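#!/bin/sh
# Generate GM (SM2/SM3) "double certificate" files with GmSSL:
# a self-signed CA plus a sign/encrypt certificate pair for a server
# (SS, SE) and for a client (CS, CE), each also exported as PKCS#12
# and as an unencrypted cert+key PEM.
# Author : xiejianjun
# Date : 2020-07-28
#
# Environment (all optional):
#   GMSSL_ROOT_PATH  GmSSL install root            (default /home/GmSSL)
#   GM_P12_PASS      password of the .p12 bundles  (default 123456, demo only)
#
# Exit status: 0 on success, 2 when the GmSSL tree is missing, 1 on any
# failing GmSSL command (set -e).
set -eu

#######################################
# Print a message to stderr and exit.
# Arguments: $1 - message, $2 - exit code (default 1)
#######################################
die() {
  printf '%s\n' "$1" >&2
  exit "${2:-1}"
}

#######################################
# Visual separator between generation steps.
#######################################
banner() {
  echo "#######################################################################################################"
}

#######################################
# Restrict a file that holds private key material to its owner.
# Arguments: $1 - path of the key / bundle file
#######################################
protect_key() {
  chmod 600 -- "$1"
}

CurPath=$(dirname "$(readlink -f "$0")")
GmsslRootPath=${GMSSL_ROOT_PATH:-/home/GmSSL}
GmsslBin=${GmsslRootPath}/apps/gmssl
OpensslCnf=${GmsslRootPath}/apps/openssl.cnf
DemoCaDir=${GmsslRootPath}/apps/demoCA
CaCertDir=${DemoCaDir}/certs
CertDir=${DemoCaDir}/certs
KeyDir=${CertDir}
CrlDir=${DemoCaDir}/crl
ReqDir=${DemoCaDir}/reqs
# SM2 curve parameters shared by every key generated below
Sm2Param=${DemoCaDir}/SM2.pem
CertDays=3650

CACertFile=CA.crt
CAKeyFile=CA.key
CA_DN_STRING="/C=CN/ST=SiChuan/L=ChengDu/O=August LTD./OU=August/CN=CA (GM)"
CAReqFile=CA.req

SS_DN_STRING="/C=CN/ST=SiChuan/L=ChengDu/O=August LTD./OU=August/CN=Server Sign (GM)"
SE_DN_STRING="/C=CN/ST=SiChuan/L=ChengDu/O=August LTD./OU=August/CN=Server Encrypt (GM)"
CS_DN_STRING="/C=CN/ST=SiChuan/L=ChengDu/O=August LTD./OU=August/CN=Client Sign (GM)"
CE_DN_STRING="/C=CN/ST=SiChuan/L=ChengDu/O=August LTD./OU=August/CN=Client Encrypt (GM)"

# The PKCS#12 password is handed to gmssl via env: instead of pass:...,
# so it does not appear on the command line (visible in `ps`).
# The default only exists to keep the demo reproducible; override it for
# any key material that leaves this machine.
GM_P12_PASS=${GM_P12_PASS:-123456}
export GM_P12_PASS

#######################################
# Issue one leaf certificate signed by the demo CA.
# Globals:   GmsslBin, OpensslCnf, Sm2Param, CertDays, CaCertDir,
#            CACertFile, CAKeyFile, CertDir, KeyDir, ReqDir (read)
# Arguments: $1 - file stem (SS, SE, CS or CE)
#            $2 - subject DN
#            $3 - friendly name stored in the PKCS#12 bundle
# Outputs:   ReqDir/<stem>.req, KeyDir/<stem>.key, CertDir/<stem>.crt,
#            CertDir/<stem>.p12, CertDir/<stem>.pem (cert + plaintext key)
# Returns:   non-zero (and exits, via set -e) if any gmssl step fails
#######################################
gen_leaf_cert() {
  stem=$1
  dn=$2
  friendly=$3

  "${GmsslBin}" req -config "${OpensslCnf}" -nodes -subj "${dn}" \
    -keyout "${KeyDir}/${stem}.key" -newkey "ec:${Sm2Param}" \
    -new -out "${ReqDir}/${stem}.req"
  protect_key "${KeyDir}/${stem}.key"

  # Sign with the CA key. "v3_req" must be followed by a space before the
  # continuation backslash: "v3_req\" + newline fuses the next argument
  # into the section name.
  "${GmsslBin}" x509 -sm3 -req -days "${CertDays}" -in "${ReqDir}/${stem}.req" \
    -CA "${CaCertDir}/${CACertFile}" -CAkey "${CaCertDir}/${CAKeyFile}" \
    -extfile "${OpensslCnf}" -extensions v3_req \
    -CAcreateserial -out "${CertDir}/${stem}.crt"
  "${GmsslBin}" x509 -in "${CertDir}/${stem}.crt" -noout -text

  "${GmsslBin}" pkcs12 -export -in "${CertDir}/${stem}.crt" -inkey "${KeyDir}/${stem}.key" \
    -name "${friendly}" -out "${CertDir}/${stem}.p12" -passout env:GM_P12_PASS
  protect_key "${CertDir}/${stem}.p12"

  # -nodes: the extracted PEM carries the private key unencrypted
  "${GmsslBin}" pkcs12 -in "${CertDir}/${stem}.p12" -out "${CertDir}/${stem}.pem" \
    -nodes -passin env:GM_P12_PASS
  protect_key "${CertDir}/${stem}.pem"
}

[ -d "${GmsslRootPath}" ] || die "GmSSL path ${GmsslRootPath} does not exist!" 2
[ -x "${GmsslBin}" ] || die "GmSSL binary ${GmsslBin} not found or not executable!" 2
[ -r "${OpensslCnf}" ] || die "GmSSL config ${OpensslCnf} not readable!" 2

# gmssl is linked against the libraries in the GmSSL root
LD_LIBRARY_PATH=${GmsslRootPath}${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}
export LD_LIBRARY_PATH

mkdir -p -- "${CaCertDir}" "${CertDir}" "${KeyDir}" "${CrlDir}" "${ReqDir}"

# Curve parameters are needed by every request, not only by the CA step,
# so (re)create them whenever they are missing.
if [ ! -e "${Sm2Param}" ]; then
  "${GmsslBin}" ecparam -name sm2p256v1 -out "${Sm2Param}"
fi

banner
if [ ! -e "${CaCertDir}/${CACertFile}" ]; then
  echo "Generate CA certificate file..."
  "${GmsslBin}" req -config "${OpensslCnf}" -nodes -subj "${CA_DN_STRING}" \
    -keyout "${CaCertDir}/${CAKeyFile}" -newkey "ec:${Sm2Param}" \
    -new -out "${ReqDir}/${CAReqFile}"
  protect_key "${CaCertDir}/${CAKeyFile}"
  # Self-sign the CA request with its own key using the v3_ca extensions
  "${GmsslBin}" x509 -sm3 -req -days "${CertDays}" -in "${ReqDir}/${CAReqFile}" \
    -extfile "${OpensslCnf}" -extensions v3_ca -signkey "${CaCertDir}/${CAKeyFile}" \
    -CAcreateserial -out "${CaCertDir}/${CACertFile}"
  "${GmsslBin}" x509 -in "${CaCertDir}/${CACertFile}" -noout -text
fi
# With the default layout CaCertDir and CertDir are the same directory;
# cp would then fail on "same file" and abort the script under set -e.
if [ "${CaCertDir}" != "${CertDir}" ]; then
  cp -f -- "${CaCertDir}/${CACertFile}" "${CertDir}/"
fi

banner
echo "Generate Server sign certificate file..."
gen_leaf_cert SS "${SS_DN_STRING}" "Server Sign"

banner
echo "Generate Server encrypt certificate file..."
gen_leaf_cert SE "${SE_DN_STRING}" "Server Encrypt"

banner
echo "Generate Client sign certificate file..."
gen_leaf_cert CS "${CS_DN_STRING}" "Client Sign"

banner
echo "Generate Client encrypt certificate file..."
gen_leaf_cert CE "${CE_DN_STRING}" "Client Encrypt"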
GmSSL生成国密双证书