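#!/bin/bash
# Bootstrap a minimal CA under WORK_PATH:
#   - create the root CA key/certificate and the `openssl ca` database files
#   - write ca.conf, used by later signing and CRL operations
#   - emit an initial (empty) CRL and the directory for issued certificates
#   - install, start and enable the ca-server systemd unit
# Must run as root (writes to /opt and /usr/lib/systemd, calls systemctl).
# Re-running is safe: each step is skipped when its artefact already exists.
set -euo pipefail
set -x

readonly WORK_PATH="/opt/arrokoth/ca-mini"
readonly CA_DIR="$WORK_PATH/ca"
readonly CRL_DIR="$WORK_PATH/crl"
readonly CERT_DIR="$WORK_PATH/cert"
readonly UNIT_DST="/usr/lib/systemd/system/ca-server.service"
# The unit file is assumed to ship next to this script — confirm. The original
# copied it from the current directory, which depended on which branch had run.
SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
readonly SCRIPT_DIR

die() { printf '%s\n' "$*" >&2; exit 1; }

[[ $EUID -eq 0 ]] || die "this script must be run as root"

mkdir -p -- "$WORK_PATH"
cd "$WORK_PATH" || die "cannot cd to $WORK_PATH"

if [[ ! -d "$CA_DIR" ]]; then
  mkdir -p -- "$CA_DIR"
  # Issue the self-signed root CA certificate (10950 days).
  # -nodes leaves the private key unencrypted so the CA can run unattended;
  # the key is therefore protected by file mode only, so create it 0600 via umask.
  (
    umask 077
    openssl req -newkey rsa:2048 -nodes \
      -keyout "$CA_DIR/CaRoot.key" \
      -x509 -days 10950 -out "$CA_DIR/CaRoot.crt" \
      -subj "/C=CN/ST=BeiJing/L=BeiJing/O=Arrokoth/OU=Arrokoth CA Center/CN=Arrokoth CaRoot/emailAddress=CaRoot@yyds8848.com" \
      -extensions v3_ca
  )
  chmod 644 -- "$CA_DIR/CaRoot.crt"   # the certificate itself is public
  # Certificate database (index) used by `openssl ca`.
  touch -- "$CA_DIR/certindex"
  # Initial CRL number and certificate serial (hex).
  echo 1000000000000001 > "$CA_DIR/crlnumber"
  echo 1000000000000001 > "$CA_DIR/certserial"
  # ca.conf: `dir` follows CA_DIR instead of repeating the path literally;
  # \$dir is left escaped for openssl to expand.
  cat > "$CA_DIR/ca.conf" << EOF
[ ca ]
default_ca = myca

[ crl_ext ]
# issuerAltName=issuer:copy #this would copy the issuer name to altname
authorityKeyIdentifier=keyid:always

[ myca ]
dir = $CA_DIR
new_certs_dir = \$dir
unique_subject = no
certificate = \$dir/CaRoot.crt
database = \$dir/certindex
private_key = \$dir/CaRoot.key
serial = \$dir/certserial
default_days = 3650
default_md = sha256
policy = myca_policy
x509_extensions = myca_extensions
crlnumber = \$dir/crlnumber
default_crl_days = 3650

[ myca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = optional
emailAddress = optional
organizationName = supplied
organizationalUnitName = optional

[ myca_extensions ]
basicConstraints = CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
crlDistributionPoints = URI:http://www.yyds8848.com/ca/crl/CaRoot.crl
EOF
fi

# CRL directory: publish an initial, empty CRL so the distribution point
# referenced in ca.conf serves a valid file from the start.
if [[ ! -d "$CRL_DIR" ]]; then
  mkdir -p -- "$CRL_DIR"
  openssl ca -config "$CA_DIR/ca.conf" -gencrl -out "$CRL_DIR/CaRoot.crl"
fi

# Directory for issued certificates (mkdir -p is already idempotent).
mkdir -p -- "$CERT_DIR"

# Install the systemd unit, start it and enable it at boot.
if [[ ! -f "$UNIT_DST" ]]; then
  [[ -f "$SCRIPT_DIR/ca-server.service" ]] || die "ca-server.service not found in $SCRIPT_DIR"
  install -m 0644 -- "$SCRIPT_DIR/ca-server.service" "$UNIT_DST"
  systemctl daemon-reload   # make systemd pick up the new unit before starting it
  systemctl start ca-server
  systemctl enable ca-server
fi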