openssl实现证书颁发和吊销-脚本

 

/etc/pki/tls/certs
[root@centos7 certs]# make

[root@centos7 certs]# cat Makefile |grep 128
    /usr/bin/openssl genrsa -aes128 $(KEYLEN) > $@

make /data2/chuan.key

[root@centos7 certs]# make /data2/ge.crt
umask 77 ; \
/usr/bin/openssl genrsa  2048 > /data2/ge.key
Generating RSA private key, 2048 bit long modulus
..............................................+++
..+++
e is 65537 (0x10001)
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key /data2/ge.key -x509 -days 365 -out /data2/ge.crt 
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:zhengfu
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:www.chuan.com
Email Address []:

 

[root@centos7 certs]# cat Makefile 
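# Settings shared by every "openssl req"/"genrsa" recipe below.
# UTF8: pass -utf8 to "openssl req" only when the current locale is UTF-8.
# The regex is quoted so the shell can never glob-expand it against files in
# the current directory (unquoted "charmap.*UTF-8" is a valid glob pattern).
UTF8 := $(shell locale -c LC_CTYPE -k | grep -q 'charmap.*UTF-8' && echo -utf8)
# Tunable from the command line, e.g. "make server.crt DAYS=600 KEYLEN=4096"
DAYS=36000
KEYLEN=2048
TYPE=rsa:$(KEYLEN)
# Extra options appended to "openssl req" for the .crt and .pem targets
EXTRA_FLAGS=
# SERIAL=num pins the certificate serial instead of the random default
ifdef SERIAL
    EXTRA_FLAGS+=-set_serial $(SERIAL)
endif

.PHONY: usage
.SUFFIXES: .key .csr .crt .pem
# Keys, CSRs and certificates are never removed as intermediate files.
# .PRECIOUS also keeps a partially written target when a recipe fails or make
# is interrupted, so a truncated .key/.crt then looks "up to date" — delete
# the file before rerunning if a recipe aborted.
.PRECIOUS: %.key %.csr %.crt %.pem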

# Quick-start help; this is the first rule, so it is the default goal.
# One printf in a single shell instead of one echo per line — the printed
# text is unchanged.
usage:
	@printf '%s\n' \
	  'This makefile allows you to create:' \
	  '  o public/private key pairs' \
	  '  o SSL certificate signing requests (CSRs)' \
	  '  o self-signed SSL test certificates' \
	  '' \
	  'To create a key pair, run "make SOMETHING.key".' \
	  'To create a CSR, run "make SOMETHING.csr".' \
	  'To create a test certificate, run "make SOMETHING.crt".' \
	  'To create a key and a test certificate in one file, run "make SOMETHING.pem".' \
	  '' \
	  'To create a key for use with Apache, run "make genkey".' \
	  'To create a CSR for use with Apache, run "make certreq".' \
	  'To create a test certificate for use with Apache, run "make testcert".' \
	  '' \
	  'To create a test certificate with serial number other than random, add SERIAL=num' \
	  'You can also specify key length with KEYLEN=n and expiration in days with DAYS=n' \
	  'Any additional options can be passed to openssl req via EXTRA_FLAGS' \
	  '' \
	  'Examples:' \
	  '  make server.key' \
	  '  make server.csr' \
	  '  make server.crt' \
	  '  make stunnel.pem' \
	  '  make genkey' \
	  '  make certreq' \
	  '  make testcert' \
	  '  make server.crt SERIAL=1' \
	  '  make stunnel.pem EXTRA_FLAGS=-sha384' \
	  '  make testcert DAYS=600'

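# Key and self-signed certificate in one file (stunnel style).
# The key (-nodes: stored unencrypted) and the certificate go into 0600 temp
# files, are concatenated into $@.tmp and renamed into place only when every
# step succeeded. The original chained the steps with ";", so a failed
# "openssl req" still produced an (empty) $@ with exit status 0, which
# .PRECIOUS then kept as a seemingly built target.
%.pem:
	umask 77 ; \
	PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` && \
	PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` && \
	/usr/bin/openssl req $(UTF8) -newkey $(TYPE) -keyout $$PEM1 -nodes -x509 -days $(DAYS) -out $$PEM2 $(EXTRA_FLAGS) && \
	cat $$PEM1 >  $@.tmp && \
	echo ""    >> $@.tmp && \
	cat $$PEM2 >> $@.tmp && \
	mv -f $@.tmp $@ ; \
	status=$$? ; \
	$(RM) $$PEM1 $$PEM2 $@.tmp ; \
	exit $$status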

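# RSA private key of $(KEYLEN) bits. It is written unencrypted (no
# -aes128/-des3 cipher option), so the 0600 mode from "umask 77" is its only
# protection. The key goes to $@.tmp first and is renamed on success: with a
# plain "> $@" a failed genrsa left an empty $@ behind, which .PRECIOUS keeps
# and make then treats as already built.
%.key:
	umask 77 ; \
	/usr/bin/openssl genrsa $(KEYLEN) > $@.tmp && mv -f $@.tmp $@ || { $(RM) $@.tmp ; exit 1 ; }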

# Certificate signing request for %.key (the key is generated first if
# missing). Prompts interactively for the DN fields.
%.csr: %.key
	umask 077 ; \
	/usr/bin/openssl req $(UTF8) -new -key $< -out $@

# Self-signed certificate for %.key, valid $(DAYS) days. The default of 36000
# days is roughly 98 years — acceptable for a throwaway test cert only.
# EXTRA_FLAGS (e.g. -set_serial from SERIAL=num) is passed through unchanged.
%.crt: %.key
	umask 077 ; \
	/usr/bin/openssl req $(UTF8) -new -x509 -key $< -days $(DAYS) -out $@ $(EXTRA_FLAGS)

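# Fixed paths for the Apache convenience targets
TLSROOT := /etc/pki/tls
KEY := $(TLSROOT)/private/localhost.key
CSR := $(TLSROOT)/certs/localhost.csr
CRT := $(TLSROOT)/certs/localhost.crt

# genkey/certreq/testcert are aliases, not files: declared phony so that a
# stray file named "genkey" (etc.) in the working directory cannot turn the
# alias into a silent no-op.
.PHONY: genkey certreq testcert
genkey: $(KEY)
certreq: $(CSR)
testcert: $(CRT)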

# Apache CSR: the %.csr recipe with the fixed $(KEY)/$(CSR) paths, written
# with the automatic variables instead of repeating the names.
$(CSR): $(KEY)
	umask 077 ; \
	/usr/bin/openssl req $(UTF8) -new -key $< -out $@

# Apache self-signed test certificate: the %.crt recipe with the fixed
# $(KEY)/$(CRT) paths, written with the automatic variables.
$(CRT): $(KEY)
	umask 077 ; \
	/usr/bin/openssl req $(UTF8) -new -x509 -key $< -days $(DAYS) -out $@ $(EXTRA_FLAGS)

 

[root@localhost CA]# cat certificate6.sh 
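#!/bin/bash
# Build a small private CA (entry 0 of CERT_INFO, self-signed) and issue one
# leaf certificate per remaining entry, signed by that CA. Everything is
# written into $DIR.

# Directory the keys, CSRs and certificates are stored in
DIR=/data

# Per-certificate settings, indexed by suffix 0..N-1:
#   subjectN  DN handed to -subj          keyN     RSA key length in bits
#   keyfileN  private key output file     expireN  validity in days
#   crtfileN  certificate output file     serialN  certificate serial number
#   csrfileN  CSR output file (CA-signed entries only)
# NOTE(review): RFC 5280 requires a positive serial number; serial 0 on the
# CA certificate may be rejected by strict validators.
declare -A CERT_INFO
CERT_INFO=([subject0]="/O=heaven/CN=ca.god.com" \
           [keyfile0]="cakey.pem" \
           [crtfile0]="cacert.pem" \
           [key0]=2048 \
           [expire0]=36000 \
           [serial0]=0    \
           [subject1]="/C=CN/ST=beijing/L=haidian/O=Central.Hospital/CN=master.chuan.org" \
           [keyfile1]="master.key" \
           [crtfile1]="master.crt" \
           [key1]=2048 \
           [expire1]=36000 \
           [serial1]=1 \
           [csrfile1]="master.csr" \
           [subject2]="/C=CN/ST=beijing/L=zhaoyang/O=Central.Hospital/CN=slave.chuan.org" \
           [keyfile2]="slave.key" \
           [crtfile2]="slave.crt" \
           [key2]=2048 \
           [expire2]=36000 \
           [serial2]=2 \
           [csrfile2]="slave.csr"   )

COLOR="echo -e \\E[1;32m"
END="\\E[0m"

# Number of certificates to produce: one per subjectN key
N=$(printf '%s\n' "${!CERT_INFO[@]}" | grep -c '^subject')

# Every private key is created with mode 0600 from the start. This also
# covers cakey.pem, which the final "chmod 600 *.key" of the original script
# never matched. All keys are stored unencrypted (-nodes), so the file mode
# is their only protection.
umask 077

# Abort instead of silently generating everything in the current directory
cd "$DIR" || { echo "cannot cd to $DIR" >&2; exit 1; }

for ((i = 0; i < N; i++)); do
    bits=${CERT_INFO[key${i}]}
    subject=${CERT_INFO[subject${i}]}
    serial=${CERT_INFO[serial${i}]}
    keyfile=${CERT_INFO[keyfile${i}]}
    crtfile=${CERT_INFO[crtfile${i}]}
    days=${CERT_INFO[expire${i}]}
    if [ "$i" -eq 0 ]; then
        # Self-signed CA certificate and its key. openssl output stays
        # suppressed as before, but a failure now stops the script instead of
        # going on to print a nonexistent certificate.
        openssl req -x509 -newkey "rsa:${bits}" -subj "$subject" \
            -set_serial "$serial" -keyout "$keyfile" -nodes \
            -days "$days" -out "$crtfile" &>/dev/null \
            || { echo "failed to create CA certificate $crtfile" >&2; exit 1; }
    else
        csrfile=${CERT_INFO[csrfile${i}]}
        # Key and CSR for the leaf certificate
        openssl req -newkey "rsa:${bits}" -nodes -subj "$subject" \
            -keyout "$keyfile" -out "$csrfile" &>/dev/null \
            || { echo "failed to create CSR $csrfile" >&2; exit 1; }
        # Sign with the CA from entry 0. No extension file is given, so the
        # issued certificate carries no extensions (no subjectAltName) —
        # fine for a lab, but modern TLS clients expect a SAN.
        openssl x509 -req -in "$csrfile" -CA "${CERT_INFO[crtfile0]}" \
            -CAkey "${CERT_INFO[keyfile0]}" -set_serial "$serial" \
            -days "$days" -out "$crtfile" &>/dev/null \
            || { echo "failed to sign certificate $crtfile" >&2; exit 1; }
    fi
    $COLOR"**************************************生成证书信息**************************************"$END
    openssl x509 -in "$crtfile" -noout -subject -dates -serial
    echo
done

# Belt and braces: tighten every key file named in CERT_INFO, not just *.key
for ((i = 0; i < N; i++)); do
    chmod 600 "${CERT_INFO[keyfile${i}]}"
done
echo  "证书生成完成"
$COLOR"**************************************生成证书文件如下**************************************"$END
echo "证书存放目录: "$DIR
echo "证书文件列表: "$(ls "$DIR")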

 
