生成https证书脚本

shell脚本

 

[root@localhost ~]# cat https.sh 
#! /bin/bash

hostname=192.168.186.130

cd /etc/pki/ && mkdir /etc/pki/CA/
cd /etc/pki/CA/ && mkdir /etc/pki/CA/private

yum -y remove httpd &>/dev/null
yum -y install httpd &>/dev/null
systemctl enable --now httpd &>/dev/null

(umask 077;openssl genrsa -out private/cakey.pem 2048)

openssl rsa -in private/cakey.pem -pubout


expect << EOF
    set timeout 60 
    spawn openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
    expect "letter code"                {send "CH\r"}
    expect "full name"                  {send "YN\r"}
        expect "Default City"               {send "KM\r"}
        expect "Default Company Ltd"        {send "LYJ\r"}
    expect "eg, section"                {send "tcp\r"}
    expect "hostname"                   {send "${hostname}\r"}
        expect "Email Address"              {send "123@456.com\r"}
        expect "#"                        
EOF

openssl x509 -text -in cacert.pem
mkdir certs newcerts cr1
touch index.txt. && echo 01 > serial

cd /etc/httpd && mkdir ssl && cd ssl
(umask 077;openssl genrsa -out httpd.key 2048)

expect << EOF

    set timeout 60
    spawn openssl req -new -key httpd.key -days 365 -out httpd.csr
    expect "code"                 {send "CH\r"}
    expect "name"                {send "YN\r"}
    expect "Default City"           {send "KM\r"}
        expect "Default Company Ltd"    {send "LYJ\r"}
        expect "eg, section"              {send "tcp\r"}
        expect "hostname"                  {send "${hostname}\r"}
        expect "Email Address"          {send "123@456.com\r"}
        expect "password"               {send "12345\r"}
        expect "company name"           {send "\r"}
    expect "#"                          
EOF

expect << EOF
set timeout 60
spawn scp httpd.csr root@${hostname}:/root
expect "password:"                {send "mf2130369588mf\r"}
expect "#"      
EOF

expect << EOF
set timeout 60
spawn openssl ca -in ./httpd.csr -out httpd.crt -days 365
expect "certificate" {send "y\r"}
expect "commit" {send "y\r"}
expect "#"
EOF

 

执行脚本

 

