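#!/bin/bash
#
# One-shot bootstrap for the "ca-mini" private CA under /opt/arrokoth/ca-mini:
#   1. create a self-signed root CA key/cert plus the `openssl ca` state files
#      (certindex, certserial, crlnumber) and ca.conf,
#   2. publish an initial (empty) CRL,
#   3. create the issued-certificate directory,
#   4. install, start and enable the ca-server systemd unit.
# Each step is guarded by an "already exists" check, so re-running the script
# never regenerates (and silently replaces) an existing root key.
# Must run as root: it writes under /opt and /usr/lib/systemd.

# Abort on the first failed command / unset variable. Without this a failed
# mkdir or cd would let openssl write the root key into whatever the cwd
# happened to be, and the service would still be started against a half-built CA.
set -euo pipefail
# Command tracing. Nothing secret is passed on argv: the key is generated
# without a passphrase (-nodes), so no password ever appears in the trace.
set -x

readonly WORK_PATH="/opt/arrokoth/ca-mini"
readonly CA_DIR="$WORK_PATH/ca"
readonly CRL_DIR="$WORK_PATH/crl"
readonly CERT_DIR="$WORK_PATH/cert"
readonly UNIT_PATH="/usr/lib/systemd/system/ca-server.service"

mkdir -p -- "$WORK_PATH"
cd -- "$WORK_PATH"

# --- Root CA -------------------------------------------------------------
if [ ! -d "$CA_DIR" ]; then
  mkdir -p -- "$CA_DIR"

  # Self-signed root: 2048-bit RSA, 30-year validity (10950 days). The v3_ca
  # extensions are taken from the [ v3_ca ] section of the system openssl.cnf
  # (no -config is given), so that section must exist on the host.
  # -nodes writes the private key unencrypted because ca-server has to sign
  # unattended; file permissions are therefore the only protection the root
  # key gets. Run with umask 077 so the key is never world-readable, not even
  # for the instant between creation and a later chmod. All paths are absolute
  # so the script's cwd stays $WORK_PATH throughout.
  (
    umask 077
    openssl req -newkey rsa:2048 -nodes \
      -keyout "$CA_DIR/CaRoot.key" \
      -x509 -days 10950 -out "$CA_DIR/CaRoot.crt" \
      -subj "/C=CN/ST=BeiJing/L=BeiJing/O=Arrokoth/OU=Arrokoth CA Center/CN=Arrokoth CaRoot/emailAddress=CaRoot@yyds8848.com" \
      -extensions v3_ca
  )
  # The certificate is public; keep it readable as before. If ca-server runs
  # as a dedicated user, chown the key to that user rather than loosening 0600.
  chmod 644 -- "$CA_DIR/CaRoot.crt"

  # `openssl ca` database: index of issued certs, next serial, next CRL number.
  # Fixed, sequential serials are predictable; fine for a private CA, but not
  # what public CAs do (they use >=64 bits of random serial).
  touch -- "$CA_DIR/certindex"
  echo 1000000000000001 > "$CA_DIR/crlnumber"
  echo 1000000000000001 > "$CA_DIR/certserial"

  # ca.conf: the heredoc is unquoted so $CA_DIR expands to the same absolute
  # path as before; \$dir is escaped so OpenSSL sees the literal $dir.
  cat > "$CA_DIR/ca.conf" << EOF
[ ca ]
default_ca = myca
[ crl_ext ]
# issuerAltName=issuer:copy #this would copy the issuer name to altname
authorityKeyIdentifier=keyid:always
[ myca ]
dir = $CA_DIR
new_certs_dir = \$dir
# unique_subject = no lets a cert be re-issued for a subject that already has
# a live entry in the index without revoking the old one first.
unique_subject = no
certificate = \$dir/CaRoot.crt
database = \$dir/certindex
private_key = \$dir/CaRoot.key
serial = \$dir/certserial
default_days = 3650
default_md = sha256
policy = myca_policy
x509_extensions = myca_extensions
crlnumber = \$dir/crlnumber
# NOTE(review): a 10-year nextUpdate lets relying parties cache this CRL for
# that long, so revocations only propagate if a fresh CRL is published after
# every revocation (or this window is shortened).
default_crl_days = 3650
[ myca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = optional
emailAddress = optional
organizationName = supplied
organizationalUnitName = optional
[ myca_extensions ]
# Leaf certs only: CA:false plus serverAuth keeps issued certs from being
# used to sign further certificates or for client authentication.
basicConstraints = CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
crlDistributionPoints = URI:http://www.yyds8848.com/ca/crl/CaRoot.crl
EOF
fi

# --- CRL -----------------------------------------------------------------
if [ ! -d "$CRL_DIR" ]; then
  mkdir -p -- "$CRL_DIR"
  # Publish an initial, empty CRL so the crlDistributionPoints URI in every
  # issued certificate resolves from day one.
  openssl ca -config "$CA_DIR/ca.conf" -gencrl -out "$CRL_DIR/CaRoot.crl"
fi

# --- Issued-certificate directory ---------------------------------------
mkdir -p -- "$CERT_DIR"

# --- systemd unit --------------------------------------------------------
if [ ! -f "$UNIT_PATH" ]; then
  # The unit file is expected in $WORK_PATH (the cwd set at the top). The
  # original copied it by relative name, which resolved differently depending
  # on whether the CA directory had just been created — confirm this is where
  # ca-server.service is deployed. Fail loudly rather than start a service
  # whose unit was never installed.
  if [ ! -f "$WORK_PATH/ca-server.service" ]; then
    echo "ca-server.service not found in $WORK_PATH" >&2
    exit 1
  fi
  # NOTE: /usr/lib/systemd/system is the vendor unit directory; units
  # installed by hand conventionally belong in /etc/systemd/system.
  cp -- "$WORK_PATH/ca-server.service" "$UNIT_PATH"
  systemctl daemon-reload   # let systemd see the new unit before using it
  systemctl start ca-server
  systemctl enable ca-server
fi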