#!/bin/sh
##
##  mkcert.sh -- SSL Certificate Generation Utility
##
##  Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved.
##
##  Generates (or, with $9 set, only displays) the Snake Oil server
##  certificate and private key under ../conf/ssl.* of an Apache 1.3
##  source tree.  Invoked by the build system with nine positional
##  parameters (see below); only $3, $5, $6 and $9 are used in the part
##  of the script shown here.  All echo/openssl invocations below use
##  relative paths, so the working directory must be apache_1.3.x/src.
##

#   parameters
#   $1 make binary, $2 make flags, $4 support dir, $7 crt, $8 key:
#       assigned but not referenced in the visible portion of the script
#   $3 openssl: path to the openssl binary used for every crypto step
#   $5 type:    certificate kind ("dummy" or "test"; empty -> "test")
#   $6 algo:    RSA or DSA (case-insensitive); empty -> interactive choice
#   $9 view:    any non-empty value -> only print existing certs/keys, exit 0
make="$1"
mflags="$2"
openssl="$3"
support="$4"
type="$5"
algo="$6"
crt="$7"
key="$8"
view="$9"

#   we can operate only inside the Apache 1.3 source
#   tree and only when mod_ssl+OpenSSL is actually configured.
#   (The ".$var" = . idiom is the portable /bin/sh way to test for an
#   empty string without tripping over values that start with "-".)
if [ ! -f "../README.configure" ]; then
    echo "mkcert.sh:Error: Cannot operate outside the Apache 1.3 source tree." 1>&2
    echo "mkcert.sh:Hint: You have to stay inside apache_1.3.x/src." 1>&2
    exit 1
fi
if [ ".$openssl" = . ]; then
    echo "mkcert.sh:Error: mod_ssl/OpenSSL has to be configured before using this utility." 1>&2
    echo "mkcert.sh:Hint: Configure mod_ssl with --enable-module=ssl in APACI, first." 1>&2
    exit 1
fi

#   configuration
#   WE ARE CALLED FROM THE PARENT DIR!
sslcrtdir="../conf/ssl.crt"
sslcsrdir="../conf/ssl.csr"
sslkeydir="../conf/ssl.key"
sslprmdir="../conf/ssl.prm"

#   some optional terminal sequences
#   T_MD = "bold on", T_ME = "attributes off"; built via awk's printf(%c)
#   because echo -e / printf \e are not portable across the /bin/sh
#   implementations this script targets.
case $TERM in
    xterm|xterm*|vt220|vt220*)
        T_MD=`echo dummy | awk '{ printf("%c%c%c%c", 27, 91, 49, 109); }'`
        T_ME=`echo dummy | awk '{ printf("%c%c%c", 27, 91, 109); }'`
        ;;
    vt100|vt100*)
        # vt100 variant pads the sequences with two NUL bytes
        T_MD=`echo dummy | awk '{ printf("%c%c%c%c%c%c", 27, 91, 49, 109, 0, 0); }'`
        T_ME=`echo dummy | awk '{ printf("%c%c%c%c%c", 27, 91, 109, 0, 0); }'`
        ;;
    default)
        # NOTE(review): "default" is a literal pattern, not the catch-all "*",
        # so this arm never matches; for any other $TERM both variables stay
        # unset and expand to empty (harmless: the visible part of the script
        # does not use "set -u").
        T_MD=''
        T_ME=''
        ;;
esac

#   display header
echo "${T_MD}SSL Certificate Generation Utility${T_ME} (mkcert.sh)"
echo "Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved."

