ssl_生成双向验证证书.sh
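#!/bin/bash
#
# Builds a throw-away private CA under /etc/nginx/ssl and uses it to issue one
# server certificate and one client certificate for nginx mutual (two-way) TLS.
# Also produces dhparam.pem, tls_session_ticket.key and a client.p12 bundle.
#
# Must run as a user that can write /etc/nginx/ssl and /etc/pki/CA.
# WARNING: the existing /etc/nginx/ssl directory and the openssl CA database
# files under /etc/pki/CA (index.txt, serial, newcerts) are deleted and rebuilt.

set -euo pipefail

# Private keys are written below; keep every new file/dir owner-only.
umask 077

# -s: do not echo the passphrase to the terminal; -r: keep backslashes literal.
read -r -s -p "请输入证书密码,并记住该密码,之后的步骤和客户端导入证书都需要输入该密码:" PASSWORD
echo
if [[ -z "$PASSWORD" ]]; then
  echo "passphrase must not be empty" >&2
  exit 1
fi
# openssl reads the passphrase via env:PASSWORD so it never appears in the
# process argument list (pass:... on argv is visible to other users via ps).
export PASSWORD

NAME=xxxx.com   # domain name (certificate CN)
DEPT=yunwei     # department (OU)
COMPANY=youai   # company (O)
CITY=GZ         # city (L)
PROVINCE=GD     # province (ST)
COUNTRY=CN      # country (C)
# NOTE(review): the CA, server and client certificates all share this one
# subject DN. Issued certs then have issuer == subject, which some verifiers
# treat as self-signed, and the client cert carries no distinct identity for
# nginx to authorise on. Consider a separate CN per role - confirm with users.
SUBJ="/C=$COUNTRY/ST=$PROVINCE/L=$CITY/O=$COMPANY/OU=$DEPT/CN=$NAME"

SSL_DIR=/etc/nginx/ssl

# Destroys any previously issued keys/certs before starting over.
/bin/rm -rf -- "$SSL_DIR"
mkdir -p -- "$SSL_DIR"
# Stop if we are not in the target directory; everything below writes
# key material using relative paths.
cd -- "$SSL_DIR" || exit 1

#1 server private key
echo "生成服务器端的私钥"
# Passphrase supplied explicitly so it is guaranteed to match $PASSWORD
# (an interactive prompt could be answered with a different value).
openssl genrsa -aes256 -passout env:PASSWORD -out server.key 2048
echo "去除server.key文件口令"
# nginx needs to load the key unattended, so the passphrase is stripped.
openssl rsa -in server.key -passin env:PASSWORD -out server.key

#2 server CSR (validity is set when the CA signs, not on the request)
echo "用server.key生成证书"
openssl req -new -key server.key -out server.csr -subj "$SUBJ"

#3 client private key (stays encrypted) and client CSR
echo "生成客户端私钥"
openssl genrsa -aes256 -passout env:PASSWORD -out client.key 2048
echo "使用client.key生成客户端证书"
openssl req -new -key client.key -out client.csr -subj "$SUBJ" -passin env:PASSWORD

#4 self-signed CA certificate with a freshly generated, encrypted CA key
echo "生成CA证书"
# NOTE(review): ca.key is left next to the server key in the web server's
# config directory; anyone who obtains it and the passphrase can mint client
# certificates. Move it off the host once signing is done.
openssl req -new -x509 -keyout ca.key -out ca.crt -days 3650 -subj "$SUBJ" -passout env:PASSWORD

#5.0 `openssl ca` keeps its database in the dir configured in openssl.cnf
# Single grep (no pipe) so pipefail cannot misreport an early-exiting grep -q.
if ! grep -Eq '^dir.*/etc/pki/CA' /etc/pki/tls/openssl.cnf; then
  echo "请在/etc/pki/tls/openssl.cnf修改dir = /etc/pki/CA" >&2
  exit 2
fi
# Reset the CA database: empty index, serial restarting at 01, empty newcerts.
/bin/rm -rf /etc/pki/CA/index.txt && touch /etc/pki/CA/index.txt
echo 01 > /etc/pki/CA/serial
/bin/rm -rf /etc/pki/CA/newcerts && mkdir /etc/pki/CA/newcerts
# Required because server and client requests use the same subject DN.
echo "unique_subject = no" > /etc/pki/CA/index.txt.attr

#5 sign the server CSR (openssl ca asks for confirmation interactively)
echo "用生成的CA的证书为server.csr签名"
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -days 3650 -passin env:PASSWORD

#6 sign the client CSR
echo "用生成的CA的证书为client.crt签名"
openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -days 3650 -passin env:PASSWORD

#7 a failed verification now aborts the script because of set -e
echo "验证client证书"
openssl verify -CAfile ca.crt client.crt

#8 DH parameters (4096-bit generation can take a long time) and 48 random
#  bytes for the session-ticket key
echo "生成nginx需要的dbparam.pem和tls_session_ticket.key"
openssl dhparam -out dhparam.pem 4096
openssl rand 48 > tls_session_ticket.key

#9 PKCS#12 bundle for importing the client cert + key on Windows; the export
#  passphrase is the same $PASSWORD the user was told to remember.
echo "生成windows端证书"
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12 \
  -passin env:PASSWORD -passout env:PASSWORD
echo "将client.p12导入个人电脑"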
本文来自博客园,作者:chenjianwen,转载请注明原文链接:https://www.cnblogs.com/chenjw-note/articles/10929823.html
