X509 TLS

标签：TLS 证书 X509 ca CertPath CertPD key
!/bin/bash

function tls3(){
####################################################
#
# 创建CA X509 version 3.0根证书
#
####################################################


CertPath=/k8s/tlsv3
CertPD=huawei@123
DomainName=ca.huawei.com

#1、创建证书存放目录
mkdir -p ${CertPath} && cd ${CertPath}


#2、创建CA证书的私钥"cacert-key.pem"
openssl genrsa -des3 -out  ${CertPath}/ca.key -passout pass:${CertPD} 2048


#3、生产X509 Version3类型证书
openssl req -x509 -new -nodes \
-key  ${CertPath}/ca.key \
-sha256 \
-subj "/C=CN/ST=GuangDong/L=ShenZhen/O=HW/OU=IT/CN=${DomainName}" \
-days 7300 \
-out ${CertPath}/ca.crt \
-passin pass:${CertPD}

# 4、查看证书文件
openssl x509 -in  ${CertPath}/ca.crt  -text -noout


#####################################################
#
# 生成X509 3.0证书
# CA签署的服务器证书
#
#####################################################

# 服务器证书存放路径，需与CA证书存放路径保持一致
CertPath=/k8s/tlsv1
# 证书明文密码
CertPD=huawei@123
# 服务器证书域名
DomainName=www.huawei.com


# 1、创建服务器证书的私钥"server.key"
openssl genrsa -des3 -out ${CertPath}/server.key  -passout pass:${CertPD} 2048

# 2、创建服务器证书请求文件"server.csr"
openssl req -new \
-subj "/C=CN/ST=GuangDong/L=ShenZhen/O=HW/OU=IT/CN=${DomainName}" \
-key ${CertPath}/server.key \
-out ${CertPath}/server.csr \
-passin pass:${CertPD}

# 3、创建证书扩展文件"my-ssl.conf"
# 更改相应IP和DNS地址
#
cat > ${CertPath}/my-ssl.conf <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster
DNS.5 = kubernetes.default.svc.cluster.local
DNS.6 = www.huawei.com
DNS.7 = localhost
IP.1 = 168.7.10.201
IP.2 = 168.7.10.202
IP.3 = 168.7.10.203
IP.4 = 168.7.10.204
IP.4 = 127.0.0.1
EOF

# 4、签发并生成服务器证书
openssl x509 -req \
-in ${CertPath}/server.csr \
-out ${CertPath}/server.crt \
-days 3650 \
-CAcreateserial \
-CA ${CertPath}/ca.crt \
-CAkey ${CertPath}/ca.key \
-CAserial serial \
-extfile ${CertPath}/my-ssl.conf \
-passin pass:${CertPD}


# 5、查看证书文件
openssl x509 -in ${CertPath}/server.crt -text -noout
chmod 777 ${CertPath}/ca* ${CertPath}/ser* && ls -l ${CertPath}/

}



function tls1(){

#####################################################
#
# 创建CA X509 version 1.0根证书
#
#####################################################

#创建证书存放目录
CertPath=/k8s/tlsv1
CertPD=huawei@123
DomainName=ca.huawei.com

# 1、创建证书文件存放目录
mkdir -p ${CertPath} && cd ${CertPath}
     
# 2、创建CA证书的私钥"ca.key"
openssl genrsa -out  ${CertPath}/ca.key

# 3、 创建CA证书请求"ca.csr"
openssl req -new \
-subj "/C=CN/ST=GuangDong/L=DongGuan/O=HW/OU=IT/CN=${DomainName}"  \
-key  ${CertPath}/ca.key \
-out  ${CertPath}/ca.csr

# 4、 创建3年有效期的CA证书"ca.crt"
openssl x509 -req \
-days  3650 \
-in ${CertPath}/ca.csr \
-signkey ${CertPath}/ca.key \
-out ${CertPath}/ca.crt

# 5、查看证书文件
openssl x509 -in ${CertPath}/ca.crt -text -noout
chmod 777 ${CertPath}/ca* && ls -l ${CertPath}/


#####################################################
# 
# 生成X509 1.0证书
# CA签署的服务器证书
#
#####################################################

