使用openssl創建包含SAN的證書bash腳本


使用openssl創建包含SAN的證書bash腳本

前面的文章介紹了如何使用 openssl 創建包含 SAN 的證書,但是命令需要逐行手動執行,很不方便。本篇文章將其改寫為 shell 腳本版本,一個命令即可生成所需的服務器和客戶端證書。

創建一個文件 cert.sh,保存下面的 shell 腳本,之後直接執行,一個命令即可生成服務器和客戶端證書。注意:腳本每次執行都會刪除當前目錄下 certs 目錄中已有的文件,且生成的私鑰(包括 CA 私鑰)均未加密,請妥善保管。

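#!/bin/bash
#
# cert.sh - create a small test PKI under ./certs:
#   ca.key / ca.crt               self-signed CA
#   server/server.key|csr|pem     leaf certificate signed by that CA
#   client/client.key|csr|pem     leaf certificate signed by that CA
# Both leaves take their subject and subjectAltName from the generated
# openssl.cnf (CN and DNS.1 are "localhost").
#
# Environment (optional):
#   CA_DAYS    validity of the CA certificate in days (default 3650)
#   LEAF_DAYS  validity of the leaf certificates in days (default 30, which
#              is what `openssl x509 -req` uses when -days is omitted)
#
# Every private key is written unencrypted (genrsa without a cipher option),
# so anyone who can read ca.key can issue certificates that chain to ca.crt.

# Stop at the first failing command instead of signing with half-built inputs.
set -euo pipefail

# Create keys (and everything else here) readable by the owner only, rather
# than relying on the openssl build to restrict key file permissions.
# Certificates can be made world-readable with chmod when they are deployed.
umask 077

DIR=./certs
ca_days=${CA_DAYS:-3650}
leaf_days=${LEAF_DAYS:-30}

if [ -d "$DIR" ]; then
  echo "$DIR Found."
else
  mkdir -p -- "$DIR"
fi

# Start from a clean directory. -r also removes server/ and client/ left by a
# previous run; ${DIR:?} aborts instead of expanding to "/*" if DIR is empty.
rm -rf -- "${DIR:?}"/*

# Quoted delimiter: the configuration is written literally, with no shell
# expansion. [CA_default] is only read by `openssl ca`, which this script does
# not call; the section is kept from the original configuration.
# [v3_ca] is used for the CA certificate only, so that it is a v3 certificate
# marked CA:TRUE. Without it the self-signed CA carries no basicConstraints,
# and stricter TLS libraries may refuse to treat it as an issuer.
cat >"$DIR/openssl.cnf" <<'EOF'
[CA_default]
copy_extensions = copy
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
# 國家
C = CN
# 省份
ST = Jl
# 城市
L = Cc
# 組織
O = hacker's home
# 部門
OU = hacker's home
# 域名
CN = localhost
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
# 解析域名
DNS.1 = localhost
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

cd -- "$DIR" || exit 1

echo "make ca key"
openssl genrsa -out ca.key 2048
echo "make ca certificate"
# No -config here, so openssl uses its system default configuration and, with
# a stock configuration, asks for the CA subject interactively. Give the CA a
# subject that differs from the leaf subject in openssl.cnf: a leaf whose
# issuer name equals its own subject can be mistaken for a self-signed
# certificate during chain building.
openssl req -new -sha256 -key ca.key -out ca.csr
openssl x509 -req -sha256 -days "$ca_days" -in ca.csr -signkey ca.key \
  -out ca.crt -extfile openssl.cnf -extensions 'v3_ca'

mkdir -p server client

echo "make server key"
openssl genrsa -out server/server.key 2048
echo "make server certificate"
# The extensions are passed again with -extfile when signing because
# `x509 -req` does not copy them from the CSR by default.
openssl req -new -nodes -sha256 -key server/server.key -out server/server.csr \
  -config openssl.cnf -extensions 'v3_req'
openssl x509 -req -sha256 -days "$leaf_days" -in server/server.csr \
  -out server/server.pem -CA ca.crt -CAkey ca.key -CAcreateserial \
  -extfile openssl.cnf -extensions 'v3_req'

echo "make client key"
openssl genrsa -out client/client.key 2048
echo "make client certificate"
# NOTE(review): the client certificate gets the same subject, SAN and key
# usage as the server certificate, and neither carries extendedKeyUsage, so
# nothing in the certificates themselves separates the two roles.
openssl req -new -nodes -sha256 -key client/client.key -out client/client.csr \
  -config openssl.cnf -extensions 'v3_req'
openssl x509 -req -sha256 -days "$leaf_days" -in client/client.csr \
  -out client/client.pem -CA ca.crt -CAkey ca.key -CAcreateserial \
  -extfile openssl.cnf -extensions 'v3_req'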