OpenSSL 双向认证配置脚本
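#!/bin/bash
# Create the CA root certificate non-interactively.
# Everything is written under /etc/pki/CA, the CA directory this layout
# (index.txt, serial, crlnumber, newcerts/, private/) is shared with the
# client-cert and revoke scripts.
set -euo pipefail

# Distinguished-name fields for the CA certificate.
# Country (2-letter code)
C=CN
# State / province
ST=Shanghai
# Locality
L=Shanghai
# Company name (empty: the field is left out of the subject)
O=""
# Organisation or department name (empty: left out of the subject)
OU=""
# Server FQDN or issuer name
CN="*.ddns.example.com"
# NOTE: "DNS" is not a DN attribute; OpenSSL skips it with a
# "has no known NID" warning. A DNS SAN has to be set as an extension
# (-addext / an extensions section in openssl.cnf), not in -subj.
DNS="ddns.example.com"
# E-mail address
emailAddress=admin@ddns.example.com

readonly ca_dir=/etc/pki/CA

#######################################
# Build the -subj string from the DN variables above.
# Empty fields are skipped so that OpenSSL never sees "/O=" without a
# value (rejected or warned about depending on the OpenSSL version).
# Globals:   C ST L O OU CN DNS emailAddress (read)
# Outputs:   the subject string on stdout, e.g. /C=CN/ST=Shanghai/...
#######################################
build_subject() {
  local subj="" field value
  for field in C ST L O OU CN DNS emailAddress; do
    value=${!field}
    if [[ -n "$value" ]]; then
      subj+="/${field}=${value}"
    fi
  done
  printf '%s' "$subj"
}

mkdir -p "${ca_dir}/private" "${ca_dir}/newcerts"
# The CA key lives here unencrypted (-nodes below); keep the directory private.
chmod 700 "${ca_dir}/private"
touch "${ca_dir}/index.txt"
# Seed the counters only on the first run: resetting "serial" on every run
# would re-issue serial numbers that were already handed out.
[[ -f "${ca_dir}/serial" ]] || echo 01 > "${ca_dir}/serial"
[[ -f "${ca_dir}/crlnumber" ]] || echo 01 > "${ca_dir}/crlnumber"

if [[ ! -f "${ca_dir}/cacert.pem" ]]; then
  openssl req -utf8 -new -x509 -days 36500 -newkey rsa:2048 -nodes \
    -keyout "${ca_dir}/private/cakey.pem" -out "${ca_dir}/cacert.pem" \
    -subj "$(build_subject)"
  # -nodes wrote the key in the clear; restrict it to the owner.
  chmod 600 "${ca_dir}/private/cakey.pem"
fi

if [[ ! -f "${ca_dir}/private/ca.crl" ]]; then
  openssl ca -crldays 36500 -gencrl -out "${ca_dir}/private/ca.crl"
fi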
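#!/bin/bash
# Create a client certificate signed by the local CA (non-interactive).
# Options --ou, --cn and --email override the defaults set further down.
# Strict mode is set here rather than in the shebang so it also applies
# when the script is started as "bash script.sh".
set -euo pipefail

#######################################
# Print the usage text to stdout.
# Globals:   $0 (read, shown as the program name)
# Arguments: none
#######################################
show_help() {
  cat <<EOF
$0 [-h|-?|--help] [--ou ou] [--cn cn] [--email email]
-h|-?|--help 显示帮助
--ou 设置组织或部门名,如: 技术部
--cn 设置FQDN或所有者名,如: 冯宇
--email 设置FQDN或所有者邮件,如: fengyu@example.com
EOF
}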
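#######################################
# Parse the command line into the DN overrides used below.
# A value option given without its value is reported as an error instead
# of silently assigning an empty string and then tripping on "shift".
# Globals:   OU CN emailAddress (written)
# Arguments: the script's "$@"
# Returns:   0; exits 0 after --help, 1 on an unknown option or missing value
#######################################
parse_args() {
  while [[ $# -gt 0 ]]; do
    case "$1" in
      -h|-\?|--help)
        show_help
        exit 0
        ;;
      --ou|--cn|--email)
        if [[ $# -lt 2 ]]; then
          printf "Error: %s option '%s' requires an argument.\nTry '%s --help' for more information.\n\n" "$0" "$1" "$0" >&2
          exit 1
        fi
        case "$1" in
          --ou) OU=$2 ;;
          --cn) CN=$2 ;;
          --email) emailAddress=$2 ;;
        esac
        shift 2
        ;;
      --)
        # End of options; anything after it is ignored by this script.
        shift
        break
        ;;
      *)
        printf "Error: %s invalid option '%s'\nTry '%s --help' for more information.\n\n" "$0" "$1" "$0" >&2
        exit 1
        ;;
    esac
  done
}
parse_args "$@"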
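# Create the client certificate non-interactively.
# Distinguished-name fields; OU, CN and emailAddress may have been set by
# the options parsed above (or by the environment).
# Country (2-letter code)
C=CN
# State / province
ST=Shanghai
# Locality
L=Shanghai
# Company name
O=ddns.example.com
# Organisation or department name
OU=${OU:-测试部门}
# FQDN or holder name; also used as the output directory and file stem
CN=${CN:-demo}
# E-mail address
emailAddress=${emailAddress:-demo@example.com}

# "/" separates attributes inside -subj, so a value containing it would
# inject extra DN components into the certificate.
for field in OU CN emailAddress; do
  if [[ "${!field}" == */* ]]; then
    printf 'Error: %s must not contain "/"\n' "$field" >&2
    exit 1
  fi
done
# CN is also a path component: refuse values that escape the current
# directory or would be parsed as an option by mkdir/openssl.
case "$CN" in
  ''|.|..|-*)
    printf 'Error: invalid CN %s\n' "$CN" >&2
    exit 1
    ;;
esac

mkdir -p -- "${CN}"
if [[ ! -f "${CN}/${CN}.key" ]]; then
  openssl req -utf8 -nodes -newkey rsa:2048 -keyout "${CN}/${CN}.key" -new -days 36500 \
    -out "${CN}/${CN}.csr" \
    -subj "/C=${C}/ST=${ST}/L=${L}/O=${O}/OU=${OU}/CN=${CN}/emailAddress=${emailAddress}"
  # -nodes wrote the key unencrypted; restrict it to the owner.
  chmod 600 "${CN}/${CN}.key"
fi
# Sign with the CA configured in openssl.cnf; -batch suppresses the prompts.
if [[ ! -f "${CN}/${CN}.crt" ]]; then
  openssl ca -utf8 -batch -days 36500 -in "${CN}/${CN}.csr" -out "${CN}/${CN}.crt"
fi
# Bundle key, certificate and CA certificate as PKCS#12. "-passout pass:"
# leaves the bundle (and the private key in it) without a password, so the
# .p12 must only be handed out over a protected channel.
if [[ ! -f "${CN}/${CN}.p12" ]]; then
  openssl pkcs12 -export -clcerts -CApath /etc/pki/CA/ -inkey "${CN}/${CN}.key" \
    -in "${CN}/${CN}.crt" -certfile "/etc/pki/CA/cacert.pem" -passout pass: \
    -out "${CN}/${CN}.p12"
  chmod 600 "${CN}/${CN}.p12"
fi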
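#!/bin/bash
# Revoke a certificate issued by the local CA and regenerate the CRL.
# Usage: <script> <cn>   -- expects <cn>/<cn>.crt as written by the
# client-cert script.
set -euo pipefail

cn=${1:?usage: ${0##*/} <cn>}
crt="${cn}/${cn}.crt"
if [[ ! -f "$crt" ]]; then
  printf 'Error: certificate %s not found\n' "$crt" >&2
  exit 1
fi
openssl ca -revoke "$crt"
# Publish the revocation: relying parties only see it once the CRL is rebuilt.
openssl ca -gencrl -out "/etc/pki/CA/private/ca.crl"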