[root@node2 ~]# cat https.sh # 生成https证书
#!/bin/bashhostname=192.168.192.157rm -rf /etc/pki/CA &>/dev/nullmkdir -p /etc/pki/CA/private && cd /etc/pki/CAyum -y install expect &>/dev/null#CA生成一对密钥
(umask 077;openssl genrsa -out private/cakey.pem 2048)
#提取公钥
openssl rsa -in private/cakey.pem -pubout
#生成自签署证书
expect << EOF
set timeout 60 spawn openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365 expect "letter code" {send "cn\r"}
expect "full name" {send "HB\r"}
expect "city" {send "WH\r"}
expect "company" {send "runtime\r"}
expect "section" {send "teach\r"}
expect "hostname" {send "${hostname}\r"}
expect "Email" {send "1@2.com\r"}
expect "#"EOF
#读出cacert.pem证书的内容
openssl x509 -text -in cacert.pemmkdir certs newcerts crltouch index.txt && echo 01 > serial
#安装httpdyum -y remove httpd &>/dev/nullyum -y install httpd &>/dev/nullsystemctl enable --now httpd &>/dev/null#httpd服务器生成密钥
cd /etc/httpd && mkdir ssl && cd ssl
(umask 077;openssl genrsa -out httpd.key 2048)
#生成证书签署请求
expect << EOF
set timeout 60 spawn openssl req -new -key httpd.key -days 365 -out httpd.csr
expect "letter code" {send "cn\r"}
expect "full name" {send "HB\r"}
expect "city" {send "WH\r"}
expect "company" {send "runtime\r"}
expect "section" {send "teach\r"}
expect "hostname" {send "${hostname}\r"}
expect "Email" {send "1@2.com\r"}
expect "password" {send "\r"}
expect "company name" {send "\r"}
expect "#"EOF
#CA签署客户端提交上来的证书
expect << EOF
set timeout 60 spawn openssl ca -in ./httpd.csr -out httpd.crt -days 365 expect "certificate" {send "y\r"}
expect "commit" {send "y\r"}
expect "#"EOF
#修改配置文件yum -y remove mod_ssl &>/dev/nullyum -y install mod_ssl &>/dev/nullsed -i "s/#DocumentRoot/DocumentRoot/g" /etc/httpd/conf.d/ssl.confsed -i "s/#ServerName www.example.com:443/ServerName ${hostname}:443/g"sed -i "s#/etc/pki/tls/certs/localhost.crt#/etc/httpd/ssl/httpd.crt#g" /etc/httpd/conf.d/ssl.confsed -i "s#/etc/pki/tls/private/localhost.key#/etc/httpd/ssl/httpd.key#g" /etc/httpd/conf.d/ssl.conf
#重启httpd
systemctl restart httpd &>/dev/nullss -antl
执行脚本
[root@node2 ~]# bash https.sh Generating RSA private key, 2048 bit long modulus (2 primes) .............+++++...............+++++e is 65537 (0x010001) writing RSA key-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvVrkYQBu5rjlwUMpFVWx 033ZU9XM1YY0XSFmaceoXS7H8KnFiys3qtxho0yrtNzMOUSP7zLRkg7h+mcKVKe6 Ecl9JdpQ3vzUv+DsZMGy9QGiUQYb/mgdi6UR8rP2xRXIjRnYBMmVRG5GcW0fBWAi CG8GU+Di3N9pXlHN41hZx+PPve17lKBOvlS342gNfyptGwUHeRvHf8cpn3yN3P4P vr1b/qh3hajZqxXUdybrFQ7HkrOHl/LrPvVbToh1US3+jIK2aDs//SbxoJ735iSx7gLDGpKRJxAFaxl2dznkUvvyQ9abKr4++rxL16/8YcGyt0O74NKIc7jkY0f05bun KwIDAQAB-----END PUBLIC KEY-----spawn openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank.