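#!/bin/bash
#######################################
# Lab helpers that build a private CA and a CA-signed server certificate with
# openssl. Source this file and call one of the entry points:
#
#   tls1                    v1 CA + v1 server cert (no extensions)   -> /k8s/tlsv1
#   tls3.ext                v1 CA + v3 server cert with SANs         -> /k8s/tlsv2
#   tls3.encry.ext.enckey   v3 CA (encrypted key) + v3 server cert
#                           whose key is ALSO encrypted               -> /k8s/tlsv3
#   tls3.encry.ext          v3 CA (encrypted key) + v3 server cert
#                           with a plaintext server key               -> /k8s/tlsv4
#
# The original file defined "tls3.encry.ext" twice; in bash the second
# definition silently replaces the first, so the /k8s/tlsv3 variant was
# unreachable. It is now "tls3.encry.ext.enckey"; "tls3.encry.ext" keeps the
# behaviour callers actually got (the /k8s/tlsv4 variant).
#
# Nothing runs on load, so the file is safe to source; "set -e" is deliberately
# not used (it would leak into the sourcing shell) and every openssl step is
# checked explicitly instead. The dotted function names require bash (they
# are not POSIX identifiers).
#
# Security notes
#   * Private keys are created under umask 077 and left 0600. The original
#     ran "chmod 777" on the CA key and server key, which lets any local user
#     read the keys and mint certificates the cluster trusts.
#   * The passphrase for encrypted keys is read from $TLS_CERT_PASS and passed
#     to openssl as "env:", never as "pass:..." on argv, which is visible to
#     every local user through ps / /proc. The built-in default is a public
#     demo value; override it for anything that is not a throw-away lab.
#   * The CA key is stored next to the server key it signs. Acceptable for a
#     lab; a CA key you rely on belongs offline or in an HSM.
#   * Signing is pinned to -sha256 so an old openssl cannot fall back to SHA-1.
#######################################

#######################################
# Export the key passphrase so openssl can read it with "env:TLS_CERT_PASS".
# Globals:  TLS_CERT_PASS (exported; defaults to the demo value "huawei@123")
# Outputs:  a warning on stderr when the demo default is in use
#######################################
_tls_set_pass() {
  export TLS_CERT_PASS="${TLS_CERT_PASS:-huawei@123}"
  if [[ "$TLS_CERT_PASS" == 'huawei@123' ]]; then
    printf 'warning: TLS_CERT_PASS not set, using the public demo passphrase\n' >&2
  fi
}

#######################################
# Generate an RSA private key.
# Arguments: $1 output path
#            $2 key size in bits (default 2048; always passed explicitly
#               because older openssl releases default to a smaller size)
#            $3 "enc" to DES3-encrypt the key with $TLS_CERT_PASS
# The umask is set inside a subshell so only this key file is affected and the
# caller's umask is untouched; the file is owner-only from the moment it exists.
# Returns:   non-zero if openssl fails
#######################################
_tls_genkey() {
  local out=$1 bits=${2:-2048} enc=${3:-}
  local -a opts=(-out "$out")
  if [[ "$enc" == enc ]]; then
    opts+=(-des3 -passout env:TLS_CERT_PASS)
  fi
  ( umask 077 && openssl genrsa "${opts[@]}" "$bits" ) || return 1
  chmod 600 -- "$out"
}

#######################################
# Write the v3 extension file used to sign the server certificate.
# Arguments: $1 path to write
# The SAN list is the original hard-coded one, but every entry now has its own
# index: the original had two "IP.4" lines, and openssl keeps only the last
# value for a duplicated key, so 168.7.10.204 was silently dropped.
# basicConstraints=CA:FALSE keeps the leaf from being used as an issuer.
# "clientAuth" lets the same cert act as a TLS client identity; drop it if the
# key is only ever used on the server side.
#######################################
_tls_write_ext() {
  local out=$1
  cat > "$out" <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster
DNS.5 = kubernetes.default.svc.cluster.local
DNS.6 = www.huawei.com
DNS.7 = localhost
IP.1 = 168.7.10.201
IP.2 = 168.7.10.202
IP.3 = 168.7.10.203
IP.4 = 168.7.10.204
IP.5 = 127.0.0.1
EOF
}

#######################################
# Print a certificate in human-readable form (the original "view" step).
# Arguments: $1 certificate path
#######################################
_tls_show() {
  openssl x509 -in "$1" -text -noout
}

#######################################
# Create a self-signed X.509 v1 CA in $dir. A v1 certificate carries no
# extensions at all (no basicConstraints CA:TRUE, no key identifiers); some
# validators reject such a CA, so keep it for the v1 demos only.
# Arguments: $1 dir; $2 subject prefix ("/C=..."); $3 CA common name
# Outputs:   $dir/ca.key $dir/ca.csr $dir/ca.crt
# Returns:   non-zero if any openssl step fails
#######################################
_tls_make_v1_ca() {
  local dir=$1 subj=$2 cn=$3
  _tls_genkey "$dir/ca.key" 2048 || return 1
  openssl req -new -subj "${subj}/CN=${cn}" \
    -key "$dir/ca.key" -out "$dir/ca.csr" || return 1
  # 10-year self-signed cert; -signkey makes it self-issued.
  openssl x509 -req -sha256 -days 3650 \
    -in "$dir/ca.csr" -signkey "$dir/ca.key" -out "$dir/ca.crt" || return 1
  _tls_show "$dir/ca.crt"
}

#######################################
# Create a self-signed X.509 v3 CA in $dir whose private key is DES3-encrypted
# with $TLS_CERT_PASS. The 20-year lifetime is the original's.
# Arguments: $1 dir; $2 subject prefix ("/C=..."); $3 CA common name
# Outputs:   $dir/ca.key $dir/ca.crt
# Returns:   non-zero if any openssl step fails
#######################################
_tls_make_v3_ca() {
  local dir=$1 subj=$2 cn=$3
  _tls_set_pass
  _tls_genkey "$dir/ca.key" 2048 enc || return 1
  # The original passed -nodes here; it only affects a key generated by req,
  # and we supply the key, so it was a no-op and is dropped.
  openssl req -x509 -new -sha256 -days 7300 \
    -subj "${subj}/CN=${cn}" \
    -key "$dir/ca.key" -passin env:TLS_CERT_PASS \
    -out "$dir/ca.crt" || return 1
  _tls_show "$dir/ca.crt"
}

#######################################
# Generate a server private key and CSR.
# Arguments: $1 dir; $2 name; $3 subject prefix; $4 common name
#            $5 "enc" to encrypt the server key with $TLS_CERT_PASS as well
# Outputs:   $dir/$name.key $dir/$name.csr
# Returns:   non-zero if any openssl step fails
#######################################
_tls_make_csr() {
  local dir=$1 name=$2 subj=$3 cn=$4 enc=${5:-}
  local -a passin=()
  [[ "$enc" == enc ]] && passin=(-passin env:TLS_CERT_PASS)
  _tls_genkey "$dir/$name.key" 2048 "$enc" || return 1
  openssl req -new -subj "${subj}/CN=${cn}" \
    -key "$dir/$name.key" "${passin[@]}" -out "$dir/$name.csr"
}

#######################################
# Sign $dir/$name.csr with the CA in $dir, producing $dir/$name.crt (10 years).
# Arguments: $1 dir; $2 name
#            $3 "ext" to apply $dir/my-ssl.conf (v3 extensions and SANs);
#               without it the result is a v1 certificate
#            $4 "enc" when ca.key is encrypted ($TLS_CERT_PASS)
# The serial file is given as an absolute path; the original relied on a
# relative "serial" plus a cd into $dir that changed the caller's directory.
# Returns:   non-zero if openssl fails
#######################################
_tls_sign() {
  local dir=$1 name=$2 ext=${3:-} enc=${4:-}
  local -a opts=(
    -req -sha256 -days 3650
    -in "$dir/$name.csr" -out "$dir/$name.crt"
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key"
    -CAcreateserial -CAserial "$dir/serial"
  )
  [[ "$ext" == ext ]] && opts+=(-extfile "$dir/my-ssl.conf")
  [[ "$enc" == enc ]] && opts+=(-passin env:TLS_CERT_PASS)
  openssl x509 "${opts[@]}"
}

#######################################
# Final permission sweep: keys stay owner-only, public artefacts become 0644.
# Replaces the original "chmod 777" on everything in the directory.
# Arguments: $1 dir
# Outputs:   "ls -l" of the directory, as the original did
#######################################
_tls_fix_perms() {
  local dir=$1 f
  for f in "$dir"/*.key; do
    [[ -e "$f" ]] && chmod 600 -- "$f"
  done
  for f in "$dir"/*.crt "$dir"/*.csr "$dir"/*.conf "$dir"/serial; do
    [[ -e "$f" ]] && chmod 644 -- "$f"
  done
  ls -l -- "$dir"/
}

#######################################
# X.509 v1 CA and v1 server certificate (no extensions, hence no SANs; most
# current clients match hostnames only against SANs and will reject this
# server certificate for the hostname).
# Outputs: /k8s/tlsv1/{ca,server}.{key,csr,crt}, ca serial
# Returns: non-zero if any openssl step fails
#######################################
function tls1() {
  local dir=/k8s/tlsv1
  local subj='/C=CN/ST=GuangDong/L=DongGuan/O=HW/OU=IT'
  local ca_cn=ca.huawei.com server=server domain=huawei.com
  mkdir -p -- "$dir" || return 1
  _tls_make_v1_ca "$dir" "$subj" "$ca_cn" || return 1
  _tls_make_csr "$dir" "$server" "$subj" "${server}.${domain}" || return 1
  _tls_sign "$dir" "$server" || return 1
  _tls_show "$dir/$server.crt"
  _tls_fix_perms "$dir"
}

#######################################
# X.509 v1 CA and an X.509 v3 server certificate with SANs (plaintext keys).
# To sign without extensions instead, as the original's commented-out step
# did, call `_tls_sign "$dir" "$server"` without the "ext" flag.
# Outputs: /k8s/tlsv2/{ca,server}.{key,csr,crt}, my-ssl.conf, serial
# Returns: non-zero if any openssl step fails
#######################################
function tls3.ext() {
  local dir=/k8s/tlsv2
  local subj='/C=CN/ST=GuangDong/L=DongGuan/O=HW/OU=IT'
  local ca_cn=ca.huawei.com server=server domain=huawei.com
  mkdir -p -- "$dir" || return 1
  _tls_make_v1_ca "$dir" "$subj" "$ca_cn" || return 1
  _tls_make_csr "$dir" "$server" "$subj" "${server}.${domain}" || return 1
  _tls_write_ext "$dir/my-ssl.conf" || return 1
  _tls_sign "$dir" "$server" ext || return 1
  _tls_show "$dir/$server.crt"
  _tls_fix_perms "$dir"
}

#######################################
# X.509 v3 CA with an encrypted key and a v3 server certificate whose private
# key is ALSO DES3-encrypted with the same $TLS_CERT_PASS (the server must be
# able to supply that passphrase at start-up).
# Globals: TLS_CERT_PASS (read; exported with the demo default if unset)
# Outputs: /k8s/tlsv3/{ca,server}.{key,csr,crt}, my-ssl.conf, serial
# Returns: non-zero if any openssl step fails
#######################################
function tls3.encry.ext.enckey() {
  local dir=/k8s/tlsv3
  local subj='/C=CN/ST=GuangDong/L=ShenZhen/O=HW/OU=IT'
  local ca_cn=ca.huawei.com server_cn=www.huawei.com
  mkdir -p -- "$dir" || return 1
  _tls_make_v3_ca "$dir" "$subj" "$ca_cn" || return 1
  _tls_make_csr "$dir" server "$subj" "$server_cn" enc || return 1
  _tls_write_ext "$dir/my-ssl.conf" || return 1
  _tls_sign "$dir" server ext enc || return 1
  _tls_show "$dir/server.crt"
  _tls_fix_perms "$dir"
}

#######################################
# X.509 v3 CA with an encrypted key and a v3 server certificate with a
# plaintext server key (the usual shape for a Kubernetes component).
# Globals: TLS_CERT_PASS (read; exported with the demo default if unset)
# Outputs: /k8s/tlsv4/{ca,server}.{key,csr,crt}, my-ssl.conf, serial
# Returns: non-zero if any openssl step fails
#######################################
function tls3.encry.ext() {
  local dir=/k8s/tlsv4
  local subj='/C=CN/ST=GuangDong/L=ShenZhen/O=HW/OU=IT'
  local ca_cn=ca.huawei.com server_cn=www.huawei.com
  mkdir -p -- "$dir" || return 1
  _tls_make_v3_ca "$dir" "$subj" "$ca_cn" || return 1
  _tls_make_csr "$dir" server "$subj" "$server_cn" || return 1
  _tls_write_ext "$dir/my-ssl.conf" || return 1
  _tls_sign "$dir" server ext enc || return 1
  _tls_show "$dir/server.crt"
  _tls_fix_perms "$dir"
}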