Using shell scripts to automatically build OpenSSL CAs, etc.

Source: Internet
Author: User
Tags: cas dname execution openssl x509 csr certificate


I have actually written about this before, but that version only automated creating the CA certificate and related files. I have had some spare time recently, and since this tool is used almost everywhere, I have done some tinkering on top of the earlier version.

Implementation features:

1. Fully automatic creation of a private CA and a set of test certificates.

2. Using the existing CA, issue certificates, re-create the test certificates after adjusting a few settings, or generate requests to be issued by other CAs.

Since the code is a bit long, this article first describes usage in detail and then pastes the code and uploads it as an attachment; if you are impatient for the code, scroll straight down to read it or download the attachment.

Environment: RHEL 5.8 32-bit; OpenSSL installed from the installation CD's yum repository.

Usage:

command [option]

You can run it without options. There are only a few options, since having many would defeat the purpose of the script; the sections below describe each of them in detail.

/etc/sysconfig/mos_ca.conf: configuration file. You can adjust it to your needs or leave it out entirely, since the script has default values for everything.

First, get the script, give it execute permission and move it onto the system path. Running it with no options generates the CA self-signed certificate and the demo certificate: all the files the CA needs are created under /etc/pki/CA/, and a fully functional set of demo certificates is created in /opt/mos_demo. The operation is as follows:


[root@test scripts]# chmod 700 mos_ca.sh
[root@test scripts]# ll mos_ca.sh
-rwx------ 1 root root 3.3K Jan  8 12:24 mos_ca.sh
[root@test scripts]# cp mos_ca.sh /bin/mos_ca
[root@test scripts]# mos_ca    # Running it is all it takes; the following commands only check the results
[root@test scripts]# ls /etc/pki/CA/    # View the generated CA self-signed files
cacert.pem  crl/  index.txt.attr  newcerts/  serial
certs/  index.txt  index.txt.old  private/  serial.old
[root@test scripts]# ls /opt/mos_demo/demo.*    # View the generated demo certificate files
demo.crt  demo.csr  demo.key
[root@test scripts]# openssl x509 -text -in /opt/mos_demo/demo.crt    # View the certificate the script just signed
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=Henan, L=Zhengzhou, O=Youguess, OU=Tech, CN=ca.mos.com/emailAddress=root@mos.com
        Validity
            Not Before: Jan  8 05:54:52 2013 GMT
            Not After : Jan  8 05:54:52 2014 GMT
        Subject: C=CN, ST=Henan, O=Youguess, OU=Tech, CN=demo.mos.com
.......


Second, when the CA self-signed certificate and the demo certificates already exist on the system, running the script again prompts whether to move the original files aside; they are backed up into a directory named after the current time, inside the directory they were in. The operation is as follows:


[root@test opt]# mos_ca
CA existe, Continue? Y: Move file; n-> Quit. [Y|n] y    # Enter y to move the files, n to quit
Demo certificate existe, Continue? Y: Move file; n: Quit. [Y|n] y    # Same as above
[root@test opt]# ls /etc/pki/CA/
2013-01-08-13:54:48tmp/  crl/  index.txt.old  serial
cacert.pem  index.txt  newcerts/  serial.old
certs/  index.txt.attr  private/
[root@test opt]# ls /etc/pki/CA/2013-01-08-13\:54\:48tmp/
cacert.pem  crl/  index.txt.attr  newcerts/  serial
certs/  index.txt  index.txt.old  private/  serial.old
[root@test opt]# ls /opt/mos_demo/
2013-01-08-13:54:51tmp/  demo.crt  demo.csr  demo.key
[root@test opt]# ls /opt/mos_demo/2013-01-08-13\:54\:51tmp/demo.*
demo.crt  demo.csr  demo.key


Third, to issue a certificate for a custom domain name, use the -n option. Before running it, edit /etc/sysconfig/mos_ca.conf and set dhost="your domain name". If you run -n without changing it, the current CA cannot issue the certificate, because the domain name would be the same as the demo certificate's and that is not allowed; just as a real CA cannot issue two certificates for one domain name to different customers. The demo is as follows:


[root@test scripts]# grep -Ev "^$|^#" /etc/sysconfig/mos_ca.conf
dname=mos    # The new certificate's file names start with mos
dhost=www.mos.com    # Issue the certificate for this domain name
de=root@mos.com    # Its email address
[root@test scripts]# mos_ca -n
[root@test scripts]# ls /opt/mos_demo/
2013-01-08-13:54:51tmp/  demo.csr  mos.crt  mos.key
demo.crt  demo.key  mos.csr
[root@test scripts]# openssl x509 -text -in /opt/mos_demo/mos.crt    # View the certificate just issued
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=Henan, L=Zhengzhou, O=Youguess, OU=Tech, CN=ca.mos.com/emailAddress=root@mos.com
        Validity
            Not Before: Jan  8 06:14:00 2013 GMT
            Not After : Jan  8 06:14:00 2014 GMT
        Subject: C=CN, ST=Henan, O=Youguess, OU=Tech, CN=www.mos.com
..................


Fourth, use the -s option to generate a key and an unsigned certificate request (CSR) for submission to another CA. For this, modify the country, province/state, city, company, department, domain name and email address in the configuration file. The operation is as follows:


[root@test scripts]# grep -Ev "^$|^#" /etc/sysconfig/mos_ca.conf    # Configuration file, changed as follows
cny=CN    # Country
pve=Henan    # Province/State
cty=Zhengzhou    # City
bis=Youguess    # Company
bnh=Tech    # Department
dname=tech    # The certificate's file names start with this
dhost=tech.test.com    # Domain name to request the certificate for
de=root@test.com    # Its email address
[root@test scripts]# mos_ca -s
[root@test scripts]# ls /opt/mos_demo/tech.*
tech.csr  tech.key


Fifth, use the -o option to issue a certificate from an existing CSR file. Specify the path and base name of the CSR in the configuration file, without the .csr extension: for example, if the CSR's absolute path is /opt/mos_demo/tech.csr, put /opt/mos_demo/tech in the configuration file. Here we issue a certificate for the CSR created in the previous step, which has not been issued yet. (Again, because this is a private CA, the country, province, city, company and department filled in the CSR must be the same as the CA's.) The operation is as follows:


[root@test scripts]# grep other /etc/sysconfig/mos_ca.conf
other=/opt/mos_demo/tech
[root@test scripts]# mos_ca -o
[root@test scripts]# ls /opt/mos_demo/tech.*
tech.crt  tech.csr  tech.key    # The .crt file produced by signing has appeared; its content is as follows:
[root@test scripts]# openssl x509 -text -in /opt/mos_demo/tech.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=Henan, L=Zhengzhou, O=Youguess, OU=Tech, CN=ca.mos.com/emailAddress=root@mos.com
        Validity
            Not Before: Jan  8 06:49:53 2013 GMT
            Not After : Jan  8 06:49:53 2014 GMT
        Subject: C=CN, ST=Henan, O=Youguess, OU=Tech, CN=tech.test.com
.........
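The CA layout, the issuing steps and the duplicate-subject refusal from the first, third, fourth and fifth sections, as an added example that is not the post's mos_ca.sh: a few shell functions that build a CA database (index.txt, serial, newcerts/) in a temporary directory standing in for /etc/pki/CA, generate a key and CSR, sign it with openssl ca under a policy that requires C, ST, O and OU to match the CA, and return non-zero when a second certificate is requested for a subject that is already in index.txt. The openssl.cnf contents, the file names and the CADIR and SUBJ_BASE variables are my own choices, and the -addext option needs OpenSSL 1.1.1 or newer.

```shell
# Added example (not the post's mos_ca.sh): a minimal private CA with the same
# /etc/pki/CA-style database (index.txt, serial, newcerts/) whose issuing step
# refuses a second certificate for a subject already in index.txt (section three).
set -eu
CADIR="${CADIR:-$(mktemp -d)}"                  # stand-in for /etc/pki/CA (assumed)
SUBJ_BASE="/C=CN/ST=Henan/O=Youguess/OU=Tech"   # DN values taken from the post
write_conf() {  # minimal config for "openssl ca"; unique_subject=yes is the OpenSSL default
  cat >"$CADIR/openssl.cnf" <<EOF
[ ca ]
default_ca = mos
[ mos ]
dir = $CADIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = match_pol
unique_subject = yes
x509_extensions = leaf
[ match_pol ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
commonName = supplied
[ leaf ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = dn
[ dn ]
EOF
}
build_ca() {  # like running mos_ca with no options, minus the demo certificate
  mkdir -p "$CADIR/newcerts" "$CADIR/private"; : >"$CADIR/index.txt"; echo 01 >"$CADIR/serial"; write_conf
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$CADIR/openssl.cnf" \
    -addext "basicConstraints=critical,CA:TRUE" -keyout "$CADIR/private/cakey.pem" \
    -out "$CADIR/cacert.pem" -subj "$SUBJ_BASE/CN=ca.mos.com" 2>/dev/null
}
make_csr() {  # make_csr NAME HOST: key + CSR for HOST, like "mos_ca -s"
  openssl req -new -newkey rsa:2048 -nodes -config "$CADIR/openssl.cnf" \
    -keyout "$CADIR/$1.key" -out "$CADIR/$1.csr" -subj "$SUBJ_BASE/CN=$2" 2>/dev/null
}
sign_csr() {  # sign_csr NAME: issue from NAME.csr, like "mos_ca -o"; non-zero when the CA refuses
  openssl ca -batch -notext -config "$CADIR/openssl.cnf" -in "$CADIR/$1.csr" -out "$CADIR/$1.crt" 2>/dev/null
}
verify_cert() { openssl verify -CAfile "$CADIR/cacert.pem" "$CADIR/$1.crt" >/dev/null 2>&1; }
```

The refusal comes from unique_subject in the CA database (the index.txt.attr file seen in the listings above), so a second request for demo.mos.com fails until the first entry is revoked or the attribute is changed.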


Sixth, use the CA option to reconfigure and rebuild the CA, or the F variant to do so without creating the test certificate. To change the CA, modify the attributes of the self-signed CA in the configuration file (country, province, city, company, department, domain name, email, and so on); if you leave the configuration unchanged, the CA is still regenerated and the old files are moved aside and kept. The operation is as follows: