply a subdomain to create a certificate for"
  echo "e.g. www.mysite.com"
  exit 1
fi

# Create a new private key if one doesn't exist, or use the existing one if it does
if [ -f device.key ]; then
  KEY_OPT="-key"
else
  KEY_OPT="-keyout"
fi

DOMAIN=$1
# Common name defaults to a wildcard one label below $1 (e.g. *.www.eto.com);
# pass an explicit second argument to override it
COMMON_NAME=${2:-*.$1}
SUBJECT="/C=CA/ST=None/L=NB/O=None/CN=$COMMON_NAME"
NUM_OF_DAYS=999

# Generate the CSR (and the key, unless device.key already exists)
openssl req -new -newkey rsa:2048 -sha256 -nodes $KEY_OPT device.key -subj "$SUBJECT" -out device.csr
# Fill the common name into the v3 extension template (subjectAltName etc.)
sed "s/%%DOMAIN%%/$COMMON_NAME/g" v3.ext > /tmp/__v3.ext
# Sign the CSR with the root CA produced by create_root_cert_and_key.sh
openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days $NUM_OF_DAYS -sha256 -extfile /tmp/__v3.ext

# move output files to final filenames
mv device.csr "$DOMAIN.csr"
cp device.crt "$DOMAIN.crt"

# remove temp files
rm -f device.crt /tmp/__v3.ext

echo
echo "###########################################################################"
echo "Done!"
echo "###########################################################################"
echo "To use these files on your server, simply copy both $DOMAIN.csr and"
echo "device.key to your webserver, and use like so (if Apache, for example)"
echo
echo "    SSLCertificateFile    /path_to_your_files/$DOMAIN.crt"
echo "    SSLCertificateKeyFile /path_to_your_files/device.key"
create_root_cert_and_key.sh:

#!/bin/bash
# 2048-bit RSA private key for the root CA; keep rootCA.key private
openssl genrsa -out rootCA.key 2048
# Self-signed root certificate valid for 1024 days; openssl prompts for the
# subject fields shown above, and the result carries basicConstraints CA:TRUE
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
v3.ext:

# X509v3 extensions for the issued (leaf) certificate; %%DOMAIN%% is
# replaced with COMMON_NAME by create_certificate_for_domain.sh
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = %%DOMAIN%%