Last active
March 23, 2021 06:03
-
-
Save ruo91/4f620389a05ce130e44f61bd214f23b4 to your computer and use it in GitHub Desktop.
OpenSSL - Self-Signed 인증서 생성 스크립트
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #---------------------------------------------------# | |
| # - Title | |
| # Generating Self-Signed Certificate with OpenSSL | |
| # | |
| # - Script Version | |
| # v1.0 | |
| # | |
| # - OS Supported | |
| # All | |
| # | |
| # - Required Package | |
| # OpenSSL | |
| # https://www.openssl.org/ | |
| # | |
| # - Maintainer | |
| # Yongbok Kim (ruo91) | |
| #---------------------------------------------------# | |
| #!/bin/bash | |
| # Global Variables | |
| ROOTCA_DAYS="36500" | |
| CLIENT_DAYS="365" | |
| ROOTCA="root/rootca.crt" | |
| ROOTCA_CSR="root/rootca.csr" | |
| ROOTCA_KEY="root/rootca.key" | |
| CLIENT_NAME="example example2" | |
| CERT_PASS="your-password" | |
| # OpenSSL Config | |
| # RootCA | |
| OPENSSL_ROOTCA_COUNTRY_NAME='KR' | |
| OPENSSL_ROOTCA_STATE_NAME='Seoul' | |
| OPENSSL_ROOTCA_LOCAL_NAME='Gangnam-gu' | |
| OPENSSL_ROOTCA_OU_NAME='Your Company' | |
| OPENSSL_ROOTCA_COMMON_NAME='Your Company - Self Signed RootCA' | |
| # Client | |
| OPENSSL_CLIENT_COUNTRY_NAME='KR' | |
| OPENSSL_CLIENT_STATE_NAME='Seoul' | |
| OPENSSL_CLIENT_LOCAL_NAME='Gangnam-gu' | |
| OPENSSL_CLIENT_OU_NAME='Your Company' | |
| OPENSSL_CLIENT_COMMON_NAME_01='*.example.com' | |
| OPENSSL_CLIENT_COMMON_NAME_02='*.example2.com' | |
| OPENSSL_CLIENT_COMMON_NAME_03='*.example3.com' | |
| OPENSSL_CLIENT_COMMON_NAME_04='*.example4.com' | |
| OPENSSL_CLIENT_COMMON_NAME_05='*.example5.com' | |
| # Functios | |
| # Check workdir | |
| function f_check_workdir { | |
| mkdir -p {root,client,conf} | |
| for i in ${CLIENT_NAME}; do | |
| mkdir -p client/$i; | |
| done | |
| } | |
| # Check OpenSSL config files | |
| function f_check_openssl_conf { | |
| if [[ ! -e "conf/openssl-rootca.conf" ]]; then | |
| f_create_openssl_rootca_conf | |
| fi | |
| for i in ${CLIENT_NAME}; do | |
| if [[ ! -e "conf/openssl-$i.conf" ]]; then | |
| f_create_openssl_client_conf | |
| fi | |
| done | |
| } | |
| # Check RootCA Certificates | |
| function f_check_rootca { | |
| if [[ ! -e "$ROOTCA" ]]; then | |
| f_create_rootca | |
| fi | |
| } | |
| # Remove all certificates (not recommend) | |
| function f_cert_remove_all { | |
| for i in ${CLIENT_NAME}; do | |
| rm -f root/$i/* | |
| rm -f client/$i/*; | |
| done | |
| } | |
| # Update CA Trust | |
| function f_update_ca_trust { | |
| for i in ${CLIENT_NAME}; do | |
| cp client/$i/$i.crt /etc/pki/ca-trust/source/anchors | |
| update-ca-trust; | |
| done | |
| } | |
| # Create OpenSSL RootCA Config files | |
| function f_create_openssl_rootca_conf { | |
| # RootCA | |
| cat << EOF > conf/openssl-rootca.conf | |
| [ req ] | |
| default_bits = 2048 | |
| prompt = no | |
| default_md = sha256 | |
| distinguished_name = req_distinguished_name | |
| req_extensions = req_ext | |
| ssl_conf = ssl_sect | |
| [ssl_sect] | |
| system_default = system_default_sect | |
| [system_default_sect] | |
| MinProtocol = TLSv1.2 | |
| #CipherString = DEFAULT@SECLEVEL=2 | |
| #Ciphersuites = | |
| [req_distinguished_name] | |
| countryName = "$OPENSSL_ROOTCA_COUNTRY_NAME" | |
| stateOrProvinceName = "$OPENSSL_ROOTCA_STATE_NAME" | |
| localityName = "$OPENSSL_ROOTCA_LOCAL_NAME" | |
| organizationalUnitName = "$OPENSSL_ROOTCA_OU_NAME" | |
| commonName = "$OPENSSL_ROOTCA_COMMON_NAME" | |
| [req_ext] | |
| basicConstraints = critical,CA:TRUE | |
| keyUsage = critical,digitalSignature,keyEncipherment | |
| extendedKeyUsage = serverAuth | |
| EOF | |
| } | |
| # Create OpenSSL Client Config files | |
| function f_create_openssl_client_conf { | |
| # Client | |
| for i in ${CLIENT_NAME}; do | |
| cat << EOF > conf/openssl-$i.conf | |
| [ req ] | |
| default_bits = 2048 | |
| prompt = no | |
| default_md = sha256 | |
| distinguished_name = req_distinguished_name | |
