使用openssl创建包含SAN的证书bash脚本


使用openssl创建包含SAN的证书bash脚本

前面的文章介绍了使用 openssl 创建包含 SAN 的证书，但命令需要逐条手动执行，很不方便。本篇文章把它改写为 shell 脚本版本，一个命令即可生成所需的 CA、服务器和客户端证书。注意：脚本生成的是自签名 CA 和未加密的私钥，仅适用于本地开发和测试，不要用于生产环境；每次运行都会清空输出目录 certs/，如有旧证书请先备份。

创建一个文件 cert.sh，保存下面的 shell 脚本，执行 `bash cert.sh` 即可一次生成 CA、服务器和客户端证书。生成后需要把 certs/ca.crt 加入客户端的信任列表（例如浏览器导入，或 `curl --cacert certs/ca.crt`）；默认证书只对 localhost 有效，使用其他域名时请同时修改 CN 和 DNS.1。

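#!/usr/bin/env bash
# cert.sh — create a throwaway self-signed CA plus a server and a client
# certificate carrying a subjectAltName, for local TLS / mTLS testing.
#
# Output layout (the directory contents are wiped on every run):
#   certs/openssl.cnf                  generated OpenSSL config
#   certs/ca.key  ca.csr  ca.crt       CA key (mode 0600) and self-signed CA cert
#   certs/server/server.{key,csr,pem}  leaf cert, extendedKeyUsage=serverAuth
#   certs/client/client.{key,csr,pem}  leaf cert, extendedKeyUsage=clientAuth
#
# Tunables (environment variables):
#   CERT_DIR   output directory, default ./certs (its contents are WIPED)
#   CERT_CN    CN and DNS SAN of the leaf certs, default localhost
#   LEAF_DAYS  leaf validity in days, default 365
#   CA_DAYS    CA validity in days, default 3650
#
# Security notes:
#   - Private keys are written unencrypted; this is a dev/test helper only.
#   - Leaf validity is set explicitly because `openssl x509 -req` would
#     otherwise silently default to 30 days.
#   - The CA cert carries basicConstraints CA:TRUE and keyCertSign; a CA
#     cert without them is rejected by stricter verifiers.
#   - Server and client certs get separate, restrictive extendedKeyUsage
#     values so neither can impersonate the other role.
set -euo pipefail

DIR=${CERT_DIR:-./certs}
CERT_CN=${CERT_CN:-localhost}
LEAF_DAYS=${LEAF_DAYS:-365}
CA_DAYS=${CA_DAYS:-3650}
# The CA subject must differ from the leaf subject: a leaf whose subject
# equals its issuer looks "self-issued" to path builders.
CA_SUBJ="/C=CN/ST=Jl/L=Cc/O=hacker's home/OU=hacker's home/CN=hacker's home CA"

die() { printf 'cert.sh: %s\n' "$*" >&2; exit 1; }

command -v openssl >/dev/null || die "openssl not found in PATH"

# Refuse to wipe anything that is obviously not a dedicated output directory.
case "$DIR" in
  ''|/|.|..|"${HOME:-}") die "refusing to use '$DIR' as output directory" ;;
esac

if [[ -d "$DIR" ]]; then
  printf '%s found, clearing it.\n' "$DIR"
  # find -delete handles nested server/ and client/ dirs and an empty dir;
  # the original `rm certs/*` left the subdirectories behind and failed on re-run.
  find "$DIR" -mindepth 1 -delete
fi
mkdir -p -- "$DIR/server" "$DIR/client"

# Extensions are applied at signing time via -extfile, so the CSRs do not
# need to carry them. Sections: v3_ca for the CA, v3_server / v3_client for leaves.
cat > "$DIR/openssl.cnf" <<EOF
[req]
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
# country
C = CN
# state / province
ST = Jl
# city
L = Cc
# organisation
O = hacker's home
# organisational unit
OU = hacker's home
# hostname the leaf certificates are issued for
CN = ${CERT_CN}
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = @alt_names
[v3_client]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = @alt_names
[alt_names]
# names the certificate is valid for; modern clients match SAN, not CN
DNS.1 = ${CERT_CN}
EOF

#######################################
# Generate an RSA-2048 private key readable only by its owner.
# Arguments: $1 - output path
#######################################
make_key() {
  local key=$1
  openssl genrsa -out "$key" 2048
  # genrsa honours umask, which usually yields 0644; tighten immediately.
  chmod 600 -- "$key"
}

#######################################
# Issue a CA-signed leaf certificate.
# Globals:   DIR, LEAF_DAYS (read)
# Arguments: $1 - leaf name (server|client), used for the directory and file stem
#            $2 - extension section in openssl.cnf (v3_server|v3_client)
# Outputs:   $DIR/$1/$1.key, .csr and .pem; updates $DIR/ca.srl
#######################################
make_leaf() {
  local name=$1 section=$2
  local base="$DIR/$name/$name"
  printf 'make %s key\n' "$name"
  make_key "$base.key"
  printf 'make %s certificate\n' "$name"
  openssl req -new -sha256 -key "$base.key" -out "$base.csr" -config "$DIR/openssl.cnf"
  openssl x509 -req -sha256 -days "$LEAF_DAYS" -in "$base.csr" \
    -CA "$DIR/ca.crt" -CAkey "$DIR/ca.key" -CAcreateserial \
    -extfile "$DIR/openssl.cnf" -extensions "$section" -out "$base.pem"
}

printf 'make ca key\n'
make_key "$DIR/ca.key"
printf 'make ca certificate\n'
# -subj keeps this non-interactive; -config supplies the required [req] section.
openssl req -new -sha256 -key "$DIR/ca.key" -subj "$CA_SUBJ" \
  -config "$DIR/openssl.cnf" -out "$DIR/ca.csr"
openssl x509 -req -sha256 -days "$CA_DAYS" -in "$DIR/ca.csr" -signkey "$DIR/ca.key" \
  -extfile "$DIR/openssl.cnf" -extensions v3_ca -out "$DIR/ca.crt"

make_leaf server v3_server
make_leaf client v3_client

# Sanity check: each leaf must chain to the CA and be valid for its role.
openssl verify -CAfile "$DIR/ca.crt" -purpose sslserver "$DIR/server/server.pem"
openssl verify -CAfile "$DIR/ca.crt" -purpose sslclient "$DIR/client/client.pem"
printf 'done: certificates written to %s\n' "$DIR"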