#!/bin/bash

function read_node_info_config

{

key=$1

grep -v '^#' crt_node_info.conf | grep $key | cut -d'=' -f2

}

function check_config

{

test -n " $2" \|\| { test -n "$ 3" && { echo "Set $1 to default value$ 3"; eval " $1=$ 3"; } || { echo "Missing $1 config"; exit 9; } }

}

function create_xxx_ca

{

create ca.key

openssl genrsa -aes256 -passout pass: ${CA_pass} -out$ {ca_dir}/ca.key 2048

openssl req -subj /C=CN/ST=ZJ/L=HZ/O=companyname/OU=DT/CN= ${project_name}/emailAddress=ca@xxx.com -new -key$ {ca_dir}/ca.key -passin pass: ${CA_pass} -out$ {ca_dir}/ca.req

create ca.crt

openssl x509 -req -in ${ca_dir}/ca.req -signkey$ {ca_dir}/ca.key -passin pass: ${CA_pass} -days 3650 -out$ {ca_dir}/ca.crt

}

function init_env

{

if [ ! -r ./crt_node_info.conf ]; then

echo "Create crt_node_info.conf first."

return 1

crt_node_type=`read_node_info_config crt_node_type`

project_name=`read_node_info_config project_name`

xxx_type=`read_node_info_config xxx_type`

node_names=`read_node_info_config node_name`

prefix_name=`read_node_info_config prefix_name`

name_count=`read_node_info_config name_count`

crt_expiration_days=`read_node_info_config crt_expiration_days`

CA_pass=`read_node_info_config CA_pass`

CA_path=`read_node_info_config CA_path`

cert_ST=`read_node_info_config cert_ST`

cert_L=`read_node_info_config cert_L`

cert_O=`read_node_info_config cert_O`

cert_CN=`read_node_info_config cert_CN`

#cert_Email=`read_node_info_config cert_Email`

cert_Title=`read_node_info_config cert_Title`

check_config CA_pass "$CA_pass" "123xxx"

check_config prefix_name " $prefix_name" "$ crt_node_type"

check_config name_count "$name_count" "0"

cert_Email="@xxxpri.com"

if [ ${xxx_type} == "XXX_Public" ]; then

cert_Email="@xxxpub.com"

#parse node names to a list

OLD_IFS="$IFS"

IFS=","

node_name_list=(${node_names})

IFS="$OLD_IFS"

echo ${node_name_list[*]}

ca_dir=${CA_path}

if [ ! -f ${ca_dir}/ca.key ]; then

if [ ! -d ${ca_dir} ]; then

mkdir -p ${ca_dir} >/dev/null 2>>/dev/null

create_xxx_ca

if [ $? -ne 0 ]; then

echo "create xxx ca failed."

return 1

return 0

}

function create_xxx_server_cert

{

cert_dir=`pwd`

create server.key

openssl genrsa 2048 | openssl pkcs8 -topk8 -nocrypt -out ${cert_dir}/xx_server_$ 1.key

create csr file

openssl req -subj /C=CN/ST= ${cert_ST}/L=$ {cert_L}/O= ${cert_O}/OU=$ {crt_node_type}/CN= $1/emailAddress=$ 1 ${cert_Email} -new -key$ {cert_dir}/xx_server_ $1.key -out$ {cert_dir}/xx_server_$1.csr

create server.crt

openssl x509 -req -days ${crt_expiration_days} -in$ {cert_dir}/xx_server_ $1.csr -CA$ {ca_dir}/ca.crt -CAkey ${ca_dir}/ca.key -CAcreateserial -passin pass:$ {CA_pass} -out ${cert_dir}/xx_server_$ 1.crt

}

function create_chain_node_cert

{

chain_cert_dir=`pwd`

create chain_node.key

openssl genrsa 2048 | openssl pkcs8 -topk8 -nocrypt -out ${chain_cert_dir}/tn_client_chain_node_$ 1.key

create csr file

openssl req -subj /C=CN/ST= ${cert_ST}/L=$ {cert_L}/O= ${cert_O}/OU=$ {crt_node_type}/title= ${cert_Title}/CN=$ 1/emailAddress= $1$ {cert_Email} -new -key ${chain_cert_dir}/xx_client_chain_node_$ 1.key -out ${chain_cert_dir}/xx_client_chain_node_$ 1.csr

create chain_node.crt

openssl x509 -req -days ${crt_expiration_days} -in$ {chain_cert_dir}/xx_client_chain_node_ $1.csr -CA$ {ca_dir}/ca.crt -CAkey ${ca_dir}/ca.key -CAcreateserial -passin pass:$ {CA_pass} -out ${chain_cert_dir}/xx_client_chain_node_$ 1.crt

}

function create_xxx_agent_cert

{

ba_cert_dir=`pwd`

create ect key

openssl genrsa 2048 | openssl pkcs8 -topk8 -nocrypt -out ${ba_cert_dir}/xx_client_ba_$ 1.key

create csr file

openssl req -subj /C=CN/ST= ${cert_ST}/L=$ {cert_L}/O= ${cert_O}/OU=$ {crt_node_type}/title= ${cert_Title}/CN=$ 1/emailAddress= $1$ {cert_Email} -new -key ${ba_cert_dir}/xx_client_ba_$ 1.key -out ${ba_cert_dir}/xx_client_ba_$ 1.csr

create ect crt

openssl x509 -req -days ${crt_expiration_days} -in$ {ba_cert_dir}/xx_client_ba_ $1.csr -CA$ {ca_dir}/ca.crt -CAkey ${ca_dir}/ca.key -CAcreateserial -passin pass:$ {CA_pass} -out ${ba_cert_dir}/xx_client_ba_$ 1.crt

}

function main {

1 init dir, var, CA

echo "1) init environment."

init_env

if [ $? -ne 0 ]; then

return 1

echo "2) create crt..."

#xxx_server, xxx_agent, chain_node;

if [ ${crt_node_type} == "xxx_server" ]; then

for((i=0; i<${#node_name_list[@]}; ++i)); do

create_xxx_server_cert ${node_name_list\[$ {i}]}

if [ $? -ne 0 ]; then

echo "create ${node_name_list\[$ {i}]} crt failed."

done

elif [ ${crt_node_type} == "chain_node" ]; then

for((i=0; i<${#node_name_list[@]}; ++i)); do

create_chain_node_cert ${node_name_list\[$ {i}]}

if [ $? -ne 0 ]; then

echo "create ${node_name_list\[$ {i}]} crt failed."

done

elif [ ${crt_node_type} == "xxx_agent" ]; then

if [ ${name_count} -gt 0 ]; then

for((i=1; i<=${name_count}; ++i)); do

node_name= ${prefix_name}$ i

create_xxx_agent_cert ${node_name}

if [ $? -ne 0 ]; then

echo "create ${node_name} crt failed."

done

else

for((i=0; i<${#node_name_list[@]}; ++i)); do

create_xxx_agent_cert ${node_name_list\[$ {i}]}

if [ $? -ne 0 ]; then

echo "create ${node_name_list\[$ {i}]} crt failed."

done

echo "create crt completed."

return 0

}

main $*

ssl安全证书制作过程

create ca.key

create ca.crt

create server.key

create csr file

create server.crt

create chain_node.key

create csr file

create chain_node.crt

create ect key

create csr file

create ect crt

1 init dir, var, CA