提交服务配置文件certstore.service

修改signssl脚本文件
This commit is contained in:
fengweihao
2019-12-13 17:48:15 +08:00
parent d278e77671
commit 396582a015
2 changed files with 114 additions and 91 deletions

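--- /dev/null
+++ b/script/certstore.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Certificate Signing Engine
+After=redis.service
+[Service]
+WorkingDirectory=/home/tsg/certstore
+ExecStart=/home/tsg/certstore/certstore
+Restart=always
+RestartSec=5s
+[Install]
+WantedBy=multi-user.target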
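Review bot: The [Service] section sets no `User=`, so the signing engine (and the CA private keys it reads under /home/tsg/certstore) runs as root by default; it should run as a dedicated unprivileged account, e.g. `User=tsg` and `Group=tsg` (the account name is inferred from the home directory path and should be confirmed), together with `NoNewPrivileges=true`. `After=redis.service` only orders startup and does not pull redis in; if the engine cannot work without it, add `Wants=redis.service` next to the `After=` line. The ExecStart binary path is a plain path under a user home directory, so file ownership and mode of /home/tsg/certstore/certstore should be locked down to the service account, otherwise any local user able to write there controls what systemd runs.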


@@ -1,24 +1,5 @@
#!/bin/bash
type_name=$1
name=$2
if [ "${type_name}" == "-caroot" ]; then
csrfrom=$3
csrname=$4
csrkey=$5
else
cafrom=$3
caname=$4
cakey=$5
csrfrom=$6
csrname=$7
csrkey=$8
fi
san_nam=$9
trap "do_signal" 2
do_signal()
{
@@ -52,24 +33,14 @@ do_clear()
do_help()
{
echo ""
echo "./signssl -type cert_name -cafrom ca_name key_name -csr csr_name csr_key -san san_nam"
echo "usage: ./signssl args"
echo " -type - input type "-csr -caroot -camiddle -entity""
echo " cert_name - input cert_name "input output cert namae""
echo " -cafrom ca_name keyname - input ca_name keyname "input the root cert name and key""
echo " -csrfrom csr_name csr_key - input csr_name csr_key "input cert signs request file name and key""
echo " san_name - input san_name "When it is an entity cert, input user alternate name""
echo ""
echo "exanple -csr"
echo "./signssl.sh -csr csr_name"
echo "example -caroot"
echo "./signssl.sh -caroot root_name"
echo "example -camiddle"
echo "./signssl.sh -camiddle middle_name -cafrom ../cert/mesalab-ca-cert.cer ../cert/mesalab-ca-cert.key -csrfrom ./csr/csrname/csrname.csr ./csr/csrname/csrname.key"
echo "exaple -entity"
echo "./signssl.sh -entity entity_name -cafrom ../cert/mesalab-ca-cert.cer ../cert/mesalab-ca-cert.key -csrfrom ./csr/csrname/csrname.csr ./csr/csrname/csrname.key 163"
echo ""
exit
echo "./signssl -t type -n name -c cert -k key"
echo "-t arg - Sign a certificate with type(root|middle|entity)"
echo "-n arg - Certificate file name"
echo "-c arg - The CA certificate, format=base64"
echo "-k arg - Private key file, format=base64"
echo "-s arg - user alternate name"
echo "-b arg - Generate a new RSA key of 'bits' in size"
echo "-d arg - Number of days a certificate generated by -x509 is valid for"
}
do_mkdir()
@@ -79,40 +50,31 @@ do_mkdir()
mkdir ./demoCA/newcerts
touch ./demoCA/index.txt
touch ./demoCA/serial
echo 0001 >> ./demoCA/serial
code_len=`date +%s%N | md5sum | head -c 24`
echo $code_len >> ./demoCA/serial
#echo 01 >> ./demoCA/serial
fi
}
do_check()
{
if [ "$type_name" == "" ]||[ "$name" == "" ]; then
echo "cert type is unkone!"
echo "cert type is unkonw!"
do_help
exit
fi
if [ "$type_name" == "root" ]; then
return
fi
if [ "$caname" == "" ] || [ "$cakey" == "" ]; then
echo "input certificate name or key is unkonw!"
do_help
exit
fi
if [ "$type_name" == "-csr" ]; then
return
fi
if [ "$type_name" == "-caroot" ]; then
return
fi
if [ "$csrfrom" == "" ] || [ "$csrname" == "" ] || [ "$csrkey" == "" ]; then
echo "input input cert signs request file name and key"
do_help
exit
fi
if [ "$cafrom" == "" ] || [ "$caname" == "" ] || [ "$cakey" == "" ]; then
echo "input certificate name or key is unkone!"
do_help
exit
fi
if [ "$type_name" == "-entity" ];then
if [ "$type_name" == "entity" ];then
if [ "$san_nam" == "" ];then
echo "Please enter the san name!"
do_help
@@ -124,80 +86,129 @@ do_check()
do_middle()
{
if [ ! -d "./ca-middle/${name}" ]; then
mkdir -p ca-middle/${name}
fi
outpath=ca-middle/${name}
openssl ca -extensions v3_ca -in ${csrname} -out ${outpath}/${name}.cer -cert ${caname} -keyfile ${cakey} -days 365 -policy policy_anything
do_csr ${outpath} ${name}
if [ $? -ne 0 ]; then
echo "certificate request file failed to be issued"
fi
csrname=${outpath}/${name}.csr
csrkey=${outpath}/${name}.key
openssl ca -extensions v3_ca -in ${csrname} -out ${outpath}/${name}.cer -cert ${caname} -keyfile ${cakey} -days ${days} -policy policy_anything
openssl pkcs12 -export -in ${outpath}/${name}.cer -inkey ${csrkey} -chain -CAfile ${caname} -out ${outpath}/${name}.p12
chain_file=${outpath}/${name}.chain.pem
touch ${chain_file}
cat ${outpath}/${name}.cer > ${chain_file}
cat ${caname} >> ${chain_file}
do_clear $? ${name}
cp ${csrkey} ${outpath}
}
do_entity()
{
if [ ! -d "./entity/${name}" ];then
mkdir -p entity/${name}
fi
outpath=entity/${name}
do_csr ${outpath} ${name}
if [ $? -ne 0 ]; then
echo "certificate request file failed to be issued"
fi
csrname=${outpath}/${name}.csr
csrkey=${outpath}/${name}.key
openssl ca -in ${csrname} -keyfile ${cakey} -cert ${caname} -extensions SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:*.${san_nam}.com,DNS:*.${san_nam}.cn")) -out ${outpath}/${name}.cer
openssl pkcs12 -export -in ${outpath}/${name}.cer -inkey ${csrkey} -chain -CAfile ${caname} -out ${outpath}/${name}.p12
chain_file=${outpath}/${name}.chain.pem
touch ${chain_file}
cat ${outpath}/${name}.cer >> ${chain_file}
cat ${caname} >> ${chain_file}
do_clear $? ${name}
cp ${csrkey} ${outpath}
}
do_caroot()
{
if [ ! -d ".caroot/${name}" ];then
mkdir -p caroot/${name}
fi
outpath=caroot/${name}
openssl genrsa -out ${outpath}/${name}.key 1024
openssl req -new -key ${outpath}/${name}.key -out ${outpath}/${name}.csr
openssl x509 -req -days 365 -sha256 -extfile /etc/pki/tls/openssl.cnf -extensions v3_ca -signkey ${outpath}/${name}.key -in ${outpath}/${name}.csr -out ${outpath}/${name}.cer
#openssl req -new -x509 -key ca.key -out ca.crt
do_csr ${outpath} ${name}
if [ $? -ne 0 ]; then
echo "certificate request file failed to be issued"
fi
csrname=${outpath}/${name}.csr
csrkey=${outpath}/${name}.key
openssl x509 -req -days ${days} -sha256 -extfile /etc/pki/tls/openssl.cnf -extensions v3_ca -signkey ${outpath}/${name}.key -in ${csrname} -out ${outpath}/${name}.cer
do_clear $? ${name}
}
do_csr()
{
if [ ! -d "./csr/${name}" ];then
mkdir -p csr/${name}
fi
outpath=csr/${name}
outpath=$1
name=$2
openssl genrsa -out ${outpath}/${name}.key 1024
if [ ! -d "./${outpath}" ];then
mkdir -p ${outpath}
fi
openssl genrsa -out ${outpath}/${name}.key ${bits}
openssl req -new -key ${outpath}/${name}.key -out ${outpath}/${name}.csr
do_clear $? ${name}
}
do_signssl()
{
if [ "$type_name" == "-camiddle" ]; then
if [ "$type_name" == "middle" ]; then
do_middle
exit
fi
if [ "$type_name" == "-entity" ]; then
if [ "$type_name" == "entity" ]; then
do_entity
exit
fi
if [ "$type_name" == "-caroot" ]; then
if [ "$type_name" == "root" ]; then
do_caroot
exit
fi
if [ "$type_name" == "-csr" ]; then
do_csr
exit
fi
echo "unknow command"
}
do_parse()
{
while getopts ":t:hn:c:k:s:d:b:" opt; do
case $opt in
t) type_name=$OPTARG ;;
n) name=$OPTARG ;;
c) caname=$OPTARG ;;
k) cakey=$OPTARG ;;
s) san_nam=$OPTARG ;;
b) bits=$OPTARG ;;
d) days=$OPTARG ;;
h)
do_help
exit 1
;;
?)
echo "unkonw argument"
do_help
exit 1
;;
esac
done
if [ -z "$bits" ]; then
bits=1024
fi
if [ -z "$days" ]; then
days=365
fi
}
do_parse "$@"
do_check
do_mkdir
do_signssl
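Review bot: The default key size added in do_parse, `bits=1024`, is below current minimum recommendations for RSA, and since do_csr now generates every CSR key from it (including the root key via do_caroot's `do_csr ${outpath} ${name}` call) the default should become `bits=2048`, with the `-b` value also checked, e.g. `[[ "$bits" =~ ^[0-9]+$ ]] && (( bits >= 2048 )) || { echo "invalid -b value" >&2; exit 1; }`. The new `-d` option is only honoured in do_middle and do_caroot; the `openssl ca` call in do_entity passes no `-days ${days}`, so entity certificates silently fall back to the openssl.cnf default. In that same call `san_nam` is expanded inside the printf format string and into the generated config text without validation, so it should be checked against a hostname-label pattern (e.g. `[[ "$san_nam" =~ ^[A-Za-z0-9-]+$ ]]`) before use, and `-n name` is used unquoted to build output directories (`mkdir -p entity/${name}`) without rejecting path separators. do_check and do_mkdir begin inside earlier hunks, so their full bodies are not visible here.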