[root@localhost ~]# ./https.sh 
Generating RSA private key, 2048 bit long modulus (2 primes)
...................+++++
............................................................................+++++
e is 65537 (0x010001)
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3ITZaDyRe7m+Ggny//H+
38qi/pVvMDp/KnxUQFog2oBLXc/iLRrvdwAA5A8NRJholvDmgLUIxwvVnC1n8JQF
2DyZAoUKOfBmsg809waaHzJN+2u+JPku3NMvInq4S1AvUchqIE/c8XlV0IsKt4mj
0pyfZhdM3ctcTnrlLH46WrOem1v54lU5JyZ0ow1xn8lLrmRVq+KcRgLBZTWBUjJY
Kb1IY5YNBDcN7fAUezfhbaOZGd+5FiYuEahDqwnqYBeu0Rb8GQkuvbuLrwsckBq+
pxg0i+otrhAsQaG8JNKHN55KGmBiYBIIqLdLfvn9JiTGr7pY819+CzjvkWlJYvfv
FQIDAQAB
-----END PUBLIC KEY-----
spawn openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CH
State or Province Name (full name) []:YN
Locality Name (eg, city) [Default City]:KM
Organization Name (eg, company) [Default Company Ltd]:LYJ
Organizational Unit Name (eg, section) []:tcp
Common Name (eg, your name or your server's hostname) []:192.168.186.130
Email Address []:123@456.com
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3d:f3:c4:91:a3:cc:05:8f:2e:fd:9e:5e:2f:e0:cd:e8:c6:17:d5:ff
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CH, ST = YN, L = KM, O = LYJ, OU = tcp, CN = 192.168.186.130, emailAddress = 123@456.com
        Validity
            Not Before: Apr  1 11:25:28 2021 GMT
            Not After : Apr  1 11:25:28 2022 GMT
        Subject: C = CH, ST = YN, L = KM, O = LYJ, OU = tcp, CN = 192.168.186.130, emailAddress = 123@456.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:dc:84:d9:68:3c:91:7b:b9:be:1a:09:f2:ff:f1:
                    fe:df:ca:a2:fe:95:6f:30:3a:7f:2a:7c:54:40:5a:
                    20:da:80:4b:5d:cf:e2:2d:1a:ef:77:00:00:e4:0f:
                    0d:44:98:68:96:f0:e6:80:b5:08:c7:0b:d5:9c:2d:
                    67:f0:94:05:d8:3c:99:02:85:0a:39:f0:66:b2:0f:
                    34:f7:06:9a:1f:32:4d:fb:6b:be:24:f9:2e:dc:d3:
                    2f:22:7a:b8:4b:50:2f:51:c8:6a:20:4f:dc:f1:79:
                    55:d0:8b:0a:b7:89:a3:d2:9c:9f:66:17:4c:dd:cb:
                    5c:4e:7a:e5:2c:7e:3a:5a:b3:9e:9b:5b:f9:e2:55:
                    39:27:26:74:a3:0d:71:9f:c9:4b:ae:64:55:ab:e2:
                    9c:46:02:c1:65:35:81:52:32:58:29:bd:48:63:96:
                    0d:04:37:0d:ed:f0:14:7b:37:e1:6d:a3:99:19:df:
                    b9:16:26:2e:11:a8:43:ab:09:ea:60:17:ae:d1:16:
                    fc:19:09:2e:bd:bb:8b:af:0b:1c:90:1a:be:a7:18:
                    34:8b:ea:2d:ae:10:2c:41:a1:bc:24:d2:87:37:9e:
                    4a:1a:60:62:60:12:08:a8:b7:4b:7e:f9:fd:26:24:
                    c6:af:ba:58:f3:5f:7e:0b:38:ef:91:69:49:62:f7:
                    ef:15
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                3A:32:7C:FA:3D:86:85:E4:5D:F7:19:88:F7:0B:62:A1:09:63:D6:0A
            X509v3 Authority Key Identifier: 
                keyid:3A:32:7C:FA:3D:86:85:E4:5D:F7:19:88:F7:0B:62:A1:09:63:D6:0A

