openssl 生成证书

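#!/bin/bash
# Generate an SM2 private key, a CSR and a self-signed certificate in the
# current directory. Outputs: sm2.key, sm2.csr, sm2.crt, sm2.pem.

# Stop at the first failing openssl call, so the completion message below is
# only printed when every file was actually written.
set -euo pipefail

# sm2.key is written unencrypted. Restrict every file created here to the
# owner; the certificates are public, so whoever deploys them can relax their
# mode afterwards.
umask 077

# Generate the SM2 private key
openssl ecparam -genkey -name SM2 -out sm2.key -noout

# Generate the certificate signing request (CSR)
openssl req -new -key sm2.key -out sm2.csr -subj "/C=CN/ST=Beijing/L=Beijing/O=Example/CN=sm2.example.com"

# Self-sign the certificate (valid for 365 days).
# `openssl x509` writes PEM by default, so .crt and .pem differ only in name.
# Sign once and copy: running the signing command a second time produces a
# second, different certificate (fresh serial number and signature) rather
# than the same certificate in another format.
openssl x509 -req -days 365 -in sm2.csr -signkey sm2.key -out sm2.crt
cp -- sm2.crt sm2.pem
# NOTE(review): whether the certificate is signed with SM3 depends on the
# OpenSSL build; check the "Signature Algorithm" field in the output of
# `openssl x509 -in sm2.crt -noout -text`.

# Convert to PKCS#12 (optional). The export prompts for a password that
# protects the private key inside the bundle; do not leave it empty.
#openssl pkcs12 -export -out sm2.p12 -inkey sm2.key -in sm2.crt
#openssl pkcs12 -export -out sm2.p12 -inkey sm2.key -in sm2.pem
#echo "PKCS#12: sm2.p12"

echo "SM2证书生成完成:"
echo "私钥: sm2.key"
echo "证书: sm2.crt  sm2.pem"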


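# Generate an SM2 root CA, then an encryption certificate and a signature
# certificate issued by it. Outputs: ca.key, ca.crt, ca.pem, ca.srl,
# enc.key/.csr/.crt/.pem and sign.key/.csr/.crt/.pem in the current directory.

# Stop at the first failing openssl call, so the completion message below is
# only printed when every file was actually written.
set -euo pipefail

# All private keys here (including the CA key) are written unencrypted.
# Restrict every created file to the owner; the certificates are public and
# can be made readable again where they are deployed.
umask 077

# Generate the SM2 root certificate (valid for 3650 days).
# `openssl req -x509` writes PEM by default; create the root once and copy it,
# otherwise ca.crt and ca.pem are two different root certificates (different
# serial numbers) that share one key and one subject.
openssl ecparam -genkey -name SM2 -out ca.key -noout
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -subj "/C=CN/ST=Beijing/O=Root CA/CN=SM2 Root CA"
cp -- ca.crt ca.pem

# Generate the encryption certificate.
# keyUsage limits this key pair to encryption/key exchange; without it the
# "encryption" and "signature" certificates are interchangeable and the
# separation of the two keys is not enforced by anything.
openssl ecparam -genkey -name SM2 -out enc.key -noout
openssl req -new -key enc.key -out enc.csr -subj "/C=CN/ST=Beijing/O=Example/CN=Encryption Cert"
openssl x509 -req -days 365 -in enc.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -extfile <(printf '%s\n' \
    'basicConstraints = critical, CA:FALSE' \
    'keyUsage = critical, keyEncipherment, dataEncipherment, keyAgreement') \
  -out enc.crt
cp -- enc.crt enc.pem

# Generate the signature certificate (signing only, not a CA).
openssl ecparam -genkey -name SM2 -out sign.key -noout
openssl req -new -key sign.key -out sign.csr -subj "/C=CN/ST=Beijing/O=Example/CN=Signature Cert"
openssl x509 -req -days 365 -in sign.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -extfile <(printf '%s\n' \
    'basicConstraints = critical, CA:FALSE' \
    'keyUsage = critical, digitalSignature, nonRepudiation') \
  -out sign.crt
cp -- sign.crt sign.pem

# NOTE(review): whether the certificates are signed with SM3 depends on the
# OpenSSL build; check the "Signature Algorithm" field in the output of
# `openssl x509 -in enc.crt -noout -text`, and confirm the chain with
# `openssl verify -CAfile ca.crt enc.crt sign.crt`.

echo "证书生成完成:"
echo "根证书:ca.crt ca.pem"
echo "加密证书:enc.crt enc.pem"
echo "签名证书:sign.crt sign.pem"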

 
