创建自签名证书脚本
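#!/bin/bash
# Purpose: create a private CA (ca.key / ca.crt) and one CA-signed server
# certificate (<common-name>.key / .crt) carrying DNS and IP SANs, asking for
# the subject fields interactively.  Requires bash and openssl; `hostname -I`
# (Linux) is only used to pre-fill the IP prompt.
# -u: an unset variable (e.g. a typo in a name) aborts instead of silently
#     turning into an empty string inside the certificate subject.
# pipefail: a failing producer in a pipeline is reported, not masked by the
#     consumer's exit status.
set -uo pipefail
# Interactive entry of the certificate fields starts here.
echo "请输入证书信息:"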
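#######################################
# Prompt for a value, falling back to a default when the user presses Enter.
# Arguments: $1 - prompt text
#            $2 - default value (may be empty or omitted)
# Outputs:   the entered value, or the default, on stdout; the prompt itself
#            is emitted by `read -p`, which only shows it on a terminal
# Returns:   0 always — EOF on stdin also yields the default
#######################################
prompt_with_default() {
  local prompt_message=$1
  local default_value=${2-}
  local input=""
  # -r keeps backslashes literal so input such as "C:\path" is not mangled.
  read -r -p "$prompt_message [$default_value]: " input
  # printf, not echo: a value like "-n" or "-e" must be printed, not parsed.
  printf '%s\n' "${input:-$default_value}"
}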
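# --- Collect the certificate fields interactively ---------------------------
# Addresses of this host, used only to pre-fill the SAN prompt.  `hostname -I`
# (Linux) may print zero, one or many addresses, IPv4 and IPv6, so gather all
# of them instead of assuming exactly two exist; a missing or failing hostname
# simply leaves the list empty.
HOST_IPS=()
read -ra HOST_IPS <<< "$(hostname -I 2>/dev/null || true)"
DEFAULT_SAN=""
for ip in ${HOST_IPS[@]+"${HOST_IPS[@]}"}; do
  DEFAULT_SAN+="${DEFAULT_SAN:+,}IP:${ip}"
done
# 192.0.2.10 is a documentation-range address; it is only shown as an example.
EXAMPLE_SAN=${DEFAULT_SAN:-IP:192.0.2.10}

COUNTRY=$(prompt_with_default "国家(两个字母的国家代码,例如:CN)" "CN")
while [[ ! "$COUNTRY" =~ ^[A-Z]{2}$ ]]; do
  echo "国家代码必须是两个大写字母。"
  COUNTRY=$(prompt_with_default "国家(两个字母的国家代码,例如:CN)" "CN")
done
STATE=$(prompt_with_default "省份(例如:Guangdong)" "Guangdong")
LOCALITY=$(prompt_with_default "城市(例如:Shenzhen)" "Shenzhen")
ORGANIZATION=$(prompt_with_default "组织名称(例如:zhzx.com)" "*.zhzx.com")
ORGANIZATIONAL_UNIT=$(prompt_with_default "组织单位名称(例如:zhzx)" "zhzx")
# The common name becomes the output file names and is written verbatim into
# the OpenSSL extension file, so only accept a DNS name (optionally prefixed
# with "*."): no path separators, whitespace or "[section]" markers get through.
CN_RE='^(\*\.)?[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
COMMON_NAME=$(prompt_with_default "公共名称(通常是您的域名,例如:zhzx.com)" "zhzx.com")
while [[ ! "$COMMON_NAME" =~ $CN_RE ]]; do
  echo "公共名称必须是合法的域名(例如:zhzx.com)。"
  COMMON_NAME=$(prompt_with_default "公共名称(通常是您的域名,例如:zhzx.com)" "zhzx.com")
done
EMAIL=$(prompt_with_default "电子邮件地址(例如:admin@zhzx.com)" "admin@zhzx.com")
SERVER_IP=$(prompt_with_default "服务器IP地址(例如:${EXAMPLE_SAN})" "$DEFAULT_SAN")

# --- Subject names ----------------------------------------------------------
# Escape "/" and "\" so a field value cannot be read by -subj as a new RDN.
subj_escape() {
  printf '%s' "$1" | sed -e 's/[\\/]/\\&/g'
}
DN_BASE="/C=$(subj_escape "$COUNTRY")/ST=$(subj_escape "$STATE")/L=$(subj_escape "$LOCALITY")"
DN_BASE+="/O=$(subj_escape "$ORGANIZATION")/OU=$(subj_escape "$ORGANIZATIONAL_UNIT")"
# The CA gets its own CN: an issuer DN identical to the leaf's subject DN can
# confuse chain building and trust-store tooling.
CA_SUBJ="${DN_BASE}/CN=$(subj_escape "${COMMON_NAME} CA")/emailAddress=$(subj_escape "$EMAIL")"
SUBJ="${DN_BASE}/CN=${COMMON_NAME}/emailAddress=$(subj_escape "$EMAIL")"

# --- CA key and certificate --------------------------------------------------
# Private keys must not be world-readable: everything created from here on is
# owner-only, and the public artefacts are opened up with chmod 644 explicitly.
umask 077
openssl genrsa -out ca.key 4096 || { echo "生成CA密钥时出错。" >&2; exit 1; }
# CA:TRUE on the CA certificate comes from the default openssl.cnf v3_ca
# section that `req -x509` applies — NOTE(review): confirm on the target host.
openssl req -x509 -new -nodes -sha512 -days 3650 -subj "$CA_SUBJ" -key ca.key -out ca.crt \
  || { echo "生成CA证书时出错。" >&2; exit 1; }
chmod 644 ca.crt
# Ask where to place a copy of the CA certificate.
read -r -p "请输入要保存CA证书的目标路径(默认为当前目录下的ca.crt): " CA_TARGET_PATH
CA_TARGET_PATH=${CA_TARGET_PATH:-./ca.crt}
# The default resolves to the file just written and cp refuses to copy a file
# onto itself, so copy only when the target is a different file.
if [[ ! "$CA_TARGET_PATH" -ef ca.crt ]]; then
  cp -- ca.crt "$CA_TARGET_PATH" || { echo "复制CA证书时出错。" >&2; exit 1; }
fi
echo "CA证书已保存至 $CA_TARGET_PATH"

# --- Server key --------------------------------------------------------------
# Leaf certificate lifetime, 10 years.  Some TLS clients reject server
# certificates valid for longer than roughly two years even when the issuing
# CA is privately trusted; shorten this if such clients are in scope.
VALID_DAYS=3650
echo "请选择证书类型:"
echo "1) RSA"
echo "2) ECDSA"
read -r -p "选择一个选项(1或2):" CERT_TYPE
case "$CERT_TYPE" in
  1)
    # RSA 4096 private key (owner-only thanks to the umask above).
    openssl genrsa -out "${COMMON_NAME}.key" 4096
    ;;
  2)
    # ECDSA P-384 private key.
    openssl ecparam -genkey -name secp384r1 -out "${COMMON_NAME}.key"
    ;;
  *)
    echo "无效的选项。请重新运行脚本并选择1或2。" >&2
    exit 1
    ;;
esac
# Exit status of the openssl command run in the selected arm.
rc=$?
if (( rc != 0 )); then
  echo "生成密钥时出错。" >&2
  exit 1
fi

# --- CSR and extensions ------------------------------------------------------
openssl req -sha512 -new -subj "$SUBJ" -key "${COMMON_NAME}.key" -out "${COMMON_NAME}.csr" \
  || { echo "生成CSR时出错。" >&2; exit 1; }
# Extension file for the leaf: end-entity only, server authentication, SANs.
cat > v3.ext <<EOF
authorityKeyIdentifier=keyid,issuer
subjectKeyIdentifier=hash
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=$COMMON_NAME
EOF
# "www.*.example" is not a valid name, so skip the www alias for wildcard CNs.
[[ "$COMMON_NAME" == \*.* ]] || echo "DNS.2=www.${COMMON_NAME}" >> v3.ext
# Append one IP entry per "IP:<addr>" item.  The whole remainder after the
# "IP:" tag is kept (IPv6 addresses contain ':' themselves), each entry gets
# a unique index, empty items are skipped, and only address characters are
# accepted so nothing else can be smuggled into the config file.
IFS=',' read -ra ADDR <<< "$SERVER_IP"
ip_index=0
for addr in ${ADDR[@]+"${ADDR[@]}"}; do
  addr=${addr//[[:space:]]/}
  [[ -n "$addr" ]] || continue
  ip=${addr#IP:}
  [[ -n "$ip" ]] || continue
  if [[ ! "$ip" =~ ^[0-9A-Fa-f.:]+$ ]]; then
    echo "无效的IP地址:${ip}" >&2
    exit 1
  fi
  ip_index=$((ip_index + 1))
  echo "IP.${ip_index}=${ip}" >> v3.ext
done

# --- Sign the server certificate ---------------------------------------------
# Success is judged by openssl's exit status rather than by the existence of
# the output file.
if openssl x509 -req -sha512 -days "$VALID_DAYS" -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in "${COMMON_NAME}.csr" -out "${COMMON_NAME}.crt"; then
  chmod 644 "${COMMON_NAME}.crt"
  echo "证书生成成功。"
  # The CSR is no longer needed once the certificate exists.
  rm -f -- "${COMMON_NAME}.csr"
else
  echo "生成证书时发生错误,请检查输出信息确定问题所在。" >&2
  exit 1
fi
debian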
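# Debian/Ubuntu: update-ca-certificates only picks up files below
# /usr/local/share/ca-certificates/ whose name ends in .crt.  Install the CA
# certificate only — never the server certificate and never ca.key.  After this
# every certificate signed with ca.key is trusted system-wide, so keep ca.key
# off this host (or root-only, mode 0600).  Both commands need root.
cp -- ca.crt /usr/local/share/ca-certificates/ca.crt
update-ca-certificates
openeuler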
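# openEuler / RHEL family: update-ca-trust rebuilds the system bundle from
# /etc/pki/ca-trust/source/anchors/; the copy placed directly under
# /etc/pki/tls/certs/ is not what it reads and only serves tools that expect a
# file there.  Install the CA certificate only, never ca.key.  Needs root, and
# afterwards everything signed with ca.key is trusted system-wide.
cp -- ca.crt /etc/pki/tls/certs/ca.crt
cp -- ca.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust
windows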
REM Windows: adds ca.crt to the Local Machine "Trusted Root Certification
REM Authorities" store, so every certificate issued with ca.key becomes trusted
REM on this host; run from an elevated prompt.  Add the -user switch
REM (certutil -user -addstore root ca.crt) to trust it for the current user
REM only.  Import the CA certificate only, never ca.key.
certutil -addstore root ca.crt