-----Country Name (2 letter code) [XX]:cn State or Province Name (full name) []:HB Locality Name (eg, city) [Default City]:WH Organization Name (eg, company) [Default Company Ltd]:runtime Organizational Unit Name (eg, section) []:teach Common Name (eg, your name or your server's hostname) []:192.168.192.157Email Address []:1@2.com Certificate: Data: Version: 3 (0x2) Serial Number: 1b:d8:0a:58:bc:df:9d:62:5e:2f:39:02:5b:25:a2:ac:32:b8:d8:14Signature Algorithm: sha256WithRSAEncryption Issuer: C = cn, ST = HB, L = WH, O = runtime, OU = teach, CN = 192.168.192.157, emailAddress = 1@2.com Validity Not Before: Apr 2 00:17:42 2021 GMT Not After : Apr 2 00:17:42 2022 GMT Subject: C = cn, ST = HB, L = WH, O = runtime, OU = teach, CN = 192.168.192.157, emailAddress = 1@2.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus:00:bd:5a:e4:61:00:6e:e6:b8:e5:c1:43:29:15:55: b1:d3:7d:d9:53:d5:cc:d5:86:34:5d:21:66:69:c7: a8:5d:2e:c7:f0:a9:c5:8b:2b:37:aa:dc:61:a3:4c: ab:b4:dc:cc:39:44:8f:ef:32:d1:92:0e:e1:fa:67: 0a:54:a7:ba:11:c9:7d:25:da:50:de:fc:d4:bf:e0: ec:64:c1:b2:f5:01:a2:51:06:1b:fe:68:1d:8b:a5:11:f2:b3:f6:c5:15:c8:8d:19:d8:04:c9:95:44:6e:46:71:6d:1f:05:60:22:08:6f:06:53:e0:e2:dc:df:69:5e:51:cd:e3:58:59:c7:e3:cf:bd:ed:7b:94:a0: 4e:be:54:b7:e3:68:0d:7f:2a:6d:1b:05:07:79:1b: c7:7f:c7:29:9f:7c:8d:dc:fe:0f:be:bd:5b:fe:a8:77:85:a8:d9:ab:15:d4:77:26:eb:15:0e:c7:92:b3:87:97:f2:eb:3e:f5:5b:4e:88:75:51:2d:fe:8c:82: b6:68:3b:3f:fd:26:f1:a0:9e:f7:e6:24:b1:ee:02: c3:1a:92:91:27:10:05:6b:19:76:77:39:e4:52:fb: f2:43:d6:9b:2a:be:3e:fa:bc:4b:d7:af:fc:61:c1: b2:b7:43:bb:e0:d2:88:73:b8:e4:63:47:f4:e5:bb: a7:2b Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: DE:E8:7C:91:81:C7:8C:F7:EF:2D:0E:01:E8:AA:B5:20:48:8A:0A:70X509v3 Authority Key Identifier: keyid:DE:E8:7C:91:81:C7:8C:F7:EF:2D:0E:01:E8:AA:B5:20:48:8A:0A:70X509v3 Basic Constraints: critical CA:TRUE Signature Algorithm: sha256WithRSAEncryption 8f:a5:3c:9c:e5:f0:8d:fe:e1:54:4b:67:0d:8b:b5:10:b7:9f: cf:dd:cb:48:11:d6:ac:d2:76:2d:94:cc:e3:fe:fc:45:cd:28: f9:00:15:13:4e:57:2f:7a:cd:91:86:45:51:26:48:89:2a:9f: 37:b4:15:af:d7:80:96:c9:bd:8f:90:7f:ed:3a:9d:7a:0f:60: 79:93:76:99:a8:df:c8:7a:83:cc:69:44:54:16:8f:8e:44:d2: 19:aa:58:cd:c9:b8:94:ea:78:f4:3a:b4:eb:e9:10:22:cd:74: c8:d4:84:83:ba:8f:a5:7d:33:e9:57:81:04:bf:43:17:7f:54: 67:81:f0:1e:2f:b4:89:e6:70:25:50:86:6c:a9:9d:71:16:27: a1:ba:cf:77:b9:76:46:ab:ad:6b:bb:34:2c:f7:7a:6c:a7:d4: 50:2b:59:a4:b1:bc:a7:da:ce:a3:44:0c:cf:8e:d9:1b:d7:cc: 55:7b:14:8b:50:76:28:f1:21:2b:f0:5a:56:cc:6c:3a:5c:fd: 6b:4a:f6:45:22:ab:30:e3:92:35:60:66:e3:42:94:cc:8d:38: 30:71:71:fe:91:24:88:cf:1c:74:14:f8:13:0e:cf:23:79:4b: d9:4c:44:e0:1d:66:cc:41:43:ab:49:2d:55:6f:1e:39:8b:c7: 85:da:2e:27-----BEGIN CERTIFICATE-----MIID1zCCAr+gAwIBAgIUG9gKWLzfnWJeLzkCWyWirDK42BQwDQYJKoZIhvcNAQEL BQAwezELMAkGA1UEBhMCY24xCzAJBgNVBAgMAkhCMQswCQYDVQQHDAJXSDEQMA4G A1UECgwHcnVudGltZTEOMAwGA1UECwwFdGVhY2gxGDAWBgNVBAMMDzE5Mi4xNjgu MTkyLjE1NzEWMBQGCSqGSIb3DQEJARYHMUAyLmNvbTAeFw0yMTA0MDIwMDE3NDJa