Self-signed certificates: a shell script to generate them
Tags: tls, script, security, certificate
I wrote a Bash script to generate self-signed certificates. It was probably when I was trying out some tests against MariaDB or PostgreSQL connections.
After setting the "global parameters", running the script below generates the CA (certificate authority), server and client certificates and keys.
```sh
#!/bin/sh
set -eu

# [ global parameters ]
# certificate configuration
readonly CERT_DAYS=36500
readonly RSA_STR_LEN=4096
readonly PREFIX=xxx-
readonly CERT_DIR=./ssl
readonly KEY_DIR=./ssl/private
# certificate content definition
readonly ADDRESS_COUNTRY_CODE=XX
readonly ADDRESS_PREFECTURE=XXXX
readonly ADDRESS_CITY=XXXX
readonly COMPANY_NAME=XXXXXXXX
readonly COMPANY_SECTION=XXXXXXXX
readonly CERT_PASSWORD= # no password
# - ca
readonly CA_DOMAIN=x.domain
readonly CA_EMAIL=[email protected]
# - server
readonly SERVER_DOMAIN=y.domain
readonly SERVER_EMAIL=[email protected]
# - client
readonly CLIENT_DOMAIN=z.domain
readonly CLIENT_EMAIL=[email protected]

# [ functions ]
# print the DN fields in the order "openssl req" prompts for them on stdin,
# followed by the two 'extra' attribute answers (both left blank here)
echo_cert_params() {
    local company_domain="$1"
    local company_email="$2"
    echo "$ADDRESS_COUNTRY_CODE"
    echo "$ADDRESS_PREFECTURE"
    echo "$ADDRESS_CITY"
    echo "$COMPANY_NAME"
    echo "$COMPANY_SECTION"
    echo "$company_domain"
    echo "$company_email"
    echo "$CERT_PASSWORD" # challenge password
    echo "$CERT_PASSWORD" # second 'extra' attribute prompt, also left blank
}
echo_ca_cert_params() {
    echo_cert_params "$CA_DOMAIN" "$CA_EMAIL"
}
echo_server_cert_params() {
    echo_cert_params "$SERVER_DOMAIN" "$SERVER_EMAIL"
}
echo_client_cert_params() {
    echo_cert_params "$CLIENT_DOMAIN" "$CLIENT_EMAIL"
}

# [ main ]
mkdir -p "$CERT_DIR" "$KEY_DIR"
# generate certificates
# - ca
openssl genrsa "$RSA_STR_LEN" > "$KEY_DIR/${PREFIX}ca-key.pem"
echo_ca_cert_params | \
openssl req -new -x509 -nodes -days "$CERT_DAYS" -key "$KEY_DIR/${PREFIX}ca-key.pem" -out "$CERT_DIR/${PREFIX}ca-cert.pem"
# - server
echo_server_cert_params | \
openssl req -newkey "rsa:$RSA_STR_LEN" -days "$CERT_DAYS" -nodes -keyout "$KEY_DIR/${PREFIX}server-key.pem" -out "$CERT_DIR/${PREFIX}server-req.pem"
# rewrite the key as a plain RSA key (PEM "RSA PRIVATE KEY" on OpenSSL 1.x)
openssl rsa -in "$KEY_DIR/${PREFIX}server-key.pem" -out "$KEY_DIR/${PREFIX}server-key.pem"
openssl x509 -req -in "$CERT_DIR/${PREFIX}server-req.pem" -days "$CERT_DAYS" -CA "$CERT_DIR/${PREFIX}ca-cert.pem" -CAkey "$KEY_DIR/${PREFIX}ca-key.pem" -set_serial 01 -out "$CERT_DIR/${PREFIX}server-cert.pem"
# - client
echo_client_cert_params | \
openssl req -newkey "rsa:$RSA_STR_LEN" -days "$CERT_DAYS" -nodes -keyout "$KEY_DIR/${PREFIX}client-key.pem" -out "$CERT_DIR/${PREFIX}client-req.pem"
openssl rsa -in "$KEY_DIR/${PREFIX}client-key.pem" -out "$KEY_DIR/${PREFIX}client-key.pem"
# every certificate issued by one CA needs its own serial number, so the client gets 02
openssl x509 -req -in "$CERT_DIR/${PREFIX}client-req.pem" -days "$CERT_DAYS" -CA "$CERT_DIR/${PREFIX}ca-cert.pem" -CAkey "$KEY_DIR/${PREFIX}ca-key.pem" -set_serial 02 -out "$CERT_DIR/${PREFIX}client-cert.pem"

# clean up (before permissions are changed)
rm "$KEY_DIR/${PREFIX}ca-key.pem"
rm "$CERT_DIR/${PREFIX}server-req.pem"
rm "$CERT_DIR/${PREFIX}client-req.pem"
# restrict permissions on the private keys
chmod 400 "$KEY_DIR/${PREFIX}server-key.pem"
chmod 400 "$KEY_DIR/${PREFIX}client-key.pem"
# verify the relationship among the certificates
openssl verify -CAfile "$CERT_DIR/${PREFIX}ca-cert.pem" "$CERT_DIR/${PREFIX}server-cert.pem" "$CERT_DIR/${PREFIX}client-cert.pem"
```
The output looks like this:
```
$ bash <the-script-above>.bash
Generating RSA private key, 4096 bit long modulus
................++++
........................................................++++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:State or Province Name (full name) []:Locality Name (eg, city) []:Organization Name (eg, company) []:Organizational Unit Name (eg, section) []:Common Name (eg, fully qualified host name) []:Email Address []:Generating a 4096 bit RSA private key
...................................................................................................++++
.......................................................................................++++
writing new private key to './ssl/private/xxx-server-key.pem'
----------
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----------
Country Name (2 letter code) []:State or Province Name (full name) []:Locality Name (eg, city) []:Organization Name (eg, company) []:Organizational Unit Name (eg, section) []:Common Name (eg, fully qualified host name) []:Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:writing RSA key
Signature ok
subject=/C=XX/ST=XXXX/L=XXXX/O=XXXXXXXX/OU=XXXXXXXX/CN=y.domain/[email protected]
Getting CA Private Key
Generating a 4096 bit RSA private key
...........................................................................++++
...........................................................++++
writing new private key to './ssl/private/xxx-client-key.pem'
----------
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----------
Country Name (2 letter code) []:State or Province Name (full name) []:Locality Name (eg, city) []:Organization Name (eg, company) []:Organizational Unit Name (eg, section) []:Common Name (eg, fully qualified host name) []:Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:writing RSA key
Signature ok
subject=/C=XX/ST=XXXX/L=XXXX/O=XXXXXXXX/OU=XXXXXXXX/CN=z.domain/[email protected]
Getting CA Private Key
./ssl/xxx-server-cert.pem: OK
./ssl/xxx-client-cert.pem: OK
```
The resulting files:
```
$ ls -l ssl/*
-rw-r--r-- 1 <running-user> <running-user> 1980 May 22 15:17 ssl/xxx-ca-cert.pem
-rw-r--r-- 1 <running-user> <running-user> 1976 May 22 15:17 ssl/xxx-client-cert.pem
-rw-r--r-- 1 <running-user> <running-user> 1976 May 22 15:17 ssl/xxx-server-cert.pem

ssl/private:
total 16
-r-------- 1 <running-user> <running-user> 3243 May 22 15:17 xxx-client-key.pem
-r-------- 1 <running-user> <running-user> 3243 May 22 15:17 xxx-server-key.pem
```
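The same CA/server/client layout as an added example, not the post's script: it writes its own OpenSSL config so neither the system openssl.cnf nor the interactive prompts are needed, gives each leaf certificate a subjectAltName and a distinct serial, and then checks what a reviewer would check (chain, key/certificate match, key permissions, serials, SAN). The domains x.domain/y.domain/z.domain, the file names and the 2048-bit key size are constructed for the example.

```shell
#!/bin/sh
# Added example, not the post's script: a CA plus server and client certificates
# with subjectAltName and distinct serials, then the checks a reviewer would run.
# x.domain / y.domain / z.domain, the file names and 2048-bit keys are constructed.
set -eu

gen_certs() {                                   # $1 = output directory
  dir=$1; mkdir -p "$dir"
  subj='/C=XX/ST=XXXX/L=XXXX/O=XXXXXXXX/OU=XXXXXXXX'
  # private config instead of the system openssl.cnf: no prompts, explicit CA extensions
  printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = ca_ext\n[dn]\nC = XX\n' > "$dir/req.cnf"
  printf '[ca_ext]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' >> "$dir/req.cnf"
  openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "$subj/CN=x.domain" -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem"
  for role in server client; do
    case $role in server) cn=y.domain eku=serverAuth ;; *) cn=z.domain eku=clientAuth ;; esac
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 \
      -subj "$subj/CN=$cn" -keyout "$dir/$role-key.pem" -out "$dir/$role-req.pem"
    # leaf extensions go in via -extfile: "openssl x509 -req" does not copy them from the CSR
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\nextendedKeyUsage = %s\n' \
      "$cn" "$eku" > "$dir/$role.ext"
    # -CAcreateserial hands out a distinct serial per certificate (the post reuses 01)
    openssl x509 -req -in "$dir/$role-req.pem" -sha256 -days 3650 -CA "$dir/ca-cert.pem" \
      -CAkey "$dir/ca-key.pem" -CAcreateserial -extfile "$dir/$role.ext" -out "$dir/$role-cert.pem"
    rm "$dir/$role-req.pem" "$dir/$role.ext"
  done
  rm "$dir/req.cnf"; chmod 400 "$dir"/*-key.pem
}

check_certs() {                                 # $1 = directory written by gen_certs
  dir=$1
  # 1. both leaves chain to the CA (the only check the post runs)
  openssl verify -CAfile "$dir/ca-cert.pem" "$dir/server-cert.pem" "$dir/client-cert.pem" >/dev/null || return 1
  for role in server client; do
    # 2. the key file really belongs to the certificate next to it
    [ "$(openssl x509 -in "$dir/$role-cert.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$dir/$role-key.pem" -pubout)" ] || return 1
    # 3. the key is owner-read-only, as the post's chmod 400 intends
    [ "$(ls -l "$dir/$role-key.pem" | cut -c1-10)" = '-r--------' ] || return 1
  done
  # 4. serials differ: two certs sharing one serial under one issuer are rejected by some clients
  [ "$(openssl x509 -in "$dir/server-cert.pem" -noout -serial)" != \
    "$(openssl x509 -in "$dir/client-cert.pem" -noout -serial)" ] || return 1
  # 5. the server name is carried as a SAN, which modern TLS clients match instead of the CN
  openssl x509 -in "$dir/server-cert.pem" -noout -text | grep -q 'DNS:y.domain' || return 1
}

# usage: sh gen-and-check.sh ./ssl
if [ $# -gt 0 ]; then gen_certs "$1" && check_certs "$1" && echo 'certificates OK'; fi
```

Run it with a target directory; a non-zero exit from `check_certs` means one of the five checks failed.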
Reference
Original post: https://dev.to/nabbisen/bash-script-to-generate-self-signed-certificates-5hfj