【实验需求】

实现私有CA的生成,并完成证书的申请

【实验环境】

Rocky Linux release 8.5 (Green Obsidian)

#!/bin/bash
# **********************************************************
# * Filename : crt_install.sh
# * Author : Herbert Wu
# * Version : 2.0
# * Email : wuhaolam@163.com
# * Website : https://wuhaolam.github.io
# * Date : 2023-06-11
# * Description : 生成自签名CA证书,并使用CA证书颁发两个应用证书
# **********************************************************

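# Certificate parameters
## One associative array describes every certificate: subject, private-key path,
## certificate path, validity in days, RSA key size and serial number.
## Index 0 is the CA itself; 1 and 2 are the two application certificates, which
## additionally carry the path of their CSR.
## NOTE: serial1/serial2 are kept for compatibility but are not consumed — the
## serial of an issued certificate is allocated by `openssl ca` from
## /etc/pki/CA/serial (`req -set_serial` only has an effect together with -x509).
declare -A CERT_INFO
CERT_INFO=([subject0]="/C=CN/ST=anhui/L=hefei/O=Universal/OU=tech/CN=www.hefei.com" \
[keyfile0]="/etc/pki/CA/private/cakey.pem" \
[certfile0]="/etc/pki/CA/cacert.pem" \
[expire0]=3650 \
[keybit0]=2048 \
[serial0]=0 \
[subject1]="/C=CN/ST=anhui/L=luzhou/O=Universal/OU=sale/CN=www.sale.com" \
[keyfile1]="/data/app1/app1.key" \
[certfile1]="/etc/pki/CA/certs/app1.crt" \
[csrfile1]="/data/app1/app1.csr" \
[expire1]=1095 \
[keybit1]=2048 \
[serial1]=01 \
[subject2]="/C=CN/ST=anhui/L=zhoufu/O=Universal/OU=IT/CN=www.IT.com" \
[keyfile2]="/data/app2/app2.key" \
[certfile2]="/etc/pki/CA/certs/app2.crt" \
[csrfile2]="/data/app2/app2.csr" \
[expire2]=1095 \
[keybit2]=2048 \
[serial2]=02 )

# Fail fast: a failed CA step must not be followed by an issuing step that signs
# with a half-built CA (the original only printed a message and carried on).
set -euo pipefail

# Directory `openssl ca` uses by default on Rocky/RHEL (openssl.cnf:
# [ CA_default ] dir = /etc/pki/CA). The script relies on that default config
# for the CA database layout and the signing policy.
readonly CA_DIR=/etc/pki/CA

# Scratch directory for the per-certificate extension files; removed on any exit.
TMP_DIR=$(mktemp -d)
readonly TMP_DIR
trap 'rm -rf -- "$TMP_DIR"' EXIT

# Green progress message on stdout.
info() { printf '\033[1;32m%s\033[0m\n' "$*"; }
# Red error message on stderr, then abort.
die()  { printf '\033[1;31m%s\033[0m\n' "$*" >&2; exit 1; }

#######################################
# Create the CA directory layout, the CA private key and the self-signed CA cert.
# Globals:   CERT_INFO (read), CA_DIR (read)
# Outputs:   CA key at keyfile0 (mode 0600), CA certificate at certfile0
# Returns:   exits 1 if a CA already exists or OpenSSL fails
#######################################
create_ca() {
  local ca_key=${CERT_INFO[keyfile0]}
  local ca_cert=${CERT_INFO[certfile0]}

  # Never overwrite a live CA: a fresh key/cert invalidates every certificate
  # this CA has already issued, and resetting serial/index.txt would hand out
  # serial numbers that are already in the database (openssl ca: TXT_DB error).
  if [[ -e "$ca_key" || -e "$ca_cert" ]]; then
    die "CA已存在($ca_cert),拒绝覆盖,以免已颁发的证书全部失效"
  fi

  mkdir -p -- "$CA_DIR"/{certs,crl,newcerts,private}
  chmod 700 -- "$CA_DIR/private"   # only root may read CA key material
  : > "$CA_DIR/index.txt"           # fresh, empty certificate database
  echo 01 > "$CA_DIR/serial"        # first issued certificate gets serial 01

  info "开始生成自签名CA证书"

  # Generate the key on its own under umask 077 so it is 0600 from the moment it
  # exists — `req -newkey ... -keyout` under the default umask left the CA key
  # world-readable. The key is unencrypted, as with the original -nodes: fine for
  # a lab CA only; a production CA key belongs behind a passphrase or in an HSM.
  (umask 077; openssl genrsa -out "$ca_key" "${CERT_INFO[keybit0]}") \
    || die "自签名CA证书生成失败"

  # NOTE(review): serial0 is 0. RFC 5280 requires a positive serial number and
  # some validators reject 0; consider 1 or a random serial for a new CA.
  openssl req -utf8 -new -x509 -key "$ca_key" \
    -set_serial "${CERT_INFO[serial0]}" \
    -subj "${CERT_INFO[subject0]}" \
    -days "${CERT_INFO[expire0]}" \
    -out "$ca_cert" \
    || die "自签名CA证书生成失败"

  info "自签名证书生成成功"
}

#######################################
# Generate a private key and CSR for application N, then sign it with the CA.
# Globals:   CERT_INFO (read), TMP_DIR (read)
# Arguments: $1 - index into CERT_INFO (1 or 2)
# Outputs:   key at keyfileN (mode 0600), CSR at csrfileN, cert at certfileN
# Returns:   non-zero (script aborts via set -e) if any OpenSSL step fails
#######################################
issue_app_cert() {
  local idx=$1
  local key=${CERT_INFO[keyfile$idx]}
  local csr=${CERT_INFO[csrfile$idx]}
  local crt=${CERT_INFO[certfile$idx]}
  local subject=${CERT_INFO[subject$idx]}
  # Hostname for subjectAltName; assumes CN is the last RDN of the subject
  # string, as it is for every entry in CERT_INFO above.
  local cn=${subject##*/CN=}
  local extfile=$TMP_DIR/app$idx.ext

  mkdir -p -- "$(dirname -- "$key")"

  # Private key is 0600 from creation (the umask is scoped to the subshell).
  (umask 077; openssl genrsa -out "$key" "${CERT_INFO[keybit$idx]}")

  # The CSR carries only the subject. The default signing policy (policy_match)
  # requires C, ST and O to equal the CA's; the subjects in CERT_INFO satisfy it.
  openssl req -new -key "$key" -subj "$subject" -out "$csr"

  # Leaf-certificate extensions. Modern TLS clients ignore the CN and match the
  # hostname against subjectAltName only, so without it the certificate cannot
  # serve https://CN/; CA:FALSE plus keyUsage stop the leaf from being used as
  # an intermediate CA. Plain key=value lines land in the file's default section,
  # which `openssl ca -extfile` reads when no -extensions is given.
  cat > "$extfile" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName=DNS:$cn
EOF

  # -batch replaces the piped "y\ny" confirmation; the serial number is taken
  # from /etc/pki/CA/serial and recorded in index.txt by openssl ca.
  openssl ca -batch -in "$csr" -out "$crt" \
    -cert "${CERT_INFO[certfile0]}" -keyfile "${CERT_INFO[keyfile0]}" \
    -days "${CERT_INFO[expire$idx]}" \
    -extfile "$extfile"
}

main() {
  create_ca

  info "开始颁发应用证书"
  issue_app_cert 1

  info "开始颁发第二个应用证书"
  issue_app_cert 2

  info "应用证书颁发完成,如下所示:"
  # Show the issued application certificates.
  ls -l -- "$CA_DIR/certs"
}

main "$@"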