Skip to content

Instantly share code, notes, and snippets.

@jshensh
Last active Feb 28, 2022
Embed
What would you like to do?
OpenSSL 双向认证配置脚本
#!/bin/bash -e
# 创建CA根证书
# 非交互式方式创建以下内容:
# 国家名(2个字母的代号)
C=CN
#
ST=Shanghai
#
L=Shanghai
# 公司名
O="Organization Name"
# 组织或部门名
OU="Organizational Unit Name"
# 服务器FQDN或颁发者名
CN="Common Name"
# 邮箱地址
emailAddress=admin@ddns.example.com
mkdir -p ./demoCA/{private,newcerts}
touch ./demoCA/index.txt
[ ! -f ./demoCA/seria ] && echo 01 > ./demoCA/serial
[ ! -f ./demoCA/crlnumber ] && echo 01 > ./demoCA/crlnumber
[ ! -f ./demoCA/cacert.pem ] && openssl req -utf8 -new -x509 -days 36500 -newkey rsa:2048 -nodes -keyout ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem -subj "/C=${C}/ST=${ST}/L=${L}/O=${O}/OU=${OU}/CN=${CN}/emailAddress=${emailAddress}"
[ ! -f ./demoCA/private/ca.crl ] && openssl ca -crldays 36500 -gencrl -out "./demoCA/private/ca.crl"/{private,newcerts}
touch ./demoCA/index.txt
[ ! -f ./demoCA/seria ] && echo 01 > ./demoCA/serial
[ ! -f ./demoCA/crlnumber ] && echo 01 > ./demoCA/crlnumber
[ ! -f ./demoCA/cacert.pem ] && openssl req -utf8 -new -x509 -days 36500 -newkey rsa:2048 -nodes -keyout ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem -subj "/C=${C}/ST=${ST}/L=${L}/O=${O}/OU=${OU}/CN=${CN}/emailAddress=${emailAddress}"
[ ! -f ./demoCA/private/ca.crl ] && openssl ca -crldays 36500 -gencrl -out "./demoCA/private/ca.crl"
# 创建客户端证书
# 非交互式方式创建以下内容:
# 国家名(2个字母的代号)
C=CN
#
ST=Shanghai
#
L=Shanghai
# 公司名
O="Organization Name"
# 组织或部门名
OU="Organizational Unit Name"
# 服务器FQDN或颁发者名
CN="Common Name"
# 邮箱地址
emailAddress=${emailAddress:-admin@ddns.example.com}
[ ! -f "client.key" ] && openssl req -utf8 -nodes -newkey rsa:2048 -keyout "client.key" -new -out "client.csr" -subj "/C=${C}/ST=${ST}/L=${L}/O=${O}/OU=${OU}/CN=${CN}/emailAddress=${emailAddress}"
[ ! -f "client.crt" ] && openssl ca -utf8 -batch -days 36500 -in "client.csr" -out "client.crt"
[ ! -f "client.p12" ] && openssl pkcs12 -export -clcerts -CApath ./demoCA/ -inkey "client.key" -in "client.crt" -certfile "./demoCA/cacert.pem" -passout pass: -out "client.p12"
#!/bin/bash -e
# 公司名
O="Organization Name"
# 组织或部门名
OU="Organizational Unit Name"
openssl req -utf8 \
-nodes \
-newkey rsa:2048 \
-keyout ssl.key \
-new \
-sha256 \
-subj "/C=CN/ST=Shanghai/L=Shanghai/O=${O}/OU=${OU}/CN=192.168.1.234" \
-reqexts SAN \
-config <(cat /etc/pki/tls/openssl.cnf \
<(printf "[SAN]\nsubjectAltName=IP:192.168.1.234,DNS:*.ddns.example.com")) \
-out ssl.csr
openssl ca -in ssl.csr \
-md sha256 \
-keyfile ./demoCA/private/cakey.pem \
-cert ./demoCA/cacert.pem \
-extensions SAN \
-config <(cat /etc/pki/tls/openssl.cnf \
<(printf "[SAN]\nsubjectAltName=IP:192.168.1.234,DNS:*.ddns.example.com")) \
-out ssl.crt
#!/bin/bash -e
# 吊销一个签证过的证书
openssl ca -revoke "${1}/${1}.crt"
openssl ca -gencrl -out "/etc/pki/CA/private/ca.crl"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment