Add sign_ssl
parent
8f004d5e99
commit
e7e2f1f1ff
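--- /dev/null
+++ b/sign_ssl
@@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+
+# 环境检测
+echo "openssl 环境检测中..."
+openssl version
+echo "请自行确认openssl版本, 如果为libressl的话(MacOS), 签发的CA证书无法在部分手机上安装..."
+echo "推荐使用openssl 1.1.1或3.x版"
+echo ""
+
+read -p "输入要签证书的根域名: " domain
+read -p "输入要签证的三级子域1(可选,默认为cdn): " third1
+read -p "输入要签证的三级子域2(可选,默认为m): " third2
+read -p "要保存的证书的名字: " cert_name
+
+if [ "$domain" = "" ]; then
+exit 0;
+fi
+
+if [ "$third1" = "" ]; then
+third1="cdn"
+fi
+
+if [ "$third2" = "" ]; then
+third2="m"
+fi
+
+if [ "$cert_name" = "" ]; then
+cert_name=$domain;
+fi
+
+
+if [ ! -e ca/my_ca.key ]; then
+mkdir ca
+openssl genrsa -out ca/my_ca.key
+fi
+
+# 签10年的根证书
+if [ ! -e ca/my_ca.pem ]; then
+openssl req -x509 -new -subj "/C=CN/ST=GuangDong/L=GuangZhou/O=bytedo/OU=IT/CN=Self Sign CA" -nodes -key ca/my_ca.key -sha256 -days 3650 -out ca/my_ca.pem
+fi
+
+
+openssl genrsa -out "$cert_name.key"
+
+openssl req -new -subj "/C=CN/ST=GuangDong/L=GuangZhou/O=bytedo/OU=IT/CN=$domain/CN=*.$domain/CN=*.$third1.$domain/CN=*.$third2.$domain" -key "$cert_name.key" -out "$cert_name.csr"
+
+echo """
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = $domain
+DNS.2 = *.$domain
+DNS.3 = *.$third1.$domain
+DNS.4 = *.$third2.$domain
+""" > "$cert_name.ext"
+
+# 签2年的证书, 新版macos不支持超过2年的证书
+openssl x509 -req -in "$cert_name.csr" -CA ca/my_ca.pem -CAkey ca/my_ca.key -CAcreateserial -out "$cert_name.crt" -days 720 -sha256 -extfile "$cert_name.ext"
+
+rm "$cert_name.ext"
+rm "$cert_name.csr"
+
+echo ""
+echo ""
+echo ""
+# nginx 使用示例
+echo "nginx 使用示例"
+echo "server {"
+echo " ..."
+echo " listen 443 ssl http2;"
+echo " ssl_certificate /etc/nginx/ssl/$cert_name.crt;"
+echo " ssl_certificate_key /etc/nginx/ssl/$cert_name.key;"
+echo "}"
+
+echo "最后浏览器导入根证书 ca/my_ca.pem 即可"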
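Review bot: The root CA private key produced by `openssl genrsa -out ca/my_ca.key` is written unencrypted and with the process's default umask, so with the usual 022 it lands as a world-readable file, and anyone who copies it can mint certificates for any name that every browser which imported `ca/my_ca.pem` will trust. Put `umask 077` before `mkdir ca` (or `chmod 600 ca/my_ca.key` right after genrsa), consider `-aes256` on the CA key so the file alone is not enough, and pass an explicit size such as `openssl genrsa -out ca/my_ca.key 4096` instead of relying on the OpenSSL default that the script only recommends but never checks. Separately, the leaf extension file sets `keyUsage` but no `extendedKeyUsage = serverAuth`, which Apple's TLS server-certificate requirements (the same rules behind the 720-day comment) mandate, so adding `extendedKeyUsage = serverAuth` under `subjectAltName = @alt_names` avoids rejection on iOS/macOS. There is also no `set -e`, so a failed genrsa or req still falls through to the signing step against a missing key or CSR.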