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         3c:4f:98:7f:31:1d:72:7c:ef:f0:e2:f3:73:99:a5:e0:66:4e:
         17:68:90:c9:ae:07:a6:cc:61:c8:04:56:e4:90:3f:81:95:74:
         00:68:0a:43:44:bd:8a:ee:65:48:35:8d:60:29:83:a0:01:17:
         25:ff:1a:a0:54:a6:c3:a0:83:9c:6c:5e:35:98:86:e3:95:5b:
         ca:83:a9:3e:7a:00:01:2e:c2:7d:80:32:2a:51:2b:a4:d0:9c:
         88:08:c1:70:94:6e:a3:37:5b:96:d4:82:ec:ee:63:78:c2:57:
         08:87:8b:f6:d5:ab:d7:b5:23:07:f0:77:b1:7e:d7:bd:d7:f6:
         de:71:94:5e:20:9d:97:75:19:ed:b0:90:e2:78:80:e9:66:61:
         49:5d:d8:c9:c1:0e:49:20:66:60:7f:00:1a:77:89:c7:82:bd:
         3d:52:e7:3e:f3:7c:83:74:bc:f3:f1:ea:b6:ca:5e:31:9f:0e:
         2e:1b:b2:25:6f:42:17:9c:cd:9f:1b:c0:6c:42:bf:8e:78:b1:
         77:ae:e1:94:6b:72:47:2f:55:99:18:f3:d8:2e:f3:97:c8:37:
         12:79:40:fc:7e:3a:3c:99:29:e2:d0:83:96:73:ee:12:46:3c:
         ef:70:38:16:38:1d:0e:7f:63:db:88:03:29:f2:01:ec:9f:42:
         77:1e:5c:54
-----BEGIN CERTIFICATE-----
MIID0zCCArugAwIBAgIUPfPEkaPMBY8u/Z5eL+DN6MYX1f8wDQYJKoZIhvcNAQEL
BQAweTELMAkGA1UEBhMCQ0gxCzAJBgNVBAgMAllOMQswCQYDVQQHDAJLTTEMMAoG
A1UECgwDTFlKMQwwCgYDVQQLDAN0Y3AxGDAWBgNVBAMMDzE5Mi4xNjguMTg2LjEz
MDEaMBgGCSqGSIb3DQEJARYLMTIzQDQ1Ni5jb20wHhcNMjEwNDAxMTEyNTI4WhcN
MjIwNDAxMTEyNTI4WjB5MQswCQYDVQQGEwJDSDELMAkGA1UECAwCWU4xCzAJBgNV
BAcMAktNMQwwCgYDVQQKDANMWUoxDDAKBgNVBAsMA3RjcDEYMBYGA1UEAwwPMTky
LjE2OC4xODYuMTMwMRowGAYJKoZIhvcNAQkBFgsxMjNANDU2LmNvbTCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBANyE2Wg8kXu5vhoJ8v/x/t/Kov6VbzA6
fyp8VEBaINqAS13P4i0a73cAAOQPDUSYaJbw5oC1CMcL1ZwtZ/CUBdg8mQKFCjnw
ZrIPNPcGmh8yTftrviT5LtzTLyJ6uEtQL1HIaiBP3PF5VdCLCreJo9Kcn2YXTN3L
XE565Sx+Olqznptb+eJVOScmdKMNcZ/JS65kVavinEYCwWU1gVIyWCm9SGOWDQQ3
De3wFHs34W2jmRnfuRYmLhGoQ6sJ6mAXrtEW/BkJLr27i68LHJAavqcYNIvqLa4Q
LEGhvCTShzeeShpgYmASCKi3S375/SYkxq+6WPNffgs475FpSWL37xUCAwEAAaNT
MFEwHQYDVR0OBBYEFDoyfPo9hoXkXfcZiPcLYqEJY9YKMB8GA1UdIwQYMBaAFDoy
fPo9hoXkXfcZiPcLYqEJY9YKMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL
BQADggEBADxPmH8xHXJ87/Di83OZpeBmThdokMmuB6bMYcgEVuSQP4GVdABoCkNE
vYruZUg1jWApg6ABFyX/GqBUpsOgg5xsXjWYhuOVW8qDqT56AAEuwn2AMipRK6TQ
nIgIwXCUbqM3W5bUguzuY3jCVwiHi/bVq9e1Iwfwd7F+173X9t5xlF4gnZd1Ge2w
kOJ4gOlmYUld2MnBDkkgZmB/ABp3iceCvT1S5z7zfIN0vPPx6rbKXjGfDi4bsiVv
QheczZ8bwGxCv454sXeu4ZRrckcvVZkY89gu85fINxJ5QPx+OjyZKeLQg5Zz7hJG
PO9wOBY4HQ5/Y9uIAynyAeyfQnceXFQ=
-----END CERTIFICATE-----
Generating RSA private key, 2048 bit long modulus (2 primes)
.................................+++++
..........+++++
e is 65537 (0x010001)
spawn openssl req -new -key httpd.key -days 365 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CH
State or Province Name (full name) []:YN
Locality Name (eg, city) [Default City]:KM
Organization Name (eg, company) [Default Company Ltd]:LYJ
Organizational Unit Name (eg, section) []:tcp
Common Name (eg, your name or your server's hostname) []:192.168.186.130
Email Address []:123@456.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:12345
An optional company name []:
spawn scp httpd.csr root@192.168.186.130:/root
httpd.csr                             100% 1058   596.6KB/s   00:00    
expect: spawn id exp6 not open
    while executing
"expect "#"      "
//这里报错了,正在更新解决
spawn openssl ca -in ./httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
139978345297728:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/index.txt','r')
139978345297728:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:
expect: spawn id exp6 not open
    while executing
"expect "commit" {send "y\r"}"

 

posted @ 2021-04-02 09:00  Raygussie  阅读(224)  评论(0编辑  收藏  举报