From 6443202d24116cdd99ccd9789e1d4149dd2fe611 Mon Sep 17 00:00:00 2001 From: fengweihao Date: Fri, 4 Jan 2019 17:26:50 +0800 Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E6=94=B9=E8=AF=81=E4=B9=A6=E7=94=9F?= =?UTF-8?q?=E6=88=90=E5=B7=A5=E5=85=B7?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/script/signssl.sh | 179 ++++++++++++++++++++++++++++-------------- 1 file changed, 122 insertions(+), 57 deletions(-)
diff --git a/src/script/signssl.sh b/src/script/signssl.sh
index afc0fbd..1c818df 100644
--- a/src/script/signssl.sh
+++ b/src/script/signssl.sh
@@ -3,30 +3,72 @@ type_name=$1 name=$2 -caform=$3 -caname=$4 +if [ "${type_name}" == "-caroot" ]; then + csrfrom=$3 + csrname=$4 + csrkey=$5 +else + cafrom=$3 + caname=$4 + cakey=$5 -cakeyform=$5 -cakey=$6 + csrfrom=$6 + csrname=$7 + csrkey=$8 +fi -san=$7 -san_nam=$8 +san_nam=$9 + +trap "do_signal" 2 +do_signal() +{ + echo "\n" + read -p "Terminate theprocess? (y/n): " input +} + +do_clear() +{ + if [ -d "./demoCA" ]; then + rm -rf ./demoCA + fi + + if [ $1 -ne 0 ];then + if [ -d "./ca-middle/$2" ]; then + rm -rf ./ca-middle/$2 + fi + if [ -d "./entity/$2" ]; then + rm -rf ./entity/$2 + fi + if [ -d "./caroot/$2" ]; then + rm -rf ./caroot/$2 + fi + if [ -d "./csr/$2" ]; then + rm -rf ./csr/$2 + fi + exit + fi +} do_help() { - echo "./signssl -type cert_name -cafrom ca_name -cakeyfrom key_name -san san_nam" + echo "" + echo "./signssl -type cert_name -cafrom ca_name key_name -csr csr_name csr_key -san san_nam" echo "usage: ./signssl args" - echo " -type - input type (-caroot -middle, -entity)" - echo " cert_name - input cert_name (generate the certificate name)" - echo " -cafrom ca_name - input ca_name (root certificate)" - echo " -cakeyfrom key_name - input key_name (the root keys)" - echo " -san san_name - input san_name (When it is an entity certificate, input user alternate name)" - echo "example (root):" + echo " -type - input type "-csr -caroot -camiddle -entity"" + echo " cert_name - input cert_name "input output cert namae"" + echo " -cafrom ca_name keyname - input ca_name keyname "input the root cert name and key"" + echo " -csrfrom csr_name csr_key - input csr_name csr_key "input cert signs request file name and key"" + echo " san_name - input san_name "When it is an entity cert, input user alternate name"" + echo "" + echo "exanple -csr" + echo "./signssl.sh -csr csr_name" + echo "example -caroot" echo "./signssl.sh -caroot root_name" - echo "example (middle)" - echo "./signssl.sh -middle middle_name -cafrom ../cert/mesalab-ca-cert.cer -cakeyfrom 
../cert/mesalab-ca-cert.key" - echo "exaple (entity)" - echo "./signssl.sh -entity entity_name -cafrom ../cert/mesalab-ca-cert.cer -cakeyfrom ../cert/mesalab-ca-cert.key -san 163" + echo "example -camiddle" + echo "./signssl.sh -camiddle middle_name -cafrom ../cert/mesalab-ca-cert.cer ../cert/mesalab-ca-cert.key -csrfrom ./csr/csrname/csrname.csr ./csr/csrname/csrname.key" + echo "exaple -entity" + echo "./signssl.sh -entity entity_name -cafrom ../cert/mesalab-ca-cert.cer ../cert/mesalab-ca-cert.key -csrfrom ./csr/csrname/csrname.csr ./csr/csrname/csrname.key 163" + echo "" exit } 
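Review bot: `do_clear` runs `rm -rf ./ca-middle/$2` (and the entity, caroot and csr variants) on an unquoted, unvalidated second argument, which is the cert name taken straight from argv (`name=$2`, passed as `do_clear $? ${name}`), so a name containing spaces, glob characters or `../` can remove paths outside the intended per-name directory; quote and guard each one, e.g. `rm -rf -- "./ca-middle/${2:?}"`, and reject names containing `/` in `do_check` before anything is created. The unconditional `rm -rf ./demoCA` discards whatever state the CA keeps there on every run — if that is where `openssl ca` stores its index and serial files in this setup, issued-certificate tracking is lost and serial numbers may repeat — so if it is intentional it deserves a comment saying why. `do_signal` reads an answer into `input` but never acts on it, and `echo "\n"` prints a literal backslash-n under bash, so the SIGINT handler neither terminates nor resumes as the prompt suggests; `[ "$input" = y ] && exit 130` after the `read` would make it do what it asks.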
@@ -44,82 +86,100 @@ do_mkdir() do_check() { if [ "$type_name" == "" ]||[ "$name" == "" ]; then - echo "certificate type is unkone!" + echo "cert type is unkone!" do_help exit fi - if [ "$type_name" == "-caroot" ]; then + if [ "$type_name" == "-csr" ]; then return fi - if [ "$caform" != "-cafrom" ] || [ "$caname" == "" ]; then - echo "root certificate name is unkone!" - do_help - exit - fi - if [ "$cakeyform" != "-cakeyfrom" ] || [ "$cakey" == "" ]; then - echo "root certificate keys is unkone!" + + if [ "$type_name" == "-caroot" ]; then + return + fi + + + if [ "$csrfrom" == "" ] || [ "$csrname" == "" ] || [ "$csrkey" == "" ]; then + echo "input input cert signs request file name and key" + do_help + exit + fi + + if [ "$cafrom" == "" ] || [ "$caname" == "" ] || [ "$cakey" == "" ]; then + echo "input certificate name or key is unkone!" do_help exit fi + if [ "$type_name" == "-entity" ];then - if [ "$san" == "" ]||[ "$san_nam" == "" ];then + if [ "$san_nam" == "" ];then echo "Please enter the san name!" do_help exit fi fi - - } do_middle() { - if [ ! -d "./middle" ]; then - mkdir middle + if [ ! -d "./ca-middle/${name}" ]; then + mkdir -p ca-middle/${name} fi - openssl genrsa -out ${name}.key 1024 - openssl req -new -key ${name}.key -out ${name}.csr - openssl ca -extensions v3_ca -in ${name}.csr -out ${name}.pem -cert ${caname} -keyfile ${cakey} -days 365 -policy policy_anything - openssl pkcs12 -export -in ${name}.pem -inkey ${name}.key -chain -CAfile ${caname} -out ${name}.p12 - mv ${name}.* middle + outpath=ca-middle/${name} + + openssl ca -extensions v3_ca -in ${csrname} -out ${outpath}/${name}.cer -cert ${caname} -keyfile ${cakey} -days 365 -policy policy_anything + openssl pkcs12 -export -in ${outpath}/${name}.cer -inkey ${csrkey} -chain -CAfile ${caname} -out ${outpath}/${name}.p12 + + do_clear $? ${name} + cp ${csrkey} ${outpath} } do_entity() { - if [ ! -d ".entity" ];then - mkdir entity + if [ ! 
-d "./entity/${name}" ];then + mkdir -p entity/${name} fi - openssl genrsa -out ${name}.pem 1024 - openssl rsa -in ${name}.pem -out ${name}.key - - openssl req -new -sha256 -key ${name}.key -reqexts SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:*.${name}.com,DNS:*.${name}.cn")) -out ${name}.csr - - openssl ca -in ${name}.csr -md sha256 -keyfile ${cakey} -cert ${caname} -extensions SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:*.${san_nam}.com,DNS:*.${san_nam}.cn")) -out ${name}.cer - - - openssl pkcs12 -export -in ${name}.cer -inkey ${name}.key -chain -CAfile ${caname} -out ${name}.p12 - - mv ${name}.* entity + outpath=entity/${name} + + openssl ca -in ${csrname} -keyfile ${cakey} -cert ${caname} -extensions SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:*.${san_nam}.com,DNS:*.${san_nam}.cn")) -out ${outpath}/${name}.cer + + openssl pkcs12 -export -in ${outpath}/${name}.cer -inkey ${csrkey} -chain -CAfile ${caname} -out ${outpath}/${name}.p12 + + do_clear $? ${name} + cp ${csrkey} ${outpath} } do_caroot() { - if [ ! -d ".caroot" ];then - mkdir caroot + if [ ! -d ".caroot/${name}" ];then + mkdir -p caroot/${name} fi - openssl genrsa -out ${name}.pem 1024 - openssl rsa -in ${name}.pem -out ${name}.key - openssl req -new -key ${name}.pem -out ${name}.csr - openssl x509 -req -days 365 -sha256 -extfile /etc/pki/tls/openssl.cnf -extensions v3_ca -signkey ${name}.pem -in ${name}.csr -out ${name}.cer + outpath=caroot/${name} - mv ${name}.* caroot + openssl genrsa -out ${outpath}/${name}.key 1024 + openssl req -new -key ${outpath}/${name}.key -out ${outpath}/${name}.csr + openssl x509 -req -days 365 -sha256 -extfile /etc/pki/tls/openssl.cnf -extensions v3_ca -signkey ${outpath}/${name}.key -in ${outpath}/${name}.csr -out ${outpath}/${name}.cer + #openssl req -new -x509 -key ca.key -out ca.crt + do_clear $? ${name} +} + +do_csr() +{ + if [ ! 
-d "./csr/${name}" ];then + mkdir -p csr/${name} + fi + outpath=csr/${name} + + openssl genrsa -out ${outpath}/${name}.key 1024 + openssl req -new -key ${outpath}/${name}.key -out ${outpath}/${name}.csr + do_clear $? ${name} } do_signssl() { - if [ "$type_name" == "-middle" ]; then + if [ "$type_name" == "-camiddle" ]; then do_middle exit fi @@ -131,6 +191,11 @@ do_signssl() do_caroot exit fi + if [ "$type_name" == "-csr" ]; then + do_csr + exit + fi + echo "unknow command" } do_check