一个shell脚本，实现利用OpenSSL生成X509证书

#!/bin/bash
#
Copyright (C) 2015 Nicolas TANDE
#
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.
 
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.
 
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
#
function usage() { cat << EOUSAGE
Usage : $0 CN [altnames]
      : example : $0 mail.example.net
      : example : $0 www.example.net alt.example.net secure.example.net
      :
      : for .example.net you can either put '.example.net' or 'wildcard.example.net'
EOUSAGE
}
#
Configuration
#
Path to openssl binary
openssl=$(which openssl)
Crypto ciphers rsa 4096 + sha 512
openssl_crypto="rsa:4096 -sha512"
Certificate Authority that will sign our certificates
ca=
Details to be added to every certificates
organization=""
organizationunitname=""
locality=""
province=""
country=""
you may also define those variables in your home directory
userconfig="$HOME/.certifishrc"
[ -r "$userconfig" ] && source "$userconfig"
#
Sanity checks
#
function error()
{
  echo "-- $1 --" >&2
  exit 1
}
[ "$country" = "" -o "$province" = "" -o "$locality" = "" -o "$organization" = "" -o "$organizationunitname" = "" ] &&
  error "Please set configuration at the begin of the script"
[ ! -r "$ca" ] && error "CA is not readable (path=$ca), please check configuration at the begin of the script"
[ ! -x "$openssl" ] && error "Could not find openssl binary (path=$openssl), please check configuration at the begin of the script"
#
Do no edit below this line
#
set -e
function notice()
{
  echo "-- $1 --"
}
function confirmation()
{
  notice "Is it correct ? [y/N]"
  read confirmation
if [ "$confirmation" != "y" ]; then return 1; fi
}
Reading parameters
n=$#
if [ $n -lt 1 ]; then 
  usage
  error "Invalid parameters"
fi
you can either input '*' or 'wildcard'
real_cn=$(echo "$1" | sed 's/wildcard/*/g')
cn=$(echo "$1"|sed 's/*/wildcard/g')
shift
altname=$@
Only display parameters
notice "You called this script with the following parameters"
echo CommonName: $real_cn
havealtname=0
if [ ${#altname[@]} -ne 0 ]; then
  for i in ${altname[@]} ; do
    havealtname=1
    echo "AltName: $i";
  done
fi
confirmation
mkdir "$cn"
cp "$ca" "$cn"
cd "$cn"
Display OpenSSL parameters
(
  echo "[req]"
  echo "distinguished_name = req_distinguished_name"
  echo "req_extensions = req_ext"
  echo "prompt = no"
  echo ""
  echo "[req_distinguished_name]"
  echo "CN = $real_cn"
  echo "O = $organization"
  echo "OU = $organizationunitname"
  echo "L = $locality"
  echo "ST = $province"
  echo "C = $country"
  echo ""
  echo "[req_ext]"
dns=1
if [ $havealtname -ne 0 ]; then
  echo "subjectAltName = @alt_names"
  echo ""
  echo "[alt_names]"
  for i in ${altname[@]} ; do
    echo "DNS.$dns  = $i";
    dns=$((dns + 1))
  done
fi
) > "$cn.cnf"
notice "We are going to generate keys with following parameters"
notice "The Crypto will be $openssl_crypto and the config will be"
cat "$cn.cnf"
confirmation
Generate key + csr
$openssl req -new -newkey $openssl_crypto -nodes -keyout "$cn.key" -out "$cn.csr" -config "$cn.cnf"
chmod 600 "$cn.key"
notice "This is the CSR, copy paste it in your CA website"
cat "$cn.csr"
read user certificate
ok=0
until [ "$ok" = 1 ] ; do
  notice "Copy paste here the certificate from your CA website, Control-D to finish"
  while read line; do
    cert+=( "$line" )
  done
notice "You entered"
  for line in "${cert[@]}"; do
    echo "$line"
  done
confirmation && ok=1
done
for line in "${cert[@]}"; do
  echo "$line" >> "${cn}".crt
done
generate chained certificate
cat "${cn}.crt" $(basename "${ca}") > "${cn}.chained.crt"
generate DNSSEC/TLSA record
notice "TLSA"
notice "If you with to use DNSSEC/TLSA, add this in DNS zone (replace host with real hostname):"
fpr=$( $openssl x509 -noout -fingerprint -sha512 < "${cn}.crt" |sed -e "s/.*=//g" | sed -e "s/\://g" )
echo "_port._tcp.host IN TLSA ( 3 0 2 $fpr )" > "${cn}.tlsa.txt"
echo "_port._tcp.host IN TLSA ( 3 0 2 $fpr )"</pre>