通过以下脚本可生成本地证书
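#!/bin/bash
#######################################
# 通过交互式提示生成本地自签名证书 (RSA 4096 或 ECDSA secp384r1)。
# Generates a local self-signed certificate from interactive prompts.
# Outputs (in the current directory):
#   <CN>.key  private key, mode 0600 (umask 077 is set before any file is written)
#   <CN>.crt  self-signed certificate carrying the entered subjectAltName, mode 0644
# The CSR and the temporary SAN extension file are removed on every exit path.
# Globals written: CERT_TYPE, COUNTRY, STATE, LOCALITY, ORGANIZATION,
#   ORGANIZATIONAL_UNIT, COMMON_NAME, EMAIL, SERVER_IP, SUBJ,
#   KEY_FILE, CSR_FILE, CRT_FILE, EXT_FILE
# Returns: 0 on success, 1 on invalid input or when any openssl step fails.
#######################################
set -u

# 证书有效期(天)，10年。
readonly VALID_DAYS=3650

# 打印错误信息到 stderr 并退出。
# Arguments: $* - message
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# 读取国家代码：必须恰好是两个字母，随后转换为大写。
# Outputs: sets COUNTRY
# Note: `read` failing (EOF) aborts instead of looping forever on an empty value.
read_country() {
  read -r -p "国家(两个字母的国家代码,例如:CN):" COUNTRY || die "未读取到输入。"
  # The original only checked the length; the prompt asks for letters, so
  # digits and punctuation are rejected here as well.
  while [[ ! "$COUNTRY" =~ ^[A-Za-z]{2}$ ]]; do
    echo "国家代码必须是两个大写字母。"
    read -r -p "国家(两个字母的国家代码,例如:CN):" COUNTRY || die "未读取到输入。"
  done
  COUNTRY=$(printf '%s' "$COUNTRY" | tr '[:lower:]' '[:upper:]') # 转换为大写
}

# 读取公共名称。它同时用作输出文件名的前缀，因此不能为空，也不能包含 '/'
# (否则会写到当前目录之外，或生成名为 ".key"/".crt" 的文件)。
# Outputs: sets COMMON_NAME
read_common_name() {
  read -r -p "公共名称(通常是您的域名,例如:example.com):" COMMON_NAME || die "未读取到输入。"
  while [[ -z "$COMMON_NAME" || "$COMMON_NAME" == */* ]]; do
    echo "公共名称不能为空且不能包含 '/'。"
    read -r -p "公共名称(通常是您的域名,例如:example.com):" COMMON_NAME || die "未读取到输入。"
  done
}

# 读取 subjectAltName 的值。openssl 会拒绝空的 subjectAltName 扩展，
# 所以这里要求非空。
# Outputs: sets SERVER_IP
read_server_ip() {
  read -r -p "服务器IP地址(例如:IP:127.0.0.1,IP:192.168.1.1):" SERVER_IP || die "未读取到输入。"
  while [[ -z "$SERVER_IP" ]]; do
    echo "服务器IP地址不能为空。"
    read -r -p "服务器IP地址(例如:IP:127.0.0.1,IP:192.168.1.1):" SERVER_IP || die "未读取到输入。"
  done
}

# 根据 CERT_TYPE 生成私钥。
# Globals: CERT_TYPE (read)
# Arguments: $1 - private key output path
# Returns: exits via die if openssl fails or CERT_TYPE is not 1/2
generate_key() {
  local key_file=$1
  case "$CERT_TYPE" in
    1)
      # 生成RSA密钥
      openssl genrsa -out "$key_file" 4096 || die "生成RSA密钥失败。"
      ;;
    2)
      # 生成ECDSA密钥
      openssl ecparam -genkey -name secp384r1 -out "$key_file" || die "生成ECDSA密钥失败。"
      ;;
    *)
      die "无效的选项。请重新运行脚本并选择1或2。"
      ;;
  esac
}

# 删除中间文件 (CSR 和 SAN 扩展文件)。由 EXIT trap 调用。
# Globals: CSR_FILE, EXT_FILE (read)
cleanup() {
  rm -f -- "${CSR_FILE:-}" "${EXT_FILE:-}"
}

main() {
  # 询问用户想要生成哪种类型的证书
  echo "请选择证书类型:"
  echo "1) RSA"
  echo "2) ECDSA"
  read -r -p "选择一个选项(1或2):" CERT_TYPE || die "未读取到输入。"
  # Reject a bad choice before asking for the whole subject, not after.
  case "$CERT_TYPE" in
    1 | 2) ;;
    *) die "无效的选项。请重新运行脚本并选择1或2。" ;;
  esac

  # 交互式读取CSR信息
  echo "请输入您的证书信息:"
  read_country
  read -r -p "省份(例如:Beijing):" STATE || die "未读取到输入。"
  read -r -p "城市(例如:Beijing):" LOCALITY || die "未读取到输入。"
  read -r -p "组织名称(例如:My Company Ltd):" ORGANIZATION || die "未读取到输入。"
  read -r -p "组织单位名称(例如:IT Department):" ORGANIZATIONAL_UNIT || die "未读取到输入。"
  read_common_name
  read -r -p "电子邮件地址(例如:admin@example.com):" EMAIL || die "未读取到输入。"
  read_server_ip

  SUBJ="/C=$COUNTRY/ST=$STATE/L=$LOCALITY/O=$ORGANIZATION/OU=$ORGANIZATIONAL_UNIT/CN=$COMMON_NAME/emailAddress=$EMAIL"

  KEY_FILE="$COMMON_NAME.key"
  CSR_FILE="$COMMON_NAME.csr"
  CRT_FILE="$COMMON_NAME.crt"

  # Private keys must never be group/world readable; set the umask before
  # openssl creates any file so there is no window with a looser mode.
  umask 077
  EXT_FILE=$(mktemp) || die "无法创建临时文件。"
  trap cleanup EXIT

  printf 'subjectAltName=%s\n' "$SERVER_IP" >"$EXT_FILE" || die "写入扩展文件失败。"

  generate_key "$KEY_FILE"
  # 生成CSR并指定信息
  openssl req -new -key "$KEY_FILE" -out "$CSR_FILE" -subj "$SUBJ" || die "生成CSR失败。"
  # 自签名证书。Success is decided by openssl's exit status, not by the
  # presence of <CN>.crt, which a previous run could have left behind.
  openssl x509 -req -days "$VALID_DAYS" -in "$CSR_FILE" -signkey "$KEY_FILE" \
    -out "$CRT_FILE" -extfile "$EXT_FILE" \
    || die "生成证书时发生错误,请检查输出信息确定问题所在。"

  # The certificate is public; only the key keeps the 0600 from the umask.
  chmod 0644 -- "$CRT_FILE" || die "设置证书文件权限失败。"
  echo "证书生成成功。"
}

main "$@"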