
📄 mkcert.sh

📁 mod_ssl-2.8.31-1.3.41.tar.gz 好用的ssl工具
            if [ $? -ne 0 ]; then                echo "mkcert.sh:Error: Failed to generate RSA private key" 1>&2                exit 1            fi        else            if [ ".$randfiles" != . ]; then                (umask 077                 $openssl gendsa -rand $randfiles \                                 -out $sslkeydir/server.key $sslprmdir/ca.prm)            else                (umask 077                 $openssl gendsa -out $sslkeydir/server.key $sslprmdir/ca.prm)            fi            if [ $? -ne 0 ]; then                echo "mkcert.sh:Error: Failed to generate DSA private key" 1>&2                exit 1            fi        fi        echo "______________________________________________________________________"        echo ""        echo "${T_MD}STEP 5: Generating X.509 certificate signing request for SERVER [server.csr]${T_ME}"        cat >.mkcert.cfg <<EOT[ req ]default_bits                    = 1024distinguished_name              = req_DN[ req_DN ]countryName                     = "1. Country Name             (2 letter code)"countryName_default             = XYcountryName_min                 = 2countryName_max                 = 2stateOrProvinceName             = "2. State or Province Name   (full name)    "stateOrProvinceName_default     = Snake DesertlocalityName                    = "3. Locality Name            (eg, city)     "localityName_default            = Snake Town0.organizationName              = "4. Organization Name        (eg, company)  "0.organizationName_default      = Snake Oil, LtdorganizationalUnitName          = "5. Organizational Unit Name (eg, section)  "organizationalUnitName_default  = Webserver TeamcommonName                      = "6. Common Name              (eg, FQDN)     "commonName_max                  = 64commonName_default              = www.snakeoil.domemailAddress                    = "7. 
Email Address            (eg, name@fqdn)"emailAddress_max                = 40emailAddress_default            = www@snakeoil.domEOT        $openssl req -config .mkcert.cfg \                     -new \                     -key $sslkeydir/server.key \                     -out $sslcsrdir/server.csr        if [ $? -ne 0 ]; then            echo "mkcert.sh:Error: Failed to generate certificate signing request" 1>&2            exit 1        fi        rm -f .mkcert.cfg        prompt="8. Certificate Validity     (days)          [365]:"        echo dummy | awk '{ printf("%s", prompt); }' "prompt=$prompt"        read days        if [ ".$days" = . ]; then            days=365        fi        echo "______________________________________________________________________"        echo ""        echo "${T_MD}STEP 6: Generating X.509 certificate signed by own CA [server.crt]${T_ME}"        echo dummy | awk '{ printf("%s", prompt); }' "prompt=Certificate Version (1 or 3) [3]:"        read certversion        extfile=""        if [ ".$certversion" = .3 -o ".$certversion" = . ]; then            extfile="-extfile .mkcert.cfg"            cat >.mkcert.cfg <<EOTextensions = x509v3[ x509v3 ]subjectAltName   = email:copynsComment        = "mod_ssl generated custom server certificate"nsCertType       = serverEOT        fi        if [ ! -f .mkcert.serial ]; then            echo '01' >.mkcert.serial        fi        $openssl x509 $extfile \                      -days $days \                      -CAserial .mkcert.serial \                      -CA    $sslcrtdir/ca.crt \                      -CAkey $sslkeydir/ca.key \                      -in    $sslcsrdir/server.csr -req \                      -out   $sslcrtdir/server.crt        if [ $? 