Fw0yMjA0MDIwMDE3NDJaMHsxCzAJBgNVBAYTAmNuMQswCQYDVQQIDAJIQjELMAkG A1UEBwwCV0gxEDAOBgNVBAoMB3J1bnRpbWUxDjAMBgNVBAsMBXRlYWNoMRgwFgYD VQQDDA8xOTIuMTY4LjE5Mi4xNTcxFjAUBgkqhkiG9w0BCQEWBzFAMi5jb20wggEi MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9WuRhAG7muOXBQykVVbHTfdlT 1czVhjRdIWZpx6hdLsfwqcWLKzeq3GGjTKu03Mw5RI/vMtGSDuH6ZwpUp7oRyX0l 2lDe/NS/4OxkwbL1AaJRBhv+aB2LpRHys/bFFciNGdgEyZVEbkZxbR8FYCIIbwZT 4OLc32leUc3jWFnH48+97XuUoE6+VLfjaA1/Km0bBQd5G8d/xymffI3c/g++vVv+qHeFqNmrFdR3JusVDseSs4eX8us+9VtOiHVRLf6MgrZoOz/9JvGgnvfmJLHuAsMa kpEnEAVrGXZ3OeRS+/JD1psqvj76vEvXr/xhwbK3Q7vg0ohzuORjR/Tlu6crAgMB AAGjUzBRMB0GA1UdDgQWBBTe6HyRgceM9+8tDgHoqrUgSIoKcDAfBgNVHSMEGDAW gBTe6HyRgceM9+8tDgHoqrUgSIoKcDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3 DQEBCwUAA4IBAQCPpTyc5fCN/uFUS2cNi7UQt5/P3ctIEdas0nYtlMzj/vxFzSj5 ABUTTlcves2RhkVRJkiJKp83tBWv14CWyb2PkH/tOp16D2B5k3aZqN/IeoPMaURU Fo+ORNIZqljNybiU6nj0OrTr6RAizXTI1ISDuo+lfTPpV4EEv0MXf1RngfAeL7SJ 5nAlUIZsqZ1xFiehus93uXZGq61ruzQs93psp9RQK1mksbyn2s6jRAzPjtkb18xV exSLUHYo8SEr8FpWzGw6XP1rSvZFIqsw45I1YGbjQpTMjTgwcXH+kSSIzxx0FPgT Ds8jeUvZTETgHWbMQUOrSS1Vbx45i8eF2i4n-----END CERTIFICATE-----mkdir: cannot create directory ‘ssl’: File exists Generating RSA private key, 2048 bit long modulus (2 primes) .....................+++++..............................................................................+++++e is 65537 (0x010001) spawn openssl req -new -key httpd.key -days 365 -out httpd.csr Ignoring -days; not generating a certificate You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank.-----Country Name (2 letter code) [XX]:cn State or Province Name (full name) []:HB Locality Name (eg, city) [Default City]:WH Organization Name (eg, company) [Default Company Ltd]:runtime Organizational Unit Name (eg, section) []:teach Common Name (eg, your name or your server's hostname) []:192.168.192.157Email Address []:1@2.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: spawn openssl ca -in ./httpd.csr -out httpd.crt -days 365Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Apr 2 00:17:49 2021 GMT Not After : Apr 2 00:17:49 2022 GMT Subject: countryName = cn stateOrProvinceName = HB organizationName = runtime organizationalUnitName = teach commonName = 192.168.192.157emailAddress = 1@2.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: DC:C3:78:6F:33:F1:7D:AD:10:23:B8:CC:D2:95:E2:AD:06:4D:9F:86X509v3 Authority Key Identifier: keyid:DE:E8:7C:91:81:C7:8C:F7:EF:2D:0E:01:E8:AA:B5:20:48:8A:0A:70Certificate is to be certified until Apr 2 00:17:49 2022 GMT (365 days) Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updatedsed: no input files State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 0.0.0.0:22 0.0.0.0:* LISTEN 0 128 *:80 *:* LISTEN 0 128 [::]:22 [::]:* LISTEN 0 128 *:443 *:*
验证
本文章为转载内容,我们尊重原作者对文章享有的著作权。如有内容错误或侵权问题,欢迎原作者联系我们进行内容更正或删除文章。
