#!/bin/bash

#author Sun Ying

#date:2015-12-17

if [ $# -lt 1 ];then

	echo -e "\033[34mUsage: `basename $0` -h|--help for help\033[0m"

	exit 0

fi

[ -e ./CA_config ] && source ./CA_config

ERRLOG=`date +%Y%H%M`.log

PASSWORD=${PASSWORD-"1234"}

CO_S=${CN_S-"CN"}

ST_S=${ST_S-"BJ"}

LO_S=${LO_S-"BJ"}

OG_S=${OG_S-"Centos"}

OU_S=${OU_S-"Linux"}

HS_S=${HS_S-"centos.example.com"}

CO_C=${CN_C-"CN"}

ST_C=${ST_C-"LN"}

LO_C=${LO_C-"SY"}

OG_C=${OG_C-"Client1"}

OU_C=${OU_C-"Operation System"}

HS_C=${HS_C-"client1.example.com"}

DAYS=${DAYS-"365"}

P_KEY=${P_KEY-/etc/pki/CA/private/cakey.pem}

CACERT=${CACERT-/etc/pki/CA/cacert.pem}

M_SIZE=${M_SIZE-"2048"}

CSR_pem=${CSR_pem-/etc/pki/CA/newcerts/${HOSTNAME}.csr}

S_DAYS=${S_DAYS-365}

DIR_F=/etc/pki/CA

umask=077

[ ! -d /tmp/CA ] && mkdir -p /tmp/CA/

touch /tmp/CA/$ERRLOG

V_Key(){

	if [ -f $temp ]; then

		openssl rsa -noout -text -in $temp

	else

		echo -e "\033[32mYou must assign a private Key with parameter -v|--verify\033[0m"

		exit 3

	fi

}

V_Cert(){

	if [ -f $temp ]; then

		openssl x509 -noout -text -in $temp

	else

		echo -e "\033[32mYou must assign a cert file with parameter -k|--check\033[0m"

		exit 3

	fi

}

V_Csr(){

	if [ -f $temp ]; then

		openssl req -noout -text -in $temp

	else

		echo -e "\033[32mYou must assign a CSR file with parameter -i|--identify\033[0m"

		exit 3

	fi

}

genPriKey(){

	[ -e $P_KEY ] && rm -f $P_KEY

        openssl genrsa -des3 -passout pass:$PASSWORD -out $P_KEY $M_SIZE >>/tmp/CA/$ERRLOG 2>&1

        if [ $? -eq 0 ];then

                echo -e "Create private key in $P_KEY \033[033msuccess\033[0m"

        else

                echo "please check the error log under /tmp/CA/$ERRLOG"

		exit 1

        fi

}

selfSign(){

        [ -e $CACERT ] && rm -f $CACERT

	if [ ! -e $P_KEY ] ;then

		echo "Please create the private key first"

		exit 1

	fi

	openssl req -new -x509 -passin pass:$PASSWORD -key $P_KEY -out $CACERT -days $DAYS -subj "/C=${CO_S}/ST=${ST_S}/L=${LO_S}/O=${OG_S}/OU=${OU_S} Department/CN=$HS_S" >>/tmp/CA/$ERRLOG 2>&1

        if [ $? -eq 0 ];then

                echo -e "Self Sign ROOT CA in $CACERT \033[033msuccess\033[0m"

        else

                echo "please check the error og under /tmp/CA/$ERRLOG"

		exit 2

	fi

}

CSR_P(){

	[ -e $CSR_pem ] && rm -f $CSR_pem

	openssl req -new -passin pass:$PASSWORD -key $P_KEY -out $CSR_pem  -subj "/C=${CO_C}/ST=${ST_C}/L=${LO_C}/O=${OG_C}/OU=${OU_C} Department/CN=${HS_C}" >>/tmp/CA/$ERRLOG 2>&1

	if [ $? -eq 0 ];then

		echo -e "Create the CSR under $CSR_pem \033[033msuccess\033[0m"

	else

		echo "please check the error log under /tmp/CA/$ERRLOG"

		exit 3

	fi

}

Cat_CA(){

	[ -e /root/ca.config ] && rm -f /root/ca.config

	cat > /root/ca.config <<EOF

[ ca ]

