一个shell脚本,实现利用OpenSSL生成X509证书
代码语言:javascript复制#!/bin/bash
#
Copyright (C) 2015 Nicolas TANDE
#
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
function usage() { cat << EOUSAGE
Usage : $0 CN [altnames]
: example : $0 mail.example.net
: example : $0 www.example.net alt.example.net secure.example.net
:
: for .example.net you can either put '.example.net' or 'wildcard.example.net'
EOUSAGE
}
#
Configuration
#
Path to openssl binary
openssl=$(which openssl)
Crypto ciphers rsa 4096 sha 512
openssl_crypto="rsa:4096 -sha512"
Certificate Authority that will sign our certificates
ca=
Details to be added to every certificates
organization=""
organizationunitname=""
locality=""
province=""
country=""
you may also define those variables in your home directory
userconfig="$HOME/.certifishrc"
[ -r "$userconfig" ] && source "$userconfig"
#
Sanity checks
#
function error()
{
echo "-- $1 --" >&2
exit 1
}
[ "$country" = "" -o "$province" = "" -o "$locality" = "" -o "$organization" = "" -o "$organizationunitname" = "" ] &&
error "Please set configuration at the begin of the script"
[ ! -r "$ca" ] && error "CA is not readable (path=$ca), please check configuration at the begin of the script"
[ ! -x "$openssl" ] && error "Could not find openssl binary (path=$openssl), please check configuration at the begin of the script"
#
Do no edit below this line
#
set -e
function notice()
{
echo "-- $1 --"
}
function confirmation()
{
notice "Is it correct ? [y/N]"
read confirmation
if [ "$confirmation" != "y" ]; then return 1; fi
}
Reading parameters
n=$#
if [ $n -lt 1 ]; then
usage
error "Invalid parameters"
fi
you can either input '*' or 'wildcard'
real_cn=$(echo "$1" | sed 's/wildcard/*/g')
cn=$(echo "$1"|sed 's/*/wildcard/g')
shift
altname=$@
Only display parameters
notice "You called this script with the following parameters"
echo CommonName: $real_cn
havealtname=0
if [ ${#altname[@]} -ne 0 ]; then
for i in ${altname[@]} ; do
havealtname=1
echo "AltName: $i";
done
fi
confirmation
mkdir "$cn"
cp "$ca" "$cn"
cd "$cn"
Display OpenSSL parameters
(
echo "[req]"
echo "distinguished_name = req_distinguished_name"
echo "req_extensions = req_ext"
echo "prompt = no"
echo ""
echo "[req_distinguished_name]"
echo "CN = $real_cn"
echo "O = $organization"
echo "OU = $organizationunitname"
echo "L = $locality"
echo "ST = $province"
echo "C = $country"
echo ""
echo "[req_ext]"
dns=1
if [ $havealtname -ne 0 ]; then
echo "subjectAltName = @alt_names"
echo ""
echo "[alt_names]"
for i in ${altname[@]} ; do
echo "DNS.$dns = $i";
dns=$((dns 1))
done
fi
) > "$cn.cnf"
notice "We are going to generate keys with following parameters"
notice "The Crypto will be $openssl_crypto and the config will be"
cat "$cn.cnf"
confirmation
Generate key csr
$openssl req -new -newkey $openssl_crypto -nodes -keyout "$cn.key" -out "$cn.csr" -config "$cn.cnf"
chmod 600 "$cn.key"
notice "This is the CSR, copy paste it in your CA website"
cat "$cn.csr"
read user certificate
ok=0
until [ "$ok" = 1 ] ; do
notice "Copy paste here the certificate from your CA website, Control-D to finish"
while read line; do
cert =( "$line" )
done
notice "You entered"
for line in "${cert[@]}"; do
echo "$line"
done
confirmation && ok=1
done
for line in "${cert[@]}"; do
echo "$line" >> "${cn}".crt
done
generate chained certificate
cat "${cn}.crt" $(basename "${ca}") > "${cn}.chained.crt"
generate DNSSEC/TLSA record
notice "TLSA"
notice "If you with to use DNSSEC/TLSA, add this in DNS zone (replace host with real hostname):"
fpr=$( $openssl x509 -noout -fingerprint -sha512 < "${cn}.crt" |sed -e "s/.*=//g" | sed -e "s/://g" )
echo "_port._tcp.host IN TLSA ( 3 0 2 $fpr )" > "${cn}.tlsa.txt"
echo "_port._tcp.host IN TLSA ( 3 0 2 $fpr )"</pre>