Openssl - 快速產生重要檔案

easy to use

執行後真正會用到的檔案是 rootCA.pem（CA 憑證，另有一份同內容的 rootCA.crt）、server.pem（伺服器憑證＋未加密私鑰，請當成秘密妥善保護）與 dh1024.pem。其餘中間檔案（rootCA.key、server.csr、server.key 等）在腳本結束時會被刪除；因為 CA 私鑰也一併刪掉，這個 CA 只能簽一次，要再簽憑證就得整套重新產生。

Usage


# without SAN
./ec_create.sh

# with SAN

./ec_create.sh 10.0.0.1 10.0.0.2 ...
# 每個參數都會以 IP.n 寫進 subjectAltName（只接受 IP，主機名稱不會被正確處理）。
# 不帶參數時憑證沒有 SAN，現代瀏覽器與多數 TLS 用戶端通常會拒絕這種憑證。

# clear all — 注意：會刪除「目前目錄」下所有 *.csr *.key *.srl *.pem *.p12 *.crt，
# 不只這兩支腳本產生的檔案，請在專用目錄中執行。
./delete.sh

ec_create.sh

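#!/bin/bash
#
# ec_create.sh - generate a throw-away EC (P-256) root CA, a server
# certificate signed by it, and DH parameters, for lab / test TLS setups.
#
# Usage: ./ec_create.sh [SAN ...]
#   SAN   optional subjectAltName entries; an IPv4/IPv6 literal is written
#         as IP.n, anything else as DNS.n. Without any SAN the leaf cert
#         has no subjectAltName and most modern clients will reject it.
#
# Environment (all optional):
#   DAYS_VALID  validity of both certificates in days (default 1024)
#   DH_BITS     DH parameter size (default 1024 - see NOTE below)
#   P12_PASS    export password for the .p12; openssl prompts when unset
#
# Files left behind: rootCA.pem / rootCA.crt (CA certificate), server.pem
# (server certificate + UNENCRYPTED private key - keep it secret),
# dh<bits>.pem, server_cert_key.p12 and the generated openssl config files.
# The CA private key is deleted on exit, so the CA is single-use: rerunning
# the script creates a brand-new CA as well as a new server certificate.

set -euo pipefail

# Private keys are written below; make sure nothing we create is group or
# world readable (openssl and cat otherwise honour the default umask).
# Public artifacts are relaxed back to 0644 at the end.
umask 077

CA_KEY="rootCA.key"
CA_CERT="rootCA.pem"
CA_SERIAL="rootCA.srl"
# NOTE(security): 1024-bit DH is below the commonly accepted minimum (2048,
# cf. the Logjam attack). It stays the default only so the expected
# dh1024.pem filename is still produced; override with DH_BITS=2048.
DH_BITS="${DH_BITS:-1024}"
DH_PARAM="dh${DH_BITS}.pem"
SERVER_KEY="server.key"
SERVER_CSR="server.csr"
SERVER_CERT="server_cert.pem"
SERVER_PEM="server.pem"
P12_CERT="server_cert_key.p12"
ROOT_CA_CRT="rootCA.crt"
# NOTE: some clients (Apple platforms) reject TLS leaf certificates valid
# for more than 825 days; lower this if the cert must be trusted there.
DAYS_VALID="${DAYS_VALID:-1024}"
ROOT_CA_CONF="rootca.conf"
SERVER_CONF="server.conf"
SERVER_EXT="server.ext"

# Remove key material and intermediates that must not outlive the run,
# whether we finish or fail part-way (set -e alone would skip a trailing rm).
cleanup() {
  rm -f -- "$CA_KEY" "$CA_SERIAL" "$SERVER_CSR" "$SERVER_KEY" "$SERVER_CERT"
}
trap cleanup EXIT

# Build the subjectAltName entries from the positional arguments.
# IPv4 dotted quads and anything containing ':' (IPv6) become IP.n,
# everything else DNS.n. `x509 -req` takes extensions from -extfile, not
# from the CSR, so the same list is written to both config files.
san_lines=""
n_ip=0
n_dns=0
for san in "$@"; do
  if [[ "$san" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ || "$san" == *:* ]]; then
    n_ip=$((n_ip + 1))
    san_lines+="IP.${n_ip} = ${san}"$'\n'
  else
    n_dns=$((n_dns + 1))
    san_lines+="DNS.${n_dns} = ${san}"$'\n'
  fi
done

echo "create ${ROOT_CA_CONF}"
# No output_password / default_keyfile: the key is passed with -key and
# -nodes, so req never generates or encrypts a key from this config.
cat > "$ROOT_CA_CONF" <<EOF
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca
prompt             = no

[ req_distinguished_name ]
C            = TW
ST           = Test State or Province
L            = taipei
O            = adv
OU           = icg
CN           = rootca
emailAddress = test@email.address

# Mark the self-signed certificate as a CA explicitly: older openssl
# versions add no extensions here and strict verifiers reject a root
# without basicConstraints. The SKID lets the leaf's AKID reference it.
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

echo "create ${SERVER_CONF}............"
{
  cat <<EOF
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
prompt             = no
EOF
  # Only reference the SAN section when it has entries: openssl errors out
  # on an empty alt_names section.
  if [[ -n "$san_lines" ]]; then
    echo "req_extensions     = req_ext"
  fi
  cat <<EOF

[ req_distinguished_name ]
C  = TW
ST = Test State or Province
L  = taipei
O  = adv
OU = icg
CN = server

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
EOF
  printf '%s' "$san_lines"
} > "$SERVER_CONF"

echo "create ${SERVER_EXT}............"
# The extension file is always applied (previously it was skipped without
# SANs, leaving a leaf cert with no basicConstraints/keyUsage/EKU at all).
# keyUsage is limited to digitalSignature: keyEncipherment/dataEncipherment
# are RSA concepts and do not apply to an ECDSA signing key.
{
  cat <<EOF
authorityKeyIdentifier = keyid,issuer
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature
extendedKeyUsage       = serverAuth
EOF
  if [[ -n "$san_lines" ]]; then
    printf 'subjectAltName = @alt_names\n\n[ alt_names ]\n%s' "$san_lines"
  fi
} > "$SERVER_EXT"

echo "create ${CA_KEY}............"
openssl ecparam -genkey -name prime256v1 -noout -out "$CA_KEY"

echo "create ${CA_CERT}............"
openssl req -x509 -new -nodes -key "$CA_KEY" -sha256 -days "$DAYS_VALID" \
  -out "$CA_CERT" -config "$ROOT_CA_CONF"

echo "create ${DH_PARAM}............"
openssl dhparam -out "$DH_PARAM" "$DH_BITS"

echo "create ${SERVER_KEY}............"
openssl ecparam -name prime256v1 -genkey -noout -out "$SERVER_KEY"

echo "create ${SERVER_CSR}............"
# The CSR is signed with the same key that ends up in server.pem, so the
# certificate's public key matches the private key directly - no second
# throw-away key and no -force_pubkey needed.
openssl req -new -key "$SERVER_KEY" -out "$SERVER_CSR" -config "$SERVER_CONF"

echo "create ${SERVER_CERT}............"
openssl x509 -req -days "$DAYS_VALID" -sha256 -in "$SERVER_CSR" \
  -CAkey "$CA_KEY" -CA "$CA_CERT" -CAcreateserial \
  -extfile "$SERVER_EXT" -out "$SERVER_CERT"

echo "convert to ${SERVER_PEM}....."
# Certificate first, then the unencrypted private key; umask 077 above keeps
# the combined file private.
cat "$SERVER_CERT" "$SERVER_KEY" > "$SERVER_PEM"

echo "create p12 crt file, for windows"
# `pkcs12 -export` prompts on the terminal for an export password unless
# P12_PASS is provided; the env: source keeps it out of `ps` output.
# The CA certificate is bundled so importers can build the chain.
p12_pass=()
if [[ -n "${P12_PASS:-}" ]]; then
  export P12_PASS
  p12_pass=(-passout env:P12_PASS)
fi
openssl pkcs12 -export -inkey "$SERVER_KEY" -in "$SERVER_CERT" \
  -certfile "$CA_CERT" -out "$P12_CERT" ${p12_pass[@]+"${p12_pass[@]}"}

cp -- "$CA_CERT" "$ROOT_CA_CRT"

# Only the CA certificate and DH parameters are public; everything else
# stays owner-only.
chmod 644 -- "$CA_CERT" "$ROOT_CA_CRT" "$DH_PARAM"

echo "CA Certificate: ${CA_CERT} (copy: ${ROOT_CA_CRT})"
echo "DH Params: ${DH_PARAM}"
echo "Combined Server PEM (cert + private key): ${SERVER_PEM}"
echo "P12 Certificate (cert + key + CA): ${P12_CERT}"

echo "clear files"
# Intermediates and the CA private key are removed by the EXIT trap.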

delete.sh

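#!/bin/bash
#
# delete.sh - remove everything ec_create.sh writes into the current
# directory. Only the files that script is known to produce are deleted;
# unrelated *.pem / *.key / *.crt files in the directory are left alone
# (the previous wildcard version would have removed those too).
set -u
rm -f -- rootCA.key rootCA.pem rootCA.crt rootCA.srl \
  server.key server_pub.pem serverec.pem s_prime256v1.pem server.csr \
  server_cert.pem server.pem server_cert_key.p12 \
  rootca.conf server.conf server.ext
# DH parameters may have been generated with a non-default size.
rm -f -- dh[0-9]*.pem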

test command（檢查產生出來的檔案）

注意：下面的範例輸出是用較早版本的設定產生的（OU=rd、subject 帶 emailAddress、有效期只有 30 天），與目前腳本（OU=icg、DAYS_VALID=1024）不會逐字相同，只看欄位格式即可。`-fingerprint` 預設是 SHA-1，要拿來比對憑證請改用 `-sha256 -fingerprint`。

# 用sed 統一新舊 openssl tool 打印格式的小差別。
> openssl dhparam -in ./dh1024.pem -text -noout | sed 's/P:/prime:/' | sed 's/G:/generator:/'
    DH Parameters: (1024 bit)
        prime:
            00:b5:be:5e:4d:5d:27:29:79:82:ce:99:6b:19:e1:
            8c:49:4a:2b:39:05:e0:31:c9:57:80:6d:35:09:be:
            06:c3:56:05:4d:19:d4:bb:e6:e0:31:e4:ae:b6:53:
            b9:0b:a1:f4:5f:88:92:5b:03:d4:f9:77:17:2a:3d:
            e3:dc:81:b2:c2:e8:19:1c:38:9b:09:a8:2a:db:23:
            48:2c:66:62:9c:07:ba:8d:35:e7:18:40:63:cb:61:
            e9:79:bb:63:b7:37:c0:92:33:cf:76:8c:c8:06:d9:
            2f:c6:3a:00:14:56:20:72:0b:ce:bc:5e:11:bb:a6:
            5b:5a:08:76:78:82:45:7a:a3
        generator: 2 (0x2)

> openssl x509 -in ./server.pem -fingerprint -dates -subject -issuer -noout
SHA1 Fingerprint=BE:AF:4F:65:71:06:9C:92:22:D1:EE:8C:F8:F5:30:6B:0D:1B:8A:6B
notBefore=May 31 02:02:05 2023 GMT
notAfter=Jun 30 02:02:05 2023 GMT
subject=C = TW, ST = Test State or Province, L = taipei, O = adv, OU = rd, CN = server, emailAddress = test@email.address
issuer=C = TW, ST = Test State or Province, L = taipei, O = adv, OU = rd, CN = rootca, emailAddress = test@email.address
