📄 mkcert.sh
read certversion extfile="" if [ ".$certversion" = .3 -o ".$certversion" = . ]; then extfile="-extfile .mkcert.cfg" cat >.mkcert.cfg <<EOTextensions = x509v3[ x509v3 ]subjectAltName = email:copynsComment = "mod_ssl generated test server certificate"nsCertType = serverEOT fi if [ ! -f .mkcert.serial ]; then echo '01' >.mkcert.serial fi if [ ".$algo" = .RSA ]; then $openssl x509 $extfile \ -days $days \ -CAserial .mkcert.serial \ -CA $sslcrtdir/snakeoil-ca-rsa.crt \ -CAkey $sslkeydir/snakeoil-ca-rsa.key \ -in $sslcsrdir/server.csr -req \ -out $sslcrtdir/server.crt else $openssl x509 $extfile \ -days $days \ -CAserial .mkcert.serial \ -CA $sslcrtdir/snakeoil-ca-dsa.crt \ -CAkey $sslkeydir/snakeoil-ca-dsa.key \ -in $sslcsrdir/server.csr -req \ -out $sslcrtdir/server.crt fi if [ $? -ne 0 ]; then echo "mkcert.sh:Error: Failed to generate X.509 certificate" 1>&2 exit 1 fi rm -f .mkcert.cfg echo "Verify: matching certificate & key modulus" modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/server.crt | sed -e 's;.*Modulus=;;'` if [ ".$algo" = .RSA ]; then modkey=`$openssl rsa -noout -modulus -in $sslkeydir/server.key | sed -e 's;.*Modulus=;;'` else modkey=`$openssl dsa -noout -modulus -in $sslkeydir/server.key | sed -e 's;.*Key=;;'` fi if [ ".$modcrt" != ".$modkey" ]; then echo "mkcert.sh:Error: Failed to verify modulus on resulting X.509 certificate" 1>&2 exit 1 fi echo "Verify: matching certificate signature" if [ ".$algo" = .RSA ]; then $openssl verify -CAfile $sslcrtdir/snakeoil-ca-rsa.crt $sslcrtdir/server.crt else $openssl verify -CAfile $sslcrtdir/snakeoil-ca-dsa.crt $sslcrtdir/server.crt fi if [ $? 
-ne 0 ]; then echo "mkcert.sh:Error: Failed to verify signature on resulting X.509 certificate" 1>&2 exit 1 fi echo "______________________________________________________________________" echo "" echo "${T_MD}STEP 4: Enrypting $algo private key with a pass phrase for security [server.key]${T_ME}" echo "The contents of the server.key file (the generated private key) has to be" echo "kept secret. So we strongly recommend you to encrypt the server.key file" echo "with a Triple-DES cipher and a Pass Phrase." while [ 1 ]; do echo dummy | awk '{ printf("Encrypt the private key now? [Y/n]: "); }' read rc if [ ".$rc" = .n -o ".$rc" = .N ]; then rc="n" break fi if [ ".$rc" = .y -o ".$rc" = .Y -o ".$rc" = . ]; then rc="y" break fi done if [ ".$rc" = .y ]; then if [ ".$algo" = .RSA ]; then (umask 077 $openssl rsa -des3 \ -in $sslkeydir/server.key \ -out $sslkeydir/server.key.crypt) else (umask 077 $openssl dsa -des3 \ -in $sslkeydir/server.key \ -out $sslkeydir/server.key.crypt) fi if [ $? -ne 0 ]; then echo "mkcert.sh:Error: Failed to encrypt $algo private key" 1>&2 exit 1 fi (umask 077; cp $sslkeydir/server.key.crypt $sslkeydir/server.key) rm -f $sslkeydir/server.key.crypt echo "Fine, you're using an encrypted $algo private key." else echo "Warning, you're using an unencrypted $algo private key." echo "Please notice this fact and do this on your own risk." fi echo "______________________________________________________________________" echo "" echo "${T_MD}RESULT: Server Certification Files${T_ME}" echo "" echo "o ${T_MD}conf/ssl.key/server.key${T_ME}" echo " The PEM-encoded $algo private key file which you configure" echo " with the 'SSLCertificateKeyFile' directive (automatically done" echo " when you install via APACI). 
${T_MD}KEEP THIS FILE PRIVATE!${T_ME}" echo "" echo "o ${T_MD}conf/ssl.crt/server.crt${T_ME}" echo " The PEM-encoded X.509 certificate file which you configure" echo " with the 'SSLCertificateFile' directive (automatically done" echo " when you install via APACI)." echo "" echo "o ${T_MD}conf/ssl.csr/server.csr${T_ME}" echo " The PEM-encoded X.509 certificate signing request file which" echo " you can send to an official Certificate Authority (CA) in order" echo " to request a real server certificate (signed by this CA instead" echo " of our demonstration-only Snake Oil CA) which later can replace" echo " the conf/ssl.crt/server.crt file." echo "" echo "WARNING: Do not use this for real-life/production systems" echo "" ;; custom) echo "" echo "${T_MD}Generating custom certificate signed by own CA [CUSTOM]${T_ME}" if [ ".$algo" = .choose ]; then echo "______________________________________________________________________" echo "" echo "${T_MD}STEP 0: Decide the signature algorithm used for certificates${T_ME}" echo "The generated X.509 certificates can contain either" echo "RSA or DSA based ingredients. Select the one you want to use." def1=R def2=r def=RSA prompt="Signature Algorithm ((R)SA or (D)SA) [$def1]:" while [ 1 ]; do echo dummy | awk '{ printf("%s", prompt); }' "prompt=$prompt" read algo if [ ".$algo" = ".$def1" -o ".$algo" = ".$def2" -o ".$algo" = . ]; then algo=$def break elif [ ".$algo" = ".R" -o ".$algo" = ".r" ]; then algo=RSA break elif [ ".$algo" = ".D" -o ".$algo" = ".d" ]; then algo=DSA break else echo "mkcert.sh:Warning: Invalid selection" 1>&2 fi done fi if [ ".$algo" = ".DSA" ]; then echo "" echo "${T_MD}WARNING!${T_ME} You're generating DSA based certificate/key pairs." echo " This implies that RSA based ciphers won't be available later," echo " which for your web server currently still means that mostly all" echo " popular web browsers cannot connect to it. 
