Shell script implementation generates SSL self signed certificate

Time:2022-6-20

Enable Apache Mod_ A certificate is required after SSL to function properly. Wrote a script to operate. First, make sure that OpenSSL already exists on the machine.

Copy codeThe codes are as follows:
#!/bin/sh
#

#Root directory of SSL certificate output.
sslOutputRoot=”/etc/apache_ssl”
if [ $# -eq 1 ]; then
 sslOutputRoot=$1
fi
if [ ! -d ${sslOutputRoot} ]; then
 mkdir -p ${sslOutputRoot}
fi

cd ${sslOutputRoot}

Echo “start creating CA root certificate…”
#
#Create a CA root certificate that will later be used to sign the certificate for the server. If it is through a commercial Ca, such as
#If VeriSign or Thawte signs the certificate, you do not need to create the root certificate yourself. Instead, you should
#Paste the contents of the server CSR file generated later into a web form, pay the signing fee, and
#Certificate waiting to be signed. For more information about commercial CAS, see:
# Verisign – http://digitalid.verisign.com/server/apacheNotice.htm
# Thawte Consulting – http://www.thawte.com/certs/server/request.html
# CertiSign Certificadora Digital Ltda. – http://www.certisign.com.br
# IKS GmbH – http://www.iks-jena.de/produkte/ca /
# Uptime Commerce Ltd. – http://www.uptimecommerce.com
# BelSign NV/SA – http://www.belsign.be
#Generate CA root certificate private key
openssl genrsa -des3 -out ca.key 1024

#Generate CA root certificate
#Fill in the fields according to the prompts, but note that common name should preferably be a valid root domain name (such as zeali.net),
#And it cannot be exactly the same as the common name filled in the server certificate signing request file later, otherwise it will
#Occurs when the certificate is generated
#Error 18 at 0 depth lookup:self signed certificate error
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Echo “the CA root certificate has been created.”

Echo “start generating server certificate signing file and private key…”
#
#Generate server private key
openssl genrsa -des3 -out server.key 1024
#Generate a server certificate signing request file. Common name should preferably fill in the complete domain name using the certificate
#(for example: security.zeali.net)
openssl req -new -key server.key -out server.csr 
ls -altrh  ${sslOutputRoot}/server.*
Echo “the server certificate signing file and private key have been generated.”

Echo “start signing server certificate signing file with Ca root certificate…”
#
#Sign the server certificate and generate the server CRT file
#See alsohttp://www.faqs.org/docs/securing/chap24sec195.html
#  sign.sh START
#
#  Sign a SSL Certificate Request (CSR)
#  Copyright (c) 1998-1999 Ralf S. Engelschall, All Rights Reserved.
#

CSR=server.csr

case $CSR in
*.csr ) CERT=”`echo $CSR | sed -e ‘s/\.csr/.crt/’`” ;;
* ) CERT=”$CSR.crt” ;;
esac

#   make sure environment exists
if [ ! -d ca.db.certs ]; then
 mkdir ca.db.certs
fi
if [ ! -f ca.db.serial ]; then
 echo ’01’ >ca.db.serial
fi
if [ ! -f ca.db.index ]; then
 cp /dev/null ca.db.index
fi

#   create an own SSLeay config
#If you need to modify the validity period of the certificate, please modify the following default_ Days parameter
#The current setting is 10 years
cat >ca.config <<EOT
[ ca ]
default_ca = CA_own
[ CA_own ]
dir = .
certs = ./certs
new_certs_dir = ./ca.db.certs
database = ./ca.db.index
serial = ./ca.db.serial
RANDFILE = ./ca.db.rand
certificate = ./ca.crt
private_key = ./ca.key
default_days = 3650
default_crl_days = 30
default_md = md5
preserve = no
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
EOT

#  sign the certificate
echo “CA signing: $CSR -> $CERT:”
openssl ca -config ca.config -out $CERT -infiles $CSR
echo “CA verifying: $CERT <-> CA cert”
openssl verify -CAfile ./certs/ca.crt $CERT

#  cleanup after SSLeay
rm -f ca.config
rm -f ca.db.serial.old
rm -f ca.db.index.old
#  sign.sh END
Echo “signing the server certificate using the CA root certificate is complete.”

#After using SSL, you need to enter server Password of key,
#You can remove the password input by the following method (if you do not want to remove it, please note the following lines of code):
Echo “remove the restriction that the key password must be entered manually when Apache starts:”
cp -f server.key server.key.org
openssl rsa -in server.key.org -out server.key
Echo “removal completed.”

#Modify server Key permissions to ensure key security
chmod 400 server.key

echo “Now u can configure apache ssl with following:”
echo -e “\tSSLCertificateFile ${sslOutputRoot}/server.crt”
echo -e “\tSSLCertificateKeyFile ${sslOutputRoot}/server.key”

#  die gracefully
exit 0

Tags: ,

Recommended Today

Drawing with JS

<object id=DirectDraw classid=”CLSID:369303C2-D7AC-11D0-89D5-00A0C90833E6″ style=”positiion:absolute;top:0;left:0;width:320;height:200″ > <param name= “line0001” value= “drawing instruction 1” ><param name= “line0002” value= “drawing instruction 2” >… </object> Drawing instruction classification:(1) Common shapes1. rectangular class //rotation refers to the rotation angle in degreesRect (x, y, width, height, rotation) / / rectangleOval (x, y, width, height, rotation) / / ellipseRoundRect(x ,y, width, height, […]