Run
Just run the ssc_gen.sh file:
Notes
Files
After the script runs, the following files are generated:
```text
-rw-r--r-- 1 ekwong staff 1.9K 1 24 14:21 ca.crt
-rw-r--r-- 1 ekwong staff 3.2K 1 24 14:21 ca.key
-rw-r--r-- 1 ekwong staff  17B 1 24 14:21 ca.srl
-rw-r--r-- 1 ekwong staff 2.2K 1 24 14:21 example.com.crt
-rw-r--r-- 1 ekwong staff 1.7K 1 24 14:21 example.com.csr
-rw-r--r-- 1 ekwong staff 3.2K 1 24 14:21 example.com.key
-rw-r--r-- 1 ekwong staff 267B 1 24 14:21 v3.ext
```
Four of these files are the ones that matter here:
```text
ca.crt
ca.key
example.com.crt
example.com.key
```
Usage
The example below uses nginx as the web server and a Windows machine as the client.
server
Upload example.com.crt and example.com.key to the server and edit nginx.conf:
```nginx
http {
    ...
    server {
        listen 443 ssl;
        ssl_certificate     /home/ca/example.com.crt;
        ssl_certificate_key /home/ca/example.com.key;
        ...
    }
    ...
}
```
Then restart the nginx service:
client
Copy ca.crt to the Windows machine and import it into the trusted root certificate store.
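Before ca.crt is trusted on any client, it is worth checking what ssc_gen.sh actually produced. The script below is an added example, not part of the original post or repository; it assumes ca.crt and example.com.crt are in the current directory and uses only the openssl command line.

```shell
#!/bin/sh
# Added example, not part of ssc_gen.sh: sanity-check the files the script
# produces before trusting ca.crt on a client. Needs only the openssl CLI.
#
# Usage: check_cert.sh CA_CRT SERVER_CRT HOSTNAME
# Returns 0 when SERVER_CRT chains to CA_CRT, lists HOSTNAME in its SAN,
# is not itself a CA, and has more than 30 days of validity left.
check_cert() {
    ca="$1"; crt="$2"; host="$3"; rc=0
    ca_text=$(openssl x509 -in "$ca" -noout -text 2>/dev/null) || { echo "FAIL: cannot read $ca"; return 1; }
    crt_text=$(openssl x509 -in "$crt" -noout -text 2>/dev/null) || { echo "FAIL: cannot read $crt"; return 1; }

    # 1. Chain: the leaf must be signed by the key behind ca.crt. Check the
    #    printed verdict rather than the exit code, which old releases ignore.
    if ! openssl verify -CAfile "$ca" "$crt" 2>/dev/null | grep -q ': OK$'; then
        echo "FAIL: $crt does not chain to $ca"; rc=1
    fi

    # 2. Name: clients match HOSTNAME against the SAN DNS entries, not the CN.
    #    ssc_gen.sh writes DNS.1=domain, DNS.2=domain minus its last label, DNS.3=svr_host.
    sans=$(printf '%s\n' "$crt_text" | sed -n '/Subject Alternative Name/{n;p;}' \
           | tr -d ' ' | tr ',' '\n' | sed -n 's/^DNS://p')
    if ! printf '%s\n' "$sans" | grep -qxF -- "$host"; then
        echo "FAIL: $host not among SAN names: $(printf '%s' "$sans" | tr '\n' ' ')"; rc=1
    fi

    # 3. Roles: the CA must carry CA:TRUE, the leaf must not (v3.ext sets CA:FALSE).
    if ! printf '%s\n' "$ca_text" | grep -q 'CA:TRUE'; then
        echo "FAIL: $ca lacks basicConstraints CA:TRUE"; rc=1
    fi
    if printf '%s\n' "$crt_text" | grep -q 'CA:TRUE'; then
        echo "FAIL: $crt is itself marked as a CA"; rc=1
    fi

    # 4. Validity: fail if the leaf expires within 30 days (2592000 s).
    if ! openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "FAIL: $crt expires within 30 days"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $crt is valid for $host and chains to $ca"
    return "$rc"
}

if [ $# -eq 3 ]; then
    check_cert "$1" "$2" "$3"
fi
```

Run it as `sh check_cert.sh ca.crt example.com.crt example.com`; a non-zero exit means one of the four checks printed a FAIL line.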
Customization
To customize the CA domain name, the server domain name, the expiry time and other settings, edit the custom.cf file; custom.cf must be in the same directory as ssc_gen.sh.
```ini
ca_numbits=4096
ca_c=CN
ca_st=Beijing
ca_l=Beijing
ca_o=Ca
ca_ou=Personal
ca_cn=self.ca.org
ca_days=3650

svr_numbits=4096
svr_domain=example.com
svr_c=CN
svr_st=Beijing
svr_l=Beijing
svr_o=Example
svr_ou=Personal
svr_days=3650
svr_host=localhost.domain
```
About
The script's source code is in the GitHub repository.
Script and configuration
ssc_gen.sh
```bash
#!/bin/bash

# Look up ${key} in custom.cf (same directory as this script); fall back to
# ${default_value} when the file or the key is missing. The pattern is anchored
# so that a commented-out line such as "#ca_cn=..." is not picked up.
function getValue() {
    key=${1}
    default_value=${2}
    result=""
    if [[ -f custom.cf ]]; then
        result=`grep "^${key}=" custom.cf | awk -F'=' '{print $2}'`
    fi
    if [[ -z ${result} ]]; then
        result="${default_value}"
    fi
    echo ${result}
    return 0
}

echo "generate self sign certificate"
version=`openssl "version"`
echo "using $version"

# --- CA: private key and self-signed certificate ---
ca_numbits=`getValue "ca_numbits" "4096"`
echo "generate ca key using numbits ${ca_numbits}"
openssl genrsa -out ca.key ${ca_numbits}

ca_c=`getValue ca_c "CN"`
ca_st=`getValue ca_st "Beijing"`
ca_l=`getValue ca_l "Beijing"`
ca_o=`getValue ca_o "Ca"`
ca_ou=`getValue ca_ou "Personal"`
ca_cn=`getValue ca_cn "self.ca.org"`
ca_days=`getValue ca_days "3650"`

# ca.key signs every server certificate; anything that trusts ca.crt trusts
# whoever holds this file, so keep it off the web server.
echo "generate ca crt for ${ca_cn}"
openssl req -x509 -new -nodes -sha512 -days ${ca_days} \
    -subj "/C=${ca_c}/ST=${ca_st}/L=${ca_l}/O=${ca_o}/OU=${ca_ou}/CN=${ca_cn}" \
    -key ca.key \
    -out ca.crt

# --- Server: private key and certificate signing request ---
svr_numbits=`getValue "svr_numbits" "4096"`
svr_domain=`getValue svr_domain "example.com"`
svr_c=`getValue svr_c "CN"`
svr_st=`getValue svr_st "Beijing"`
svr_l=`getValue svr_l "Beijing"`
svr_o=`getValue svr_o "Example"`
svr_ou=`getValue svr_ou "Personal"`
svr_days=`getValue svr_days "3650"`
svr_host=`getValue svr_host "localhost.domain"`

echo "generate server key using numbits ${svr_numbits}"
openssl genrsa -out "${svr_domain}.key" ${svr_numbits}

echo "generate certificate sign request "
openssl req -sha512 -new \
    -subj "/C=${svr_c}/ST=${svr_st}/L=${svr_l}/O=${svr_o}/OU=${svr_ou}/CN=${svr_domain}" \
    -key "${svr_domain}.key" \
    -out "${svr_domain}.csr"

# --- X.509 v3 extensions for the server certificate ---
# CA:FALSE keeps the leaf from issuing further certificates; the SAN list is
# what clients match the host name against (DNS.2 is the domain without its
# last label, e.g. "example" for example.com).
echo "generate x509 v3 ext file"
echo "authorityKeyIdentifier=keyid,issuer" > v3.ext
echo "basicConstraints=CA:FALSE" >> v3.ext
echo "keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment" >> v3.ext
echo "extendedKeyUsage = serverAuth" >> v3.ext
echo "subjectAltName = @alt_names" >> v3.ext
echo "" >> v3.ext
echo "[alt_names]" >> v3.ext
echo "DNS.1=${svr_domain}" >> v3.ext
echo "DNS.2=${svr_domain%.*}" >> v3.ext
echo "DNS.3=${svr_host}" >> v3.ext

# --- Sign the CSR with the CA; -CAcreateserial writes ca.srl ---
echo "generate server crt for ${svr_domain}"
openssl x509 -req -sha512 -days ${svr_days} \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in "${svr_domain}.csr" \
    -out "${svr_domain}.crt"
```
custom.cf
```ini
ca_numbits=4096
ca_c=CN
ca_st=Beijing
ca_l=Beijing
ca_o=Ca
ca_ou=Personal
ca_cn=self.ca.org
ca_days=3650

svr_numbits=4096
svr_domain=example.com
svr_c=CN
svr_st=Beijing
svr_l=Beijing
svr_o=Example
svr_ou=Personal
svr_days=3650
svr_host=localhost.domain
```