default_ca = CA_own

[ CA_own ]

dir = /etc/pki/CA

certs = \$dir/certs

new_certs_dir = \$dir/newcerts

database = \$dir/index.txt

serial = \$dir/serial

RANDFILE = \$dir/private/.rand

certificate = \$dir/cacert.pem

private_key = \$dir/private/cakey.pem

default_days = 3650

default_crl_days = 30

default_md = md5

preserve = no

policy = policy_anything

[ policy_anything ]

countryName = optional

stateOrProvinceName = optional

localityName = optional

organizationName = optional

organizationalUnitName = optional

commonName = supplied

emailAddress = optional

[req]

x509_extensions	=v3_ca

[v3_ca]

subjectKeyIdentifier = hash

authorityKeyIdentifier = keyid:always,issuer

basicConstraints = critical, CA:true

keyUsage = critical, digitalSignature, cRLSign, keyCertSign

EOF

	if [ $? -eq 0 ]; then

		echo -e "Create configuration file on /root/ca.config \033[033msuccess\033[0m"

	else

		echo -e "Create configuration file on /root/ca.config \033[031failed\033[0m"

	fi

}

Sign_v3(){

	openssl req -in $temp -noout -text >> /tmp/CA/$ERRLOG 2>&1

	if [ $? -eq 0 ] ;then

		Cat_CA

		[ ! -f $DIR_F/index.txt ] && touch $DIR_F/index.txt

		if [ ! -f $DIR_F/serial ];then

			touch $DIR_F/serial

			echo 01 > $DIR_F/serial

		fi

		openssl ca -extensions v3_ca -passin pass:$PASSWORD -in $temp -config /root/ca.config -days $S_DAYS -out ${temp}_V3.crt  -batch  >>/tmp/CA/$ERRLOG 2>&1

		if [ $? -eq 0 ];then

			echo -e "Create the cert file on ${temp}_V3.crt \033[033msuccess\033[0m"

		else

			echo -e "Cannot Create the Cert file. Please check the error under /tmp/CA/$ERRLOG"

			exit 4

		fi

	else

		echo -e "\033[32mYou must assign a CSR file with parameter -s3|--sign3\033[0m"

		exit 5

	fi

}

Trans_key(){

	openssl rsa -passin pass:$PASSWORD -noout -text -in $temp > /dev/null 2>/tmp/CA/$ERRLOG

	if [ $? -eq 0 ];then

		openssl rsa -passin pass:$PASSWORD -in $temp -out ${temp}.key

		echo -e "Create the ${temp}.key \033[033msuccess\033[0m"

	else

		echo -e "\033[32mYou must assign a CSR file with parameter -t|--trans\033[0m"

		exit 5

	fi

}

Sign_CSR(){

	openssl req -in $temp -noout -text >> /tmp/CA/$ERRLOG 2>&1

	if [ $? -eq 0 ]; then

                [ ! -f $DIR_F/index.txt ] && touch $DIR_F/index.txt

                if [ ! -f $DIR_F/serial ];then

                        touch $DIR_F/serial

                        echo 01 > $DIR_F/serial

                fi

		openssl x509 -req -in $temp -CA $CACERT -CAkey $P_KEY -CAcreateserial -passin pass:$PASSWORD -out $temp.crt >>/tmp/CA/$ERRLOG 2>&1

		if [ $? -eq 0 ];then

                        echo -e "Create the cert file on $temp.crt \033[033msucess\033[0m"

                else

                        echo -e "Cannot Create the Cert file. Please check the error under /tmp/CA/$ERRLOG"