#   on request view certificates only
#   Dumps CA and server cert/key pairs that already exist and exits.
#   The key type to dump (rsa vs dsa) is inferred by grepping the
#   certificate's "Signature Algorithm" line for "RSA".
#   Note: "openssl rsa/dsa -text" prints the private key material to
#   the terminal; this mode is for inspection only.
if [ ".$view" != . ]; then
    if [ -f "$sslcrtdir/ca.crt" -a -f "$sslkeydir/ca.key" ]; then
        echo ""
        echo "${T_MD}CA X.509 Certificate${T_ME} [ca.crt]"
        echo "______________________________________________________________________"
        $openssl x509 -noout -text -in $sslcrtdir/ca.crt
        echo ""
        if [ ".`$openssl x509 -noout -text -in $sslcrtdir/ca.crt | grep 'Signature Algorithm' | grep -i RSA`" != . ]; then
            echo "${T_MD}CA RSA Private Key${T_ME} [ca.key]"
            echo "______________________________________________________________________"
            $openssl rsa -noout -text -in $sslkeydir/ca.key
        else
            echo "${T_MD}CA DSA Private Key${T_ME} [ca.key]"
            echo "______________________________________________________________________"
            $openssl dsa -noout -text -in $sslkeydir/ca.key
        fi
    fi
    if [ -f "$sslcrtdir/server.crt" -a -f "$sslkeydir/server.key" ]; then
        echo ""
        echo "${T_MD}Server X.509 Certificate${T_ME} [server.crt]"
        echo "______________________________________________________________________"
        $openssl x509 -noout -text -in $sslcrtdir/server.crt
        echo ""
        if [ ".`$openssl x509 -noout -text -in $sslcrtdir/server.crt | grep 'Signature Algorithm' | grep -i RSA`" != . ]; then
            echo "${T_MD}Server RSA Private Key${T_ME} [server.key]"
            echo "______________________________________________________________________"
            $openssl rsa -noout -text -in $sslkeydir/server.key
        else
            echo "${T_MD}Server DSA Private Key${T_ME} [server.key]"
            echo "______________________________________________________________________"
            $openssl dsa -noout -text -in $sslkeydir/server.key
        fi
    fi
    exit 0
fi

#   find some random files
#   (do not use /dev/random here, because this device
#   doesn't work as expected on all platforms)
#   Collects every readable file from the list into a colon-separated
#   string that is later passed to "openssl ... -rand" as extra seed
#   material.  Empty if none of them is readable.
randfiles=''
for file in /var/log/messages /var/adm/messages /var/log/system.log /var/wtmp \
            /kernel /kernel/genunix /vmunix /vmlinuz /mach \
            /etc/hosts /etc/group /etc/resolv.conf /bin/ls; do
    if [ -r $file ]; then
        if [ ".$randfiles" = . ]; then
            randfiles="$file"
        else
            randfiles="${randfiles}:$file"
        fi
    fi
done

#   initialize random file
#   RANDFILE is read by OpenSSL's RNG; reuse the user's ~/.rnd if present.
#   NOTE(review): the fallback seed (process list + date) is low-entropy
#   and .mkcert.rnd is created in the current directory with the caller's
#   default umask.  On old OpenSSL builds this seed plus $randfiles is
#   what the key generation below depends on; current builds seed from
#   the OS CSPRNG and treat these files only as additional input.
if [ -f $HOME/.rnd ]; then
    RANDFILE="$HOME/.rnd"
else
    RANDFILE=".mkcert.rnd"
    (ps; date) >$RANDFILE
fi
export RANDFILE

#   canonicalize parameters
#   The "x" prefix keeps the case selector non-empty for an empty value.
case "x$type" in
    x ) type=test ;;
esac
case "x$algo" in
    xRSA|xrsa ) algo=RSA ;;
    xDSA|xdsa ) algo=DSA ;;
    x ) algo=choose ;;
    # NOTE(review): inside double quotes the backslash before the quote is
    # kept literally, so this message prints \'foo' rather than 'foo'.
    * ) echo "Unknown algorithm \'$algo' (use RSA or DSA!)" 1>&2
        exit 1
        ;;
esac

