  • 利用shell脚本实现https证书认证

    生成证书

    脚本内容

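    #!/bin/bash
    #
    # Lab helper: builds a private CA under /etc/pki/CA, issues an httpd server
    # certificate from it, and points mod_ssl's ssl.conf at the new key/cert.
    # Run as root on a yum-based host.
    #
    # Every run is destructive: the existing CA directory (private key, index,
    # serial) is deleted and httpd/mod_ssl are removed and reinstalled.
    #
    # NOTE(review): the CA private key is left on the web server itself and is
    # not passphrase-protected. That is acceptable for a throw-away lab; for
    # anything longer-lived keep the CA key on a separate, offline host.
    # NOTE(review): the certificate carries the address only in the subject CN,
    # with no subjectAltName. Current browsers match on SAN, so expect a name
    # mismatch warning even after the CA certificate is imported.
    set -euo pipefail

    # Print an error on stderr and stop.
    die() {
      printf '%s\n' "$*" >&2
      exit 1
    }

    # Announce a step, then pause briefly so the output is readable.
    step() {
      echo "$1"
      sleep 1s
    }

    #Introduction
    echo "-----------------------"
    echo "作者:leidazhuang"
    echo "时间:2021/4/1"
    echo "本脚本用于生成httpd证书"
    echo "-----------------------"

    #Variables
    # Address clients will use to reach the server; it becomes the certificate CN
    # and the ServerName in ssl.conf. Edit to match the host.
    hostname=192.168.110.40
    readonly ca_dir=/etc/pki/CA
    readonly ssl_dir=/etc/httpd/ssl
    readonly ssl_conf=/etc/httpd/conf.d/ssl.conf
    # Same field values the interactive prompts were answered with. The CA and the
    # request use one subject so an "openssl ca" match policy on C/ST/O is met
    # (policy comes from the system openssl.cnf; confirm there).
    readonly subject="/C=cn/ST=hb/L=wh/O=runtime/OU=abc/CN=${hostname}/emailAddress=123@qq.com"

    [[ ${EUID} -eq 0 ]] || die "must be run as root"

    #Reset the CA directory
    # Wipes any CA that already lives here, including its private key.
    rm -rf -- "${ca_dir:?}"
    mkdir -p "${ca_dir}"
    # Keep the key directory closed to everyone but root.
    mkdir -m 700 "${ca_dir}/private"
    cd "${ca_dir}" || die "cannot cd to ${ca_dir}"

    #Generate the CA key pair
    step "正在生成密钥..."
    (umask 077; openssl genrsa -out private/cakey.pem 2048)

    #Extract the public key (printed to stdout for inspection only)
    step "正在提取公钥..."
    openssl rsa -in private/cakey.pem -pubout

    #Create the self-signed CA certificate
    # -subj supplies the DN directly, so no prompts have to be scripted with
    # expect and the expect package is no longer installed.
    step "正在生成签署证书..."
    openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365 \
      -subj "${subject}"

    #Show the CA certificate and create the files "openssl ca" keeps its state in
    step "正在读取证书内容..."
    openssl x509 -text -in cacert.pem
    mkdir certs newcerts crl
    touch index.txt
    echo 01 > serial

    #Install httpd
    # Removal is allowed to fail (package not present); install and enable are
    # not, and their error output is no longer discarded.
    step "正在安装httpd..."
    yum -y remove httpd >/dev/null || true
    yum -y install httpd >/dev/null
    systemctl enable --now httpd >/dev/null

    #Generate the httpd server key
    # mkdir -p: on a second run the directory already exists; a plain mkdir
    # failed there and the key was written outside ${ssl_dir}.
    step "httpd服务器生成密钥中..."
    mkdir -p "${ssl_dir}"
    cd "${ssl_dir}" || die "cannot cd to ${ssl_dir}"
    (umask 077; openssl genrsa -out httpd.key 2048)

    #Create the certificate signing request
    # No -days here: validity is set by the CA when it signs, not by the request.
    step "生成证书请求中..."
    openssl req -new -key httpd.key -out httpd.csr -subj "${subject}"

    #Sign the request with the CA
    # -batch answers the two confirmation prompts. The CA key, certificate,
    # index.txt and serial are located through the system openssl.cnf
    # (presumably dir = /etc/pki/CA on this distribution; confirm).
    openssl ca -batch -in ./httpd.csr -out httpd.crt -days 365
    # Fail here rather than at httpd start-up if the chain does not validate.
    openssl verify -CAfile "${ca_dir}/cacert.pem" httpd.crt

    #Install mod_ssl and point ssl.conf at the new key and certificate
    # The reinstall restores a stock ssl.conf so the substitutions below match.
    step "安装mod_ssl..."
    yum -y remove mod_ssl >/dev/null || true
    yum -y install mod_ssl >/dev/null
    sed -i \
      -e "s/#DocumentRoot/DocumentRoot/g" \
      -e "s/#ServerName www.example.com:443/ServerName ${hostname}:443/g" \
      -e "s#/etc/pki/tls/certs/localhost.crt#${ssl_dir}/httpd.crt#g" \
      -e "s#/etc/pki/tls/private/localhost.key#${ssl_dir}/httpd.key#g" \
      "${ssl_conf}"

    #Restart httpd
    # Check the configuration first; a failed restart now stops the script
    # instead of being hidden.
    step "重启httpd服务..."
    httpd -t
    systemctl restart httpd >/dev/null
    echo "查看端口"
    ss -antl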
    

    查看端口验证

    State     Recv-Q     Send-Q         Local Address:Port         Peer Address:Port    
    LISTEN    0          128                  0.0.0.0:22                0.0.0.0:*       
    LISTEN    0          128                     [::]:22                   [::]:*       
    LISTEN    0          128                        *:443                     *:*       
    LISTEN    0          128                        *:80                      *:* 
    

    验证

    访问本机ip

    点击高级--->继续访问(浏览器出现告警,是因为签发证书的 CA 是本机自建的,不在浏览器的受信任根证书列表中)

    完成

  • 原文地址:https://www.cnblogs.com/leixixi/p/14609114.html