                        exit 4

		fi

	else

		echo -e "\033[32mYou must assign a CSR file with parameter -s|--sign\033[0m"

		exit 6

	fi

}

Revoke_cert (){

	if [ -f $temp ];then

		openssl ca -revoke $temp >>/tmp/CA/$ERRLOG 2>&1

		if [ $? -eq 0 ];then

			echo -e "Revoke the cert file $temp \033[033msucess\033[0m"

		else

			echo -e "Cannot Revoke the cert file,please check the /tmp/CA/$ERRLOG"

			exit 4

		fi

	else

		echo -e "\033[32mYou must assign a Cert file with parameter -e|--revoke\033[0m"

		exit 6

	fi

}

help_P(){

        echo -e "\033[34mUsage: `basename $0`\033[031m [option] [file]\033[0m"

        echo -e "	\033[32m-h|--help : usage for help page\033[0m"

        echo -e "	\033[32m-c|--ca: usage to sign self root CA certification\033[0m"

	echo -e "	\033[32m-p|--private: usage to generate a private key\033[0m"

	echo -e "	\033[32m-r|--request: usage to create a CSR request\033[0m"

	echo -e "	\033[32m-s|--sign: usage to sign a Certification\033[0m"

	echo -e "	\033[32m-s3|--sign3: usage to sign v3 Certification\033[0m"

	echo -e "	\033[32m-v|--verify: usage to verify a private key\033[0m"

	echo -e "	\033[32m-i|--identify: usage to verify a CSR file\033[0m"

	echo -e "	\033[32m-k|--check: usage to verify a Certication file\033[0m"

	echo -e "	\033[32m-t|--trans: usage to trans a private key with pass to no pass\033[0m"

	exit 0

}

while [ $# -ge 1 ]; do

case $1 in

	-p|--private)

			genPriKey

			shift

		;;

	-c|--ca)

			selfSign

			shift

		;;

	-r|--request)

			CSR_P

			shift

		;;

	-s3|--sign3)

			temp=$2

			Sign_v3

			rm /root/ca.config

			shift 2

		;;

	-s|--sign)

			temp=$2

			Sign_CSR

			shift 2

		;;

	-v|--verfiy)

			temp=$2

			temp=${temp:-null}

			V_Key

			shift 2

		;;

	-i|--identify)

			temp=$2

			temp=${temp:-null}

			V_Csr

			shift 2

		;;

	-k|--check)

			temp=$2

			temp=${temp:-null}

			V_Cert

			shift 2

		;;

	-e|--revoke)

			temp=$2

			Revoke_cert

			shift 2

		;;

	-h|--help)

			help_P

			shift

		;;

	-t|--trans)

			temp=$2

			Trans_key

			shift 2

		;;

	*)

			echo -e "\033[34mUsage: `basename $0` -h|--help for help\033[0m"

			exit 0

		;;

esac

done

[ -e /tmp/CA/$ERRLOG ] && rm /tmp/CA/$ERRLOG

  默认配置

############configuration for the server side###########

##define private Key password

PASSWORD=1234

##define the valid days

DAYS=3650

##define the DN info

CO_S=CN

ST_S=BJ

LO_S=BJ

OG_S=Centos

OU_S=Linux

HS_S=centos.example.com

##define the Private Key Path

P_Key=/etc/pki/CA/private/cakey.pem

##define the CA Path

CACERT=/etc/pki/CA/cacert.pem

############configuration for the request CSR############

##define the DN info########

CO_C=CN

ST_C=LN

LO_C=DL

OG_C=server

OU_C="Operation System"

HS_C=server.example.com

  

CA签发工具的更多相关文章

  1. 使用CA签发的服务器证书搭建Tomcat双向SSL认证服务

    第一部分,先说证书的申请. 这步是要到正规的CA公司申请正式的设备证书必须走的步骤. 1.先生成证书的密钥对 打开命令行,切换到某个自己新建的目录下,执行如下命令 keytool -genkey -k ...

  2. openssl 自建CA签发证书 网站https的ssl通信

    <<COMMENTX509 文件扩展名 首先我们要理解文件的扩展名代表什么.DER.PEM.CRT和CER这些扩展名经常令人困惑.很多人错误地认为这些扩展名可以互相代替.尽管的确有时候有些 ...

  3. 使用openssl模拟CA和CA证书的签发

    使用openssl模拟CA和CA证书的签发     当使用ssl/tls进行加密通信时,必须要有数字证书.若通信只限制在局域网内,可以不向第三方机构申请签发证书,可以通过openssl模拟CA(Cer ...

