openssl实现证书颁发和吊销-脚本
/etc/pki/tls/certs
[root@centos7 certs]# make
[root@centos7 certs]# cat Makefile |grep 128
/usr/bin/openssl genrsa -aes128 $(KEYLEN) > $@
make /data2/chuan.key
[root@centos7 certs]# make /data2/ge.crt umask 77 ; \ /usr/bin/openssl genrsa 2048 > /data2/ge.key Generating RSA private key, 2048 bit long modulus ..............................................+++ ..+++ e is 65537 (0x10001) umask 77 ; \ /usr/bin/openssl req -utf8 -new -key /data2/ge.key -x509 -days 365 -out /data2/ge.crt You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:beijing Locality Name (eg, city) [Default City]:beijing Organization Name (eg, company) [Default Company Ltd]:zhengfu Organizational Unit Name (eg, section) []:devops Common Name (eg, your name or your server's hostname) []:www.chuan.com Email Address []:
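# [root@centos7 certs]# cat Makefile
#
# Helper makefile for producing RSA keys, certificate signing requests and
# self-signed test certificates with openssl (the layout of the stock
# /etc/pki/tls/certs/Makefile on CentOS 7).
#
# Tunables (override on the command line, e.g. "make server.crt DAYS=365"):
#   KEYLEN       RSA modulus length in bits
#   DAYS         validity period of self-signed certificates, in days
#   SERIAL       fixed serial number instead of openssl's random one
#   EXTRA_FLAGS  extra options passed verbatim to "openssl req"
#
# Private keys are written unencrypted ("genrsa" without a cipher, "req
# -nodes") and are protected only by the "umask 77" at the start of every
# recipe, i.e. the files come out mode 0600 owned by the invoking user.

# Pass -utf8 to "openssl req" when the current locale uses UTF-8 so that
# non-ASCII DN fields entered at the prompts are encoded correctly.
UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)
DAYS=36000
KEYLEN=2048
TYPE=rsa:$(KEYLEN)
EXTRA_FLAGS=
ifdef SERIAL
EXTRA_FLAGS+=-set_serial $(SERIAL)
endif

.PHONY: usage
.SUFFIXES: .key .csr .crt .pem
# Keep generated files even when they are only intermediates (the .key built
# on the way to a .crt) or when make is interrupted. This also keeps a target
# whose recipe failed, which is why the recipes below clean up their own
# partial output instead of relying on make to do it.
.PRECIOUS: %.key %.csr %.crt %.pem

usage:
	@echo "This makefile allows you to create:"
	@echo "  o public/private key pairs"
	@echo "  o SSL certificate signing requests (CSRs)"
	@echo "  o self-signed SSL test certificates"
	@echo
	@echo "To create a key pair, run \"make SOMETHING.key\"."
	@echo "To create a CSR, run \"make SOMETHING.csr\"."
	@echo "To create a test certificate, run \"make SOMETHING.crt\"."
	@echo "To create a key and a test certificate in one file, run \"make SOMETHING.pem\"."
	@echo
	@echo "To create a key for use with Apache, run \"make genkey\"."
	@echo "To create a CSR for use with Apache, run \"make certreq\"."
	@echo "To create a test certificate for use with Apache, run \"make testcert\"."
	@echo
	@echo "To create a test certificate with serial number other than random, add SERIAL=num"
	@echo "You can also specify key length with KEYLEN=n and expiration in days with DAYS=n"
	@echo "Any additional options can be passed to openssl req via EXTRA_FLAGS"
	@echo
	@echo Examples:
	@echo "  make server.key"
	@echo "  make server.csr"
	@echo "  make server.crt"
	@echo "  make stunnel.pem"
	@echo "  make genkey"
	@echo "  make certreq"
	@echo "  make testcert"
	@echo "  make server.crt SERIAL=1"
	@echo "  make stunnel.pem EXTRA_FLAGS=-sha384"
	@echo "  make testcert DAYS=600"

# Private key and self-signed certificate concatenated into one file
# (stunnel style). The steps are chained with && so that a failed openssl
# run neither creates a truncated $@ nor reports success: in the original
# ";"-chained form the recipe's exit status was that of the final rm. The
# EXIT trap removes the temporary files on every exit path, including the
# failure ones, and is installed before mktemp so nothing can leak.
%.pem:
	umask 77 && \
	trap '$(RM) $$PEM1 $$PEM2' EXIT && \
	PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` && \
	PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` && \
	/usr/bin/openssl req $(UTF8) -newkey $(TYPE) -keyout $$PEM1 -nodes -x509 -days $(DAYS) -out $$PEM2 $(EXTRA_FLAGS) && \
	cat $$PEM1 > $@ && \
	echo "" >> $@ && \
	cat $$PEM2 >> $@

# Unencrypted RSA private key. genrsa writes to stdout, so by the time it
# fails the redirection has already created an empty $@; remove it so a
# later "make" does not treat the empty key as up to date (.PRECIOUS keeps
# make itself from deleting it).
%.key:
	umask 77 ; \
	/usr/bin/openssl genrsa $(KEYLEN) > $@ || { $(RM) $@ ; exit 1 ; }

# Certificate signing request for an existing key; the DN is prompted for.
%.csr: %.key
	umask 77 ; \
	/usr/bin/openssl req $(UTF8) -new -key $^ -out $@

# Self-signed certificate for an existing key; the DN is prompted for.
%.crt: %.key
	umask 77 ; \
	/usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days $(DAYS) -out $@ $(EXTRA_FLAGS)

# Fixed paths used by the Apache (mod_ssl) convenience targets.
TLSROOT=/etc/pki/tls
KEY=$(TLSROOT)/private/localhost.key
CSR=$(TLSROOT)/certs/localhost.csr
CRT=$(TLSROOT)/certs/localhost.crt

# These names are commands, not files: declare them phony so that a stray
# file called e.g. "genkey" in this directory cannot make the target a no-op.
.PHONY: genkey certreq testcert
genkey: $(KEY)
certreq: $(CSR)
testcert: $(CRT)

# $(KEY) itself is built by the %.key pattern rule above.
$(CSR): $(KEY)
	umask 77 ; \
	/usr/bin/openssl req $(UTF8) -new -key $< -out $@

$(CRT): $(KEY)
	umask 77 ; \
	/usr/bin/openssl req $(UTF8) -new -key $< -x509 -days $(DAYS) -out $@ $(EXTRA_FLAGS)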
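#!/bin/bash
# [root@localhost CA]# cat certificate6.sh
#
# Build a small private PKI from the CERT_INFO table: entry 0 becomes a
# self-signed CA (key + certificate), every later entry gets its own key and
# CSR which is then signed by that CA. All files are written into $DIR.
#
# Private keys are generated with -nodes (unencrypted). The umask set below
# makes them 0600 from the moment they are created instead of only after the
# final chmod, so there is no window in which they are world-readable.
# "openssl x509 -req" is run without -extfile, so the issued certificates
# carry no extensions (in particular no subjectAltName); current clients
# match hostnames against the SAN, not the CN, so these are test certs only.

#证书存放目录 (directory the key/cert files are written to)
DIR=/data

#每个证书信息 (per-certificate settings, indexed by number)
#   subjectN  distinguished name
#   keyfileN  private key output file
#   crtfileN  certificate output file
#   csrfileN  certificate request file (CA-signed entries only)
#   keyN      RSA key length in bits
#   expireN   validity in days
#   serialN   certificate serial number
# NOTE: RFC 5280 requires serial numbers to be positive integers, so the CA's
# serial 0 is non-conformant (openssl accepts it), and small sequential
# serials make the issued certificates trivially predictable.
declare -A CERT_INFO
CERT_INFO=(
    [subject0]="/O=heaven/CN=ca.god.com"
    [keyfile0]="cakey.pem"
    [crtfile0]="cacert.pem"
    [key0]=2048
    [expire0]=36000
    [serial0]=0
    [subject1]="/C=CN/ST=beijing/L=haidian/O=Central.Hospital/CN=master.chuan.org"
    [keyfile1]="master.key"
    [crtfile1]="master.crt"
    [key1]=2048
    [expire1]=36000
    [serial1]=1
    [csrfile1]="master.csr"
    [subject2]="/C=CN/ST=beijing/L=zhaoyang/O=Central.Hospital/CN=slave.chuan.org"
    [keyfile2]="slave.key"
    [crtfile2]="slave.crt"
    [key2]=2048
    [expire2]=36000
    [serial2]=2
    [csrfile2]="slave.csr"
)

# Print a line in bold green (same escape sequence the original emitted).
green() { echo -e "\E[1;32m$*\E[0m"; }

#证书编号最大值 (number of entries = number of subjectN keys in the table)
N=$(echo "${!CERT_INFO[*]}" | grep -o subject | wc -l)

# Without this guard a failed cd would silently generate everything in the
# current directory (and the final "ls $DIR" would not list it).
cd "$DIR" || { echo "无法进入证书存放目录: $DIR" >&2; exit 1; }
umask 077

for ((i = 0; i < N; i++)); do
    if [ "$i" -eq 0 ]; then
        # Entry 0: self-signed CA, key and certificate in one step.
        # openssl's own output is discarded, so report failures explicitly
        # instead of letting the loop continue and sign with a missing CA.
        openssl req -x509 -newkey "rsa:${CERT_INFO[key${i}]}" -subj "${CERT_INFO[subject${i}]}" \
            -set_serial "${CERT_INFO[serial${i}]}" -keyout "${CERT_INFO[keyfile${i}]}" -nodes \
            -days "${CERT_INFO[expire${i}]}" -out "${CERT_INFO[crtfile${i}]}" &>/dev/null \
            || { echo "CA 证书生成失败: ${CERT_INFO[crtfile${i}]}" >&2; exit 1; }
    else
        # Later entries: fresh key + CSR, then sign the CSR with the CA from entry 0.
        openssl req -newkey "rsa:${CERT_INFO[key${i}]}" -nodes -subj "${CERT_INFO[subject${i}]}" \
            -keyout "${CERT_INFO[keyfile${i}]}" -out "${CERT_INFO[csrfile${i}]}" &>/dev/null \
            || { echo "证书请求生成失败: ${CERT_INFO[csrfile${i}]}" >&2; exit 1; }
        openssl x509 -req -in "${CERT_INFO[csrfile${i}]}" -CA "${CERT_INFO[crtfile0]}" \
            -CAkey "${CERT_INFO[keyfile0]}" -set_serial "${CERT_INFO[serial${i}]}" \
            -days "${CERT_INFO[expire${i}]}" -out "${CERT_INFO[crtfile${i}]}" &>/dev/null \
            || { echo "证书签发失败: ${CERT_INFO[crtfile${i}]}" >&2; exit 1; }
    fi
    green "**************************************生成证书信息**************************************"
    openssl x509 -in "${CERT_INFO[crtfile${i}]}" -noout -subject -dates -serial
    echo
done

# Redundant with the umask above but harmless; kept so keys created by an
# earlier run of the script with a looser umask are tightened too.
chmod 600 *.key
echo "证书生成完成"
green "**************************************生成证书文件如下**************************************"
echo "证书存放目录: $DIR"
# Deliberately unquoted so the listing prints on one line, as before.
echo "证书文件列表: "$(ls "$DIR")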