From e7e2f1f1ffc70e9bdf941a36598cf01271c5fb3d Mon Sep 17 00:00:00 2001
From: yutent <yutent.io@gmail.com>
Date: Thu, 12 Oct 2023 17:12:31 +0800
Subject: [PATCH] Add sign_ssl

---
 sign_ssl | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 78 insertions(+)
 create mode 100644 sign_ssl

diff --git a/sign_ssl b/sign_ssl
new file mode 100644
index 0000000..d70fffe
--- /dev/null
+++ b/sign_ssl
@@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+
+# 环境检测
+echo "openssl 环境检测中..."
+openssl version
+echo "请自行确认openssl版本, 如果为libressl的话(MacOS), 签发的CA证书无法在部分手机上安装..."
+echo "推荐使用openssl 1.1.1或3.x版"
+echo ""
+
+read -p "输入要签证书的根域名: " domain
+read -p "输入要签证的三级子域1(可选,默认为cdn): " third1
+read -p "输入要签证的三级子域2(可选,默认为m): " third2
+read -p "要保存的证书的名字: " cert_name
+
+if [ "$domain" = "" ]; then
+  exit 0;
+fi
+
+if [ "$third1" = "" ]; then
+ third1="cdn"
+fi
+
+if [ "$third2" = "" ]; then
+ third2="m"
+fi
+
+if [ "$cert_name" = "" ]; then
+  cert_name=$domain;
+fi
+
+
+if [ ! -e ca/my_ca.key ]; then
+  mkdir ca
+  openssl genrsa -out ca/my_ca.key
+fi
+
+# 签10年的根证书
+if [ ! -e ca/my_ca.pem ]; then
+  openssl req -x509 -new -subj "/C=CN/ST=GuangDong/L=GuangZhou/O=bytedo/OU=IT/CN=Self Sign CA" -nodes -key ca/my_ca.key -sha256 -days 3650 -out ca/my_ca.pem
+fi
+
+
+openssl genrsa -out "$cert_name.key"
+
+openssl req -new -subj "/C=CN/ST=GuangDong/L=GuangZhou/O=bytedo/OU=IT/CN=$domain/CN=*.$domain/CN=*.$third1.$domain/CN=*.$third2.$domain" -key "$cert_name.key" -out "$cert_name.csr"
+
+echo """
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = $domain
+DNS.2 = *.$domain
+DNS.3 = *.$third1.$domain
+DNS.4 = *.$third2.$domain
+""" > "$cert_name.ext"
+
+# 签2年的证书, 新版macos不支持超过2年的证书
+openssl x509 -req -in "$cert_name.csr" -CA ca/my_ca.pem -CAkey ca/my_ca.key -CAcreateserial -out "$cert_name.crt" -days 720 -sha256 -extfile "$cert_name.ext"
+
+rm "$cert_name.ext"
+rm "$cert_name.csr"
+
+echo ""
+echo ""
+echo ""
+# nginx 使用示例
+echo "nginx 使用示例"
+echo "server {"
+echo "    ..."
+echo "    listen 443 ssl http2;"
+echo "    ssl_certificate     /etc/nginx/ssl/$cert_name.crt;"
+echo "    ssl_certificate_key /etc/nginx/ssl/$cert_name.key;"
+echo "}"
+
+echo "最后浏览器导入根证书 ca/my_ca.pem 即可"
\ No newline at end of file