From 396582a01545df0264db5c416efefd3274aa48e2 Mon Sep 17 00:00:00 2001
From: fengweihao
Date: Fri, 13 Dec 2019 17:48:15 +0800
Subject: [PATCH] =?UTF-8?q?=E6=8F=90=E4=BA=A4=E6=9C=8D=E5=8A=A1=E9=85=8D?=
 =?UTF-8?q?=E7=BD=AE=E6=96=87=E4=BB=B6certsotre.service=20=E4=BF=AE?=
 =?UTF-8?q?=E6=94=B9signssl=E8=84=9A=E6=9C=AC=E6=96=87=E4=BB=B6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 script/certstore.service | 12 +++
 script/signssl.sh | 193 +++++++++++++++++++++------------------
 2 files changed, 114 insertions(+), 91 deletions(-)
 create mode 100644 script/certstore.service
diff --git a/script/certstore.service b/script/certstore.service
new file mode 100644
index 0000000..280d2b9
--- /dev/null
+++ b/script/certstore.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Certificate Signing Engine
+After=redis.service
+
+[Service]
+WorkingDirectory=/home/tsg/certstore
+ExecStart=/home/tsg/certstore/certstore
+Restart=always
+RestartSec=5s
+
+[Install]
+WantedBy=multi-user.target
diff --git a/script/signssl.sh b/script/signssl.sh
index 1c818df..c5c373f 100644
--- a/script/signssl.sh
+++ b/script/signssl.sh
@@ -1,24 +1,5 @@
 #!/bin/bash -type_name=$1 -name=$2 - -if [ "${type_name}" == "-caroot" ]; then - csrfrom=$3 - csrname=$4 - csrkey=$5 -else - cafrom=$3 - caname=$4 - cakey=$5 - - csrfrom=$6 - csrname=$7 - csrkey=$8 -fi - -san_nam=$9 - trap "do_signal" 2 do_signal() {
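Review bot: The [Service] section has no `User=`, so certstore, the process that holds the CA signing material, runs as root by default; add `User=` for the account that owns /home/tsg/certstore (the path suggests `tsg`, please verify), together with `NoNewPrivileges=true` and `ProtectSystem=full`, so a compromise of the service is confined to that account. `Restart=always` with `RestartSec=5s` also restarts the unit after a clean exit or on a persistent configuration error, looping every five seconds; `Restart=on-failure` is the usual choice for a daemon like this.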
@@ -52,24 +33,14 @@ do_clear()
 do_help()
 {
 echo ""
- echo "./signssl -type cert_name -cafrom ca_name key_name -csr csr_name csr_key -san san_nam"
- echo "usage: ./signssl args"
- echo " -type - input type "-csr -caroot -camiddle -entity""
- echo " cert_name - input cert_name "input output cert namae""
- echo " -cafrom ca_name keyname - input ca_name keyname "input the root cert name and key""
- echo " -csrfrom csr_name csr_key - input csr_name csr_key "input cert signs request file name and key""
- echo " san_name - input san_name "When it is an entity cert, input user alternate name""
- echo ""
- echo "exanple -csr"
- echo "./signssl.sh -csr csr_name"
- echo "example -caroot"
- echo "./signssl.sh -caroot root_name"
- echo "example -camiddle"
- echo "./signssl.sh -camiddle middle_name -cafrom ../cert/mesalab-ca-cert.cer ../cert/mesalab-ca-cert.key -csrfrom ./csr/csrname/csrname.csr ./csr/csrname/csrname.key"
- echo "exaple -entity"
- echo "./signssl.sh -entity entity_name -cafrom ../cert/mesalab-ca-cert.cer ../cert/mesalab-ca-cert.key -csrfrom ./csr/csrname/csrname.csr ./csr/csrname/csrname.key 163"
- echo ""
- exit
+ echo "./signssl -t type -n name -c cert -k key"
+ echo "-t arg - Sign a certificate with type(root|middle|entity)"
+ echo "-n arg - Certificate file name"
+ echo "-c arg - The CA certificate, format=base64"
+ echo "-k arg - Private key file, format=base64"
+ echo "-s arg - user alternate name"
+ echo "-b arg - Generate a new RSA key of 'bits' in size"
+ echo "-d arg - Number of days a certificate generated by -x509 is valid for"
 }
 
 do_mkdir()
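Review bot: The synopsis printed first omits the `-s`, `-b` and `-d` options that the lines below it document; `echo "./signssl -t type -n name -c cert -k key [-s san] [-b bits] [-d days]"` keeps the usage line in step with the option list. The `-d` text is worded for `openssl x509 -x509`, but in this script `${days}` is also passed to `openssl ca` for middle certificates (see the do_middle hunk), so `echo "-d arg - Number of days the issued certificate is valid for"` describes what the option actually controls. For `-c` and `-k`, "format=base64" is less precise than the term OpenSSL itself uses; `format=PEM` tells the user which encoding `openssl ca -cert`/`-keyfile` expect.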
@@ -79,40 +50,31 @@ do_mkdir()
 mkdir ./demoCA/newcerts
 touch ./demoCA/index.txt
 touch ./demoCA/serial
- echo 0001 >> ./demoCA/serial
+ code_len=`date +%s%N | md5sum | head -c 24`
+ echo $code_len >> ./demoCA/serial
+ #echo 01 >> ./demoCA/serial
 fi
 }
 
 do_check()
 {
 if [ "$type_name" == "" ]||[ "$name" == "" ]; then
- echo "cert type is unkone!"
+ echo "cert type is unkonw!"
+ do_help
+ exit
+ fi
+
+ if [ "$type_name" == "root" ]; then
+ return
+ fi
+
+ if [ "$caname" == "" ] || [ "$cakey" == "" ]; then
+ echo "input certificate name or key is unkonw!"
 do_help
 exit
 fi
 
- if [ "$type_name" == "-csr" ]; then
- return
- fi
-
- if [ "$type_name" == "-caroot" ]; then
- return
- fi
-
-
- if [ "$csrfrom" == "" ] || [ "$csrname" == "" ] || [ "$csrkey" == "" ]; then
- echo "input input cert signs request file name and key"
- do_help
- exit
- fi
-
- if [ "$cafrom" == "" ] || [ "$caname" == "" ] || [ "$cakey" == "" ]; then
- echo "input certificate name or key is unkone!"
- do_help
- exit
- fi
-
- if [ "$type_name" == "-entity" ];then
+ if [ "$type_name" == "entity" ];then
 if [ "$san_nam" == "" ];then
 echo "Please enter the san name!"
 do_help
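Review bot: The starting serial written to ./demoCA/serial is `date +%s%N | md5sum | head -c 24`, a pure function of the clock rather than a random value, so the serial numbers this CA issues from that point on remain guessable; `serial=$(openssl rand -hex 12)` followed by `echo "$serial" >> ./demoCA/serial` keeps the 24-hex-digit width while drawing from OpenSSL's CSPRNG, and drops the name `code_len`, which misdescribes the value. `%N` is also a GNU `date` extension, which the `openssl rand` form avoids. In do_check the new checks accept any non-empty `-c`/`-k` value; `[ -f "$caname" ] && [ -f "$cakey" ]` would reject a mistyped path before `openssl ca` fails part-way through issuance. Both new messages read "unkonw"; `unknown` in each.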
@@ -124,80 +86,129 @@ do_check() do_middle() { - if [ ! -d "./ca-middle/${name}" ]; then - mkdir -p ca-middle/${name} - fi outpath=ca-middle/${name} - openssl ca -extensions v3_ca -in ${csrname} -out ${outpath}/${name}.cer -cert ${caname} -keyfile ${cakey} -days 365 -policy policy_anything + do_csr ${outpath} ${name} + if [ $? -ne 0 ]; then + echo "certificate request file failed to be issued" + fi + + csrname=${outpath}/${name}.csr + csrkey=${outpath}/${name}.key + + openssl ca -extensions v3_ca -in ${csrname} -out ${outpath}/${name}.cer -cert ${caname} -keyfile ${cakey} -days ${days} -policy policy_anything openssl pkcs12 -export -in ${outpath}/${name}.cer -inkey ${csrkey} -chain -CAfile ${caname} -out ${outpath}/${name}.p12 + chain_file=${outpath}/${name}.chain.pem + touch ${chain_file} + cat ${outpath}/${name}.cer > ${chain_file} + cat ${caname} >> ${chain_file} + do_clear $? ${name} - cp ${csrkey} ${outpath} } do_entity() { - if [ ! -d "./entity/${name}" ];then - mkdir -p entity/${name} - fi outpath=entity/${name} + do_csr ${outpath} ${name} + if [ $? -ne 0 ]; then + echo "certificate request file failed to be issued" + fi + + csrname=${outpath}/${name}.csr + csrkey=${outpath}/${name}.key + openssl ca -in ${csrname} -keyfile ${cakey} -cert ${caname} -extensions SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:*.${san_nam}.com,DNS:*.${san_nam}.cn")) -out ${outpath}/${name}.cer - openssl pkcs12 -export -in ${outpath}/${name}.cer -inkey ${csrkey} -chain -CAfile ${caname} -out ${outpath}/${name}.p12 + chain_file=${outpath}/${name}.chain.pem + touch ${chain_file} + cat ${outpath}/${name}.cer >> ${chain_file} + cat ${caname} >> ${chain_file} + do_clear $? ${name} - cp ${csrkey} ${outpath} } do_caroot() { - if [ ! 
-d ".caroot/${name}" ];then - mkdir -p caroot/${name} - fi outpath=caroot/${name} - openssl genrsa -out ${outpath}/${name}.key 1024 - openssl req -new -key ${outpath}/${name}.key -out ${outpath}/${name}.csr - openssl x509 -req -days 365 -sha256 -extfile /etc/pki/tls/openssl.cnf -extensions v3_ca -signkey ${outpath}/${name}.key -in ${outpath}/${name}.csr -out ${outpath}/${name}.cer - #openssl req -new -x509 -key ca.key -out ca.crt + do_csr ${outpath} ${name} + if [ $? -ne 0 ]; then + echo "certificate request file failed to be issued" + fi + + csrname=${outpath}/${name}.csr + csrkey=${outpath}/${name}.key + + openssl x509 -req -days ${days} -sha256 -extfile /etc/pki/tls/openssl.cnf -extensions v3_ca -signkey ${outpath}/${name}.key -in ${csrname} -out ${outpath}/${name}.cer do_clear $? ${name} } do_csr() { - if [ ! -d "./csr/${name}" ];then - mkdir -p csr/${name} - fi - outpath=csr/${name} + outpath=$1 + name=$2 - openssl genrsa -out ${outpath}/${name}.key 1024 + if [ ! -d "./${outpath}" ];then + mkdir -p ${outpath} + fi + + openssl genrsa -out ${outpath}/${name}.key ${bits} openssl req -new -key ${outpath}/${name}.key -out ${outpath}/${name}.csr - do_clear $? ${name} } do_signssl() { - if [ "$type_name" == "-camiddle" ]; then + if [ "$type_name" == "middle" ]; then do_middle exit fi - if [ "$type_name" == "-entity" ]; then + if [ "$type_name" == "entity" ]; then do_entity exit fi - if [ "$type_name" == "-caroot" ]; then + if [ "$type_name" == "root" ]; then do_caroot exit - fi - if [ "$type_name" == "-csr" ]; then - do_csr - exit fi echo "unknow command" } +do_parse() +{ + while getopts ":t:hn:c:k:s:d:b:" opt; do + case $opt in + t) type_name=$OPTARG ;; + n) name=$OPTARG ;; + c) caname=$OPTARG ;; + k) cakey=$OPTARG ;; + s) san_nam=$OPTARG ;; + b) bits=$OPTARG ;; + d) days=$OPTARG ;; + h) + do_help + exit 1 + ;; + ?) 
+ echo "unkonw argument" + do_help + exit 1 + ;; + esac + done + + if [ -z "$bits" ]; then + bits=1024 + fi + if [ -z "$days" ]; then + days=365 + fi +} + +do_parse "$@" + do_check do_mkdir do_signssl
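Review bot: In do_middle, do_entity and do_caroot a failing `do_csr` is only echoed and execution continues into `openssl ca`/`openssl x509` without a CSR, and the `$?` passed to `do_clear` is now the exit status of the preceding `cat`, not of the signing command (do_clear's body is outside the hunk, so I am assuming its first argument is the status it acts on). The sketch below returns early and captures the signing status for do_middle; the same shape applies to the other two functions, and inside `do_csr` the key step should read `openssl genrsa -out ${outpath}/${name}.key ${bits} || return 1` so a failed key generation is not masked by the following `openssl req`. Separately, `${san_nam}` is expanded into the printf format string that becomes OpenSSL config in do_entity, so the `-s` value should be restricted before use, e.g. `[[ "$san_nam" =~ ^[A-Za-z0-9-]+$ ]] || exit 1` in do_check, and `${name}` builds the output directory paths with the same lack of checks. Finally, the `bits=1024` default in do_parse produces RSA keys below current minimums; `bits=2048` is the safer default.
```shell
do_middle()
{
    outpath=ca-middle/${name}
    if ! do_csr "${outpath}" "${name}"; then
        echo "certificate request file failed to be issued" >&2
        return 1
    fi

    csrname=${outpath}/${name}.csr
    csrkey=${outpath}/${name}.key

    openssl ca -extensions v3_ca -in "${csrname}" -out "${outpath}/${name}.cer" -cert "${caname}" -keyfile "${cakey}" -days "${days}" -policy policy_anything
    sign_rc=$?
    # … unchanged: pkcs12 export and chain file assembly …
    do_clear "${sign_rc}" "${name}"
}
```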