GmSSL生成国密双证书

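#!/bin/sh
# Generate a GM (SM2 / SM3) "double certificate" set with GmSSL.
#
# Produces, under ${GmsslRootPath}/apps/demoCA/certs:
#   CA.crt / CA.key   self-signed SM2 CA (created only when CA.crt is absent)
#   SS.*  / SE.*      server signing and server encryption certificates
#   CS.*  / CE.*      client signing and client encryption certificates
# For every end-entity certificate a .p12 bundle and a .pem (certificate plus
# plaintext private key) are exported as well.
#
# Environment:
#   GMSSL_ROOT    GmSSL tree holding apps/gmssl and apps/openssl.cnf
#                 (default: /home/GmSSL)
#   GM_P12_PASS   password for the exported .p12 bundles (default: 123456,
#                 kept for compatibility with the old script; override it for
#                 anything but a throw-away demo)
#
# Author : xiejianjun
# Date   : 2020-07-28

# Abort on the first failing gmssl call and on any unset variable: an
# undetected failure would silently leave a half-built PKI (for example a
# certificate signed from a stale CSR of a previous run).
set -eu

GmsslRootPath=${GMSSL_ROOT:-/home/GmSSL}
GmsslBin=${GmsslRootPath}/apps/gmssl
GmsslConf=${GmsslRootPath}/apps/openssl.cnf
DemoCaDir=${GmsslRootPath}/apps/demoCA
CaCertDir=${DemoCaDir}/certs
CertDir=${DemoCaDir}/certs
KeyDir=${CertDir}
CrlDir=${DemoCaDir}/crl
ReqDir=${DemoCaDir}/reqs
SM2ParamFile=${DemoCaDir}/SM2.pem

CertDays=3650

# The .p12 password is handed to gmssl through the environment (env:P12Pass)
# instead of a pass:... argument so it does not show up in `ps` output.
P12Pass=${GM_P12_PASS:-123456}
export P12Pass

CACertFile=CA.crt
CAKeyFile=CA.key
CA_DN_STRING="/C=CN/ST=SiChuan/L=ChengDu/O=August LTD./OU=August/CN=CA (GM)"
CAReqFile=CA.req

SSCertFile=SS.crt
SSKeyFile=SS.key
SS_DN_STRING="/C=CN/ST=SiChuan/L=ChengDu/O=August LTD./OU=August/CN=Server Sign (GM)"
SSReqFile=SS.req
SSCertKeyFile=SS.pem
SSP12File=SS.p12

SECertFile=SE.crt
SEKeyFile=SE.key
SE_DN_STRING="/C=CN/ST=SiChuan/L=ChengDu/O=August LTD./OU=August/CN=Server Encrypt (GM)"
SEReqFile=SE.req
SECertKeyFile=SE.pem
SEP12File=SE.p12

CSCertFile=CS.crt
CSKeyFile=CS.key
CS_DN_STRING="/C=CN/ST=SiChuan/L=ChengDu/O=August LTD./OU=August/CN=Client Sign (GM)"
CSReqFile=CS.req
CSCertKeyFile=CS.pem
CSP12File=CS.p12

CECertFile=CE.crt
CEKeyFile=CE.key
CE_DN_STRING="/C=CN/ST=SiChuan/L=ChengDu/O=August LTD./OU=August/CN=Client Encrypt (GM)"
CEReqFile=CE.req
CECertKeyFile=CE.pem
CEP12File=CE.p12

#######################################
# Print a message to stderr and exit with status 2.
# Arguments: $* - message
#######################################
die() {
    printf '%s\n' "$*" >&2
    exit 2
}

[ -d "${GmsslRootPath}" ] || die "GmSSL path DONOT exist!"
[ -x "${GmsslBin}" ] || die "gmssl binary not found or not executable: ${GmsslBin}"
[ -r "${GmsslConf}" ] || die "openssl.cnf not found: ${GmsslConf}"

export LD_LIBRARY_PATH=${GmsslRootPath}

mkdir -p "${CaCertDir}" "${CertDir}" "${KeyDir}" "${CrlDir}" "${ReqDir}"

# Every private key is written unencrypted (-nodes) and is copied verbatim
# into the .pem and .p12 exports.  Create all of those files owner-only from
# the start; public certificates are opened up with an explicit chmod 644.
# (The directories above are created before the umask so they keep the
# caller's default permissions.)
umask 077

# Scratch x509v3 extension file, rewritten for each end-entity certificate
# and removed on any exit path.
ExtFile=$(mktemp) || die "mktemp failed"
trap 'rm -f "${ExtFile}"' EXIT

#######################################
# Write the x509v3 extensions for one end-entity certificate.
# The two halves of a GM double certificate are meant to differ in keyUsage:
# the signing certificate is limited to signing, the encryption certificate
# to key/data encipherment and key agreement (GM/T 0015 / GM/T 0024 --
# confirm against the PKI policy you deploy under).  Both are CA:FALSE.
# The original script applied the config's generic v3_req section to both,
# which made the pair distinguishable only by its CN.
# Arguments: $1 - role, "sign" or "encrypt"
#            $2 - path of the extension file to (over)write
#######################################
write_ext_file() {
    case "$1" in
        sign)    ext_ku="digitalSignature, nonRepudiation" ;;
        encrypt) ext_ku="keyEncipherment, dataEncipherment, keyAgreement" ;;
        *)       die "write_ext_file: unknown role '$1'" ;;
    esac
    cat > "$2" <<EOF
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = ${ext_ku}
EOF
}

#######################################
# Issue one end-entity certificate: fresh SM2 key + CSR, sign it with the
# CA, print it, then export a .p12 bundle and a .pem (cert + plaintext key).
# Arguments: $1 - label (.p12 friendlyName, also used in the progress message)
#            $2 - role for the extensions, "sign" or "encrypt"
#            $3 - subject DN
#            $4 - key file  (created in KeyDir)
#            $5 - CSR file  (created in ReqDir)
#            $6 - cert file (created in CertDir)
#            $7 - .p12 file (created in CertDir)
#            $8 - .pem file (created in CertDir)
# Globals:   GmsslBin GmsslConf SM2ParamFile CertDays CaCertDir CACertFile
#            CAKeyFile KeyDir ReqDir CertDir ExtFile P12Pass
#######################################
issue_cert() {
    echo "#######################################################################################################"
    echo "Generate $1 certificate file..."
    ${GmsslBin} req -config "${GmsslConf}" -nodes -subj "$3" \
        -keyout "${KeyDir}/$4" -newkey "ec:${SM2ParamFile}" \
        -new -out "${ReqDir}/$5"

    # Sign with the CA key; the CA serial file is created next to CA.crt.
    write_ext_file "$2" "${ExtFile}"
    ${GmsslBin} x509 -sm3 -req -days "${CertDays}" -in "${ReqDir}/$5" \
        -CA "${CaCertDir}/${CACertFile}" -CAkey "${CaCertDir}/${CAKeyFile}" \
        -extfile "${ExtFile}" \
        -CAcreateserial -out "${CertDir}/$6"
    chmod 644 "${CertDir}/$6"

    ${GmsslBin} x509 -in "${CertDir}/$6" -noout -text
    ${GmsslBin} pkcs12 -export -in "${CertDir}/$6" -inkey "${KeyDir}/$4" \
        -name "$1" -out "${CertDir}/$7" -passout env:P12Pass
    ${GmsslBin} pkcs12 -in "${CertDir}/$7" -out "${CertDir}/$8" -nodes -passin env:P12Pass
}

# SM2 curve parameters used by every -newkey below.  Created whenever they
# are missing -- not only together with the CA -- so a CA.crt/CA.key pair
# that was imported rather than generated here still works.
[ -e "${SM2ParamFile}" ] || ${GmsslBin} ecparam -name sm2p256v1 -out "${SM2ParamFile}"

echo "#######################################################################################################"
if [ ! -e "${CaCertDir}/${CACertFile}" ]; then
    echo "Generate CA certificate file..."
    ${GmsslBin} req -config "${GmsslConf}" -nodes -subj "${CA_DN_STRING}" \
        -keyout "${CaCertDir}/${CAKeyFile}" -newkey "ec:${SM2ParamFile}" \
        -new -out "${ReqDir}/${CAReqFile}"

    # Self-signed with the CA's own key (-signkey); the v3_ca section of
    # openssl.cnf supplies CA:TRUE and the key identifiers.  NOTE: the CA key
    # is written unencrypted, as in the original script -- it is protected by
    # file permissions only.
    ${GmsslBin} x509 -sm3 -req -days "${CertDays}" -in "${ReqDir}/${CAReqFile}" \
        -extfile "${GmsslConf}" -extensions v3_ca -signkey "${CaCertDir}/${CAKeyFile}" \
        -out "${CaCertDir}/${CACertFile}"
    chmod 644 "${CaCertDir}/${CACertFile}"

    ${GmsslBin} x509 -in "${CaCertDir}/${CACertFile}" -noout -text
fi

# An existing CA.crt without its key cannot sign anything; fail up front
# rather than at the first x509 -CAkey call.
[ -r "${CaCertDir}/${CAKeyFile}" ] || die "CA key missing: ${CaCertDir}/${CAKeyFile}"

# Keep a copy of the CA certificate beside the issued certificates.  Skipped
# when both directories coincide (the default): cp refuses to copy a file
# onto itself and would abort the script under set -e.
if [ "${CaCertDir}" != "${CertDir}" ]; then
    cp -f "${CaCertDir}/${CACertFile}" "${CertDir}/"
fi

issue_cert "Server Sign"    sign    "${SS_DN_STRING}" "${SSKeyFile}" "${SSReqFile}" "${SSCertFile}" "${SSP12File}" "${SSCertKeyFile}"
issue_cert "Server Encrypt" encrypt "${SE_DN_STRING}" "${SEKeyFile}" "${SEReqFile}" "${SECertFile}" "${SEP12File}" "${SECertKeyFile}"
issue_cert "Client Sign"    sign    "${CS_DN_STRING}" "${CSKeyFile}" "${CSReqFile}" "${CSCertFile}" "${CSP12File}" "${CSCertKeyFile}"
issue_cert "Client Encrypt" encrypt "${CE_DN_STRING}" "${CEKeyFile}" "${CEReqFile}" "${CECertFile}" "${CEP12File}" "${CECertKeyFile}"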
