基于openssl的CA证书服务器 你可以用它搭建自己的专属CA服务器，以方便为用户生成私钥、证书请求、颁发证书、吊销证书、证书

#!/bin/bash ############################################################################# # Create By: zhf_sy # License: GNU GPLv3 # Test On: CentOS 7 ############################################################################# # 生成openssl.cnf文件 # 使用前需要一些变量 F_ECHO_OPENSSL_CNF() { echo " # OpenSSL example configuration file. # This is mostly being used for generation of certificate requests. # # This definition stops the following lines choking if HOME isn't # defined. HOME = . RANDFILE = \$ENV::HOME/.rnd # 额外的对象标识符信息 # Extra OBJECT IDENTIFIER info: #oid_file = \$ENV::HOME/.oid oid_section = new_oids # 当【openssl x509】实用程序和【-extfile】选项一起用时，在此处命名要使用的 X.509v3 扩展section名称。（也可以直接在命令行带上参数选项【-extensions section名称】吧） # To use this configuration file with the "-extfile" option of the # "openssl x509" utility, name here the section containing the # X.509v3 extensions to use: #extensions = # 或者使用【在主要[= default]section中仅包含 X.509v3 扩展】的配置文件 # (Alternatively, use a configuration file that has only # X.509v3 extensions in its main [= default] section.) #################################################################### [ new_oids ] # 我们可以在这里添加新的OID供"ca"，"req"和"ts"使用 # We can add new OIDs in here for use by 'ca', 'req' and 'ts'. # Add a simple OID like this: #testoid1 = 1.2.3.4 # Or use config file substitution like this: #testoid2 = \${testoid1}.5.6 # TSA策略示例 # Policies used by the TSA examples. tsa_policy1 = 1.2.3.4.1 tsa_policy2 = 1.2.3.4.5.6 tsa_policy3 = 1.2.3.4.5.7 #################################################################### [ ca ] # 调用CA服务器信息段：CA_default default_ca = CA_default # The default ca section #################################################################### [ CA_default ] dir = $PWD # Where everything is kept # 颁发的证书路径 new_certs_dir = \$dir/newcerts # default place for new certs. certs = \$dir/certs # Where the issued certs are kept crl = \$dir/ca.crl.pem # The current CRL crl_dir = \$dir/crl # Where the issued crl are kept unique_subject = no # Set to 'no' to allow creation of # several ctificates with same subject. # ca数据库 database = \$dir/index.txt # database index file. serial = \$dir/serial # The current serial number，手动设置初始值01 crlnumber = \$dir/crlnumber # the current crl number，手动设置初始值01 # must be commented out to leave a V1 CRL(当保持crl为V1版本时，需要注释掉此项) # ca证书等 certificate = \$dir/ca.pem.crt # The CA certificate private_key = \$dir/private/ca.pem.key # The private key RANDFILE = \$dir/private/.rand # private random number file # 调用证书扩展段：usr_cert x509_extensions = usr_cert # The extentions to add to the cert # 传统格式需要注释掉以下两行 # Comment out the following two lines for the "traditional" # (and highly broken) format. name_opt = ca_default # Subject Name options cert_opt = ca_default # Certificate field options # 拷贝扩展信息（小心使用） # Extension copying option: use with caution. #copy_extensions = copy # 调用吊销列表扩展：crl_ext # 当保持crl为V1版本时，需要注释掉此项，同时crlnumber也要注释掉 (Netscape 浏览器不支持V2 crl) # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs # so this is commented out by default to leave a V1 CRL. # crlnumber must also be commented out to leave a V1 CRL. crl_extensions = crl_ext # default_days = ${CERT_DAYS} # how long to certify for default_crl_days = 30 # how long before next CRL default_md = sha256 # use SHA-256 by default preserve = no # keep passed DN ordering # 指定相似请求的不同方法 # 对于CA类型，列出的属性必须相同，可选字段和必须提供的字段 # A few difference way of specifying how similar the request should look # For type CA, the listed attributes must be the same, and the optional # and supplied fields are just that :-) policy = policy_match # 调用CA策略段：policy_match #################################################################### # CA策略 # For the CA policy [ policy_match ] # 如果值为"match"，则客户端证书请求时，相应信息必须和CA证书保持一致；反之如果为"optional"，则不用 #countryName = match countryName = optional stateOrProvinceName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional #################################################################### # 列出所有策略对象类型 # For the 'anything' policy # At this point in time, you must list all acceptable 'object' # types. [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional #################################################################### [ req ] default_bits = ${CERT_BITS} default_md = sha256 default_keyfile = privkey.pem distinguished_name = req_distinguished_name # 调用用户信息段[req_distinguished_name] attributes = req_attributes # 调用密码属性段[req_attributes] # 调用证书请求扩展段：v3_req req_extensions = v3_req # The extensions to add to a certificate request # 调用自签名证书扩展段：v3_ca x509_extensions = v3_ca # The extentions to add to the self signed cert # 私钥密码。如果没有设置私钥密码，则提示输入 # Passwords for private keys if not present they will be prompted for #input_password = secret #output_password = secret # 设置允许的字符串类型 # This sets a mask for permitted string types. There are several options. # default: PrintableString, T61String, BMPString. # pkix : PrintableString, BMPString (PKIX recommendation before 2004) # utf8only: only UTF8Strings (PKIX recommendation after 2004). # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). # MASK:XXXX a literal mask value. # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. string_mask = utf8only #################################################################### # 用户信息 [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = $countryName_default countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = $stateOrProvinceName_default localityName = Locality Name (eg, city) localityName_default = $localityName_default 0.organizationName = Organization Name (eg, company) 0.organizationName_default = $organizationName_default0 # we can do this but it is not needed normally :-) #1.organizationName = Second Organization Name (eg, company) #1.organizationName_default = World Wide Web Pty Ltd organizationalUnitName = Organizational Unit Name (eg, section) organizationalUnitName_default = $organizationalUnitName_default commonName = Common Name (eg, your name or your server\'s hostname) commonName_default = $commonName_default commonName_max = 64 emailAddress = Email Address emailAddress_max = 64 emailAddress_default = $emailAddress_default # SET-ex3 = SET extension number 3 ####################################################