学习笔记:脚本中的一些文件名是按照openssl配置文件的要求编写的。做实验之前,请确保它们与/etc/pki/tls/openssl.cnf中指定的目录及文件名一致。
#!/bin/bash
#创建私有ca的参数
# Private CA parameters: the subject fields fed to the openssl prompts
# when the root certificate is created.
ca_directory='/etc/pki/CA'
country_name='CN'
state_name='nanjin'
city_name='nj'
org_name='microvideo'
department_name='devops'
common_name='baidu.com'
email_name=''
# Parameters for certificates issued (signed) by this CA.
issue_key_name='/data/app1.key'
issue_cert_name='app1.crt'
issue_city_name='nj'
issue_department_name='it'
issue_common_name='app1.baidu.com'
issue_email_name=''
# Parameters for the standalone self-signed certificate.
self_issue_key_name='/data/self/app2.key'
#openssl x509 -in /etc/pki/CA/cacert.pem -noout [-text|-serial|-subject|dates] #查看证书信息
#openssl ca -status [serial] #通过编号查看证书有效性
#openssl crl -in /etc/pki/CA/crl.pem -noout -text #查看证书吊销列表的文件
#检查并创建目录和文件
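#######################################
# Create the CA directory layout and the bookkeeping files `openssl ca` needs.
# Globals:   ca_directory (read)
# Arguments: none
# Returns:   0 on success; 1 if a directory cannot be created
#######################################
check_directory(){
  local sub
  # mkdir -p is idempotent, so every subdirectory is created even when
  # ${ca_directory} itself already exists but is missing one of them
  # (the original only created them when the top directory was absent).
  for sub in certs crl newcerts private; do
    mkdir -p -- "${ca_directory}/${sub}" || return 1
  done
  # The CA private key is stored under private/; keep it owner-only.
  chmod 700 "${ca_directory}/private"
  # index.txt is the certificate database, serial the next serial number;
  # never overwrite them on a second run.
  if [[ ! -f "${ca_directory}/index.txt" ]]; then
    touch -- "${ca_directory}/index.txt"
  fi
  if [[ ! -f "${ca_directory}/serial" ]]; then
    echo 01 > "${ca_directory}/serial"
  fi
  # crlnumber is required by `openssl ca -gencrl`; creating it here means
  # revocation works even before the first CRL is generated.
  if [[ ! -f "${ca_directory}/crlnumber" ]]; then
    echo 01 > "${ca_directory}/crlnumber"
  fi
}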
#创建自己的根CA
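#######################################
# Build the root CA: generate the CA private key and a self-signed certificate.
# Globals:   ca_directory, country_name, state_name, city_name, org_name,
#            department_name, common_name, email_name (all read)
# Arguments: none
# Outputs:   error message on stderr when the CA already exists
# Returns:   exits 2 if ${ca_directory}/cacert.pem already exists; otherwise
#            the status of key generation, or of `openssl req` when the key
#            was generated successfully
#######################################
self_root_certificate(){
  if [[ -f "${ca_directory}/cacert.pem" ]]; then
    printf '\033[1;31mcerficate center is exist\033[0m\n' >&2
    exit 2
  fi
  # Generate the CA key in a subshell so the restrictive umask (files end up
  # 0600) does not leak into the rest of the script.
  if (umask 066; openssl genrsa -out "${ca_directory}/private/cakey.pem" 2048); then
    # Subject fields are answered from the heredoc, one per prompt; an empty
    # line (e.g. email_name) accepts the openssl.cnf default for that field.
    openssl req -new -x509 -key "${ca_directory}/private/cakey.pem" -days 3650 \
      -out "${ca_directory}/cacert.pem" <<EOF
${country_name}
${state_name}
${city_name}
${org_name}
${department_name}
${common_name}
${email_name}
EOF
  fi
}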
#颁发证书
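#######################################
# Issue a certificate signed by the private CA: key -> CSR -> signed
# certificate, then copy the certificate next to the key.
# Globals:   ca_directory, issue_key_name, issue_cert_name, country_name,
#            state_name, issue_city_name, org_name, issue_department_name,
#            issue_common_name, issue_email_name (all read)
# Arguments: none
# Outputs:   location of the issued certificate on stdout; errors on stderr
# Returns:   exits 1 if the root CA does not exist; returns 1 when any step
#            fails (later steps are skipped instead of running on a missing
#            input as the original did)
#######################################
issue_certficate(){
  local key_dir csr_file
  if [[ ! -f "${ca_directory}/cacert.pem" ]]; then
    printf '\033[1;31mroot cerficate center not exist\033[0m\n' >&2
    exit 1
  fi
  key_dir=${issue_key_name%/*}
  # Same naming rule as before: the trailing "key" becomes "csr" (anchored at end).
  csr_file=${issue_key_name/%key/csr}
  mkdir -p -- "${key_dir}" || return 1
  # Unencrypted private key; umask 066 makes the key file owner-only.
  (umask 066; openssl genrsa -out "${issue_key_name}" 2048) || return 1
  # CSR subject fields answered from the heredoc, one per prompt.
  # NOTE(review): the extra prompts (challenge password, optional company
  # name) only receive end-of-input here — confirm against openssl.cnf.
  openssl req -new -key "${issue_key_name}" -out "${csr_file}" <<EOF || return 1
${country_name}
${state_name}
${issue_city_name}
${org_name}
${issue_department_name}
${issue_common_name}
${issue_email_name}
EOF
  # -batch signs and commits without the two interactive "y" confirmations.
  openssl ca -batch -in "${csr_file}" -out "${ca_directory}/certs/${issue_cert_name}" -days 3650 || return 1
  cp -- "${ca_directory}/certs/${issue_cert_name}" "${key_dir}" \
    && printf '\033[1;32myou can find cert in %s\033[0m\n' "${key_dir}"
}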
#吊销证书
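#######################################
# Interactively revoke certificates issued by the CA and regenerate the CRL.
# Globals:   ca_directory (read)
# Arguments: none
# Outputs:   certificate listing and prompts on stdout; errors on stderr
# Returns:   exits 4 when the user declines to revoke; 0 otherwise
#######################################
certificate_V(){
  local answer cert_revoke_name cert_path
  ls -l -- "${ca_directory}/certs"
  printf '\033[1;33m是否需要吊销证书[y/n]:\033[0m\n'
  read -r answer
  if [[ "${answer}" != "y" ]]; then
    printf '\033[1;32mnot revoke cerficate!!!\033[0m\n'
    exit 4
  fi
  # End of input on the prompt ends the loop instead of spinning forever.
  while read -r -p "请输入需要吊销的证书[q退出]:" cert_revoke_name; do
    [[ "${cert_revoke_name}" == "q" ]] && break
    # Only a bare file name inside certs/ is accepted: a path component
    # would let the revoke target point outside the CA's certificate directory.
    if [[ -z "${cert_revoke_name}" || "${cert_revoke_name}" == */* || "${cert_revoke_name}" == .* ]]; then
      printf 'invalid certificate name: %s\n' "${cert_revoke_name}" >&2
      continue
    fi
    # `openssl ca -gencrl` needs crlnumber to exist the first time it runs.
    # (The original tested ${ca_directory/crlnumber}, which is a pattern
    # substitution on the variable, not a path.)
    if [[ ! -f "${ca_directory}/crlnumber" ]]; then
      echo 01 > "${ca_directory}/crlnumber"
    fi
    cert_path="${ca_directory}/certs/${cert_revoke_name}"
    if openssl x509 -in "${cert_path}" -noout -serial -subject; then
      # Regenerate the CRL only when the revocation itself succeeded.
      openssl ca -revoke "${cert_path}" \
        && openssl ca -gencrl -out "${ca_directory}/crl.pem"
    else
      printf '\033[1;31m吊销的证书不存在或已吊销!!!\033[0m\n' >&2
    fi
  done
}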
#自签名证书
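#######################################
# Create a standalone self-signed certificate (no CA involvement).
# Globals:   self_issue_key_name (read); self_issue_common_name (read,
#            optional — defaults to the previously hard-coded www.baidu.com)
# Arguments: none
# Returns:   1 if the key directory cannot be created; otherwise the status
#            of `openssl req`
#######################################
issue_self_crt(){
  local key_dir
  key_dir=${self_issue_key_name%/*}
  mkdir -p -- "${key_dir}" || return 1
  # 2048-bit key to match the rest of the script (1024-bit RSA is below
  # current minimums). -nodes leaves the key unencrypted, as before.
  openssl req -utf8 -newkey rsa:2048 -subj "/CN=${self_issue_common_name:-www.baidu.com}" \
    -keyout "${self_issue_key_name}" -nodes -x509 -out "${self_issue_key_name/%key/crt}"
}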
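#######################################
# Print the menu, read one choice and dispatch to the matching action.
# Arguments: none (positional parameters are ignored)
# Returns:   exits 3 on an unrecognised choice; otherwise the status of the
#            selected action
#######################################
main(){
  local choice
  cat <<EOF
0:创建根CA
1:颁发证书
2:自签发证书
3:吊销证书
EOF
  # -r keeps backslashes literal in the answer.
  read -r -p "请选择的操作[0-3]:" choice
  case "${choice}" in
    0)
      check_directory
      self_root_certificate
      ;;
    1)
      issue_certficate
      ;;
    2)
      issue_self_crt
      ;;
    3)
      certificate_V
      ;;
    *)
      exit 3
      ;;
  esac
}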
# Entry point: run the interactive menu.
main