| req_extensions = req_ext | |
| ssl_conf = ssl_sect | |
| [ssl_sect] | |
| system_default = system_default_sect | |
| [system_default_sect] | |
| MinProtocol = TLSv1.2 | |
| #CipherString = DEFAULT@SECLEVEL=2 | |
| #Ciphersuites = | |
| [req_distinguished_name] | |
| countryName = "$OPENSSL_CLIENT_COUNTRY_NAME" | |
| stateOrProvinceName = "$OPENSSL_CLIENT_STATE_NAME" | |
| localityName = "$OPENSSL_CLIENT_LOCAL_NAME" | |
| organizationalUnitName = "$OPENSSL_CLIENT_OU_NAME" | |
| commonName = "$OPENSSL_CLIENT_COMMON_NAME_01" | |
| [req_ext] | |
| basicConstraints = critical,CA:FALSE | |
| keyUsage = critical,digitalSignature,keyEncipherment | |
| extendedKeyUsage = serverAuth | |
| subjectAltName = @alt_names | |
| [alt_names] | |
| DNS.1 = "$OPENSSL_CLIENT_COMMON_NAME_01" | |
| #DNS.2 = "$OPENSSL_CLIENT_COMMON_NAME_02" | |
| #DNS.3 = "$OPENSSL_CLIENT_COMMON_NAME_03" | |
| #DNS.4 = "$OPENSSL_CLIENT_COMMON_NAME_04" | |
| #DNS.5 = "$OPENSSL_CLIENT_COMMON_NAME_05" | |
| EOF | |
| done | |
| } | |
| # Create RootCA | |
| function f_create_rootca { | |
| # Check workdir | |
| f_check_workdir | |
| # Check OpenSSL Config | |
| f_check_openssl_conf | |
| # Create RootCA key | |
| openssl genrsa -aes256 -out $ROOTCA_KEY -passout pass:$CERT_PASS 2048 | |
| # Create CSR | |
| openssl req -new \ | |
| -key $ROOTCA_KEY \ | |
| -out $ROOTCA_CSR \ | |
| -passin pass:$CERT_PASS \ | |
| -config conf/openssl-rootca.conf | |
| # Create self-signed | |
| # Hash: -sha256, -sha384, -sha512 | |
| openssl x509 -req -sha256 -days $ROOTCA_DAYS -extensions req_ext -set_serial 1 \ | |
| -in $ROOTCA_CSR \ | |
| -signkey $ROOTCA_KEY \ | |
| -out $ROOTCA \ | |
| -extfile conf/openssl-rootca.conf \ | |
| -passin pass:$CERT_PASS | |
| # Check RootCA | |
| echo | |
| echo "- RootCA" | |
| openssl x509 -noout -text -in $ROOTCA | |
| } | |
| # Create client certificates | |
| function f_create_client_all { | |
| # Check workdir | |
| f_check_workdir | |
| # Check OpenSSL Config | |
| f_check_openssl_conf | |
| # Check RootCA certificates | |
| f_check_rootca | |
| # Create RSA key pair | |
| for i in ${CLIENT_NAME}; do | |
| openssl genrsa -aes256 -out client/$i/$i.key -passout pass:$CERT_PASS 2048; | |
| done | |
| # Remove Passphrase from key | |
| for i in ${CLIENT_NAME}; do | |
| cp client/$i/$i.key client/$i/$i.enc | |
| openssl rsa -in client/$i/$i.enc -out client/$i/$i.key -passin pass:$CERT_PASS; | |
| done | |
| # Create CSR | |
| for i in ${CLIENT_NAME}; do | |
| openssl req -new \ | |
| -key client/$i/$i.key \ | |
| -out client/$i/$i.csr \ | |
| -passin pass:$CERT_PASS \ | |
| -config conf/openssl-$i.conf; | |
| done | |
| # Create SSL | |
| for i in ${CLIENT_NAME}; do | |
| openssl x509 -req -days $CLIENT_DAYS \ | |
| -in client/$i/$i.csr \ | |
| -CA $ROOTCA \ | |
| -CAkey $ROOTCA_KEY \ | |
| -CAcreateserial -out client/$i/$i.crt \ | |
| -extensions req_ext \ | |
| -passin pass:$CERT_PASS \ | |
| -extfile conf/openssl-$i.conf; | |
| done | |
| # Check Certificates | |
| for i in ${CLIENT_NAME}; do | |
| echo | |
| echo "- Cert: $i" | |
| openssl x509 -noout -dates -in client/$i/$i.crt; | |
| done | |
| } | |
| # Print help | |
| function f_help { | |
| echo "Usage: $ARG_0 [Options]" | |
| echo | |
| echo "- Options" | |
| echo "a, all : Create RootCA, Client and Update CA Trust" | |
| echo "c, client : Create Client Certificates" | |
| echo "r, root : Create RootCA Certificates" | |
| echo "u, update : Update CA Trust" | |
| echo "h, help : Print help" | |
| echo | |
| } | |
| # Main | |
| ARG_0="$0" | |
| ARG_1="$1" | |
| case ${ARG_1} in | |
| a|all) | |
| f_create_rootca | |
| f_create_client_all | |
| f_update_ca_trust | |
| ;; | |
| r|root) | |
| f_create_rootca | |
| ;; | |
| c|client) | |
| f_create_client_all | |
| ;; | |
| u|update) | |
| f_update_ca_trust | |
| ;; | |
| *|h|help) | |
| f_help | |
| ;; | |
| esac |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment