Xiaohei's daily tinkering: a shell script to quickly create a private CA


Xiaohei is tinkering again. I only learned how to build a private CA with openssl last week and spent some time on Saturday writing this script, then went off to review DNS, so if there are bugs, please bear with me. The script is purely an exercise in openssl, awk, sed and related knowledge points.

First, the basic steps for building a private CA. The paths below are the defaults from the openssl.cnf shipped on CentOS/RHEL, which keeps everything under /etc/pki/CA:

(1) Generate the CA private key:

~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)

The umask is set inside a subshell so that the key file is created with mode 0600 without changing the umask of the current shell.

(2) Generate the self-signed certificate:

~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655

-new: generate a new certificate signing request; with no further options openssl prompts interactively for the subject fields (country, province, city, organization, unit, common name, email);

-x509: instead of outputting a request, produce a self-signed certificate, which is what the root certificate of a private CA is;

-key: path of the private key used to sign the request;

-out: output path. Because -x509 is given, the signed certificate is written directly instead of a request;

-days: validity period of the certificate in days (3655 is roughly ten years).

(3) Provide the directories and files the CA needs:

~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts}

~]# touch /etc/pki/CA/{serial,index.txt}

~]# echo 01 > /etc/pki/CA/serial

index.txt must exist and start out empty, and serial holds the next certificate serial number as a hexadecimal string; openssl ca refuses to sign anything if either file is missing.

The script parses the openssl.cnf file to obtain the relevant paths from its [ CA_default ] section, then builds the private CA with the commands above. The subject information for the self-signed certificate is kept in an array and piped into the command that generates the certificate with echo, so it must be listed in the same order as the interactive prompts defined in openssl.cnf (passing -subj to openssl req avoids that dependency). The script is as follows:

#!/bin/bash
# Program:
#   This program is used to create a private CA
# History:
#   2016/4/9  xiaohei  v1.0
# blog: http://zww577593841.blog.51cto.com/6145493/1750689
#
# Keys read from the [ CA_default ] section of openssl.cnf:
#   dir            private CA storage directory
#   certs          storage directory of issued certificates
#   crl_dir        storage directory of revoked certificates
#   new_certs_dir  storage directory of new certificates
#   serial         file holding the current certificate serial number
#   database       index file of issued certificates
#   certificate    CA self-signed certificate
#   private_key    CA private key

# location of the openssl.cnf configuration file
declare conffile=/etc/pki/tls/openssl.cnf

# array of the attributes to read from the CA configuration section
declare -a var
var=("dir" "certs" "crl_dir" "new_certs_dir" "serial" "database" "certificate" "private_key")

# temporary files
declare -a tempfile
tempfile=("./ca_default.txt" "./ca_value.txt")

# necessary files and directories
declare -a creatfile
declare -a creatdir
creatfile=("serial" "database")
creatdir=("certs" "crl_dir" "new_certs_dir")

# associative array holding the CA attributes found in openssl.cnf
declare -A ca

# information required in the self-signed certificate, in the order openssl req
# prompts for it: country (two uppercase letters), province, city, company,
# department, host name, email (optional)
cainfo=("CN" "Beijing" "Beijing" "blackboy" "ops" "ca.blackboy.com" "blackboy@163.com")

# signal capture: clean up on Ctrl-C
trap 'mytrap' INT
mytrap() {
    clean_temp
    echo -e "\033[31mexit\033[0m"
    exit
}

# clear temporary files, variables and arrays
clean_temp() {
    for ((i=0; i<${#tempfile[*]}; i++)); do
        mv -f "${tempfile[$i]}" /tmp/
    done
    unset -v var
    unset -v tempfile
    unset -v ca
    unset -v creatfile
    unset -v creatdir
    unset -v cainfo
}

# check whether a file or directory exists
analyse_file_dir() {
    if [ -f "$1" ]; then
        echo -e "\033[32mfile $1 exists\033[0m"
        return 0
    elif [ -d "$1" ]; then
        echo -e "\033[32m$1 exists\033[0m"
        return 0
    else
        echo -e "\033[31m$1 does not exist\033[0m"
        return 1
    fi
}

# create a required file
creat_file() {
    touch "$1"
    analyse_file_dir "$1" &> /dev/null && echo -e "\033[32mcreate $1 successful\033[0m" || return 1
    return 0
}

# create a required directory
creat_dir() {
    mkdir -pv "$1"
    analyse_file_dir "$1" &> /dev/null && echo -e "\033[33mcreate $1 successful\033[0m" || return 1
    return 0
}

# parse the openssl.cnf file whose path is saved in conffile and collect the
# [ CA_default ] settings into the ca array
analyse_conf() {
    analyse_file_dir "$1" || exit 1
    # use sed to cut the [ CA_default ] section out of the configuration file,
    # dropping comments (openssl.cnf uses "key = value   # comment" lines)
    sed -n '/^\[ *CA_default *\]/,/^\[/{s/#.*//;/=/p;}' "$1" > "${tempfile[0]}"
    # format the result with awk into "key=value" lines and save them to the second temporary file
    awk -F= '{gsub(/[ \t]/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2); a[$1]=$2}
             END {for (i in a) printf "%s=%s\n", i, a[i]}' "${tempfile[0]}" > "${tempfile[1]}"
    # the other items refer to the dir item as $dir; replace it with the real path
    local dir
    dir=$(sed -n 's/^dir=//p' "${tempfile[1]}")
    sed -i "s@[$]dir@$dir@g" "${tempfile[1]}"
    echo "The current OpenSSL configuration"
    cat "${tempfile[1]}"
    echo "################################"
    # save the attributes found in the configuration file into the associative array
    for ((i=0; i<${#var[*]}; i++)); do
        ca["${var[$i]}"]=$(awk -F= -v k="${var[$i]}" '$1 == k {print $2}' "${tempfile[1]}")
    done
}

# create the private key
creat_private_key() {
    # the directory holding the key; create it if it does not exist
    analyse_file_dir "${1%/*}" || creat_dir "${1%/*}" || return 1
    # create a 4096-bit private key; umask 077 in a subshell makes the key file
    # readable and writable only by the current user without changing the script's umask
    (umask 077; openssl genrsa -out "$1" 4096)
    # check that the private key was created
    analyse_file_dir "$1" &> /dev/null && echo -e "\033[32mcreate private key successful\033[0m" || return 1
    echo "OK"
    return 0
}

# generate the self-signed certificate
creat_cacert() {
    local info
    # information to fill in when the certificate is generated, one answer per line
    for ((i=0; i<${#cainfo[*]}; i++)); do
        info="$info${cainfo[$i]}\n"
    done
    # feed the answers to the interactive prompts of openssl req
    echo -e "$info" | openssl req -new -x509 -key "$1" -out "$2" -days 3655
    # check that the certificate was generated
    analyse_file_dir "$2" &> /dev/null && echo -e "\033[32mcreate cacert successful\033[0m" || return 1
}

# if openssl.cnf does not exist, exit directly
analyse_conf "$conffile" || exit 1
# create the necessary files and directories; exit if creation fails
for ((i=0; i<${#creatfile[*]}; i++)); do
    analyse_file_dir "${ca[${creatfile[$i]}]}" || creat_file "${ca[${creatfile[$i]}]}" || exit 1
done
for ((i=0; i<${#creatdir[*]}; i++)); do
    analyse_file_dir "${ca[${creatdir[$i]}]}" || creat_dir "${ca[${creatdir[$i]}]}" || exit 1
done
# write the initial serial number (hexadecimal) to the serial file
echo "01 >>>>> ${ca[serial]}"
echo "01" > "${ca[serial]}"
# create the private key of the CA
creat_private_key "${ca[private_key]}" || exit 1
# create the CA self-signed certificate
creat_cacert "${ca[private_key]}" "${ca[certificate]}" || exit 1
# view the certificate content
openssl x509 -in "${ca[certificate]}" -noout -serial -subject
# clear the variables, arrays and temporary files generated during installation
clean_temp
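The same job end to end, as an added example that is not the blog's script: it covers both the three steps listed above and the [ CA_default ] parsing the script performs, but works in a throwaway directory so it can be run without touching /etc/pki/CA. It writes a constructed openssl.cnf (sample data, not a real deployment), builds the CA at the paths read from that file, and then runs the checks worth doing before trusting the result: key file mode 0600, a valid self-signature, the certificate's public key matching the private key, and the CA:TRUE basic constraint. The function names, the config contents and the subject DN are assumptions for illustration; -subj replaces the prompt-order-dependent echo approach, and the [ v3_ca ] section supplies the extensions a CA certificate should carry.

```shell
#!/bin/sh
# Added example, not the original script: build a private CA into a throwaway
# directory from a constructed openssl.cnf, then verify the result.
set -eu

# Write a minimal openssl.cnf (constructed sample). The [ CA_default ] keys are
# the ones the blog's script reads; [ req ] and [ v3_ca ] give the self-signed
# certificate proper CA extensions.
write_example_cnf() {
    cat > "$2" <<EOF
[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = $1                  # Where everything is kept
certs           = \$dir/certs         # Where the issued certs are kept
crl_dir         = \$dir/crl           # Where the issued crl are kept
database        = \$dir/index.txt     # database index file.
new_certs_dir   = \$dir/newcerts      # default place for new certs.
certificate     = \$dir/cacert.pem    # The CA certificate
serial          = \$dir/serial        # The current serial number
private_key     = \$dir/private/cakey.pem# The private key
default_md      = sha256

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
EOF
}

# Raw value of one key in [ CA_default ]: comments stripped, whitespace trimmed,
# "$dir" left unresolved. Usage: ca_conf_raw <cnf> <key>
ca_conf_raw() {
    sed -n '/^\[ *CA_default *\]/,/^\[/{s/#.*//;/=/p;}' "$1" \
      | awk -F= -v k="$2" '{gsub(/[ \t]/, "", $1)}
                           $1 == k {gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2}'
}

# Same, with "$dir" replaced by the real directory (what the script's sed -i does).
ca_conf_get() {
    local dir value
    dir=$(ca_conf_raw "$1" dir)
    value=$(ca_conf_raw "$1" "$2")
    printf '%s\n' "$value" | sed "s|[\$]dir|$dir|g"
}

# Steps (1)-(3) of the article at the paths read from the config. Usage:
# build_private_ca <cnf> <subject DN>
build_private_ca() {
    local cnf key cert
    cnf=$1
    key=$(ca_conf_get "$cnf" private_key)
    cert=$(ca_conf_get "$cnf" certificate)
    # (3) directories and bookkeeping files: index.txt starts empty, serial is hex
    mkdir -p "$(ca_conf_get "$cnf" certs)" "$(ca_conf_get "$cnf" crl_dir)" \
             "$(ca_conf_get "$cnf" new_certs_dir)" "${key%/*}"
    chmod 700 "${key%/*}"
    : > "$(ca_conf_get "$cnf" database)"
    echo 01 > "$(ca_conf_get "$cnf" serial)"
    # (1) private key; umask 077 in a subshell so only this file is affected
    (umask 077; openssl genrsa -out "$key" 4096 2>/dev/null)
    # (2) self-signed CA certificate; -subj replaces the interactive prompts and
    # x509_extensions = v3_ca from the config marks it as a CA
    openssl req -new -x509 -key "$key" -out "$cert" -days 3655 -sha256 \
        -subj "$2" -config "$cnf"
}

# Checks worth running before trusting the new CA; returns 1 on the first failure.
verify_private_ca() {
    local cert key
    cert=$(ca_conf_get "$1" certificate)
    key=$(ca_conf_get "$1" private_key)
    # the key file must be private to its owner (mode 0600)
    [ "$(stat -c %a "$key")" = 600 ] || return 1
    # the certificate must verify against itself (valid self-signature)
    openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1 || return 1
    # the public key in the certificate must belong to the private key
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] || return 1
    # it must actually be marked as a CA
    openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' || return 1
    echo "CA at $cert OK"
}

# Demo run, guarded so the functions can still be sourced where openssl is absent
if command -v openssl >/dev/null 2>&1; then
    root=$(mktemp -d)
    write_example_cnf "$root" "$root/openssl.cnf"
    build_private_ca "$root/openssl.cnf" "/C=CN/ST=Beijing/L=Beijing/O=blackboy/OU=ops/CN=ca.blackboy.com"
    verify_private_ca "$root/openssl.cnf"
    openssl x509 -in "$root/cacert.pem" -noout -serial -subject
fi
```

Because the constructed file also carries a [ ca ] section pointing at [ CA_default ], the same file can later be passed to openssl ca -config to sign requests against the directory it created.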

The script runs as follows:

This was written in a rush, so please forgive any rough edges.