#   processing
case $type in
    dummy)
        # DUMMY: no key generation at all -- just install the pre-built
        # Snake Oil self-signed pair shipped under conf/ssl.crt|ssl.key.
        echo ""
        echo "${T_MD}Generating self-signed Snake Oil certificate [DUMMY]${T_ME}"
        echo "______________________________________________________________________"
        echo ""
        if [ ".$algo" = .choose ]; then
            algo=RSA
        fi
        # subshell so the restrictive umask only applies to the key copy
        if [ ".$algo" = .RSA ]; then
            cp $sslcrtdir/snakeoil-rsa.crt $sslcrtdir/server.crt
            (umask 077; cp $sslkeydir/snakeoil-rsa.key $sslkeydir/server.key)
        else
            cp $sslcrtdir/snakeoil-dsa.crt $sslcrtdir/server.crt
            (umask 077; cp $sslkeydir/snakeoil-dsa.key $sslkeydir/server.key)
        fi
        echo "${T_MD}RESULT: Server Certification Files${T_ME}"
        echo ""
        echo "o ${T_MD}conf/ssl.key/server.key${T_ME}"
        echo " The PEM-encoded $algo private key file which you configure"
        echo " with the 'SSLCertificateKeyFile' directive (automatically done"
        echo " when you install via APACI). ${T_MD}KEEP THIS FILE PRIVATE!${T_ME}"
        echo ""
        echo "o ${T_MD}conf/ssl.crt/server.crt${T_ME}"
        echo " The PEM-encoded X.509 certificate file which you configure"
        echo " with the 'SSLCertificateFile' directive (automatically done"
        echo " when you install via APACI)."
        echo ""
        echo "WARNING: Do not use this for real-life/production systems"
        echo ""
        ;;
    test)
        # TEST: generate a fresh server key + CSR and have it signed by
        # the shipped Snake Oil CA.  Interactive: prompts for algorithm
        # (if not given), DN fields (via openssl req), validity and version.
        echo ""
        echo "${T_MD}Generating test certificate signed by Snake Oil CA [TEST]${T_ME}"
        echo "WARNING: Do not use this for real-life/production systems"
        if [ ".$algo" = .choose ]; then
            echo "______________________________________________________________________"
            echo ""
            echo "${T_MD}STEP 0: Decide the signature algorithm used for certificate${T_ME}"
            echo "The generated X.509 CA certificate can contain either"
            echo "RSA or DSA based ingredients. Select the one you want to use."
            def1=R
            def2=r
            def=RSA
            prompt="Signature Algorithm ((R)SA or (D)SA) [$def1]:"
            # "[ 1 ]" is always true; the loop exits only via "break".
            # The awk call is a portable "print without trailing newline";
            # the prompt is passed as an awk variable assignment operand.
            while [ 1 ]; do
                echo dummy | awk '{ printf("%s", prompt); }' "prompt=$prompt"
                read algo
                if [ ".$algo" = ".$def1" -o ".$algo" = ".$def2" -o ".$algo" = . ]; then
                    algo=$def
                    break
                elif [ ".$algo" = ".R" -o ".$algo" = ".r" ]; then
                    algo=RSA
                    break
                elif [ ".$algo" = ".D" -o ".$algo" = ".d" ]; then
                    algo=DSA
                    break
                else
                    echo "mkcert.sh:Warning: Invalid selection" 1>&2
                fi
            done
        fi
        if [ ".$algo" = ".DSA" ]; then
            echo ""
            echo "${T_MD}WARNING!${T_ME} You're generating a DSA based certificate/key pair."
            echo " This implies that RSA based ciphers won't be available later,"
            echo " which for your web server currently still means that mostly all"
            echo " popular web browsers cannot connect to it. At least not until"
            echo " you also generate an additional RSA based certificate/key pair"
            echo " and configure them in parallel."
        fi
        echo "______________________________________________________________________"
        echo ""
