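#!/bin/bash
# Builds a self-signed test PKI for mutual TLS in the current directory:
#   my_root_ca.key / my_root_ca.pem  - root CA key and self-signed certificate
#   emqx.key / emqx.csr / emqx.pem   - server key, CSR and CA-signed certificate
#   client.key / client.csr / client.pem - client key, CSR and CA-signed certificate
# Requires openssl and faketime on PATH.
#
# Test use only: every private key is written without a passphrase, and the
# certificates are valid for roughly a thousand years, so they can never be
# rotated out by expiry. Do not add my_root_ca.pem to a production trust store.

# Stop at the first failure so a failed key or CSR step never leads to signing
# with a stale file left over from an earlier run.
set -euo pipefail

COUNTRY=CN
PROVINCE=jiangsu
CITY=Suzhou
ORGANIZATION=Test
GROUP=Devops
HOST=test.com
SUBJ="/C=$COUNTRY/ST=$PROVINCE/L=$CITY/O=$ORGANIZATION/OU=$GROUP/CN=$HOST"

# Signing runs under faketime so that notBefore is the Unix epoch; together
# with -days 365000 this yields certificates that are already valid on hosts
# with a wrong clock and that do not expire in practice.
readonly FAKE_NOW='1970-01-01 00:00:00'

#============================================#
# Issue the root certificate                 #
#============================================#
# Private keys are created under a restrictive umask so they are not readable
# by other local users; the certificates keep the caller's normal umask.
(umask 077 && openssl genrsa -out my_root_ca.key 2048)
# openssl is invoked directly under faketime (no intermediate "bash -c"), so
# the subject is passed as one quoted argument instead of being re-parsed.
faketime "$FAKE_NOW" openssl req -x509 -new -nodes -key my_root_ca.key \
  -sha256 -days 365000 -out my_root_ca.pem -subj "$SUBJ"

#============================================#
# Issue the server certificate from the root #
#============================================#
(umask 077 && openssl genrsa -out emqx.key 2048)
# The heredoc delimiter is left unquoted on purpose so that $HOST expands.
# The distinguished name below is hard-coded and does not follow the
# COUNTRY/PROVINCE/... variables above.
# NOTE(review): DNS.3 = *.com is a wildcard directly under a top-level domain.
# A verifier that accepts such a name would treat this certificate as valid
# for any .com host; drop the entry if the certificate leaves a test bench.
cat <<EOF >openssl.cnf
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
countryName = CN
stateOrProvinceName = jinagsu
localityName = suz
organizationName = devops
commonName = dreame.com
[req_ext]
subjectAltName = @alt_names
[v3_req]
subjectAltName = @alt_names
[alt_names]
IP.1 = 127.0.0.1
DNS.1 = dreame.com
DNS.2 = $HOST
DNS.3 = *.com
EOF
openssl req -new -key ./emqx.key -config openssl.cnf -out emqx.csr
# -extensions/-extfile copy the subjectAltName list into the signed
# certificate; "x509 -req" does not take extensions from the CSR by default.
faketime "$FAKE_NOW" openssl x509 -req -in ./emqx.csr \
  -CA my_root_ca.pem -CAkey my_root_ca.key -CAcreateserial \
  -out emqx.pem -days 365000 -sha256 -extensions v3_req -extfile openssl.cnf

#============================================#
# Issue the client certificate from the root #
#============================================#
(umask 077 && openssl genrsa -out client.key 2048)
openssl req -new -key client.key -out client.csr \
  -subj "/C=CN/ST=Zhejiang/L=Hangzhou/O=EMQX/CN=client"
# -sha256 is stated explicitly, matching the root and server certificates,
# instead of relying on the installed OpenSSL's default digest.
faketime "$FAKE_NOW" openssl x509 -req -days 365000 -sha256 -in client.csr \
  -CA my_root_ca.pem -CAkey my_root_ca.key -CAcreateserial -out client.pem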
双向TLS证书
该博客详细介绍了如何使用OpenSSL命令行工具生成根证书、服务器证书和客户端证书。过程包括设置地理信息、组织信息,以及配置文件来指定证书的详细信息,并使用faketime进行时间伪造以快速签发长期有效的证书。