一个shell脚本,实现利用OpenSSL生成X509证书
2018-07-20 来源:open-open
一个shell脚本,实现利用OpenSSL生成X509证书
来自:https://github.com/nittch/certifish
#!/bin/bash # # Copyright (C) 2015 Nicolas TANDE # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version 2 # of the License, or (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. # function usage() { cat << EOUSAGE Usage : $0 CN [altnames] : example : $0 mail.example.net : example : $0 www.example.net alt.example.net secure.example.net : : for *.example.net you can either put '*.example.net' or 'wildcard.example.net' EOUSAGE } ################# # Configuration # ################# # Path to openssl binary openssl=$(which openssl) # Crypto ciphers rsa 4096 + sha 512 openssl_crypto="rsa:4096 -sha512" # Certificate Authority that will sign our certificates ca= # Details to be added to every certificates organization="" organizationunitname="" locality="" province="" country="" # you may also define those variables in your home directory userconfig="$HOME/.certifishrc" [ -r "$userconfig" ] && source "$userconfig" ################# # Sanity checks # ################# function error() { echo "-- $1 --" >&2 exit 1 } [ "$country" = "" -o "$province" = "" -o "$locality" = "" -o "$organization" = "" -o "$organizationunitname" = "" ] && error "Please set configuration at the begin of the script" [ ! -r "$ca" ] && error "CA is not readable (path=$ca), please check configuration at the begin of the script" [ ! -x "$openssl" ] && error "Could not find openssl binary (path=$openssl), please check configuration at the begin of the script" ############################## # Do no edit below this line # ############################## set -e function notice() { echo "-- $1 --" } function confirmation() { notice "Is it correct ? [y/N]" read confirmation if [ "$confirmation" != "y" ]; then return 1; fi } # Reading parameters n=$# if [ $n -lt 1 ]; then usage error "Invalid parameters" fi # you can either input '*' or 'wildcard' real_cn=$(echo "$1" | sed 's/wildcard/\*/g') cn=$(echo "$1"|sed 's/\*/wildcard/g') shift altname=$@ # Only display parameters notice "You called this script with the following parameters" echo CommonName: $real_cn havealtname=0 if [ ${#altname[@]} -ne 0 ]; then for i in ${altname[@]} ; do havealtname=1 echo "AltName: $i"; done fi confirmation mkdir "$cn" cp "$ca" "$cn" cd "$cn" # Display OpenSSL parameters ( echo "[req]" echo "distinguished_name = req_distinguished_name" echo "req_extensions = req_ext" echo "prompt = no" echo "" echo "[req_distinguished_name]" echo "CN = $real_cn" echo "O = $organization" echo "OU = $organizationunitname" echo "L = $locality" echo "ST = $province" echo "C = $country" echo "" echo "[req_ext]" dns=1 if [ $havealtname -ne 0 ]; then echo "subjectAltName = @alt_names" echo "" echo "[alt_names]" for i in ${altname[@]} ; do echo "DNS.$dns = $i"; dns=$((dns + 1)) done fi ) > "$cn.cnf" notice "We are going to generate keys with following parameters" notice "The Crypto will be $openssl_crypto and the config will be" cat "$cn.cnf" confirmation # Generate key + csr $openssl req -new -newkey $openssl_crypto -nodes -keyout "$cn.key" -out "$cn.csr" -config "$cn.cnf" chmod 600 "$cn.key" notice "This is the CSR, copy paste it in your CA website" cat "$cn.csr" # read user certificate ok=0 until [ "$ok" = 1 ] ; do notice "Copy paste here the certificate from your CA website, Control-D to finish" while read line; do cert+=( "$line" ) done notice "You entered" for line in "${cert[@]}"; do echo "$line" done confirmation && ok=1 done for line in "${cert[@]}"; do echo "$line" >> "${cn}".crt done # generate chained certificate cat "${cn}.crt" $(basename "${ca}") > "${cn}.chained.crt" # generate DNSSEC/TLSA record notice "TLSA" notice "If you with to use DNSSEC/TLSA, add this in DNS zone (replace host with real hostname):" fpr=$( $openssl x509 -noout -fingerprint -sha512 < "${cn}.crt" |sed -e "s/.*=//g" | sed -e "s/\://g" ) echo "_port._tcp.host IN TLSA ( 3 0 2 $fpr )" > "${cn}.tlsa.txt" echo "_port._tcp.host IN TLSA ( 3 0 2 $fpr )"
来自:https://github.com/nittch/certifish
版权申明:本站文章部分自网络,如有侵权,请联系:west999com@outlook.com
特别注意:本站所有转载文章言论不代表本站观点!
本站所提供的图片等素材,版权归原作者所有,如需使用,请与原作者联系。
上一篇: iOS 获取当前Wifi的SSID
最新资讯
热门推荐