-ne 0 ]; then            echo "mkcert.sh:Error: Failed to generate X.509 certificate" 1>&2            exit 1        fi        rm -f .mkcert.cfg        echo "Verify: matching certificate & key modulus"        modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/server.crt | sed -e 's;.*Modulus=;;'`        if [ ".$algo" = .RSA ]; then            modkey=`$openssl rsa -noout -modulus -in $sslkeydir/server.key | sed -e 's;.*Modulus=;;'`        else            modkey=`$openssl dsa -noout -modulus -in $sslkeydir/server.key | sed -e 's;.*Key=;;'`        fi        if [ ".$modcrt" != ".$modkey" ]; then            echo "mkcert.sh:Error: Failed to verify modulus on resulting X.509 certificate" 1>&2            exit 1        fi        echo "Verify: matching certificate signature"        $openssl verify -CAfile $sslcrtdir/ca.crt $sslcrtdir/server.crt        if [ $? -ne 0 ]; then            echo "mkcert.sh:Error: Failed to verify signature on resulting X.509 certificate" 1>&2            exit 1        fi        echo "______________________________________________________________________"        echo ""        echo "${T_MD}STEP 7: Enrypting $algo private key of CA with a pass phrase for security [ca.key]${T_ME}"        echo "The contents of the ca.key file (the generated private key) has to be"        echo "kept secret. So we strongly recommend you to encrypt the server.key file"        echo "with a Triple-DES cipher and a Pass Phrase."        while [ 1 ]; do            echo dummy | awk '{ printf("Encrypt the private key now? [Y/n]: "); }'            read rc            if [ ".$rc" = .n -o  ".$rc" = .N ]; then                rc="n"                break            fi            if [ ".$rc" = .y -o  ".$rc" = .Y -o ".$rc" = . 
]; then                rc="y"                break            fi        done        if [ ".$rc" = .y ]; then            if [ ".$algo" = .RSA ]; then                (umask 077                 $openssl rsa -des3 \                              -in  $sslkeydir/ca.key \                              -out $sslkeydir/ca.key.crypt)            else                (umask 077                 $openssl dsa -des3 \                              -in  $sslkeydir/ca.key \                              -out $sslkeydir/ca.key.crypt)            fi            if [ $? -ne 0 ]; then                echo "mkcert.sh:Error: Failed to encrypt $algo private key" 1>&2                exit 1            fi            (umask 077; cp $sslkeydir/ca.key.crypt $sslkeydir/ca.key)            rm -f $sslkeydir/ca.key.crypt            echo "Fine, you're using an encrypted private key."        else            echo "Warning, you're using an unencrypted private key."            echo "Please notice this fact and do this on your own risk."        fi        echo "______________________________________________________________________"        echo ""        echo "${T_MD}STEP 8: Enrypting $algo private key of SERVER with a pass phrase for security [server.key]${T_ME}"        echo "The contents of the server.key file (the generated private key) has to be"        echo "kept secret. So we strongly recommend you to encrypt the server.key file"        echo "with a Triple-DES cipher and a Pass Phrase."        while [ 1 ]; do            echo dummy | awk '{ printf("Encrypt the private key now? [Y/n]: "); }'            read rc            if [ ".$rc" = .n -o  ".$rc" = .N ]; then                rc="n"                break            fi            if [ ".$rc" = .y -o  ".$rc" = .Y -o ".$rc" = . 
]; then                rc="y"                break            fi        done        if [ ".$rc" = .y ]; then            if [ ".$algo" = .RSA ]; then                (umask 077                 $openssl rsa -des3 \                              -in  $sslkeydir/server.key \                              -out $sslkeydir/server.key.crypt)            else                (umask 077                 $openssl dsa -des3 \                              -in  $sslkeydir/server.key \                              -out $sslkeydir/server.key.crypt)            fi            if [ $? -ne 0 ]; then                echo "mkcert.sh:Error: Failed to encrypt $algo private key" 1>&2                exit 1            fi            (umask 077; cp $sslkeydir/server.key.crypt $sslkeydir/server.key)            rm -f $sslkeydir/server.key.crypt            echo "Fine, you're using an encrypted $algo private key."        else            echo "Warning, you're using an unencrypted $algo private key."            echo "Please notice this fact and do this on your own risk."        fi        echo "______________________________________________________________________"        echo ""        echo "${T_MD}RESULT: CA and Server Certification Files${T_ME}"        echo ""        echo "o  ${T_MD}conf/ssl.key/ca.key${T_ME}"        echo "   The PEM-encoded $algo private key file of the CA which you can"        echo "   use to sign other servers or clients. ${T_MD}KEEP THIS FILE PRIVATE!${T_ME}"        echo ""        echo "o  ${T_MD}conf/ssl.crt/ca.crt${T_ME}"        echo "   The PEM-encoded X.509 certificate file of the CA which you use to"        echo "   sign other servers or clients. When you sign clients with it (for"        echo "   SSL client authentication) you can configure this file with the"        echo "   'SSLCACertificateFile' directive."        
