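#!/usr/bin/env bash
# One-shot generation of a private CA plus server and client TLS certificates.
# create : 2021-08-25
# update : 2021-08-25
# @author : wuduoqiang
#
# Outputs (written to the current directory):
#   ca-key.pem / ca-cert.pem           CA private key (AES-256 encrypted) and self-signed certificate
#   server-key.pem / server-cert.pem   server key and certificate (CN and subjectAltName = $server)
#   client-key.pem / client-cert.pem   client key and certificate (extendedKeyUsage = clientAuth)
#   ca-cert.srl, *-req.csr, *.cnf      intermediate files (see the commented rm at the end)
# Environment:
#   CA_KEY_PASS   passphrase for ca-key.pem; overrides the placeholder default below.
set -euo pipefail

# Server hostname; used as CN of the CA and server certificates and as the server SAN
server="6c377ffb8e86"
# CA key passphrase. The literal below is only the placeholder the script ships with;
# supply a real one through CA_KEY_PASS instead of editing this file.
password=${CA_KEY_PASS:-"2cx&bujsv4u%3tw9"}
# Country
country="cn"
# State / province
state="海南省"
# City
city="海口市"
# Organization name
organization="小强崽公司"
# Organizational unit
organizational_unit="小强崽单位"
# E-mail address
email="875667601@qq.com"

# Hand the passphrase to openssl through the environment (env:VAR) instead of on
# the command line (pass:...), so it does not appear in `ps` output or shell traces.
export CA_KEY_PASS="$password"

# Generate the CA private key, encrypted with AES-256 under the passphrase
openssl genrsa -aes256 -passout env:CA_KEY_PASS -out ca-key.pem 2048
# Generate the self-signed CA certificate.
# -utf8: several subject values are non-ASCII; without it openssl treats them as ASCII.
# DN attribute short names (C, ST, L, O, OU, CN, emailAddress) are case-sensitive.
openssl req -new -x509 -utf8 -passin env:CA_KEY_PASS -days 3650 -key ca-key.pem -sha256 \
  -out ca-cert.pem \
  -subj "/C=$country/ST=$state/L=$city/O=$organization/OU=$organizational_unit/CN=$server/emailAddress=$email"

# Generate the server private key
openssl genrsa -out server-key.pem 2048
# Generate the server certificate signing request
openssl req -subj "/CN=$server" -new -key server-key.pem -out server-req.csr
# Server extensions: TLS clients verify the hostname against subjectAltName, not CN,
# so without a SAN the certificate fails hostname verification in current clients.
printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$server" > server-ext.cnf
# Sign the server certificate with the CA (-sha256: older openssl defaults x509 -req to SHA-1)
openssl x509 -req -days 3650 -sha256 -in server-req.csr -CA ca-cert.pem -CAkey ca-key.pem \
  -passin env:CA_KEY_PASS -CAcreateserial -out server-cert.pem -extfile server-ext.cnf

# Generate the client private key
openssl genrsa -out client-key.pem 2048
# Generate the client certificate signing request
openssl req -subj "/CN=client" -new -key client-key.pem -out client-req.csr
# Client extensions. The previous `sh -c echo "..." >> extfile.cnf` ran echo with no
# arguments (the text became $0 of the inner shell) and so wrote an empty line.
# Truncate (>) rather than append so re-runs do not accumulate duplicate entries.
printf 'extendedKeyUsage=clientAuth\n' > extfile.cnf
# Sign the client certificate with the CA
openssl x509 -req -days 3650 -sha256 -in client-req.csr -CA ca-cert.pem -CAkey ca-key.pem \
  -passin env:CA_KEY_PASS -CAcreateserial -out client-cert.pem -extfile extfile.cnf

# Private keys: owner read-only
chmod 0400 ca-key.pem server-key.pem client-key.pem
# Certificates are public: world-readable
chmod 0444 ca-cert.pem server-cert.pem client-cert.pem
# Remove intermediate files (uncomment when they are not needed)
# rm -f -- ca-cert.srl client-req.csr server-req.csr extfile.cnf server-ext.cnf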