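#!/usr/bin/env bash
#
# Issue a locally trusted TLS certificate for a domain (the bare domain, its
# wildcard, and wildcards under two third-level subdomains), signed by a
# self-managed root CA that lives in ./ca/.
#
# Usage:   run interactively; the script prompts for the root domain, the two
#          third-level subdomains (defaults: cdn, m) and the output file name.
# Outputs: ca/my_ca.key and ca/my_ca.pem (created on first run, reused after),
#          <cert_name>.key and <cert_name>.crt in the current directory.
#
# Security notes:
#   - ca/my_ca.key is the root of trust for every certificate issued here.
#     It is generated under umask 077 (mode 0600) and should never leave
#     this machine; anyone holding it can mint certificates that every
#     browser which imported ca/my_ca.pem will trust.
#   - Prompted values are validated before being spliced into the -subj
#     string and the SAN extension file, so a stray "/" or "," cannot add
#     unintended RDNs or SAN entries to the certificate.
set -euo pipefail

readonly CA_DIR="ca"
readonly CA_KEY="${CA_DIR}/my_ca.key"
readonly CA_CERT="${CA_DIR}/my_ca.pem"
readonly RSA_BITS=2048  # explicit: older openssl defaults genrsa to 1024
readonly CA_DAYS=3650   # 10-year root certificate
readonly LEAF_DAYS=720  # 2-year leaf: recent macOS rejects certificates valid longer than that

# Values filled in by read_inputs; globals so the EXIT trap and the helpers
# can see them without argument plumbing.
domain=""
third1=""
third2=""
cert_name=""
tmp_ext=""   # temporary x509 extension file, removed on exit
csr_file=""  # certificate signing request, removed on exit

#######################################
# Print an error message to stderr and abort with status 1.
# Arguments: message words
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Remove the intermediate files, whatever exit path was taken.
# Globals: tmp_ext, csr_file (read)
#######################################
cleanup() {
  if [[ -n "$tmp_ext" ]]; then
    rm -f -- "$tmp_ext"
  fi
  if [[ -n "$csr_file" ]]; then
    rm -f -- "$csr_file"
  fi
}

#######################################
# Abort unless $1 is a plain DNS name (letters, digits, hyphens, dots).
# The value is interpolated verbatim into the -subj string and the SAN list,
# where "/" and "," are structural characters, so anything else is refused.
# Arguments: $1 - value to check, $2 - human-readable field name
#######################################
validate_dns_name() {
  local value=$1
  local what=$2
  [[ "$value" =~ ^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$ ]] \
    || die "$what is not a valid DNS name: $value"
}

#######################################
# Make sure openssl is available and show the user which one it is.
# Outputs: version banner and caveats on stdout
#######################################
check_openssl() {
  command -v openssl >/dev/null 2>&1 || die "openssl not found in PATH"
  echo "openssl 环境检测中..."
  openssl version
  echo "请自行确认openssl版本, 如果为libressl的话(MacOS), 签发的CA证书无法在部分手机上安装..."
  echo "推荐使用openssl 1.1.1或3.x版"
  echo ""
}

#######################################
# Prompt for the domain, the two third-level subdomains and the output name,
# apply defaults and validate everything before it reaches openssl.
# Globals: domain, third1, third2, cert_name (written)
#######################################
read_inputs() {
  # -r keeps backslashes literal; a failed read (EOF) is an abort, not "".
  read -r -p "输入要签证书的根域名: " domain || die "no input"
  read -r -p "输入要签证的三级子域1(可选,默认为cdn): " third1 || die "no input"
  read -r -p "输入要签证的三级子域2(可选,默认为m): " third2 || die "no input"
  read -r -p "要保存的证书的名字: " cert_name || die "no input"

  [[ -n "$domain" ]] || die "root domain is required"
  third1=${third1:-cdn}
  third2=${third2:-m}
  cert_name=${cert_name:-$domain}

  validate_dns_name "$domain" "root domain"
  validate_dns_name "$third1" "third-level subdomain 1"
  validate_dns_name "$third2" "third-level subdomain 2"
  # cert_name becomes a file name in the current directory: no path separators.
  [[ "$cert_name" =~ ^[A-Za-z0-9._-]+$ ]] \
    || die "certificate name may only contain letters, digits, '.', '_' and '-': $cert_name"
}

#######################################
# Create the root CA key and 10-year self-signed certificate if either is
# missing. Existing files are reused so previously imported roots stay valid.
# Globals: CA_DIR, CA_KEY, CA_CERT, RSA_BITS, CA_DAYS (read)
#######################################
ensure_ca() {
  if [[ ! -e "$CA_KEY" ]]; then
    mkdir -p -- "$CA_DIR"
    # Subshell umask so only the private key ends up mode 0600.
    (umask 077 && openssl genrsa -out "$CA_KEY" "$RSA_BITS")
  fi
  if [[ ! -e "$CA_CERT" ]]; then
    openssl req -x509 -new \
      -subj "/C=CN/ST=GuangDong/L=GuangZhou/O=bytedo/OU=IT/CN=Self Sign CA" \
      -nodes -key "$CA_KEY" -sha256 -days "$CA_DAYS" -out "$CA_CERT"
  fi
}

#######################################
# Generate the leaf key, CSR and SAN extension file, then sign a 2-year
# certificate with the root CA.
# Globals: domain, third1, third2, cert_name, tmp_ext, csr_file (read/written)
# Outputs: <cert_name>.key and <cert_name>.crt
#######################################
issue_cert() {
  local key_file="${cert_name}.key"
  local crt_file="${cert_name}.crt"
  csr_file="${cert_name}.csr"
  tmp_ext=$(mktemp) || die "mktemp failed"

  (umask 077 && openssl genrsa -out "$key_file" "$RSA_BITS")

  # Only one CN: every name that must match lives in subjectAltName below,
  # which is what browsers actually check.
  openssl req -new \
    -subj "/C=CN/ST=GuangDong/L=GuangZhou/O=bytedo/OU=IT/CN=$domain" \
    -key "$key_file" -out "$csr_file"

  # extendedKeyUsage=serverAuth is required by modern Apple and Chrome trust
  # rules for TLS server certificates.
  cat >"$tmp_ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = $domain
DNS.2 = *.$domain
DNS.3 = *.$third1.$domain
DNS.4 = *.$third2.$domain
EOF

  openssl x509 -req -in "$csr_file" -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
    -out "$crt_file" -days "$LEAF_DAYS" -sha256 -extfile "$tmp_ext"
}

#######################################
# Show an nginx snippet for the issued files and the final import hint.
# Globals: cert_name (read)
#######################################
print_nginx_example() {
  echo ""
  echo ""
  echo ""
  echo "nginx 使用示例"
  echo "server {"
  echo " ..."
  echo " listen 443 ssl http2;"
  echo " ssl_certificate /etc/nginx/ssl/$cert_name.crt;"
  echo " ssl_certificate_key /etc/nginx/ssl/$cert_name.key;"
  echo "}"
  echo ""
  echo "最后浏览器导入根证书 ca/my_ca.pem 即可"
}

main() {
  trap cleanup EXIT
  check_openssl
  read_inputs
  ensure_ca
  issue_cert
  print_nginx_example
}

main "$@"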