  4. 使用keytool工具产生带根CA和二级CA的用户证书

    使用keytool工具产生带根CA和二级CA的用户证书 1 生成根CA 1.1 生成根CA证书   根CA实际是一张自签CA,自签CA的使用者和颁发者都是它自己.使用下面的命令生成根证书,如果没有指定 ...

  5. 基于CFSSL工具创建CA证书,服务端证书,客户端证书

    背景描述 在局域网中部署组件时,想要通过证书来实现身份的认证,确保通信的安全性,可以通过cfssl工具来进行CA证书,服务端证书,客户端证书的创建. 目录 背景描述 部署cfssl工具 下载,上传cf ...

  6. 基于 OpenSSL 的 CA 建立及证书签发 【转】

    建立 CA 建立 CA 目录结构 按照 OpenSSL 的默认配置建立 CA ,需要在文件系统中建立相应的目录结构.相关的配置内容一般位于 /usr/ssl/openssl.cnf 内,详情可参见 c ...

  7. 基于 OpenSSL 的 CA 建立及证书签发

    http://rhythm-zju.blog.163.com/blog/static/310042008015115718637/ 建立 CA 建立 CA 目录结构 按照 OpenSSL 的默认配置建 ...

  8. 自建 CA 中心并签发 CA 证书

    目录 文章目录 目录 CA 认证原理浅析 基本概念 PKI CA 认证中心(证书签发) X.509 标准 证书 证书的签发过程 自建 CA 签发证书并认证 HTTPS 网站的过程 使用 OpenSSL ...

  9. 通过Go语言创建CA与签发证书

    本篇文章中,将描述如何使用go创建CA,并使用CA签署证书.在使用openssl创建证书时,遵循的步骤是 创建秘钥 > 创建CA > 生成要颁发证书的秘钥 > 使用CA签发证书.这种 ...

随机推荐

  1. ASP.NET Razor - C# 逻辑条件

    编程逻辑:根据条件执行代码. If 条件 C# 允许根据条件执行代码. 使用 if 语句来判断条件.根据判断结果,if 语句返回 true 或者 false: if 语句开始一个代码块 条件写在括号里 ...

  2. qsort C++ VS2013 leetcode

    class Solution { private: static int compare(const void * a, const void * b) { return (*(int*)a - *( ...

  3. 怎么用BarTender的格式刷

    BarTender的新格式刷使您能够轻松地在模板上的多个对象之间共享格式.您可以在单个模板中以及在多个BarTender模板和文档之间复制对象样式.下面小编给大家来讲讲BarTender格式刷这一可用 ...

  4. js实现页面局部弹窗打印

    原文出自:http://www.haorooms.com/post/css3media 在网页中经常看到有打印功能,点击之后,只针对特定区域进行的打印.网上看了一下,大体上有2中实现方法,一种是用cs ...

  5. RAID简介

    RAID(独立磁盘冗余阵列)可以提供较普通磁盘更高的速度,安全性,所以服务器在安装时会选择创建RAID.RAID的创建有两种方式:软RAID(通过操作系统软件来实现)和硬raid(使用硬件整列卡) r ...

  6. 回调函数透彻理解Java

    http://blog.csdn.net/allen_zhao_2012/article/details/8056665 回调函数透彻理解Java 标签: classjavastringinterfa ...

  7. delete file by bat

    @echo off set logFile=AmazonDeleteFiles.log set Feeds="E:\AmazonProject\AmazonListing\AmazonLis ...

  8. Bash Shell 获取进程 PID

    转载地址:http://weyo.me/pages/techs/linux-get-pid/ 导读 Linux 的交互式 Shell 与 Shell 脚本存在一定的差异,主要是由于后者存在一个独立的运 ...

  9. parse output

    if ((line = br.readLine()).contains("PID")){ TestResultDTO t = new TestResultDTO(); t.pid ...

  10. 评论alpha版本发布

    讲解顺序: 1.  新蜂:俄罗斯方块 俄罗斯方块已经完成了核心的游戏部分,可以流畅的进行游戏,经验值功能也已经完成,目前进度很好:不足之处主要有:后续的显示内容还没完成,所以界面空出来很多板块,alp ...