At least not until" echo " you also generate an additional RSA based certificate/key pair" echo " and configure them in parallel." fi echo "______________________________________________________________________" echo "" echo "${T_MD}STEP 1: Generating $algo private key for CA (1024 bit) [ca.key]${T_ME}" if [ ".$algo" = .RSA ]; then if [ ".$randfiles" != . ]; then $openssl genrsa -rand $randfiles -out $sslkeydir/ca.key 1024 else $openssl genrsa -out $sslkeydir/ca.key 1024 fi if [ $? -ne 0 ]; then echo "mkcert.sh:Error: Failed to generate RSA private key" 1>&2 exit 1 fi else if [ ".$randfiles" != . ]; then $openssl dsaparam -rand $randfiles -out $sslprmdir/ca.prm 1024 echo "Generating DSA private key:" (umask 077 $openssl gendsa -rand $randfiles -out $sslkeydir/ca.key $sslprmdir/ca.prm) else $openssl dsaparam -out $sslprmdir/ca.prm 1024 echo "Generating DSA private key:" (umask 077 $openssl gendsa -out $sslkeydir/ca.key $sslprmdir/ca.prm) fi if [ $? -ne 0 ]; then echo "mkcert.sh:Error: Failed to generate DSA private key" 1>&2 exit 1 fi fi echo "______________________________________________________________________" echo "" echo "${T_MD}STEP 2: Generating X.509 certificate signing request for CA [ca.csr]${T_ME}" cat >.mkcert.cfg <<EOT[ req ]default_bits = 1024distinguished_name = req_DN[ req_DN ]countryName = "1. Country Name (2 letter code)"countryName_default = XYcountryName_min = 2countryName_max = 2stateOrProvinceName = "2. State or Province Name (full name) "stateOrProvinceName_default = Snake DesertlocalityName = "3. Locality Name (eg, city) "localityName_default = Snake Town0.organizationName = "4. Organization Name (eg, company) "0.organizationName_default = Snake Oil, LtdorganizationalUnitName = "5. Organizational Unit Name (eg, section) "organizationalUnitName_default = Certificate AuthoritycommonName = "6. Common Name (eg, CA name) "commonName_max = 64commonName_default = Snake Oil CAemailAddress = "7. 
Email Address (eg, name@FQDN)"emailAddress_max = 40emailAddress_default = ca@snakeoil.domEOT $openssl req -config .mkcert.cfg \ -new \ -key $sslkeydir/ca.key \ -out $sslcsrdir/ca.csr if [ $? -ne 0 ]; then echo "mkcert.sh:Error: Failed to generate certificate signing request" 1>&2 exit 1 fi rm -f .mkcert.cfg prompt="8. Certificate Validity (days) [365]:" echo dummy | awk '{ printf("%s", prompt); }' "prompt=$prompt" read days if [ ".$days" = . ]; then days=365 fi echo "______________________________________________________________________" echo "" echo "${T_MD}STEP 3: Generating X.509 certificate for CA signed by itself [ca.crt]${T_ME}" echo dummy | awk '{ printf("%s", prompt); }' "prompt=Certificate Version (1 or 3) [3]:" read certversion extfile="" if [ ".$certversion" = .3 -o ".$certversion" = . ]; then extfile="-extfile .mkcert.cfg" cat >.mkcert.cfg <<EOTextensions = x509v3[ x509v3 ]subjectAltName = email:copybasicConstraints = CA:true,pathlen:0nsComment = "mod_ssl generated custom CA certificate"nsCertType = sslCAEOT fi $openssl x509 $extfile \ -days $days \ -signkey $sslkeydir/ca.key \ -in $sslcsrdir/ca.csr -req \ -out $sslcrtdir/ca.crt if [ $? -ne 0 ]; then echo "mkcert.sh:Error: Failed to generate self-signed CA certificate" 1>&2 exit 1 fi rm -f .mkcert.cfg echo "Verify: matching certificate & key modulus" modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/ca.crt | sed -e 's;.*Modulus=;;'` if [ ".$algo" = .RSA ]; then modkey=`$openssl rsa -noout -modulus -in $sslkeydir/ca.key | sed -e 's;.*Modulus=;;'` else modkey=`$openssl dsa -noout -modulus -in $sslkeydir/ca.key | sed -e 's;.*Key=;;'` fi if [ ".$modcrt" != ".$modkey" ]; then echo "mkcert.sh:Error: Failed to verify modulus on resulting X.509 certificate" 1>&2 exit 1 fi echo "Verify: matching certificate signature" $openssl verify $sslcrtdir/ca.crt if [ $? 
-ne 0 ]; then echo "mkcert.sh:Error: Failed to verify signature on resulting X.509 certificate" 1>&2 exit 1 fi echo "______________________________________________________________________" echo "" echo "${T_MD}STEP 4: Generating $algo private key for SERVER (1024 bit) [server.key]${T_ME}" if [ ".$algo" = .RSA ]; then if [ ".$randfiles" != . ]; then $openssl genrsa -rand $randfiles -out $sslkeydir/server.key 1024 else $openssl genrsa -out $sslkeydir/server.key 1024 fi