
自动创建证书请求

ECC 算法证书请求:

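#!/usr/bin/env bash
#
# Generate an ECC (secp384r1) private key and a PKCS#10 certificate request.
#
# Usage:
#   certRequestCreate.sh country state location organization organizationUnit commonName email [dnsName]
#
# Outputs (current directory):
#   private.pem - unencrypted EC private key
#   client.pem  - certificate signing request
#
# When the optional 8th argument is given it is added as a subjectAltName
# DNS entry through a throw-away config file. The system-wide openssl.cnf
# is never touched (the previous version edited /etc/pki/tls/openssl.cnf in
# place with sed, which needs root and leaves a shared file racy/corrupt if
# two runs overlap or the script dies between the edits).
set -euo pipefail

# Path of the temporary config, if one was created; removed by cleanup.
cfg=""

cleanup() {
  if [[ -n "$cfg" ]]; then
    rm -f -- "$cfg"
  fi
}
trap cleanup EXIT

# Print usage to stderr and exit non-zero (a usage error is an error, the
# old script exited 0 here).
usage() {
  printf '%s\n' "certRequestCreate.sh  country state location organization organizationUnit commonName  email" >&2
  exit 2
}

main() {
  local arg
  # All seven subject fields must be present and non-empty. Checked before
  # any key is generated so a usage error leaves no stray private.pem.
  (( $# >= 7 )) || usage
  for arg in "${@:1:7}"; do
    [[ -n "$arg" ]] || usage
  done

  local subj="/C=$1/ST=$2/L=$3/O=$4/OU=$5/CN=$6/emailAddress=$7"
  local dns=${8:-}

  # No cipher option is given, so the key is written unencrypted; the
  # request step therefore needs no -passin (the old hard-coded
  # "pass:123456" on the command line was never used by OpenSSL).
  openssl ecparam -out private.pem -name secp384r1 -genkey

  if [[ -z "$dns" ]]; then
    openssl req -new -key private.pem -subj "$subj" -out client.pem
    return 0
  fi

  # The DNS name is interpolated into a config file: restrict it to hostname
  # characters (plus '*' for wildcard names) so a newline or '[' cannot add
  # sections or extensions we did not intend.
  local dns_re='^[A-Za-z0-9.*-]+$'
  if ! [[ "$dns" =~ $dns_re ]]; then
    printf 'invalid DNS name for subjectAltName: %s\n' "$dns" >&2
    exit 2
  fi

  cfg=$(mktemp) || exit 1
  # Minimal request config: "req" must name a distinguished_name section
  # even when -subj is used, and [SAN] carries the requested extension.
  cat > "$cfg" <<EOF
[req]
distinguished_name = req_dn

[req_dn]

[SAN]
subjectAltName = DNS:${dns}
EOF

  openssl req -new -key private.pem -subj "$subj" -reqexts SAN -config "$cfg" -out client.pem
}

main "$@"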

RSA 算法证书请求:

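#!/usr/bin/env bash
#
# Generate a 2048-bit RSA private key and a PKCS#10 certificate request.
#
# Usage:
#   certRequestCreate.sh country state location organization organizationUnit commonName email [dnsName]
#
# Outputs (current directory):
#   private.pem - unencrypted RSA private key
#   client.pem  - certificate signing request
#
# The optional 8th argument becomes a subjectAltName DNS entry. It is passed
# through a temporary config file rather than by editing the system-wide
# /etc/pki/tls/openssl.cnf with sed as the previous version did (root-only,
# and a crash between the edits corrupts a file every other tool uses).
#
# The previous version also passed "-extensions v3_ca" when creating the
# request. In a stock openssl.cnf that section asks for basicConstraints
# CA:true, which a leaf/client request should not carry, and the signing CA
# decides the final extensions anyway, so it is dropped here.
set -euo pipefail

# Temporary config path (empty until created); removed on exit.
cfg=""

cleanup() {
  if [[ -n "$cfg" ]]; then
    rm -f -- "$cfg"
  fi
}
trap cleanup EXIT

# Usage goes to stderr with a non-zero status (the old script exited 0).
usage() {
  printf '%s\n' "certRequestCreate.sh  country state location organization organizationUnit commonName  email" >&2
  exit 2
}

# Validate the optional subjectAltName value before it is written into a
# config file: hostname characters and '*' only, so no newline/'[' can
# smuggle extra config lines in.
check_dns_name() {
  local candidate=$1
  local pattern='^[A-Za-z0-9.*-]+$'
  if ! [[ "$candidate" =~ $pattern ]]; then
    printf 'invalid DNS name for subjectAltName: %s\n' "$candidate" >&2
    exit 2
  fi
}

main() {
  local field
  # Seven non-empty subject fields are required; verified before key
  # generation so a usage error produces no private.pem.
  (( $# >= 7 )) || usage
  for field in "${@:1:7}"; do
    [[ -n "$field" ]] || usage
  done

  local subject="/C=$1/ST=$2/L=$3/O=$4/OU=$5/CN=$6/emailAddress=$7"
  local san_dns=${8:-}

  # genrsa without a cipher option writes the key unencrypted, so no
  # -passin is needed (the old "pass:123456" on argv did nothing).
  openssl genrsa -out private.pem 2048

  if [[ -z "$san_dns" ]]; then
    openssl req -new -key private.pem -subj "$subject" -out client.pem
    return 0
  fi

  check_dns_name "$san_dns"

  cfg=$(mktemp) || exit 1
  # openssl req insists on a distinguished_name section even with -subj;
  # [SAN] is the section selected by -reqexts.
  cat > "$cfg" <<EOF
[req]
distinguished_name = req_dn

[req_dn]

[SAN]
subjectAltName = DNS:${san_dns}
EOF

  openssl req -new -key private.pem -subj "$subject" -reqexts SAN -config "$cfg" -out client.pem
}

main "$@"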

生成 CA 证书并签名子证书

方法一

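# Create the CA working directory; stop if we cannot enter it, otherwise the
# files below would be created in the wrong place.
mkdir gordonca && cd gordonca || exit 1
mkdir certs private
chmod 700 private        # the CA private key will live here: owner-only access

touch index.txt          # certificate database used by "openssl ca" (starts empty)
echo 01 > serial         # serial number of the first certificate to be issued
touch openssl.conf       # CA configuration, filled in below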

打开并修改openssl.conf文件:

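[ ca ]
default_ca = gordonca    # name of the CA section used by "openssl ca"

[ gordonca ]
dir = .
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial

default_crl_days = 7     # publish a new CRL every 7 days
default_days = 365       # validity of issued certificates: 1 year
default_md = sha256      # signature hash; SHA-1 signatures are rejected by current TLS clients

policy = gordonca_policy
x509_extensions = certificate_extensions

[ gordonca_policy ]      # which subject fields a request must/may carry
commonName = supplied
stateOrProvinceName = optional
countryName = optional
emailAddress = optional
organizationName = optional
organizationalUnitName = optional

[ certificate_extensions ]    # default extensions for issued certificates
                              # (overridden per request with "openssl ca -extensions ...")
basicConstraints = CA:false   # certificates issued by this CA cannot themselves act as a CA

[ req ]
dir = .
default_bits = 2048
default_keyfile = $dir/private/cakey.pem
default_md = sha256      # same reasoning as above: do not self-sign the root with SHA-1
prompt = yes
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions

[ root_ca_distinguished_name ]
commonName = hostname

[ root_ca_extensions ]
basicConstraints = critical, CA:true    # RFC 5280 requires this extension to be critical on a CA
keyUsage = keyCertSign, cRLSign

[ client_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature
extendedKeyUsage = 1.3.6.1.5.5.7.3.2    # id-kp-clientAuth

[ server_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment    # keyEncipherment is needed for RSA key-exchange cipher suites
extendedKeyUsage = 1.3.6.1.5.5.7.3.1    # id-kp-serverAuth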















生成根证书:

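# Creates the CA private key at ./private/cakey.pem (default_keyfile in
# openssl.conf) and the self-signed PEM certificate ./cacert.pem.
# -nodes leaves the CA key unencrypted on disk; rely on the chmod 700 of
# private/, or drop -nodes to protect the key with a passphrase.
# ("//" is not a shell comment; the previous listing would have failed if pasted.)
openssl req -x509 -config openssl.conf -newkey rsa:2048 -days 365 -out cacert.pem -outform PEM -subj /CN=GORDONCA/ -nodes

# Export a DER-encoded copy of the certificate: ./cacert.cer
openssl x509 -in cacert.pem -out cacert.cer -outform DER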

生成服务器端证书:

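cd ..
mkdir server && cd server || exit 1
# Server private key
openssl genrsa -out key.pem 2048
# Certificate request. The subject is quoted so a hostname with unusual
# characters stays one argument; -nodes is dropped because it only affects
# key generation and no key is generated here (-key reuses key.pem).
openssl req -new -key key.pem -out req.pem -outform PEM -subj "/CN=$(hostname)/O=server/"

# Sign the request with the CA using the server extension profile.
cd ../gordonca/ || exit 1
openssl ca -config openssl.conf -in ../server/req.pem -out ../server/cert.pem -notext -batch -extensions server_ca_extensions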

生成客户端证书:

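cd ..
mkdir client && cd client || exit 1
# Client private key
openssl genrsa -out key.pem 2048
# Certificate request (subject quoted; -nodes omitted since no key is
# generated by this command).
openssl req -new -key key.pem -out req.pem -outform PEM -subj "/CN=$(hostname)/O=client/"

# Sign the request with the CA using the client extension profile.
cd ../gordonca/ || exit 1
openssl ca -config openssl.conf -in ../client/req.pem -out ../client/cert.pem -notext -batch -extensions client_ca_extensions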
