自簽證書
配置openssl
#Add under both [ v3_ca ] and [ v3_req ] (the one-shot script further down
#appends it to both sections as well)
subjectAltName = @alt_names
#Add after [ v3_ca ]. [alt_names] is a section header of its own, so it must
#not land inside another section's body; the script instead inserts it just
#before [ v3_req ]. 127.0.0.1 as IP.1 only makes sense for local testing.
[alt_names]
DNS.1 = www.test.com
IP.1 = 127.0.0.1
生成隨機密碼
# Produce an 8-character random password (example output: YE064yIf).
# 9 random bytes base64-encode to 12 characters; only the first 8 are kept,
# and no trailing newline is printed.
openssl rand -base64 9 | head -c 8
生成私鑰
#Generate a private key without a passphrase
openssl genrsa -out /data/cert/private.key 2048
#Generate a passphrase-protected private key
#NOTE: both commands write the same path, so run one or the other; every
#later command on this page passes -passin and therefore assumes this
#protected variant. pass:<literal> puts the passphrase into argv, where
#`ps` shows it to every local user and the shell history keeps it;
#-passout env:VAR or file:PATH avoids that. -des3 is legacy 3DES, -aes256
#is the current choice.
openssl genrsa -des3 -passout pass:YE064yIf -out /data/cert/private.key 2048
自簽證書
openssl req -config /etc/pki/tls/openssl.cnf -new -x509 -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=Company/OU=IT/CN=www.test.com/emailAddress=test@test.com" -days 3650 -key /data/cert/private.key -passin pass:YE064yIf -out /data/cert/cert.crt
生成PFX
openssl pkcs12 -export -in /data/cert/cert.crt -name www_test_com -inkey /data/cert/private.key -passin pass:YE064yIf -password pass:YE064yIf -out /data/cert/cert.pfx
生成PK12
openssl pkcs12 -export -in /data/cert/cert.crt -name www_test_com -inkey /data/cert/private.key -passin pass:YE064yIf -password pass:YE064yIf -out /data/cert/cert.pk12
生成JKS
keytool -importkeystore -srcstoretype PKCS12 -srckeystore /data/cert/cert.pk12 -srcstorepass YE064yIf -deststoretype JKS -destkeystore /data/cert/cert.jks -deststorepass YE064yIf
Shell腳本一鍵執行
將如下內容保存到本地隨便位置，取名XXX.sh。然后用chmod +x XXX.sh給腳本賦權，執行後輸入域名就OK了，生成的所有文檔都在/etc/pki/CA目錄下。注意不要改動原始的openssl.conf，腳本也是生成新的配置，不會改動原始的配置。
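#!/bin/bash
# One-shot self-signed certificate generator.
#
# Prompts for a domain name, then creates under $CA_ROOT/<domain with '.'
# replaced by '_'>/:
#   <name>.key          RSA private key, passphrase-protected
#   <name>.crt          self-signed X.509 certificate with a subjectAltName
#                       for the domain and 127.0.0.1
#   <name>.pfx / .pk12  PKCS#12 bundle of key + certificate
#   <name>.jks          Java keystore converted from the PKCS#12 bundle
#   password.txt        the generated passphrase (mode 0600)
#   openssl.conf        copy of the system openssl.cnf with the SAN sections
# The system openssl.cnf itself is never modified. Artefacts of a previous
# run for the same domain are moved to <dir>/backup/ first.
#
# Optional environment overrides:
#   EXPIRE       certificate lifetime in days   (default 3650)
#   KEY_SIZE     RSA key size in bits           (default 2048)
#   CA_ROOT      output parent directory        (default /etc/pki/CA)
#   OPENSSL_CNF  base config to copy from       (default /etc/pki/tls/openssl.cnf)
set -euo pipefail

# Everything created here (private key, passphrase file, keystores) is
# secret material; make new files owner-readable only.
umask 077

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

read -r -p "Please input domain name: " DOMAIN

# DOMAIN is untrusted input that flows into a filesystem path, the -subj
# string and a sed program below. Accept only a plain hostname (letters,
# digits, '.' and '-', not starting or ending with a separator). Wildcard
# names such as *.example.com are deliberately rejected: the '*' would end
# up in the output file names and in the backup glob.
[[ "$DOMAIN" =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]] \
  || die "invalid domain name: '$DOMAIN'"

readonly DOMAIN2=${DOMAIN//./_}
readonly EXPIRE=${EXPIRE:-3650}
readonly KEY_SIZE=${KEY_SIZE:-2048}
readonly CA_ROOT=${CA_ROOT:-/etc/pki/CA}
readonly OPENSSL_CNF=${OPENSSL_CNF:-/etc/pki/tls/openssl.cnf}
readonly DIR="$CA_ROOT/$DOMAIN2"
readonly BASE="$DIR/$DOMAIN2"   # common path prefix of every generated artefact
readonly SUBJECT="/C=CN/ST=GuangDong/L=ShenZhen/CN=$DOMAIN"

[[ -r "$OPENSSL_CNF" ]] || die "cannot read base config $OPENSSL_CNF"
command -v openssl >/dev/null 2>&1 || die "openssl not found in PATH"

# 8-character passphrase from 9 random bytes (base64 gives 12 characters,
# the first 8 are kept). It is exported and referenced as env:PASS by
# openssl and keytool instead of being spelled out in their argument list:
# argv is readable by every user on the host through `ps`, the environment
# of a process is not.
PASS=$(openssl rand -base64 9 | head -c 8) || die "openssl rand failed"
[[ ${#PASS} -eq 8 ]] || die "unexpected passphrase length"
export PASS

mkdir -p -- "$DIR/backup"

# Move the previous run's artefacts out of the way instead of silently
# overwriting them. Only regular files are moved, so the backup directory
# itself can never be swept up by the glob.
previous=()
shopt -s nullglob
for f in "$BASE"*; do
  if [[ -f "$f" ]]; then
    previous+=("$f")
  fi
done
shopt -u nullglob
if (( ${#previous[@]} > 0 )); then
  mv -f -- "${previous[@]}" "$DIR/backup/"
fi

# Recreate rather than truncate, so a stale world-readable file left by an
# earlier version of this script does not keep its old mode.
rm -f -- "$DIR/password.txt"
printf '%s' "$PASS" > "$DIR/password.txt"

# Private key, encrypted with AES-256 (the earlier -des3 choice is 3DES,
# which current OpenSSL releases treat as legacy).
openssl genrsa -aes256 -passout env:PASS -out "$BASE.key" "$KEY_SIZE" >/dev/null 2>&1 \
  || die "private key generation failed"

# Derive a per-domain config from the system one: an [alt_names] section is
# inserted right before [ v3_req ], and subjectAltName = @alt_names is
# appended to both [ v3_req ] and [ v3_ca ]. The one-line 'i'/'a' forms are
# GNU sed syntax. DOMAIN was validated above, so it cannot carry newlines or
# sed metacharacters into this program.
sed -e "/\[\ v3_req\ \]/i[alt_names]\nDNS.1 = $DOMAIN\nIP.1 = 127.0.0.1\n" \
    -e '/\[\ v3_req\ \]/asubjectAltName = @alt_names' \
    -e '/\[\ v3_ca\ \]/asubjectAltName = @alt_names' \
    "$OPENSSL_CNF" > "$DIR/openssl.conf"

# Self-signed certificate. NOTE(review): the SAN is added to v3_ca above
# because the stock openssl.cnf points [req] x509_extensions at v3_ca; if so
# the certificate also carries basicConstraints CA:TRUE — confirm that this
# is acceptable where the certificate is deployed.
openssl req -config "$DIR/openssl.conf" -new -x509 -subj "$SUBJECT" \
  -days "$EXPIRE" -key "$BASE.key" -passin env:PASS -out "$BASE.crt" \
  || die "certificate generation failed"

# PKCS#12 bundle: -passin unlocks the key, -password protects the bundle.
openssl pkcs12 -export -in "$BASE.crt" -inkey "$BASE.key" \
  -passin env:PASS -password env:PASS -out "$BASE.pfx" \
  || die "PKCS#12 export failed"
# .pk12 and .pfx are the same format; a copy replaces the second export
# (which differed only by its random salt) and is what keytool reads below.
cp -- "$BASE.pfx" "$BASE.pk12"

# Java keystore. The :env password forms keep the passphrase out of argv.
if command -v keytool >/dev/null 2>&1; then
  keytool -importkeystore -srcstoretype PKCS12 -srckeystore "$BASE.pk12" \
    -srcstorepass:env PASS -deststoretype JKS -destkeystore "$BASE.jks" \
    -deststorepass:env PASS >/dev/null 2>&1 \
    || die "JKS conversion failed"
else
  printf 'warning: keytool not found, %s not created\n' "$BASE.jks" >&2
fi

printf 'Done: artefacts in %s, passphrase in %s\n' "$DIR" "$DIR/password.txt"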