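#!/bin/sh
##
##  gid-mkcert.sh -- Create Certificates for Global Server ID facility
##  Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved.
##
##  This script is derived from mkcert.sh from the mod_ssl distribution.
##  It requires OpenSSL 0.9.4.
##
##  Run it inside the directory that should receive the key, CSR and
##  certificate files.  When ca.crt does not exist yet a custom CA
##  (ca.key, ca.csr, ca.crt) is created first; afterwards a server key,
##  CSR, certificate and PKCS#12 bundle (server.key, server.csr,
##  server.crt, server.p12) are produced and server.key is finally
##  protected with a pass phrase.
##
##  The script is interactive: "openssl req", "openssl pkcs12 -export"
##  and "openssl rsa" prompt on the terminal.
##

#   parameters
#   ($openssl is deliberately expanded unquoted below so that it may
#   carry additional options, e.g. openssl="openssl -foo")
openssl="openssl"
sslcrtdir="."
sslcsrdir="."
sslkeydir="."
#   RSA modulus size used for both the CA and the server key.  1024 is the
#   value this script historically hard-coded and is kept as the default
#   for compatibility; it is considered too small for new deployments.
sslkeybits="1024"
#   "openssl rsa" cipher option used to protect server.key with a pass
#   phrase.  -des3 is what OpenSSL 0.9.4 offers; newer releases also
#   accept e.g. -aes256.
sslkeycipher="-des3"
#   validity period of the CA and server certificates, in days
ssldays="365"
#   horizontal rule printed between steps
rule="______________________________________________________________________"

#   Private keys must never be readable by other users, so create every
#   file this script writes (keys, CSRs, certificates, temp config) with
#   a restrictive mode.  Certificates may be opened up later if needed.
umask 077

#   The OpenSSL config fragment is regenerated for every step and is only
#   needed while the script runs; drop it on any exit path.  .mkcert.serial
#   is kept on purpose: it tracks the serial numbers already issued.
trap 'rm -f .mkcert.cfg' EXIT

#######################################
#   Print an error message to stderr and abort the script.
#   Arguments: $* - message text
#######################################
die() {
    echo "gid-mkcert.sh:Error: $*" 1>&2
    exit 1
}

#######################################
#   Generate an RSA private key of $sslkeybits bits.
#   Globals:   openssl, sslkeybits, randfiles (read)
#   Arguments: $1 - output key file
#   Aborts via die on failure.
#   OpenSSL 0.9.x wants a writable $HOME/.rnd, so make sure it exists;
#   the PRNG is additionally seeded from $randfiles when any were found.
#######################################
gen_key() {
    [ -f "$HOME/.rnd" ] || touch "$HOME/.rnd"
    if [ -n "$randfiles" ]; then
        $openssl genrsa -rand "$randfiles" -out "$1" "$sslkeybits"
    else
        $openssl genrsa -out "$1" "$sslkeybits"
    fi || die "Failed to generate RSA private key"
}

#######################################
#   Write the interactive DN prompt config and create a CSR.
#   Globals:   openssl, sslkeybits (read); writes .mkcert.cfg
#   Arguments: $1 - private key file
#              $2 - output CSR file
#              $3 - default Organizational Unit
#              $4 - hint shown in the Common Name prompt
#              $5 - default Common Name
#              $6 - hint shown in the Email Address prompt
#              $7 - default Email Address
#   Aborts via die on failure.
#######################################
gen_csr() {
    cat >.mkcert.cfg <<EOT
[ req ]
default_bits                    = $sslkeybits
distinguished_name              = req_DN
[ req_DN ]
countryName                     = "1. Country Name             (2 letter code)"
countryName_default             = XY
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = "2. State or Province Name   (full name)    "
stateOrProvinceName_default     = Snake Desert
localityName                    = "3. Locality Name            (eg, city)     "
localityName_default            = Snake Town
0.organizationName              = "4. Organization Name        (eg, company)  "
0.organizationName_default      = Snake Oil, Ltd
organizationalUnitName          = "5. Organizational Unit Name (eg, section)  "
organizationalUnitName_default  = $3
commonName                      = "6. Common Name              (eg, $4)"
commonName_max                  = 64
commonName_default              = $5
emailAddress                    = "7. Email Address            (eg, $6)"
emailAddress_max                = 40
emailAddress_default            = $7
EOT
    $openssl req -config .mkcert.cfg -new -key "$1" -out "$2" \
        || die "Failed to generate certificate signing request"
}

#######################################
#   Print the Common Name of a certificate's subject (used as the
#   PKCS#12 friendly names).  Assumes the one-line
#   "Subject: /C=../CN=name/Email=.." layout printed by OpenSSL 0.9.x.
#   Arguments: $1 - certificate file
#######################################
subject_cn() {
    $openssl x509 -noout -text -in "$1" |
        grep Subject: | sed -e 's;.*CN=;;' -e 's;/Em.*;;'
}

#   some optional terminal sequences (bold on / attributes off).
#   The fallback arm must be "*": a literal "default)" pattern would only
#   match TERM=default and leave T_MD/T_ME unset for every other terminal.
case "${TERM-}" in
    xterm*|vt220*|vt100*)
        T_MD=$(printf '\033[1m')
        T_ME=$(printf '\033[m')
        ;;
    *)
        T_MD=''
        T_ME=''
        ;;
esac

#   find some random files
#   (do not use /dev/random here, because this device
#   doesn't work as expected on all platforms)
randfiles=''
for file in /var/log/messages /var/adm/messages \
            /kernel /vmunix /vmlinuz \
            /etc/hosts /etc/resolv.conf; do
    if [ -f "$file" ]; then
        #   colon-separated list as expected by "genrsa -rand"
        randfiles="${randfiles:+$randfiles:}$file"
    fi
done

echo "${T_MD}This is GID-MKCERT (Global Server ID Generation)${T_ME}"
echo "${T_MD}Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved.${T_ME}"

if [ ! -f "$sslcrtdir/ca.crt" ]; then
    echo ""
    echo "${T_MD}Generating custom Certificate Authority (CA)${T_ME}"
    echo "$rule"
    echo ""
    echo "${T_MD}STEP 1: Generating RSA private key for CA ($sslkeybits bit)${T_ME}"
    #   NOTE: ca.key is written without a pass phrase (as in the original
    #   design); it is only protected by the file mode set via umask.
    gen_key "$sslkeydir/ca.key"
    echo "$rule"
    echo ""
    echo "${T_MD}STEP 2: Generating X.509 certificate signing request for CA${T_ME}"
    gen_csr "$sslkeydir/ca.key" "$sslcsrdir/ca.csr" \
            "Certificate Authority" "CA name" "Snake Oil CA" \
            "name@FQDN" "ca@snakeoil.dom"
    echo "$rule"
    echo ""
    echo "${T_MD}STEP 3: Generating X.509 certificate for CA signed by itself${T_ME}"
    cat >.mkcert.cfg <<EOT
extensions = x509v3
[ x509v3 ]
subjectAltName   = email:copy
basicConstraints = CA:true,pathlen:0
nsComment        = "mod_ssl generated custom CA certificate"
nsCertType       = sslCA
EOT
    $openssl x509 -extfile .mkcert.cfg -days "$ssldays" \
        -signkey "$sslkeydir/ca.key" -in "$sslcsrdir/ca.csr" -req \
        -out "$sslcrtdir/ca.crt" \
        || die "Failed to generate self-signed CA certificate"
    echo "$rule"
    echo ""
    echo "${T_MD}RESULT:${T_ME}"
    #   a self-signed CA can only be verified against itself; without
    #   -CAfile "openssl verify" would consult the system trust store
    $openssl verify -CAfile "$sslcrtdir/ca.crt" "$sslcrtdir/ca.crt" \
        || die "Failed to verify resulting X.509 certificate"
fi

echo ""
echo "${T_MD}Generating custom SERVER${T_ME}"
echo "$rule"
echo ""
echo "${T_MD}STEP 5: Generating RSA private key for SERVER ($sslkeybits bit)${T_ME}"
gen_key "$sslkeydir/server.key"
echo "$rule"
echo ""
echo "${T_MD}STEP 6: Generating X.509 certificate signing request for SERVER${T_ME}"
gen_csr "$sslkeydir/server.key" "$sslcsrdir/server.csr" \
        "Webserver Team" "FQDN" "www.snakeoil.dom" \
        "name@fqdn" "www@snakeoil.dom"
echo "$rule"
echo ""
echo "${T_MD}STEP 7: Generating X.509 certificate signed by own CA${T_ME}"
#   An end-entity certificate must carry CA:FALSE; pathlen is only
#   meaningful together with CA:true (RFC 5280), so the bare "pathlen:0"
#   the original config used is replaced by an explicit CA:FALSE.
cat >.mkcert.cfg <<EOT
extensions = x509v3
[ x509v3 ]
subjectAltName   = email:copy
basicConstraints = CA:FALSE
nsComment        = "mod_ssl generated custom server certificate"
nsCertType       = server
#extendedKeyUsage = RID:2.16.840.1.113730.4.1,RID:1.3.6.1.4.1.311.10.3.3
extendedKeyUsage = msSGC,nsSGC
EOT
#   the serial file persists across runs so each issued certificate
#   gets a fresh serial number
if [ ! -f .mkcert.serial ]; then
    echo '01' >.mkcert.serial
fi
$openssl x509 -extfile .mkcert.cfg -days "$ssldays" \
    -CAserial .mkcert.serial \
    -CA "$sslcrtdir/ca.crt" -CAkey "$sslkeydir/ca.key" \
    -in "$sslcsrdir/server.csr" -req \
    -out "$sslcrtdir/server.crt" \
    || die "Failed to generate X.509 certificate"
caname=$(subject_cn "$sslcrtdir/ca.crt")
username=$(subject_cn "$sslcrtdir/server.crt")
#   the bundle carries the still unencrypted server.key; pkcs12 -export
#   prompts for an export password that protects it
$openssl pkcs12 -export \
    -in "$sslcrtdir/server.crt" -inkey "$sslkeydir/server.key" \
    -certfile "$sslcrtdir/ca.crt" \
    -name "$username" -caname "$caname" \
    -out "$sslcrtdir/server.p12" \
    || die "Failed to export PKCS#12 bundle"
echo "$rule"
echo ""
echo "${T_MD}RESULT:${T_ME}"
$openssl verify -CAfile "$sslcrtdir/ca.crt" "$sslcrtdir/server.crt" \
    || die "Failed to verify resulting X.509 certificate"
echo "$rule"
echo ""
echo "${T_MD}STEP 8: Encrypting RSA private key of SERVER with a pass phrase for security${T_ME}"
#   $sslkeycipher is an option and therefore expanded unquoted on purpose
$openssl rsa $sslkeycipher -in "$sslkeydir/server.key" \
    -out "$sslkeydir/server.key.crypt" \
    || die "Failed to encrypt RSA private key"
#   replace the plaintext key with the encrypted copy in one step
mv -f -- "$sslkeydir/server.key.crypt" "$sslkeydir/server.key"

##EOF##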