echo ""        echo "o  ${T_MD}conf/ssl.key/server.key${T_ME}"        echo "   The PEM-encoded $algo private key file of the server which you configure"        echo "   with the 'SSLCertificateKeyFile' directive (automatically done"        echo "   when you install via APACI). ${T_MD}KEEP THIS FILE PRIVATE!${T_ME}"        echo ""        echo "o  ${T_MD}conf/ssl.crt/server.crt${T_ME}"        echo "   The PEM-encoded X.509 certificate file of the server which you configure"        echo "   with the 'SSLCertificateFile' directive (automatically done"        echo "   when you install via APACI)."        echo ""        echo "o  ${T_MD}conf/ssl.csr/server.csr${T_ME}"        echo "   The PEM-encoded X.509 certificate signing request of the server file which"         echo "   you can send to an official Certificate Authority (CA) in order"        echo "   to request a real server certificate (signed by this CA instead"        echo "   of our own CA) which later can replace the conf/ssl.crt/server.crt"        echo "   file."        echo ""        echo "Congratulations that you establish your server with real certificates."        echo ""        ;;    existing)        echo ""        echo "${T_MD}Using existing custom certificate [EXISTING]${T_ME}"        echo "______________________________________________________________________"        echo ""        if [ ".$crt" = . ]; then            echo "mkcert.sh: No certificate file given" 1>&2            exit 1        fi        if [ ! -f "$crt" ]; then            echo "mkcert.sh: Cannot find certificate file: $crt" 1>&2            exit 1        fi        if [ ".$key" != . ]; then            if [ ! 
-f "$key" ]; then                echo "mkcert.sh: Cannot find private key file: $key" 1>&2                exit 1            fi            cp $crt $sslcrtdir/server.crt            (umask 077; cp $key $sslkeydir/server.key)        else            key=$crt            umask 077            touch $sslkeydir/server.key            sed -e '/-----BEGIN CERTIFICATE/,/-----END CERTIFICATE/p' -e '/.*/d' \                <$crt >$sslcrtdir/server.crt            sed -e '/-----BEGIN ... PRIVATE KEY/,/-----END ... PRIVATE KEY/p' -e '/.*/d' \                <$key >$sslkeydir/server.key        fi        $openssl x509 -noout -in $sslcrtdir/server.crt        if [ $? -ne 0 ]; then            echo "mkcert.sh:Error: Failed to check certificate contents: $crt" 1>&2            exit 1        fi        if [ ".`grep 'PRIVATE KEY' $sslkeydir/server.key | grep RSA`" != . ]; then            algo=RSA        else            algo=DSA        fi        echo "${T_MD}RESULT: Server Certification Files${T_ME}"        echo ""        echo "o  ${T_MD}conf/ssl.key/server.key${T_ME}"        echo "   The PEM-encoded $algo private key file which you configure"        echo "   with the 'SSLCertificateKeyFile' directive (automatically done"        echo "   when you install via APACI). ${T_MD}KEEP THIS FILE PRIVATE!${T_ME}"        echo ""        echo "o  ${T_MD}conf/ssl.crt/server.crt${T_ME}"        echo "   The PEM-encoded X.509 certificate file which you configure"        echo "   with the 'SSLCertificateFile' directive (automatically done"        echo "   when you install via APACI)."        echo ""        echo "Congratulations that you establish your server with real certificates."        echo ""        ;;esac##EOF##
