diff --git a/sign_ssl b/sign_ssl
new file mode 100644
index 0000000..d70fffe
--- /dev/null
+++ b/sign_ssl
@@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+
+# 环境检测
+echo "openssl 环境检测中..."
+openssl version
+echo "请自行确认openssl版本, 如果为libressl的话(MacOS), 签发的CA证书无法在部分手机上安装..."
+echo "推荐使用openssl 1.1.1或3.x版"
+echo ""
+
+read -p "输入要签证书的根域名: " domain
+read -p "输入要签证的三级子域1(可选,默认为cdn): " third1
+read -p "输入要签证的三级子域2(可选,默认为m): " third2
+read -p "要保存的证书的名字: " cert_name
+
+if [ "$domain" = "" ]; then
+ exit 0;
+fi
+
+if [ "$third1" = "" ]; then
+ third1="cdn"
+fi
+
+if [ "$third2" = "" ]; then
+ third2="m"
+fi
+
+if [ "$cert_name" = "" ]; then
+ cert_name=$domain;
+fi
+
+
+if [ ! -e ca/my_ca.key ]; then
+ mkdir ca
+ openssl genrsa -out ca/my_ca.key
+fi
+
+# 签10年的根证书
+if [ ! -e ca/my_ca.pem ]; then
+ openssl req -x509 -new -subj "/C=CN/ST=GuangDong/L=GuangZhou/O=bytedo/OU=IT/CN=Self Sign CA" -nodes -key ca/my_ca.key -sha256 -days 3650 -out ca/my_ca.pem
+fi
+
+
+openssl genrsa -out "$cert_name.key"
+
+openssl req -new -subj "/C=CN/ST=GuangDong/L=GuangZhou/O=bytedo/OU=IT/CN=$domain/CN=*.$domain/CN=*.$third1.$domain/CN=*.$third2.$domain" -key "$cert_name.key" -out "$cert_name.csr"
+
+echo """
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = $domain
+DNS.2 = *.$domain
+DNS.3 = *.$third1.$domain
+DNS.4 = *.$third2.$domain
+""" > "$cert_name.ext"
+
+# 签2年的证书, 新版macos不支持超过2年的证书
+openssl x509 -req -in "$cert_name.csr" -CA ca/my_ca.pem -CAkey ca/my_ca.key -CAcreateserial -out "$cert_name.crt" -days 720 -sha256 -extfile "$cert_name.ext"
+
+rm "$cert_name.ext"
+rm "$cert_name.csr"
+
+echo ""
+echo ""
+echo ""
+# nginx 使用示例
+echo "nginx 使用示例"
+echo "server {"
+echo " ..."
+echo " listen 443 ssl http2;"
+echo " ssl_certificate /etc/nginx/ssl/$cert_name.crt;"
+echo " ssl_certificate_key /etc/nginx/ssl/$cert_name.key;"
+echo "}"
+
+echo "最后浏览器导入根证书 ca/my_ca.pem 即可"
\ No newline at end of file
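Review bot: The CA private key produced by `openssl genrsa -out ca/my_ca.key` (and the leaf key from `openssl genrsa -out "$cert_name.key"` further down) is written with the caller's default umask and no passphrase, so with the common umask of 022 the file that can sign certificates trusted by every browser that imports ca/my_ca.pem ends up world-readable; add `umask 077` near the top of the script before any key is generated, or `chmod 600 ca/my_ca.key "$cert_name.key"` immediately after. The values read into `$domain`, `$third1`, `$third2` and `$cert_name` are interpolated unvalidated into the `-subj` string, the `[alt_names]` section and the output file names, so a stray `/` alters the subject's RDN structure and a `..` in the name changes where the key, csr and ext files are written and then `rm`'d; a check after the `read` lines such as `[[ "$domain" =~ ^[A-Za-z0-9.-]+$ ]] || exit 1` (and the same for the other three) closes that. The script also runs without `set -euo pipefail`, so a failed `genrsa` or `req` does not stop the later `openssl x509 -req` from signing whatever is on disk, and `read -p` without `-r` mangles backslashes in the input. Consider stating the RSA key size explicitly (e.g. `openssl genrsa -out ca/my_ca.key 4096`) instead of relying on the installed OpenSSL/LibreSSL default, which the script's own opening message notes can differ between builds.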