• 生成证书脚本


    注:如果脚本复制到 CentOS 之后,因 Windows(CRLF)与 Linux(LF)换行符格式不一致而无法执行,可先使用以下命令转换文件格式,然后再执行脚本即可。

    1、yum -y install dos2unix
    
    2、dos2unix 文件名

    1、如下是生成国密(SM2/SM3)证书的脚本

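    #!/bin/bash
    #
    # Builds an SM2/SM3 certificate hierarchy with gmssl under ./server-gmchain:
    # a self-signed root CA, a Sub1 CA issued by the root, a Sub2 CA issued by
    # Sub1, one server certificate and one client certificate, plus a
    # concatenated bundle <name>.pem.
    #
    # Every private key, including the root CA key, is written without a
    # passphrase into the same directory as the server material, so treat the
    # output as lab/test PKI only.

    set -euo pipefail

    # The keys are stored unencrypted, so create all files owner-only. Relax the
    # permissions of the .cer/.pem files afterwards if another account has to
    # read them.
    umask 077

    expire_days=3650
    subj_base='/C=CN/ST=Beijing/L=Beijing/O=Hy/OU=hy'
    subj="$subj_base/CN=hyR"     # root CA
    subji="$subj_base/CN=hyI"    # Sub1 CA
    subjs="$subj_base/CN=hyS"    # Sub2 CA
    subj2="$subj_base/CN=hy"     # server certificate
    subj3="$subj_base/CN=hy1"    # client certificate
    server="server-gmchain"
    param=$server

    # Start from an empty output directory on every run.
    if [[ -d "$param" ]]; then
        rm -r -- "${param:?}"
    fi
    mkdir -p -- "$param"
    cd -- "$param"

    root_cacer="ca-root-$param.cer"
    root_cakey="ca-root-$param.key"
    sub1_cacer="ca-sub1-$param.cer"
    sub1_cakey="ca-sub1-$param.key"
    cacer="ca-sub2-$param.cer"
    cakey="ca-sub2-$param.key"
    cer="$param.cer"
    csr="$param.csr"
    key="$param.key"
    #add
    server_name="client-$param"
    cer1="$server_name.cer"
    csr1="$server_name.csr"
    key1="$server_name.key"

    # CA database used by "gmssl ca". It lives in ./demoCA inside the output
    # directory (presumably the CA_default dir of the installed config -- TODO
    # confirm). The original created it under $(dirname "$0")/demoCA and then ran
    # "cd demoCA"; those two only agree when the script is started as ./script,
    # so the paths are now always relative to the output directory.
    mkdir -p demoCA/private demoCA/newcerts
    touch demoCA/index.txt
    echo 01 > demoCA/serial
    echo 01 > demoCA/crlnumber
    # Default CA certificate/key for "gmssl ca" calls that pass no -cert/-keyfile:
    # both links point at the root CA.
    ln -sf "../$root_cacer" demoCA/cacert.pem
    ln -sf "../../$root_cakey" demoCA/private/cakey.pem

    #Root CA
    gmssl ecparam -genkey -name sm2p256v1 -out "$root_cakey"
    gmssl req -x509 -sm3 -key "$root_cakey" -out "$root_cacer" -subj "$subj" -days "$expire_days"
    echo "===================Gen Root CA OK===================="

    # -days on "req -new" is ignored (it only applies together with -x509), so
    # the lifetime is passed to "ca" instead; otherwise the issued certificates
    # get the config's default_days rather than $expire_days.

    #Sub1 CA (issued by the root CA through the demoCA links)
    gmssl ecparam -genkey -name sm2p256v1 -out "$sub1_cakey"
    gmssl req -new -sm3 -extensions v3_req -key "$sub1_cakey" -out "$csr" -subj "$subji"
    gmssl ca -md sm3 -extensions v3_ca -batch -notext -days "$expire_days" -in "$csr" -out "$sub1_cacer"
    echo "===================Gen Sub1 CA OK===================="

    #Sub2 CA (issued by Sub1)
    gmssl ecparam -genkey -name sm2p256v1 -out "$cakey"
    gmssl req -new -sm3 -key "$cakey" -extensions v3_req -out "$csr" -subj "$subjs"
    gmssl ca -md sm3 -extensions v3_ca -batch -notext -days "$expire_days" -in "$csr" -out "$cacer" -cert "$sub1_cacer" -keyfile "$sub1_cakey"

    echo "===================Gen Sub2 CA OK===================="

    #Server cert
    # NOTE(review): this certificate (and the client one below) is issued by
    # Sub1, while the bundle written at the end lists the Sub2 CA right after the
    # server certificate. Sub2 is not part of this chain -- confirm whether the
    # issuer here should be "$cacer"/"$cakey" instead.
    gmssl ecparam -genkey -name sm2p256v1 -out "$key"
    gmssl req -new -key "$key" -out "$csr" -subj "$subj2"
    gmssl ca -md sm3 -batch -notext -days "$expire_days" -in "$csr" -out "$cer" -cert "$sub1_cacer" -keyfile "$sub1_cakey"

    echo "===================Gen Server cert OK===================="

    #Server1 cert (written as client-<name>.*)
    gmssl ecparam -genkey -name sm2p256v1 -out "$key1"
    gmssl req -new -key "$key1" -out "$csr1" -subj "$subj3"
    gmssl ca -md sm3 -batch -notext -days "$expire_days" -in "$csr1" -out "$cer1" -cert "$sub1_cacer" -keyfile "$sub1_cakey"
    # Requests and serial files are intermediate artefacts only.
    rm -f -- ./*.csr ./*.srl

    echo "===================Gen Server1 cert OK===================="

    # Bundle: server certificate, Sub2 CA, Sub1 CA (also echoed to stdout by tee).
    cat -- "$cer" "$cacer" "$sub1_cacer" | tee "$param.pem"
    echo "===================Gen All OK===================="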

     
    
    

     2、如下是生成国际(RSA)证书的脚本

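    #!/bin/bash
    #
    # Builds an RSA certificate hierarchy with openssl under ./server-gmchain:
    # a self-signed root CA, a Sub1 CA issued by the root, a Sub2 CA issued by
    # Sub1 and a server certificate issued by Sub2, plus a concatenated bundle
    # <name>.pem.
    #
    # Every private key, including the root CA key, is written without a
    # passphrase into the same directory as the server material, so treat the
    # output as lab/test PKI only.

    set -euo pipefail

    # The keys are stored unencrypted, so create all files owner-only. Relax the
    # permissions of the .cer/.pem files afterwards if another account has to
    # read them.
    umask 077

    key_bits=2048
    expire_days=3650
    subj_base='/C=CN/ST=Beijing/L=Beijing/O=Hy/OU=hy'
    subj="$subj_base/CN=hyR"     # root CA
    subji="$subj_base/CN=hyI"    # Sub1 CA
    subjs="$subj_base/CN=hyS"    # Sub2 CA
    subj2="$subj_base/CN=hy"     # server certificate
    server="server-gmchain"
    param=$server

    # Start from an empty output directory on every run.
    if [[ -d "$param" ]]; then
        rm -r -- "${param:?}"
    fi
    mkdir -p -- "$param"
    cd -- "$param"

    root_cacer="ca-root-$param.cer"
    root_cakey="ca-root-$param.key"
    sub1_cacer="ca-sub1-$param.cer"
    sub1_cakey="ca-sub1-$param.key"
    cacer="ca-sub2-$param.cer"
    cakey="ca-sub2-$param.key"
    cer="$param.cer"
    csr="$param.csr"
    key="$param.key"

    # CA database used by "openssl ca". It lives in ./demoCA inside the output
    # directory (presumably the CA_default dir of the installed config -- TODO
    # confirm). The original created it under $(dirname "$0")/demoCA and then ran
    # "cd demoCA"; those two only agree when the script is started as ./script,
    # so the paths are now always relative to the output directory.
    mkdir -p demoCA/private demoCA/newcerts
    touch demoCA/index.txt
    echo 01 > demoCA/serial
    echo 01 > demoCA/crlnumber
    # Default CA certificate/key for "openssl ca" calls that pass no
    # -cert/-keyfile: both links point at the root CA.
    ln -sf "../$root_cacer" demoCA/cacert.pem
    ln -sf "../../$root_cakey" demoCA/private/cakey.pem

    # -------------------------------------GenRSA---------------------------------

    #Root CA
    # The original generated this key with genrsa and then replaced it through
    # "-newkey ... -keyout" on the same file; the certificate is now created
    # from the genrsa key directly.
    openssl genrsa -out "$root_cakey" "$key_bits"
    openssl req -x509 -new -key "$root_cakey" -out "$root_cacer" -subj "$subj" -days "$expire_days"
    echo "===================Gen Root CA OK===================="

    # -days on "req -new" is ignored (it only applies together with -x509), so
    # the lifetime is passed to "ca" instead; otherwise the issued certificates
    # get the config's default_days rather than $expire_days.

    #Sub1 CA (issued by the root CA through the demoCA links)
    openssl genrsa -out "$sub1_cakey" "$key_bits"
    openssl req -new -key "$sub1_cakey" -sha256 -out "$csr" -subj "$subji"
    openssl ca -extensions v3_ca -batch -notext -days "$expire_days" -in "$csr" -out "$sub1_cacer"
    echo "===================Gen Sub1 CA OK===================="

    #Sub2 CA (issued by Sub1)
    openssl genrsa -out "$cakey" "$key_bits"
    openssl req -new -key "$cakey" -sha256 -out "$csr" -subj "$subjs"
    openssl ca -extensions v3_ca -batch -notext -days "$expire_days" -in "$csr" -out "$cacer" -cert "$sub1_cacer" -keyfile "$sub1_cakey"
    echo "===================Gen Sub2 CA OK===================="

    #Server cert (issued by Sub2)
    # NOTE(review): "x509 -req" takes the -extensions section from -extfile, and
    # no -extfile is given, so v3_req is presumably not applied and the
    # certificate carries no subjectAltName. Confirm, and pass an -extfile with
    # the required extensions if clients validate the host name.
    openssl genrsa -out "$key" "$key_bits"
    openssl req -new -key "$key" -sha256 -out "$csr" -subj "$subj2"
    openssl x509 -req -in "$csr" -sha256 -out "$cer" -CA "$cacer" -CAkey "$cakey" -CAserial t_ssl_ca.srl -CAcreateserial -days "$expire_days" -extensions v3_req
    #openssl pkcs12 -export -clcerts -in client.cer -inkey client.key -out client.p12

    # Requests and serial files are intermediate artefacts only.
    rm -f -- ./*.csr ./*.srl

    # Bundle: server certificate, Sub2 CA, Sub1 CA (also echoed to stdout by tee).
    cat -- "$cer" "$cacer" "$sub1_cacer" | tee "$param.pem"
    echo "===================Gen All OK===================="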
  • 原文地址:https://www.cnblogs.com/marshu/p/13704322.html