生成证书脚本
注:如果复制之后,在 CentOS 里边出现 Windows 和 Linux 文件格式不匹配的问题,可以使用以下命令转换文件格式,然后再执行脚本即可。
1、yum -y install dos2unix 2、dos2unix 文件名
1、如下是生成国密证书的脚本
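#!/bin/bash
# Generate a three-level SM2 ("guomi") certificate chain with gmssl:
#   root CA -> sub1 CA -> sub2 CA, plus two end-entity certificates
#   (server and client), all written into ./server-gmchain/ together with
#   a server-gmchain.pem bundle.
# "gmssl ca" is driven by its default config, whose CA_default section
# expects ./demoCA under the current directory, so the demoCA bookkeeping
# tree is created inside the output directory (the previous version built
# it next to the script, which broke when the script was invoked by an
# absolute path).
set -euo pipefail

readonly expire_days=3650
readonly subj='/C=CN/ST=Beijing/L=Beijing/O=Hy/OU=hy/CN=hyR'
readonly subji='/C=CN/ST=Beijing/L=Beijing/O=Hy/OU=hy/CN=hyI'
readonly subjs='/C=CN/ST=Beijing/L=Beijing/O=Hy/OU=hy/CN=hyS'
readonly subj2='/C=CN/ST=Beijing/L=Beijing/O=Hy/OU=hy/CN=hy'
readonly subj3='/C=CN/ST=Beijing/L=Beijing/O=Hy/OU=hy/CN=hy1'
readonly server='server-gmchain'
param=$server

#######################################
# Generate an SM2 private key and restrict it to the owner, so CA and
# end-entity keys are not left world-readable by the default umask.
# Arguments: $1 - output path of the key file
#######################################
gen_sm2_key() {
  local out=$1
  gmssl ecparam -genkey -name sm2p256v1 -out "$out"
  chmod 600 -- "$out"
}

# Start from a clean output directory; ${param:?} aborts instead of
# running "rm -r" on an empty path.
if [[ -d "$param" ]]; then
  rm -r -- "${param:?}"
fi
mkdir -p -- "$param"
cd -- "$param"

root_cacer=ca-root-$param.cer
root_cakey=ca-root-$param.key
sub1_cacer=ca-sub1-$param.cer
sub1_cakey=ca-sub1-$param.key
cacer=ca-sub2-$param.cer
cakey=ca-sub2-$param.key
cer=$param.cer
csr=$param.csr
key=$param.key
# Second end-entity certificate ("client"), issued the same way as the
# server one.
client_name=client-$param
cer1=$client_name.cer
csr1=$client_name.csr
key1=$client_name.key

# Bookkeeping files required by "gmssl ca" (database, serial, CRL number).
# cacert.pem / cakey.pem link to the root CA files generated below; they
# are what signs sub1 when no -cert/-keyfile is given.
mkdir -p demoCA/{private,newcerts}
touch demoCA/index.txt
printf '01\n' > demoCA/serial
printf '01\n' > demoCA/crlnumber
ln -sf "../$root_cacer" demoCA/cacert.pem
ln -sf "../../$root_cakey" demoCA/private/cakey.pem

#Root CA (self-signed)
gen_sm2_key "$root_cakey"
gmssl req -x509 -sm3 -key "$root_cakey" -out "$root_cacer" -subj "$subj" \
  -days "$expire_days"
echo "===================Gen Root CA OK===================="

#Sub1 CA, signed by the root through the demoCA links above.
# "-days" only has an effect on "ca" (it is ignored on "req -new"), so it
# is passed to every "ca" call; otherwise the validity silently falls back
# to the config's default_days.
gen_sm2_key "$sub1_cakey"
gmssl req -new -sm3 -extensions v3_req -key "$sub1_cakey" -out "$csr" \
  -subj "$subji" -days "$expire_days"
gmssl ca -md sm3 -extensions v3_ca -batch -notext -days "$expire_days" \
  -in "$csr" -out "$sub1_cacer"
echo "===================Gen Sub1 CA OK====================="

#Sub2 CA, signed by sub1.
gen_sm2_key "$cakey"
gmssl req -new -sm3 -key "$cakey" -extensions v3_req -out "$csr" \
  -subj "$subjs" -days "$expire_days"
gmssl ca -md sm3 -extensions v3_ca -batch -notext -days "$expire_days" \
  -in "$csr" -out "$cacer" -cert "$sub1_cacer" -keyfile "$sub1_cakey"
echo "===================Gen Sub2 CA OK===================="

#Server cert, signed by sub1.
gen_sm2_key "$key"
gmssl req -new -key "$key" -out "$csr" -subj "$subj2" -days "$expire_days"
gmssl ca -md sm3 -batch -notext -days "$expire_days" -in "$csr" -out "$cer" \
  -cert "$sub1_cacer" -keyfile "$sub1_cakey"
echo "===================Gen Server cert OK===================="

#Server1 (client) cert, signed by sub1.
gen_sm2_key "$key1"
gmssl req -new -key "$key1" -out "$csr1" -subj "$subj3" -days "$expire_days"
gmssl ca -md sm3 -batch -notext -days "$expire_days" -in "$csr1" -out "$cer1" \
  -cert "$sub1_cacer" -keyfile "$sub1_cakey"
rm -f -- *.csr *.srl
echo "===================Gen Server1 cert OK===================="

# NOTE(review): the end-entity certs above are signed by sub1, yet the
# bundle also contains sub2, which is not on that issuance path — confirm
# which CA was meant to sign the server cert (the RSA script signs it
# with sub2).
cat -- "$cer" "$cacer" "$sub1_cacer" | tee "$param.pem"
echo "===================Gen All OK===================="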
2、如下是生成国际证书脚本
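#!/bin/bash
# Generate a three-level RSA certificate chain with openssl:
#   root CA -> sub1 CA -> sub2 CA -> server certificate, all written into
#   ./server-gmchain/ together with a server-gmchain.pem bundle
#   (server cert + sub2 + sub1).
# "openssl ca" is driven by its default config, whose CA_default section
# expects ./demoCA under the current directory, so the demoCA bookkeeping
# tree is created inside the output directory (the previous version built
# it next to the script, which broke when the script was invoked by an
# absolute path).
set -euo pipefail

readonly key_bits=2048
readonly expire_days=3650
readonly subj='/C=CN/ST=Beijing/L=Beijing/O=Hy/OU=hy/CN=hyR'
readonly subji='/C=CN/ST=Beijing/L=Beijing/O=Hy/OU=hy/CN=hyI'
readonly subjs='/C=CN/ST=Beijing/L=Beijing/O=Hy/OU=hy/CN=hyS'
readonly subj2='/C=CN/ST=Beijing/L=Beijing/O=Hy/OU=hy/CN=hy'
readonly server='server-gmchain'
param=$server

#######################################
# Generate an RSA private key of $key_bits bits and restrict it to the
# owner, so CA and server keys are not left world-readable by the default
# umask.
# Globals:   key_bits (read)
# Arguments: $1 - output path of the key file
#######################################
gen_rsa_key() {
  local out=$1
  openssl genrsa -out "$out" "$key_bits"
  chmod 600 -- "$out"
}

# Start from a clean output directory; ${param:?} aborts instead of
# running "rm -r" on an empty path.
if [[ -d "$param" ]]; then
  rm -r -- "${param:?}"
fi
mkdir -p -- "$param"
cd -- "$param"

root_cacer=ca-root-$param.cer
root_cakey=ca-root-$param.key
sub1_cacer=ca-sub1-$param.cer
sub1_cakey=ca-sub1-$param.key
cacer=ca-sub2-$param.cer
cakey=ca-sub2-$param.key
cer=$param.cer
csr=$param.csr
key=$param.key

# Bookkeeping files required by "openssl ca" (database, serial, CRL
# number). cacert.pem / cakey.pem link to the root CA files generated
# below; they are what signs sub1 when no -cert/-keyfile is given.
mkdir -p demoCA/{private,newcerts}
touch demoCA/index.txt
printf '01\n' > demoCA/serial
printf '01\n' > demoCA/crlnumber
ln -sf "../$root_cacer" demoCA/cacert.pem
ln -sf "../../$root_cakey" demoCA/private/cakey.pem

# -------------------------------------GenRSA---------------------------------
#Root CA (self-signed). The key is generated once by gen_rsa_key and
# reused with -key; the previous "-newkey ... -keyout" silently replaced
# the key that genrsa had just written.
gen_rsa_key "$root_cakey"
openssl req -x509 -key "$root_cakey" -sha256 -out "$root_cacer" \
  -subj "$subj" -days "$expire_days"
echo "===================Gen Root CA OK===================="

#Sub1 CA, signed by the root through the demoCA links above.
# "-days" only has an effect on "ca" (it is ignored on "req -new"), so it
# is passed to every "ca" call; "-md sha256" pins the signature digest
# instead of relying on the config's default_md.
gen_rsa_key "$sub1_cakey"
openssl req -new -key "$sub1_cakey" -sha256 -out "$csr" -subj "$subji" \
  -days "$expire_days"
openssl ca -md sha256 -extensions v3_ca -batch -notext -days "$expire_days" \
  -in "$csr" -out "$sub1_cacer"
echo "===================Gen Sub1 CA OK===================="

#Sub2 CA, signed by sub1.
gen_rsa_key "$cakey"
openssl req -new -key "$cakey" -sha256 -out "$csr" -subj "$subjs" \
  -days "$expire_days"
openssl ca -md sha256 -extensions v3_ca -batch -notext -days "$expire_days" \
  -in "$csr" -out "$cacer" -cert "$sub1_cacer" -keyfile "$sub1_cakey"
echo "===================Gen Sub2 CA OK===================="

#Server cert, signed by sub2 with "x509 -req" (no demoCA database entry).
# NOTE(review): "-extensions v3_req" without "-extfile" may be ignored
# depending on the openssl version — confirm the issued certificate
# actually carries the intended extensions.
gen_rsa_key "$key"
openssl req -new -key "$key" -sha256 -out "$csr" -subj "$subj2" \
  -days "$expire_days"
openssl x509 -req -in "$csr" -sha256 -out "$cer" -CA "$cacer" -CAkey "$cakey" \
  -CAserial t_ssl_ca.srl -CAcreateserial -days "$expire_days" \
  -extensions v3_req
#openssl pkcs12 -export -clcerts -in client.cer -inkey client.key -out client.p12
rm -f -- *.csr *.srl
cat -- "$cer" "$cacer" "$sub1_cacer" | tee "$param.pem"
echo "===================Gen All OK===================="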