ServerName=ldap
DomainName=huawei.com

# 1、创建服务证书的私钥"xxx.key"
openssl genrsa -out ${CertPath}/${ServerName}.key


# 2、创建服务器证书请求文件 "xxx.csr"
openssl req -new \
-subj "/C=CN/ST=GuangDong/L=DongGuan/O=HW/OU=IT/CN=${ServerName}.${DomainName}"  \
-key ${CertPath}/${ServerName}.key \
-out ${CertPath}/${ServerName}.csr

# 3、CA签署服务器证书，有效期3年,即: "xxx.crt"
openssl x509 -req \
-in  ${CertPath}/${ServerName}.csr \
-out  ${CertPath}/${ServerName}.crt \
-days 3650 \
-CAcreateserial -CA ${CertPath}/ca.crt \
-CAkey ${CertPath}/ca.key

# 4、查看证书文件
openssl x509 -in  ${CertPath}/${ServerName}.crt  -text -noout
chmod 777 ${CertPath}/${ServerName}.* && ls -l ${CertPath}/

}

function tls3.bak(){

#####################################################
#
# 创建CA X509 version 1.0根证书
#
#####################################################

#创建证书存放目录
CertPath=/k8s/tlsv2
CertPD=huawei@123
DomainName=ca.huawei.com

# 1、创建证书文件存放目录
mkdir -p ${CertPath} && cd ${CertPath}
     
# 2、创建CA证书的私钥"ca.key"
openssl genrsa -out  ${CertPath}/ca.key

# 3、 创建CA证书请求"ca.csr"
openssl req -new \
-subj "/C=CN/ST=GuangDong/L=DongGuan/O=HW/OU=IT/CN=${DomainName}"  \
-key  ${CertPath}/ca.key \
-out  ${CertPath}/ca.csr

# 4、 创建3年有效期的CA证书"ca.crt"
openssl x509 -req \
-days  3650 \
-in ${CertPath}/ca.csr \
-signkey ${CertPath}/ca.key \
-out ${CertPath}/ca.crt

# 5、查看证书文件
openssl x509 -in ${CertPath}/ca.crt -text -noout
chmod 777 ${CertPath}/ca* && ls -l ${CertPath}/


#####################################################
# 
# 生成X509 3.0证书
# CA签署的服务器证书
#
#####################################################

ServerName=server
DomainName=huawei.com

# 1、创建服务证书的私钥"xxx.key"
openssl genrsa -out ${CertPath}/${ServerName}.key


# 2、创建服务器证书请求文件 "xxx.csr"
openssl req -new \
-subj "/C=CN/ST=GuangDong/L=DongGuan/O=HW/OU=IT/CN=${ServerName}.${DomainName}"  \
-key ${CertPath}/${ServerName}.key \
-out ${CertPath}/${ServerName}.csr


# 3、创建证书扩展文件
cat > ${CertPath}/my-ssl.conf <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster
DNS.5 = kubernetes.default.svc.cluster.local
DNS.6 = www.huawei.com
DNS.7 = localhost
IP.1 = 168.7.10.201
IP.2 = 168.7.10.202
IP.3 = 168.7.10.203
IP.4 = 168.7.10.204
IP.4 = 127.0.0.1
EOF


# 4、签发X509 3.0服务器证书文件
openssl x509 -req \
-in  ${CertPath}/${ServerName}.csr \
-out  ${CertPath}/${ServerName}.crt \
-days 3650 \
-CAcreateserial -CA ${CertPath}/ca.crt \
-CAkey ${CertPath}/ca.key \
-CAserial serial \
-extfile ${CertPath}/my-ssl.conf




# 4、签发X509 3.0服务器证书文件,即: "xxx.crt"
# openssl x509 -req \
# -in  ${CertPath}/${ServerName}.csr \
# -out  ${CertPath}/${ServerName}.crt \
# -days 3650 \
# -CAcreateserial -CA ${CertPath}/ca.crt \
# -CAkey ${CertPath}/ca.key

# 5、查看证书文件
openssl x509 -in  ${CertPath}/${ServerName}.crt  -text -noout
chmod 777 ${CertPath}/${ServerName}.* && ls -l ${CertPath}/


}
标签：TLS,证书,X509,ca,CertPath,CertPD,key
From： https://www.cnblogs.com/vmsysjack/p/17624649.html
相关文章

赞助商

阅读排行
