自签证书脚本
自签证书脚本
在之前脚本的基础上做了改动：加入了自动转为 pem 格式证书的步骤，使用的 openssl 命令也略有改动。
#!/bin/bash
#********************************************************************
# File Name: cert.sh
# Version: V3.0
# Author: dahuangji
# Email:
# Created Time : 2023-12-23 18:47:13
# Description:
#********************************************************************
set -eo pipefail

# Terminal colours for the status messages (expanded by echo -e / printf '%b').
RED='\E[31;2m'
GREEN='\E[32;1m'
BLUE='\E[34;1m'
END='\E[0m'

# Subject of the self-signed CA, and of the single certificate made by menu option 2.
ca_subj='/O=ca-hj/CN=ca.hj.com'
subj='/C=CN/ST=HB/L=WH/O=dev/CN=www.hj.com'

# Serial number passed to `openssl x509 -set_serial`, and validity in days for
# the CA and every issued certificate.
# NOTE(review): many TLS clients cap server-certificate validity (e.g. 825 days on
# Apple platforms); consider a shorter value for certificates used by browsers.
serial=34
days=3600

# Basename of the single certificate's output files (<cert_file>.key/.crt/.pem).
cert_file=www.hj.com

# SANs of the single certificate. To bind more names, add one array element each.
dns_name=(
  "$cert_file"
)

# Names of the certificates created by menu option 3, whitespace-separated.
# Each name is the basename of its output files and the key into subjs/dns_names.
cert_files="
www-hj img-hj
"

# certificate name -> subject string, and certificate name -> SAN list
declare -A subjs dns_names

subjs=(
  [www-hj]='/C=CN/ST=HB/L=WH/O=dev/CN=www.hj.com'
  [img-hj]='/C=CN/ST=HB/L=JZ/O=dev/CN=img.hj.com'
)

# Whitespace-separated DNS names the certificate is valid for.
dns_names=(
  [www-hj]='www.hj.com admin.hj.com '
  [img-hj]='img.hj.com static.hj.com'
)
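#######################################
# Write san.conf, the OpenSSL request/extension config for one leaf certificate.
# Arguments: $1   - primary name, used as commonName
#            $@   - every SAN entry (including $1): an entry starting with a digit
#                   is recorded as IP.n, one starting with '*' or a letter as DNS.n;
#                   anything else is skipped with a warning on stderr
# Outputs:   san.conf in the current directory (overwritten)
# Returns:   0
#######################################
gen_ext(){
  local cn=$1
  local ip_count=1 dns_count=1 entry
  # [req_ext] is used both for the CSR (req_extensions) and, via
  # `-extfile san.conf -extensions req_ext`, when the CA signs the certificate.
  # This is an end-entity (server) certificate: it must not be marked as a CA and
  # must not carry keyCertSign, otherwise anyone holding its key could issue
  # further certificates chained to the CA.
  cat > san.conf <<eof
[req]
utf8 = yes
default_md = sha256
default_bits = 4096
req_extensions = req_ext
x509_extensions = req_ext
distinguished_name = req_distinguished_name
[req_distinguished_name]
commonName = $cn
[req_ext]
subjectAltName = @alt_names
subjectKeyIdentifier = hash
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[alt_names]
eof
  # Append entries directly instead of `sed -i` inserting after [alt_names]:
  # keeps the entries in argument order and never passes names through a sed script.
  for entry in "$@"; do
    if [[ $entry =~ ^[0-9]{1,3} ]]; then
      printf 'IP.%d = %s\n' "$ip_count" "$entry" >> san.conf
      ip_count=$((ip_count + 1))
    elif [[ $entry =~ ^\*|^[[:alpha:]] ]]; then
      printf 'DNS.%d = %s\n' "$dns_count" "$entry" >> san.conf
      dns_count=$((dns_count + 1))
    else
      printf 'gen_ext: skipping unrecognised SAN entry: %s\n' "$entry" >&2
    fi
  done
}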
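#######################################
# Create the CA private key and self-signed CA certificate unless both exist.
# Globals:   days, ca_subj, GREEN, END (read)
# Outputs:   ca.key (0600 via umask 066, stored unencrypted) and ca.crt in the
#            current directory; a status line on stdout when both already exist
# Returns:   0, or the status of the failing openssl command
#######################################
create_ca() {
  if [[ -f ca.key && -f ca.crt ]]; then
    printf '%b\n' "$GREEN 已有ca证书 $END"
    return 0
  fi
  # Subshell so umask 066 (key created 0600) does not leak into the caller.
  (umask 066; openssl genrsa -out ca.key 4096)
  openssl req -new -x509 -key ca.key -out ca.crt -nodes -days "$days" -subj "$ca_subj"
}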
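#######################################
# Create one server key + certificate for $cert_file, signed by ca.key/ca.crt.
# Globals:   cert_file, dns_name, subj, days (read)
# Outputs:   <cert_file>.key (0600), <cert_file>.crt, <cert_file>.pem (cert + CA),
#            and ca.srl (serial-number file) in the current directory
# Returns:   0, or the status of the failing openssl command
#######################################
create_cert() {
  # One SAN per array element.
  gen_ext "${dns_name[@]}"
  (umask 066; openssl genrsa -out "${cert_file}.key" 4096)
  openssl req -new -key "${cert_file}.key" -out "${cert_file}.csr" -nodes -subj "$subj" -config san.conf
  # -extensions must name a section that exists in san.conf; gen_ext writes [req_ext]
  # (there is no [v3_req], and openssl x509 errors out on a missing section).
  # -CAserial/-CAcreateserial gives every issued certificate its own serial number;
  # reusing one fixed serial under the same CA violates RFC 5280 and some clients
  # reject the second certificate.
  openssl x509 -req -in "${cert_file}.csr" -CA ca.crt -CAkey ca.key -CAserial ca.srl -CAcreateserial -days "$days" -out "${cert_file}.crt" -extfile san.conf -extensions req_ext
  cat "${cert_file}.crt" ca.crt > "${cert_file}.pem"
  # Remove only what this function created, not every *.csr in the directory.
  rm -f -- "${cert_file}.csr" san.conf
}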
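#######################################
# Create a key + certificate for every name in $cert_files, signed by ca.key/ca.crt.
# Globals:   cert_files, subjs, dns_names, days (read)
# Outputs:   <name>.key (0600), <name>.crt, <name>.pem (cert + CA) per name,
#            and ca.srl (serial-number file) in the current directory
# Returns:   1 when a name has no entry in subjs or dns_names (stops before
#            generating anything for it); otherwise the status of openssl
#######################################
create_certs() {
  local name
  # cert_files is a whitespace-separated list by design.
  # shellcheck disable=SC2086
  for name in $cert_files; do
    if [[ -z ${subjs[$name]:-} || -z ${dns_names[$name]:-} ]]; then
      printf 'create_certs: no subjs/dns_names entry for %s\n' "$name" >&2
      return 1
    fi
    # dns_names values are whitespace-separated SAN lists; split on purpose.
    # shellcheck disable=SC2086
    gen_ext ${dns_names[$name]}
    (umask 066; openssl genrsa -out "${name}.key" 4096)
    openssl req -new -key "${name}.key" -out "${name}.csr" -nodes -subj "${subjs[$name]}" -config san.conf
    # -extensions must name a section that exists in san.conf; gen_ext writes [req_ext]
    # (there is no [v3_req], and openssl x509 errors out on a missing section).
    # -CAserial/-CAcreateserial gives each certificate its own serial number instead
    # of the same fixed value, which is invalid under one CA and rejected by some clients.
    openssl x509 -req -in "${name}.csr" -CA ca.crt -CAkey ca.key -CAserial ca.srl -CAcreateserial -days "$days" -out "${name}.crt" -extfile san.conf -extensions req_ext
    cat "${name}.crt" ca.crt > "${name}.pem"
    rm -f -- "${name}.csr"
  done
  rm -f -- san.conf
}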
# Interactive menu; the user's raw reply is in $REPLY, the selected label in $choice.
PS3="请选择创建的证书数量:"
select choice in 创建CA证书 创建1个用户证书 创建多个用户证书; do
  case "$REPLY" in
    1)
      printf '%b\n' "$BLUE 仅创建CA证书 $END"
      create_ca
      ;;
    2)
      printf '%b\n' "$BLUE 创建证书 $cert_file $END"
      create_ca
      create_cert
      ;;
    3)
      printf '%b\n' "$BLUE 创建多个证书 $cert_files $END"
      create_ca
      create_certs
      ;;
    *)
      printf '%b\n' "$RED 不正确参数 $END"
      ;;
  esac
  # Every arm leaves the menu after one selection.
  break
done
