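#!/usr/bin/env bash
# Create (once) a local self-signed CA under ./ca and sign a server
# certificate for one root domain plus wildcard SANs for the domain and two
# third-level sub-domains.
#
# Interactive: the domain, the two sub-domain labels and the output name are
# read from stdin. Outputs are ca/my_ca.key and ca/my_ca.pem (created only on
# the first run, plus ca/my_ca.srl from -CAcreateserial) and
# <cert_name>.key / <cert_name>.crt in the current directory. Both private
# keys are created with mode 0600 (umask 077).
#
# Env: KEY_BITS - RSA key size for the CA and server keys (default 2048).
set -euo pipefail

readonly KEY_BITS="${KEY_BITS:-2048}"
readonly CA_DIR="ca"
readonly CA_KEY="$CA_DIR/my_ca.key"
readonly CA_CERT="$CA_DIR/my_ca.pem"
readonly CA_SUBJ="/C=CN/ST=GuangDong/L=GuangZhou/O=bytedo/OU=IT/CN=Self Sign CA"

# Filled in by read_inputs.
domain=""
third1=""
third2=""
cert_name=""

# Scratch directory for the CSR and the extension file; removed on every exit
# path (the original left them next to the outputs and rm'd them by hand).
tmp_dir=""
cleanup() {
  if [[ -n "$tmp_dir" ]]; then
    rm -rf -- "$tmp_dir"
  fi
}
trap cleanup EXIT

# Print an error to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Abort unless a value matches an allowed-character regex. The values are
# interpolated into the -subj string and the X.509 extension file, so a
# stray '/', '=' or newline could alter the subject or add extension lines;
# restricting the character set keeps each value a single literal token.
# Arguments: $1 - label used in the error message
#            $2 - value to check
#            $3 - extended regex the value must match
#######################################
require_match() {
  local label=$1 value=$2 pattern=$3
  [[ "$value" =~ $pattern ]] || die "$label 含有非法字符: $value"
}

# Show which openssl is on PATH; LibreSSL-issued CAs are known to the author
# not to install on some phones, so the user is asked to confirm the version.
check_env() {
  echo "openssl 环境检测中..."
  command -v openssl >/dev/null || die "未找到 openssl"
  openssl version
  echo "请自行确认openssl版本, 如果为libressl的话(MacOS), 签发的CA证书无法在部分手机上安装..."
  echo "推荐使用openssl 1.1.1或3.x版"
  echo ""
}

# Prompt for the four inputs, apply the defaults (cdn / m / domain) and
# validate them. An empty domain quietly ends the script, as before.
# `|| true` keeps EOF on stdin from aborting under set -e; read still assigns.
read_inputs() {
  read -r -p "输入要签证书的根域名: " domain || true
  read -r -p "输入要签证的三级子域1(可选,默认为cdn): " third1 || true
  read -r -p "输入要签证的三级子域2(可选,默认为m): " third2 || true
  read -r -p "要保存的证书的名字: " cert_name || true
  [[ -n "$domain" ]] || exit 0
  third1=${third1:-cdn}
  third2=${third2:-m}
  cert_name=${cert_name:-$domain}
  require_match "根域名" "$domain" '^[A-Za-z0-9.-]+$'
  require_match "三级子域1" "$third1" '^[A-Za-z0-9.-]+$'
  require_match "三级子域2" "$third2" '^[A-Za-z0-9.-]+$'
  require_match "证书名字" "$cert_name" '^[A-Za-z0-9._-]+$'
}

# Create the CA key and 10-year root certificate if they do not exist yet.
# mkdir -p tolerates a pre-existing ca/ directory (plain mkdir failed there).
ensure_ca() {
  mkdir -p -- "$CA_DIR"
  if [[ ! -e "$CA_KEY" ]]; then
    # umask in a subshell: the CA private key is born owner-readable only.
    (umask 077 && openssl genrsa -out "$CA_KEY" "$KEY_BITS")
  fi
  if [[ ! -e "$CA_CERT" ]]; then
    openssl req -x509 -new -subj "$CA_SUBJ" -nodes -key "$CA_KEY" \
      -sha256 -days 3650 -out "$CA_CERT"
  fi
}

# Generate the server key, build a CSR, write the v3 extension file with the
# SAN list and sign it with the CA.
sign_cert() {
  local key="$cert_name.key" crt="$cert_name.crt"
  local csr="$tmp_dir/req.csr" ext="$tmp_dir/req.ext"
  local subj="/C=CN/ST=GuangDong/L=GuangZhou/O=bytedo/OU=IT/CN=$domain/CN=*.$domain/CN=*.$third1.$domain/CN=*.$third2.$domain"

  (umask 077 && openssl genrsa -out "$key" "$KEY_BITS")
  openssl req -new -subj "$subj" -key "$key" -out "$csr"

  # extendedKeyUsage=serverAuth is required by Apple platforms for TLS server
  # certificates; without it the certificate is rejected even when the CA is
  # trusted. Everything else matches the original extension file.
  printf '%s\n' \
    "authorityKeyIdentifier=keyid,issuer" \
    "basicConstraints=CA:FALSE" \
    "keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment" \
    "extendedKeyUsage = serverAuth" \
    "subjectAltName = @alt_names" \
    "[alt_names]" \
    "DNS.1 = $domain" \
    "DNS.2 = *.$domain" \
    "DNS.3 = *.$third1.$domain" \
    "DNS.4 = *.$third2.$domain" \
    > "$ext"

  # 2-year leaf certificate: newer macOS versions reject longer-lived ones.
  openssl x509 -req -in "$csr" -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
    -out "$crt" -days 720 -sha256 -extfile "$ext"
}

# Print an nginx snippet for the freshly signed certificate.
print_nginx_example() {
  printf '\n\n\n'
  printf '%s\n' \
    "nginx 使用示例" \
    "server {" \
    " ..." \
    " listen 443 ssl http2;" \
    " ssl_certificate /etc/nginx/ssl/$cert_name.crt;" \
    " ssl_certificate_key /etc/nginx/ssl/$cert_name.key;" \
    "}" \
    "最后浏览器导入根证书 ca/my_ca.pem 即可"
}

main() {
  check_env
  read_inputs
  tmp_dir=$(mktemp -d) || die "mktemp 失败"
  ensure_ca
  sign_cert
  print_nginx_example
}

main "$@"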