Linux shell script to generate Apache certificates

Source: Internet
Author: User
Tags: chmod, mkdir, openssl, rsa, ssl certificate, self-signed certificate


Certificate generation with Apache + mod_ssl
First, generate the certificate signing request:


The code is as follows

# openssl req -new > server.csr


After you answer the prompts, two files are created in the current directory: server.csr and privkey.pem. privkey.pem is the private key file, and by default it is protected by a passphrase. If that passphrase is not removed, Apache prompts for it every time it starts, so if the server restarts while nobody is at the console, Apache cannot come up.



Therefore, the second step is to remove the passphrase:


The code is as follows

# openssl rsa -in privkey.pem -out server.key


This step asks for the passphrase you set earlier, so do not set it carelessly in the previous step.



The third step is to generate the server certificate:


The code is as follows

# openssl req -x509 -days 3650 -key server.key -in server.csr > server.crt


The -days parameter sets the certificate's validity period; 3650 days is 10 years, which should be long enough.



Finally, add the following to the configuration of the corresponding domain name in httpd.conf:


The code is as follows

SSLCertificateFile /etc/httpd/conf/key/server.crt
SSLCertificateKeyFile /etc/httpd/conf/key/server.key


Then restart Apache.



UPDATE:


There is also another way: first generate the key with the specified algorithm:


The code is as follows

# openssl genrsa -des3 1024 > server.old.key


Then remove the passphrase:


The code is as follows

# openssl rsa -in server.old.key -out server.key


Then generate the certificate request:


The code is as follows

# openssl req -new -key server.key > server.csr


Finally generate the certificate:


The code is as follows


# openssl req -x509 -days 3650 -key server.key -in server.csr > server.crt
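As an added example that is not part of the original article, the following script runs both passphrase-stripping procedures above (the first procedure's `req -new` variant and the UPDATE's `genrsa` variant) non-interactively in a temporary directory, then performs the checks an administrator should make before pointing Apache at the files: the key no longer carries a passphrase, the key and certificate belong together, the certificate is valid for the full 3650 days, and the key file is readable only by its owner. It assumes the openssl command-line tool is installed; the subject name, the passphrase and the output directory are constructed values.

```shell
#!/bin/sh
# Added example, not code from the original article. Assumes the openssl CLI is installed.
# DEMO_SUBJECT and DEMO_PASS are constructed values standing in for the interactive prompts.

DEMO_SUBJECT="/C=CN/O=Example Corp/CN=www.example.test"
DEMO_PASS="demo-passphrase-only"

# Variant "req": "openssl req -new" creates the CSR and an encrypted private key in one go.
# Variant "genrsa": generate the encrypted key first, then build the CSR from it (the UPDATE).
# Both then strip the passphrase and self-sign the CSR for 3650 days, as the article does.
make_selfsigned() {
    (
        mkdir -p "$1" && cd "$1" || exit 1
        if [ "$2" = "req" ]; then
            # Step 1: CSR plus encrypted private key (privkey.pem) in one command
            openssl req -new -newkey rsa:2048 -keyout privkey.pem -passout "pass:$DEMO_PASS" \
                -subj "$DEMO_SUBJECT" -out server.csr >/dev/null 2>&1 || exit 1
            encrypted=privkey.pem
        else
            # Step 1': encrypted key via genrsa (AES-256 instead of the article's -des3), then the CSR
            openssl genrsa -aes256 -passout "pass:$DEMO_PASS" -out server.old.key 2048 >/dev/null 2>&1 || exit 1
            openssl req -new -key server.old.key -passin "pass:$DEMO_PASS" \
                -subj "$DEMO_SUBJECT" -out server.csr >/dev/null 2>&1 || exit 1
            encrypted=server.old.key
        fi
        # Step 2: remove the passphrase so Apache can start unattended
        openssl rsa -in "$encrypted" -passin "pass:$DEMO_PASS" -out server.key >/dev/null 2>&1 || exit 1
        # Step 3: self-sign the request for 3650 days (10 years)
        openssl req -x509 -days 3650 -key server.key -in server.csr -out server.crt >/dev/null 2>&1 || exit 1
        # Owner-read-only, as the article's script does at the end
        chmod 400 server.key
    )
}

# True only when the key has no ENCRYPTED PEM header and loads and checks cleanly.
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1" && openssl rsa -in "$1" -noout -check >/dev/null 2>&1
}

# True when key and certificate share the same RSA modulus, i.e. they belong together.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# True when the certificate is still valid N days from now (-checkend takes seconds).
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# Octal mode of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Run one variant in a directory and print "ok" or a short failure reason.
demo_selfsigned() {
    make_selfsigned "$1" "$2"                          || { echo "generation failed"; return 1; }
    key_is_unencrypted "$1/server.key"                 || { echo "key still encrypted"; return 1; }
    key_matches_cert "$1/server.key" "$1/server.crt"   || { echo "key/cert mismatch"; return 1; }
    cert_valid_for_days "$1/server.crt" 3649           || { echo "validity too short"; return 1; }
    [ "$(file_mode "$1/server.key")" = "400" ]         || { echo "bad key mode"; return 1; }
    echo ok
}

demo_selfsigned "$(mktemp -d)" req
demo_selfsigned "$(mktemp -d)" genrsa
```

Run it as a plain sh script; each call prints ok or the reason the check failed. The CSR and certificate here carry only a Common Name, exactly as the article's commands do; current browsers also require the host name in a subjectAltName extension, which none of the commands on this page set.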



For convenience, someone on the web has written a shell script that makes the whole generation easy. It is as follows:



#!/bin/sh
#

# The root directory for SSL certificate output.
SSLOUTPUTROOT="/etc/apache_ssl"
if [ $# -eq 1 ]; then
    SSLOUTPUTROOT=$1
fi
if [ ! -d "${SSLOUTPUTROOT}" ]; then
    mkdir -p "${SSLOUTPUTROOT}"
fi

cd "${SSLOUTPUTROOT}" || exit 1

echo "Starting to create the CA root certificate ..."
#
# Create the CA root certificate, which is later used to sign the server certificate. If the
# certificate is signed by a commercial CA such as Verisign or Thawte, you do not need to create
# a root certificate yourself; instead, paste the generated server CSR into the CA's web form,
# pay the signing fee and wait for the signed certificate. For more information on commercial
# CAs, see:

# Generate the CA root certificate private key
openssl genrsa -des3 -out ca.key 1024

# Generate the CA root certificate.
# Fill in each field as prompted, but note that the Common Name should preferably be a valid
# root domain (such as zeali.net), and it must not be exactly the same as the Common Name
# entered later in the server certificate signing request, otherwise certificate generation
# fails with
#   error at 0 depth lookup:self signed certificate
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
echo "CA root certificate creation completed."

echo "Starting to generate the server certificate signing request and private key ..."
#
# Generate the server private key
openssl genrsa -des3 -out server.key 1024
# Generate the server certificate signing request; the Common Name should be the full domain
# name that will use the certificate (e.g. security.zeali.net)
openssl req -new -key server.key -out server.csr
ls -altrh "${SSLOUTPUTROOT}"/server.*
echo "Server certificate signing request and private key generation completed."

echo "Starting to sign the server certificate with the CA root certificate ..."

CSR=server.csr

case $CSR in
    *.csr) CERT="$(echo "$CSR" | sed -e 's/\.csr/.crt/')" ;;
    *)     CERT="$CSR.crt" ;;
esac

# Make sure the CA environment exists
if [ ! -d ca.db.certs ]; then
    mkdir ca.db.certs
fi
if [ ! -f ca.db.serial ]; then
    # Initial serial number. The value was lost in the copy of the script on this page;
    # 01 is the conventional starting value and is assumed here.
    echo '01' > ca.db.serial
fi
if [ ! -f ca.db.index ]; then
    cp /dev/null ca.db.index
fi

# Create our own SSLeay config.
# To change the certificate validity period, modify the default_days parameter below;
# it is currently set to 10 years.
cat > ca.config <<EOT
[ ca ]
default_ca              = ca_own
[ ca_own ]
dir                     = .
certs                   = ./certs
new_certs_dir           = ./ca.db.certs
database                = ./ca.db.index
serial                  = ./ca.db.serial
RANDFILE                = ./ca.db.rand
certificate             = ./ca.crt
private_key             = ./ca.key
default_days            = 3650
default_crl_days        = 30
# The page's copy used md5 here; modern OpenSSL rejects MD5-signed certificates, so sha256 is used.
default_md              = sha256
preserve                = no
policy                  = policy_anything
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
EOT

# Sign the certificate
echo "CA signing: $CSR -> $CERT:"
openssl ca -config ca.config -out "$CERT" -infiles "$CSR"
echo "CA verifying: $CERT <-> CA cert"
# ca.crt is written to the current directory (./certs is never created), so verify against it here
openssl verify -CAfile ca.crt "$CERT"

# Clean up after SSLeay
rm -f ca.config
rm -f ca.db.serial.old
rm -f ca.db.index.old
# sign.sh end
echo "Signing the server certificate with the CA root certificate completed."

# After enabling SSL, Apache asks for the server.key passphrase every time it starts.
# The following removes that passphrase (comment out these lines if you want to keep it):
echo "Removing the requirement to enter the key passphrase manually when Apache starts:"
cp -f server.key server.key.org
openssl rsa -in server.key.org -out server.key
echo "Removal complete."

# Restrict permissions on server.key to keep the key secure
# (the mode was lost in the copy on this page; owner-read-only, 400, is assumed)
chmod 400 server.key

echo "Now you can configure Apache SSL with the following:"
printf '\tSSLCertificateFile %s/server.crt\n' "${SSLOUTPUTROOT}"
printf '\tSSLCertificateKeyFile %s/server.key\n' "${SSLOUTPUTROOT}"

# die gracefully
exit 0
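The signing half of the script above, reduced to a non-interactive run, as an added example that is neither the article's script nor the sign.sh its comments refer to: it builds the same ca.config layout in a scratch directory, issues a server certificate with openssl ca, and then runs the same openssl verify check the script ends with. It assumes the openssl command-line tool is installed; the CA name, the server name and the CA passphrase are constructed values.

```shell
#!/bin/sh
# Added example, not the article's script. Assumes the openssl CLI is installed.
# CA_PASS and the /CN= names are constructed values standing in for the interactive prompts.

CA_PASS="demo-ca-passphrase"

# The ca.config the script builds with its heredoc, rooted in the current directory
# (the optional DN fields are trimmed to the ones this example supplies).
write_ca_config() {
    cat > ca.config <<EOT
[ ca ]
default_ca             = ca_own
[ ca_own ]
dir                    = .
new_certs_dir          = ./ca.db.certs
database               = ./ca.db.index
serial                 = ./ca.db.serial
certificate            = ./ca.crt
private_key            = ./ca.key
default_days           = 3650
default_md             = sha256
preserve               = no
policy                 = policy_anything
[ policy_anything ]
countryName            = optional
organizationName       = optional
commonName             = supplied
EOT
}

# Create the CA, the server key and CSR, sign the CSR with "openssl ca" and verify the chain.
# Prints "ok" on success; any failed step makes the function return non-zero.
demo_ca_signing() {
    (
        cd "$1" || exit 1
        # CA root: passphrase-protected key plus a self-signed certificate. Its Common Name
        # deliberately differs from the server's, as the script's comments require.
        openssl genrsa -aes256 -passout "pass:$CA_PASS" -out ca.key 2048 >/dev/null 2>&1 || exit 1
        openssl req -new -x509 -days 365 -key ca.key -passin "pass:$CA_PASS" \
            -subj "/C=CN/O=Demo/CN=Demo Root CA" -out ca.crt >/dev/null 2>&1 || exit 1
        # Server key and CSR (generated without a passphrase; the script strips it afterwards anyway)
        openssl genrsa -out server.key 2048 >/dev/null 2>&1 || exit 1
        openssl req -new -key server.key -subj "/C=CN/O=Demo/CN=www.example.test" \
            -out server.csr >/dev/null 2>&1 || exit 1
        # The CA database files "openssl ca" insists on: issued-cert directory, serial, index
        mkdir -p ca.db.certs
        echo '01' > ca.db.serial
        : > ca.db.index
        write_ca_config
        # -batch answers the "Sign the certificate? / commit?" prompts seen in the transcripts
        openssl ca -batch -config ca.config -passin "pass:$CA_PASS" \
            -out server.crt -infiles server.csr >/dev/null 2>&1 || exit 1
        # Same check as the script: the issued certificate must chain to ca.crt
        openssl verify -CAfile ca.crt server.crt >/dev/null 2>&1 || exit 1
        # And it must carry the requested name and name the CA as its issuer
        openssl x509 -noout -subject -in server.crt | grep -q 'www.example.test' || exit 1
        openssl x509 -noout -issuer -in server.crt | grep -q 'Demo Root CA' || exit 1
        chmod 400 server.key
        echo ok
    )
}

demo_ca_signing "$(mktemp -d)"
```

The configuration is deliberately minimal: openssl ca refuses to run without new_certs_dir, database, serial, certificate, private_key, default_md and a policy section, which is exactly the set the script's heredoc creates. Anything the script's interactive prompts would have asked for is passed with -subj, -passin and -batch instead.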


Example 2: generating an Apache certificate (HTTPS application)


The code is as follows
# cd /usr/local/apache2/conf
# tar zxvf ssl.ca-0.1.tar.gz
# cd ssl.ca-0.1


To generate a root certificate:


The code is as follows
# ./new-root-ca.sh                (generate the root certificate)
No Root CA key round. Generating one
Generating RSA private key, 1024 bit long modulus
...........................++++++
....++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key: (enter a password)
Verifying - Enter pass phrase for ca.key: (enter the password again)
......
Self-sign the root CA ... (sign the root certificate)
Enter pass phrase for ca.key: (enter the password you just set)
........
........ (signing now)
Country Name (2 letter code) [MY]:CN
State or Province Name (full name) [Perak]:hainan
Locality Name (eg, city) [Sitiawan]:haikou
Organization Name (eg, company) [My Directory Sdn Bhd]:wiscom System Co.,ltd
Organizational Unit Name (eg, section) [Certification Services Division]:acstar
Common Name (eg, MD Root CA) []:wiscom CA
Email Address []:acmail@wiscom.com.cn


This generates two files, ca.key and ca.crt. Next, generate the server certificate:


The code is as follows
# ./new-server-cert.sh server            (the name of this certificate is server)
......
.....
Country Name (2 letter code) [MY]:CN
State or Province Name (full name) [Perak]:hainan
Locality Name (eg, city) [Sitiawan]:haikou
Organization Name (eg, company) [My Directory Sdn Bhd]:wiscom System co.,ltd
Organizational Unit Name (eg, section) [Secure Web Server]:acstar
Common Name (eg, www.domain.com) []:acmail.wiscom.com.cn
Email Address []:acmail@wiscom.com.cn


This generates the two files server.csr and server.key. Now sign the server certificate:


The code is as follows
# ./sign-server-cert.sh server
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key: (enter the root certificate password set above)
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'Jiangsu'
localityName          :PRINTABLE:'Nanjing'
organizationName      :PRINTABLE:'wiscom System co.,ltd'
organizationalUnitName:PRINTABLE:'acstar'
commonName            :PRINTABLE:'acmail.wiscom.com.cn'
emailAddress          :IA5STRING:'acmail@wiscom.com.cn'
Certificate is to be certified until 12:55:34 (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK


(If there is an error, it is best to start over: delete the ssl.ca-0.1 directory and begin again from the extraction step.)



Following the settings in ssl.conf, place the certificate files in the appropriate locations.


The code is as follows
# chmod 400 server.key            (the mode was lost in the page's copy; owner-read-only is assumed)
# cd ..
# mkdir ssl.key
# mv ssl.ca-0.1/server.key ssl.key
# mkdir ssl.crt
# mv ssl.ca-0.1/server.crt ssl.crt


Then it is ready to start!


The code is as follows

# cd /usr/local/apache2
# ./bin/apachectl startssl
