blog/article
2
1
Fork 0
Code Pull Requests Activity

update ca

Browse Source
This commit is contained in:
xking
2025-07-30 21:09:30 +08:00
parent f01421d2f6
commit 53d2f55c21
1 changed files with 203 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

204
私有CA.md
View File

@ -209,4 +209,206 @@ curl --cacert ca.pem https://server.example.com
- 如需撤销证书可使用CFSSL生成证书撤销列表(CRL)
- 更新 `ca-config.json` 添加CRL配置
通过以上步骤你已成功创建了一个有效期10年的私有CA并使用它签署了服务器和客户端证书。
通过以上步骤你已成功创建了一个有效期10年的私有CA并使用它签署了服务器和客户端证书。
### 八、附快速签发脚本
```bash
#!/bin/bash
# 证书快速签发脚本
# 依赖: cfssl, cfssljson 已安装并初始化好CA证书
# 颜色定义
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[0;33m'
NC='\033[0m' # No Color
# 默认配置
CA_KEY="/root/ckw/cfssl/ca/ca-ecdsa-key.pem"
CA_CERT="/root/ckw/cfssl/ca/ca-ecdsa.pem"
CA_CONFIG="/root/ckw/cfssl/ca/ca-config.json"
OUTPUT_DIR="certs"
MERGE_CA="true" # 默认合并根证书
# 使用帮助
function show_help {
echo -e "${GREEN}证书快速签发脚本${NC}"
echo "用法: $0 [选项]"
echo "选项:"
echo " -h, --help 显示此帮助信息"
echo " -n, --name NAME 证书名称 (必填)"
echo " -t, --type TYPE 证书类型: server, client, peer (默认: server)"
echo " -c, --ca CA_CERT CA证书路径 (默认: $CA_CERT)"
echo " -k, --ca-key CA_KEY CA私钥路径 (默认: $CA_KEY)"
echo " -C, --ca-config CONF CA配置文件路径 (默认: $CA_CONFIG)"
echo " -o, --output DIR 输出目录 (默认: $OUTPUT_DIR)"
echo " -d, --domains LIST 域名列表 (逗号分隔)"
echo ""
echo "示例:"
echo " $0 -n server1 -d example.com,www.example.com "
}
# 参数解析
NAME=""
TYPE="server"
DOMAINS=""
while [[ $# -gt 0 ]]; do
case $1 in
-h|--help)
show_help
exit 0
;;
-n|--name)
NAME="$2"
shift 2
;;
-t|--type)
TYPE="$2"
shift 2
;;
-c|--ca)
CA_CERT="$2"
shift 2
;;
-k|--ca-key)
CA_KEY="$2"
shift 2
;;
-C|--ca-config)
CA_CONFIG="$2"
shift 2
;;
-o|--output)
OUTPUT_DIR="$2"
shift 2
;;
-d|--domains)
DOMAINS="$2"
shift 2
;;
--no-merge-ca)
MERGE_CA="false"
shift
;;
*)
echo -e "${RED}未知参数: $1${NC}" >&2
show_help
exit 1
;;
esac
done
# 验证必填参数
if [[ -z "$NAME" ]]; then
echo -e "${RED}错误: 必须指定证书名称 (-n/--name)${NC}" >&2
show_help
exit 1
fi
# 验证证书类型
if [[ "$TYPE" != "server" && "$TYPE" != "client" && "$TYPE" != "peer" ]]; then
echo -e "${RED}错误: 证书类型必须是 server, client 或 peer${NC}" >&2
exit 1
fi
# 验证文件是否存在
for file in "$CA_CERT" "$CA_KEY" "$CA_CONFIG"; do
if [[ ! -f "$file" ]]; then
echo -e "${RED}错误: 文件 $file 不存在${NC}" >&2
exit 1
fi
done
# 当类型为server且未指定域名时默认将name作为域名
if [[ "$TYPE" == "server" && -z "$DOMAINS" ]]; then
DOMAINS="$NAME"
echo -e "${YELLOW}注意: 证书类型为server且未指定域名默认添加 ${NAME} 作为域名${NC}"
fi
# 创建证书单独目录
CERT_DIR="$OUTPUT_DIR/$NAME"
mkdir -p "$CERT_DIR" || { echo -e "${RED}无法创建证书目录: $CERT_DIR${NC}"; exit 1; }
# 生成证书签名请求配置
CSR_CONFIG="$CERT_DIR/${NAME}-csr.json"
cat > "$CSR_CONFIG" <<EOF
{
"CN": "$NAME",
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "CN",
"ST": "Beijing",
"L": "Beijing",
"O": "CUA",
"OU": "IT"
}
]
}
EOF
# 生成SAN列表
SAN_LIST=""
if [[ -n "$DOMAINS" ]]; then
SAN_LIST+="$DOMAINS,"
fi
# 移除末尾逗号
SAN_LIST="${SAN_LIST%,}"
# 根据证书类型选择profile
case "$TYPE" in
server)
PROFILE="server"
;;
client)
PROFILE="client"
;;
peer)
PROFILE="peer"
;;
esac
# 生成证书
echo -e "${YELLOW}正在生成 $TYPE 证书: $NAME${NC}"
echo -e "${YELLOW}SAN列表: $SAN_LIST${NC}"
cfssl gencert \
-ca="$CA_CERT" \
-ca-key="$CA_KEY" \
-config="$CA_CONFIG" \
-profile="$PROFILE" \
${SAN_LIST:+-hostname="$SAN_LIST"} \
"$CSR_CONFIG" | cfssljson -bare "$CERT_DIR/$NAME"
# 验证生成结果
if [[ -f "$CERT_DIR/${NAME}.pem" && -f "$CERT_DIR/${NAME}-key.pem" ]]; then
echo -e "${GREEN}证书生成成功!${NC}"
echo -e "${GREEN}证书路径: ${CERT_DIR}/${NAME}.pem${NC}"
echo -e "${GREEN}私钥路径: ${CERT_DIR}/${NAME}-key.pem${NC}"
echo -e "${GREEN}证书签名请求: ${CSR_CONFIG}${NC}"
# 合并根证书
if [[ "$MERGE_CA" == "true" ]]; then
FULL_CHAIN="${CERT_DIR}/${NAME}-fullchain.pem"
cat "$CERT_DIR/${NAME}.pem" "$CA_CERT" > "$FULL_CHAIN"
echo -e "${GREEN}合并后的完整证书链: ${FULL_CHAIN}${NC}"
fi
# 显示证书信息
echo -e "\n${YELLOW}证书信息:${NC}"
openssl x509 -noout -text -in "$CERT_DIR/${NAME}.pem" | grep -A 5 "Subject Alternative Name"
else
echo -e "${RED}证书生成失败!${NC}"
exit 1
fi
```