Shell script implementation generates SSL self-signed certificate _linux Shell

After you enable Apache Mod_ssl, you need a certificate to function properly. Wrote a script to manipulate it. The first thing to make sure is that there are OpenSSL on the machine.

Copy Code code as follows:

#!/bin/sh
#

# The root directory for SSL certificate output.
ssloutputroot= "/etc/apache_ssl"
If [$#-eq 1]; Then
Ssloutputroot=$1
Fi
if [!-D ${ssloutputroot}]; Then
Mkdir-p ${ssloutputroot}
Fi

CD ${ssloutputroot}

echo "starts creating CA Root Certificates ..."
#
# Create the CA root certificate, which is later used to sign the certificate for the server. If it is through a commercial CA such as
# Verisign or Thawte signed the certificate, you do not need to create the root certificate themselves, but should
# Post the generated server CSR file content into a Web form, pay the signing fee and
# Waiting for a signed certificate. For more information on commercial CAs, see:
# verisign-http://digitalid.verisign.com/server/apachenotice.htm
# Thawte Consulting-http://www.thawte.com/certs/server/request.html
# certisign Certificadora Digital Ltda.-http://www.certisign.com.br
# IKS GMBH-HTTP://WWW.IKS-JENA.DE/PRODUKTE/CA/
# Uptime Commerce Ltd.-http://www.uptimecommerce.com
# belsign nv/sa-http://www.belsign.be
# Generate CA Root certificate private key
OpenSSL genrsa-des3-out Ca.key 1024

# Generate CA Root certificate
# Fill in each field as prompted, but note that Common name is preferably a valid root domain (such as zeali.net),
# and it cannot be exactly the same as the Common Name that was completed in the subsequent server certificate signing request file, otherwise
# Occurs when a certificate is generated
# error at 0 depth lookup:self signed certificate error
OpenSSL req-new-x509-days 365-key ca.key-out ca.crt
echo "CA root certificate creation completed. "

echo "starts generating server certificate signing file and private key ..."
#
# Generate server Private key
OpenSSL genrsa-des3-out Server.key 1024
# Generate server certificate signing request file, Common name is best to fill in the full domain name using the certificate
# (eg: security.zeali.net)
OpenSSL Req-new-key server.key-out SERVER.CSR
LS-ALTRH ${ssloutputroot}/server.*
echo "Server certificate signing file and private key generation completed. "

echo "starts signing a server certificate with a CA root certificate signing file ..."
#
# sign server certificate, generate SERVER.CRT file
# See http://www.faqs.org/docs/securing/chap24sec195.html
# sign.sh START
#
# Sign a SSL certificate Request (CSR)
# Copyright (c) 1998-1999 Ralf S. Engelschall, all Rights Reserved.
#

Csr=server.csr

Case $CSR in
*.CSR) cert= "' Echo $CSR | Sed-e ' s/\.csr/.crt/' ";;
* cert= "$CSR. CRT";;
Esac

#   Make sure environment exists
if [!-D ca.db.certs]; then
 mkdir ca.db.certs
Fi
If [!-f ca.db.serial]; Then
 echo ' >ca.db.serial
fi
If [!-f Ca.db.index]; then
 cp/dev/null ca.db.index
Fi

#   Create an own Ssleay config
If you need to modify the validity period of a certificate, modify the following default_days parameter.
# is currently set to 10.
Cat >ca.co Nfig <<eot
[CA]
default_ca = ca_own
[Ca_own]
dir =.
certs =./certs
New_ certs_dir =./ca.db.certs
database =./ca.db.index
serial =./ca.db.serial
RANDFILE  =./ca.db.rand
certificate =./CA.CRT
private_key =./ca.key
default_days = 3650
default_crl_days =
default_md = MD5
preserve = no
policy = policy_anything
[ Policy_anything]
countryname = optional
stateorprovincename = optional
localityname = Optional
organizationname = optional
organizationalunitname = optional
commonname = Supplied
emailaddress = Optional
EOT

# Sign the certificate
echo CA signing: $CSR-> $CERT: "
OpenSSL ca-config ca.config-out $CERT-infiles $CSR
echo "CA verifying: $CERT <-> CA CERT"
OpenSSL verify-cafile./certs/ca.crt $CERT

# cleanup after Ssleay
Rm-f Ca.config
Rm-f Ca.db.serial.old
Rm-f Ca.db.index.old
# sign.sh End
Echo signed the server certificate with the CA root certificate signed file completed. "

# After using SSL, each time you start Apache requires the Server.key password to be entered.
# You can use the following method to remove the password input (please note the following lines if you do not want to remove):
Echo removes the restriction that Apache must manually enter the key password when it starts: "
Cp-f Server.key server.key.org
OpenSSL rsa-in server.key.org-out Server.key
echo "Removal is complete. "

# Modify Server.key permissions to ensure key security
chmod Server.key

echo "Now u can configure Apache SSL with following:"
Echo-e "\tsslcertificatefile ${ssloutputroot}/server.crt"
Echo-e "\tsslcertificatekeyfile ${ssloutputroot}/server.key"

# die Gracefully
Exit 0