        # NOTE(review): the key size (1024 bit) is hard-coded here and in the
        # request config below; it reflects the era of this script and is
        # below what current guidance considers acceptable.
        echo "${T_MD}STEP 1: Generating $algo private key (1024 bit) [server.key]${T_ME}"
        if [ ".$algo" = .RSA ]; then
            # NOTE(review): unlike the DSA branch and the DUMMY case, no
            # "umask 077" guards this write, so the mode of server.key depends
            # on the caller's umask unless the openssl build restricts it itself.
            if [ ".$randfiles" != . ]; then
                $openssl genrsa -rand $randfiles -out $sslkeydir/server.key 1024
            else
                $openssl genrsa -out $sslkeydir/server.key 1024
            fi
            if [ $? -ne 0 ]; then
                echo "mkcert.sh:Error: Failed to generate RSA private key" 1>&2
                exit 1
            fi
        else
            # DSA key uses the shipped CA parameters (snakeoil-ca-dsa.prm);
            # the subshell scopes the restrictive umask to this key write.
            echo "Generating DSA private key via SnakeOil CA DSA parameters"
            if [ ".$randfiles" != . ]; then
                (umask 077
                 $openssl gendsa -rand $randfiles \
                          -out $sslkeydir/server.key \
                          $sslprmdir/snakeoil-ca-dsa.prm)
            else
                (umask 077
                 $openssl gendsa -out $sslkeydir/server.key \
                          $sslprmdir/snakeoil-ca-dsa.prm)
            fi
            if [ $? -ne 0 ]; then
                echo "mkcert.sh:Error: Failed to generate DSA private key" 1>&2
                exit 1
            fi
        fi
        echo "______________________________________________________________________"
        echo ""
        echo "${T_MD}STEP 2: Generating X.509 certificate signing request [server.csr]${T_ME}"
        # Temporary "openssl req" config (DN prompts + Snake Oil defaults),
        # written to the current directory and removed once the CSR exists.
        # It holds no secrets.
        cat >.mkcert.cfg <<EOT
[ req ]
default_bits = 1024
distinguished_name = req_DN
[ req_DN ]
countryName = "1. Country Name (2 letter code)"
countryName_default = XY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = "2. State or Province Name (full name) "
stateOrProvinceName_default = Snake Desert
localityName = "3. Locality Name (eg, city) "
localityName_default = Snake Town
0.organizationName = "4. Organization Name (eg, company) "
0.organizationName_default = Snake Oil, Ltd
organizationalUnitName = "5. Organizational Unit Name (eg, section) "
organizationalUnitName_default = Webserver Team
commonName = "6. Common Name (eg, FQDN) "
commonName_max = 64
commonName_default = www.snakeoil.dom
emailAddress = "7. Email Address (eg, name@FQDN)"
emailAddress_max = 40
emailAddress_default = www@snakeoil.dom
EOT
        $openssl req -config .mkcert.cfg \
                     -new \
                     -key $sslkeydir/server.key \
                     -out $sslcsrdir/server.csr
        if [ $? -ne 0 ]; then
            echo "mkcert.sh:Error: Failed to generate certificate signing request" 1>&2
            exit 1
        fi
        rm -f .mkcert.cfg
        # Validity in days; empty reply -> 365.  The reply is not checked
        # to be numeric here.
        prompt="8. Certificate Validity (days) [365]:"
        echo dummy | awk '{ printf("%s", prompt); }' "prompt=$prompt"
        read days
        if [ ".$days" = . ]; then
            days=365
        fi
        echo "______________________________________________________________________"
        echo ""
        echo "${T_MD}STEP 3: Generating X.509 certificate signed by Snake Oil CA [server.crt]${T_ME}"
        echo dummy | awk '{ printf("%s", prompt); }' "prompt=Certificate Version (1 or 3) [3]:"
        # NOTE(review): the listing on this page ends here, in the middle of
        # the "test" branch; the rest of this case statement is not shown.