X509 TLS

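#!/bin/bash
# Helper functions for creating a private CA and CA-signed server
# certificates with openssl: tls3 (v3 CA + v3 server cert with SANs),
# tls1 (CSR/-signkey CA + plain server cert) and tls3.bak (CSR/-signkey
# CA + v3 server cert with SANs). Nothing runs on its own: source the
# file and call one of the functions.
# The original first line lacked the leading "#", so instead of acting as
# a shebang it would have been executed as "! /bin/bash" — spawning a
# child shell.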

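#######################################
# Create an X.509 v3 CA root certificate and a CA-signed X.509 v3 server
# certificate (with SubjectAltName) in the same directory.
# Globals:   CertPath, CertPD, DomainName (all assigned here)
# Arguments: none
# Outputs:   ca.key, ca.crt, server.key, server.csr, server.crt,
#            my-ssl.conf and the serial file under ${CertPath};
#            decoded certificates and a directory listing on stdout
# Returns:   0 on success, 1 if a step fails
#######################################
tls3() {
  ####################################################
  # Part A: CA X.509 v3 root certificate
  ####################################################
  CertPath=/k8s/tlsv3
  # NOTE: the passphrase is hard-coded and handed to openssl as
  # "pass:..." on the command line, so it is visible in `ps` output and
  # shell history; openssl also accepts "env:VAR" and "file:PATH" sources.
  CertPD=huawei@123
  DomainName=ca.huawei.com

  # 1. Create the certificate directory and enter it
  mkdir -p "${CertPath}" && cd "${CertPath}" || return 1

  # 2. Create the CA private key "ca.key" (2048-bit RSA, DES3-encrypted)
  openssl genrsa -des3 -out "${CertPath}/ca.key" \
    -passout "pass:${CertPD}" 2048 || return 1

  # 3. Create the self-signed X.509 v3 CA certificate (7300 days)
  openssl req -x509 -new -nodes \
    -key "${CertPath}/ca.key" \
    -sha256 \
    -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=HW/OU=IT/CN=${DomainName}" \
    -days 7300 \
    -out "${CertPath}/ca.crt" \
    -passin "pass:${CertPD}" || return 1

  # 4. Show the CA certificate
  openssl x509 -in "${CertPath}/ca.crt" -text -noout

  #####################################################
  # Part B: X.509 v3 server certificate signed by the CA
  #####################################################

  # The server files live next to the CA files, so CertPath is NOT
  # reassigned here. The original script switched it to /k8s/tlsv1 at
  # this point, which made the signing step below read ca.crt/ca.key
  # from a directory other than the one just populated.
  # Passphrase of the server key (same caveat as above)
  CertPD=huawei@123
  # Server certificate domain name
  DomainName=www.huawei.com

  # 1. Create the server private key "server.key"
  openssl genrsa -des3 -out "${CertPath}/server.key" \
    -passout "pass:${CertPD}" 2048 || return 1

  # 2. Create the certificate signing request "server.csr"
  openssl req -new \
    -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=HW/OU=IT/CN=${DomainName}" \
    -key "${CertPath}/server.key" \
    -out "${CertPath}/server.csr" \
    -passin "pass:${CertPD}" || return 1

  # 3. Write the extension file "my-ssl.conf"; adjust the DNS/IP entries
  #    to your environment. Entry keys must be unique: openssl keeps a
  #    single value per key, so the repeated "IP.4" in the original
  #    silently lost one address. The loopback entry is now IP.5.
  cat > "${CertPath}/my-ssl.conf" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster
DNS.5 = kubernetes.default.svc.cluster.local
DNS.6 = ${DomainName}
DNS.7 = localhost
IP.1 = 168.7.10.201
IP.2 = 168.7.10.202
IP.3 = 168.7.10.203
IP.4 = 168.7.10.204
IP.5 = 127.0.0.1
EOF

  # 4. Sign the request with the CA (3650 days). The serial file is
  #    anchored to CertPath rather than the current directory.
  openssl x509 -req \
    -in "${CertPath}/server.csr" \
    -out "${CertPath}/server.crt" \
    -days 3650 \
    -CAcreateserial \
    -CA "${CertPath}/ca.crt" \
    -CAkey "${CertPath}/ca.key" \
    -CAserial "${CertPath}/serial" \
    -extfile "${CertPath}/my-ssl.conf" \
    -passin "pass:${CertPD}" || return 1

  # 5. Show the server certificate, then set file modes: private keys are
  #    owner-only, public material is world-readable (the original used 777,
  #    which left both CA and server keys readable and writable by everyone)
  openssl x509 -in "${CertPath}/server.crt" -text -noout
  chmod 600 "${CertPath}/ca.key" "${CertPath}/server.key" || return 1
  chmod 644 "${CertPath}/ca.crt" "${CertPath}/server.csr" \
    "${CertPath}/server.crt" "${CertPath}/serial" && ls -l "${CertPath}/"
}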



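#######################################
# Create a self-signed CA certificate (CSR + -signkey flow) and a
# CA-signed server certificate without any extensions.
# Globals:   CertPath, CertPD, DomainName, ServerName (all assigned here)
# Arguments: none
# Outputs:   ca.key, ca.csr, ca.crt, ${ServerName}.key/.csr/.crt and
#            openssl's serial file under ${CertPath}; decoded
#            certificates and a directory listing on stdout
# Returns:   0 on success, 1 if a step fails
#######################################
tls1() {
  #####################################################
  # Part A: CA root certificate
  #####################################################
  CertPath=/k8s/tlsv1
  # Not used by any step below: both keys are created unencrypted
  CertPD=huawei@123
  DomainName=ca.huawei.com

  # 1. Create the certificate directory and enter it
  mkdir -p "${CertPath}" && cd "${CertPath}" || return 1

  # 2. Create the CA private key "ca.key" (unencrypted, openssl default size)
  openssl genrsa -out "${CertPath}/ca.key" || return 1

  # 3. Create the CA certificate request "ca.csr"
  openssl req -new \
    -subj "/C=CN/ST=GuangDong/L=DongGuan/O=HW/OU=IT/CN=${DomainName}" \
    -key "${CertPath}/ca.key" \
    -out "${CertPath}/ca.csr" || return 1

  # 4. Self-sign the CA certificate "ca.crt" for 3650 days (ten years;
  #    the original comment said three)
  openssl x509 -req \
    -days 3650 \
    -in "${CertPath}/ca.csr" \
    -signkey "${CertPath}/ca.key" \
    -out "${CertPath}/ca.crt" || return 1

  # 5. Show the CA certificate; the CA key is owner-only (was 777)
  openssl x509 -in "${CertPath}/ca.crt" -text -noout
  chmod 600 "${CertPath}/ca.key" || return 1
  chmod 644 "${CertPath}/ca.csr" "${CertPath}/ca.crt" && ls -l "${CertPath}/"

  #####################################################
  # Part B: server certificate signed by the CA
  #####################################################
  ServerName=ldap
  DomainName=huawei.com

  # 1. Create the server private key "<ServerName>.key"
  openssl genrsa -out "${CertPath}/${ServerName}.key" || return 1

  # 2. Create the server certificate request "<ServerName>.csr"
  openssl req -new \
    -subj "/C=CN/ST=GuangDong/L=DongGuan/O=HW/OU=IT/CN=${ServerName}.${DomainName}" \
    -key "${CertPath}/${ServerName}.key" \
    -out "${CertPath}/${ServerName}.csr" || return 1

  # 3. Sign with the CA for 3650 days -> "<ServerName>.crt".
  #    No extension file is passed, so the certificate carries no
  #    SubjectAltName; most current TLS clients match the hostname against
  #    SAN only, so use tls3 when that matters.
  openssl x509 -req \
    -in "${CertPath}/${ServerName}.csr" \
    -out "${CertPath}/${ServerName}.crt" \
    -days 3650 \
    -CAcreateserial -CA "${CertPath}/ca.crt" \
    -CAkey "${CertPath}/ca.key" || return 1

  # 4. Show the server certificate; the server key is owner-only (was 777)
  openssl x509 -in "${CertPath}/${ServerName}.crt" -text -noout
  chmod 600 "${CertPath}/${ServerName}.key" || return 1
  chmod 644 "${CertPath}/${ServerName}.csr" "${CertPath}/${ServerName}.crt" \
    && ls -l "${CertPath}/"
}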

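#######################################
# Backup variant of tls3: self-signed CA via the CSR + -signkey flow,
# then an X.509 v3 server certificate with SubjectAltName signed by it.
# Globals:   CertPath, CertPD, DomainName, ServerName (all assigned here)
# Arguments: none
# Outputs:   ca.key/.csr/.crt, ${ServerName}.key/.csr/.crt, my-ssl.conf
#            and the serial file under ${CertPath}; decoded certificates
#            and a directory listing on stdout
# Returns:   0 on success, 1 if a step fails
#######################################
function tls3.bak() {
  #####################################################
  # Part A: CA root certificate
  #####################################################
  CertPath=/k8s/tlsv2
  # Not used by any step below: both keys are created unencrypted
  CertPD=huawei@123
  DomainName=ca.huawei.com

  # 1. Create the certificate directory and enter it
  mkdir -p "${CertPath}" && cd "${CertPath}" || return 1

  # 2. Create the CA private key "ca.key" (unencrypted, openssl default size)
  openssl genrsa -out "${CertPath}/ca.key" || return 1

  # 3. Create the CA certificate request "ca.csr"
  openssl req -new \
    -subj "/C=CN/ST=GuangDong/L=DongGuan/O=HW/OU=IT/CN=${DomainName}" \
    -key "${CertPath}/ca.key" \
    -out "${CertPath}/ca.csr" || return 1

  # 4. Self-sign the CA certificate "ca.crt" for 3650 days (ten years;
  #    the original comment said three)
  openssl x509 -req \
    -days 3650 \
    -in "${CertPath}/ca.csr" \
    -signkey "${CertPath}/ca.key" \
    -out "${CertPath}/ca.crt" || return 1

  # 5. Show the CA certificate; the CA key is owner-only (was 777)
  openssl x509 -in "${CertPath}/ca.crt" -text -noout
  chmod 600 "${CertPath}/ca.key" || return 1
  chmod 644 "${CertPath}/ca.csr" "${CertPath}/ca.crt" && ls -l "${CertPath}/"

  #####################################################
  # Part B: X.509 v3 server certificate signed by the CA
  #####################################################
  ServerName=server
  DomainName=huawei.com

  # 1. Create the server private key "<ServerName>.key"
  openssl genrsa -out "${CertPath}/${ServerName}.key" || return 1

  # 2. Create the server certificate request "<ServerName>.csr"
  openssl req -new \
    -subj "/C=CN/ST=GuangDong/L=DongGuan/O=HW/OU=IT/CN=${ServerName}.${DomainName}" \
    -key "${CertPath}/${ServerName}.key" \
    -out "${CertPath}/${ServerName}.csr" || return 1

  # 3. Write the extension file. Entry keys must be unique: openssl keeps
  #    a single value per key, so the repeated "IP.4" in the original
  #    silently lost one address (now IP.5). DNS.8 adds the certificate's
  #    own subject name, which the original SAN list did not contain.
  cat > "${CertPath}/my-ssl.conf" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster
DNS.5 = kubernetes.default.svc.cluster.local
DNS.6 = www.huawei.com
DNS.7 = localhost
DNS.8 = ${ServerName}.${DomainName}
IP.1 = 168.7.10.201
IP.2 = 168.7.10.202
IP.3 = 168.7.10.203
IP.4 = 168.7.10.204
IP.5 = 127.0.0.1
EOF

  # 4. Sign the X.509 v3 server certificate "<ServerName>.crt" (3650 days);
  #    the serial file is anchored to CertPath rather than the current
  #    directory. (A commented-out variant without -extfile was dropped:
  #    it would have produced a certificate with no SubjectAltName.)
  openssl x509 -req \
    -in "${CertPath}/${ServerName}.csr" \
    -out "${CertPath}/${ServerName}.crt" \
    -days 3650 \
    -CAcreateserial -CA "${CertPath}/ca.crt" \
    -CAkey "${CertPath}/ca.key" \
    -CAserial "${CertPath}/serial" \
    -extfile "${CertPath}/my-ssl.conf" || return 1

  # 5. Show the server certificate; the server key is owner-only (was 777)
  openssl x509 -in "${CertPath}/${ServerName}.crt" -text -noout
  chmod 600 "${CertPath}/${ServerName}.key" || return 1
  chmod 644 "${CertPath}/${ServerName}.csr" "${CertPath}/${ServerName}.crt" \
    && ls -l "${CertPath}/"
}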

 
