Shell script to generate a self-signed SSL certificate (Linux shell)

Source: Internet
Author: User
Tags: mkdir, openssl, openssl rsa, ssl certificate, self-signed certificate

After enabling Apache mod_ssl, you need a certificate for it to work properly. I wrote a script to handle this. The first thing to make sure of is that OpenSSL is installed on the machine.

The script is as follows:

#!/bin/sh
#

# The root directory for SSL certificate output.
SSL_OUTPUT_ROOT="/etc/apache_ssl"
if [ $# -eq 1 ]; then
    SSL_OUTPUT_ROOT=$1
fi
if [ ! -d "${SSL_OUTPUT_ROOT}" ]; then
    mkdir -p "${SSL_OUTPUT_ROOT}"
fi

cd "${SSL_OUTPUT_ROOT}" || exit 1

echo "Starting to create the CA root certificate ..."
#
# Create the CA root certificate, which is later used to sign the server certificate. If the
# certificate is to be signed by a commercial CA such as Verisign or Thawte, you do not need to
# create the root certificate yourself; instead, paste the generated server CSR file content
# into a web form, pay the signing fee and wait for the signed certificate. For more
# information on commercial CAs, see:
# Verisign - http://digitalid.verisign.com/server/apachenotice.htm
# Thawte Consulting - http://www.thawte.com/certs/server/request.html
# CertiSign Certificadora Digital Ltda. - http://www.certisign.com.br
# IKS GmbH - http://www.iks-jena.de/produkte/ca/
# Uptime Commerce Ltd. - http://www.uptimecommerce.com
# BelSign NV/SA - http://www.belsign.be
# Generate the CA root certificate private key
openssl genrsa -des3 -out ca.key 1024

# Generate the CA root certificate
# Fill in each field as prompted, but note that Common Name should preferably be a valid root
# domain (such as zeali.net), and it must not be exactly the same as the Common Name entered in
# the subsequent server certificate signing request, otherwise the following error occurs when
# the certificate is generated:
# error at 0 depth lookup:self signed certificate
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
echo "CA root certificate creation completed."

echo "Starting to generate the server certificate signing request and private key ..."
#
# Generate the server private key
openssl genrsa -des3 -out server.key 1024
# Generate the server certificate signing request file; Common Name should be the full domain
# name that will use the certificate (e.g. security.zeali.net)
openssl req -new -key server.key -out server.csr
ls -altrh "${SSL_OUTPUT_ROOT}"/server.*
echo "Server certificate signing request and private key generation completed."

echo "Starting to sign the server certificate with the CA root certificate ..."
#
# Sign the server certificate, producing the server.crt file
# See http://www.faqs.org/docs/securing/chap24sec195.html
# sign.sh START
#
# Sign a SSL Certificate Request (CSR)
# Copyright (c) 1998-1999 Ralf S. Engelschall, All Rights Reserved.
#

CSR=server.csr

case $CSR in
    *.csr ) CERT="`echo $CSR | sed -e 's/\.csr/.crt/'`" ;;
        * ) CERT="$CSR.crt" ;;
esac

#   make sure environment exists
if [ ! -d ca.db.certs ]; then
    mkdir ca.db.certs
fi
if [ ! -f ca.db.serial ]; then
    echo '01' >ca.db.serial
fi
if [ ! -f ca.db.index ]; then
    cp /dev/null ca.db.index
fi

#   create an own SSLeay config
# If you need to change the validity period of the certificate, edit the default_days
# parameter below. It is currently set to 10 years (3650 days).
# Note: default_md = md5 is kept as in the original article; MD5 signatures are rejected
# by modern clients, so use sha256 for any real deployment.
cat >ca.config <<EOT
[ ca ]
default_ca              = CA_own
[ CA_own ]
dir                     = .
certs                   = ./certs
new_certs_dir           = ./ca.db.certs
database                = ./ca.db.index
serial                  = ./ca.db.serial
RANDFILE                = ./ca.db.rand
certificate             = ./ca.crt
private_key             = ./ca.key
default_days            = 3650
default_crl_days        = 30    # value taken from the original sign.sh
default_md              = md5
preserve                = no
policy                  = policy_anything
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
EOT

# Sign the certificate
echo "CA signing: $CSR -> $CERT:"
openssl ca -config ca.config -out $CERT -infiles $CSR
echo "CA verifying: $CERT <-> CA cert"
# ca.crt is in the current directory (see "certificate" above), not in ./certs
openssl verify -CAfile ./ca.crt $CERT

# cleanup after SSLeay
rm -f ca.config
rm -f ca.db.serial.old
rm -f ca.db.index.old
# sign.sh END
echo "Signing the server certificate with the CA root certificate completed."


# After enabling SSL, every Apache start requires the server.key passphrase to be entered.
# The following removes the passphrase (comment out these lines if you want to keep it):
echo "Removing the requirement to enter the key passphrase manually when Apache starts:"
cp -f server.key server.key.org
openssl rsa -in server.key.org -out server.key
echo "Removal is complete."


# Restrict server.key permissions to keep the key secure
# (the mode was missing from the source page; 400 = owner read-only is assumed here)
chmod 400 server.key

echo "Now you can configure Apache SSL with the following:"
# printf instead of "echo -e": /bin/sh (e.g. dash) does not interpret -e
printf '\tSSLCertificateFile %s/server.crt\n' "${SSL_OUTPUT_ROOT}"
printf '\tSSLCertificateKeyFile %s/server.key\n' "${SSL_OUTPUT_ROOT}"

# die gracefully
exit 0
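The same procedure in a non-interactive form, added here as an example and not part of the original article or its script: 2048-bit keys, SHA-256, a subjectAltName on the server certificate (clients no longer honour a bare Common Name), `openssl x509 -req` instead of the `openssl ca` database files, and a guard for the identical-Common-Name pitfall the script comments describe. An `openssl` binary (1.1.1 or newer) on PATH, the output directory and DNS name arguments, and all function and file names are assumptions.

```shell
#!/bin/sh
# Added, non-interactive variant of the procedure above (not the original script).
# Assumes `openssl` 1.1.1 or newer on PATH; every file is written under the
# directory given as the first argument.

# Write a v3 extension file for a TLS server certificate. Browsers require a
# subjectAltName and ignore the CN, so the DNS name goes into the SAN.
write_server_ext() {   # $1 = output file, $2 = DNS name
    printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
        'keyUsage=critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' "subjectAltName=DNS:$2" > "$1"
}

# Extension file for the private CA itself; CA:TRUE is what `openssl verify`
# requires on the issuing certificate.
write_ca_ext() {       # $1 = output file
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' > "$1"
}

# Guard for the pitfall the original comments describe: if the CSR subject equals
# the CA subject, the issued certificate has issuer == subject and OpenSSL treats
# it as self-signed ("self signed certificate" at depth 0) instead of CA-issued.
# Returns 0 when the two subjects differ, 1 when they are identical.
subjects_differ() {    # $1 = CA certificate, $2 = CSR
    ca_subj=$(openssl x509 -in "$1" -noout -subject) || return 1
    csr_subj=$(openssl req -in "$2" -noout -subject) || return 1
    [ "$ca_subj" != "$csr_subj" ]
}

# Create a private CA and a server certificate signed by it for DNS name $2,
# in directory $1. Runs in a subshell so the caller's cwd is untouched.
# Returns 0 only if the chain verifies and the SAN is present in server.crt.
make_server_cert() (   # $1 = output dir, $2 = DNS name
    dir=$1; name=$2
    mkdir -p "$dir" && cd "$dir" || exit 1

    # CA: 2048-bit RSA, SHA-256, subject deliberately distinct from the server's
    openssl genrsa -out ca.key 2048 2>/dev/null || exit 1
    openssl req -new -sha256 -key ca.key -out ca.csr \
        -subj "/CN=Private test CA for $name" 2>/dev/null || exit 1
    write_ca_ext ca.ext
    openssl x509 -req -sha256 -days 3650 -in ca.csr -signkey ca.key \
        -extfile ca.ext -out ca.crt 2>/dev/null || exit 1

    # Server key and CSR; the CSR subject is the server's full DNS name
    openssl genrsa -out server.key 2048 2>/dev/null || exit 1
    openssl req -new -sha256 -key server.key -out server.csr \
        -subj "/CN=$name" 2>/dev/null || exit 1
    subjects_differ ca.crt server.csr || exit 1

    # Issue the server certificate from the CSR, attaching the server extensions
    write_server_ext server.ext "$name"
    openssl x509 -req -sha256 -days 397 -in server.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -extfile server.ext -out server.crt 2>/dev/null || exit 1

    # Keys are owner-only (same intent as the chmod step in the original script)
    chmod 600 ca.key server.key

    # Verify the chain and confirm the SAN really landed in the certificate
    openssl verify -CAfile ca.crt server.crt >/dev/null 2>&1 || exit 1
    openssl x509 -in server.crt -noout -text | grep -q "DNS:$name"
)

# Usage: sh make-cert.sh /etc/apache_ssl www.example.test
if [ $# -eq 2 ]; then
    make_server_cert "$1" "$2" && echo "OK: $1/server.crt verifies against $1/ca.crt"
fi
```

The resulting `server.crt` and `server.key` drop into the same `SSLCertificateFile` / `SSLCertificateKeyFile` directives the script prints at the end; `ca.crt` is what has to be imported into client trust stores for the certificate to be accepted, since a private CA is trusted by nobody by default.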
