Shellスクリプトの実現によりSSL自己署名証明書を生成する。

#!/bin/sh

#
# ssl         。

sslOutputRoot="/etc/apache_ssl"

if [ $# -eq 1 ]; then

 sslOutputRoot=$1

fi

if [ ! -d ${sslOutputRoot} ]; then

 mkdir -p ${sslOutputRoot}

fi
cd ${sslOutputRoot}
echo "    CA   ..."

#

#   CA   ，              。        CA 

# Verisign   Thawte     ，            ，    

#           csr         web  ，       

#        。     CA        ： 

# Verisign - http://digitalid.verisign.com/server/apacheNotice.htm 

# Thawte Consulting - http://www.thawte.com/certs/server/request.html 

# CertiSign Certificadora Digital Ltda. - http://www.certisign.com.br 

# IKS GmbH - http://www.iks-jena.de/produkte/ca / 

# Uptime Commerce Ltd. - http://www.uptimecommerce.com 

# BelSign NV/SA - http://www.belsign.be 

#   CA     

openssl genrsa -des3 -out ca.key 1024
#   CA   

#           ,     Common Name         (  zeali.net ),

#                        Common Name     ，   

#             

# error 18 at 0 depth lookup:self signed certificate   

openssl req -new -x509 -days 365 -key ca.key -out ca.crt 

echo "CA       。"
echo "                 ..."

#

#        

openssl genrsa -des3 -out server.key 1024 

#              , Common Name               

# (  : security.zeali.net )

openssl req -new -key server.key -out server.csr  

ls -altrh  ${sslOutputRoot}/server.*

echo "                。"
echo "    CA               ..."

#

#        ，  server.crt  

#    http://www.faqs.org/docs/securing/chap24sec195.html

#  sign.sh START

#

#  Sign a SSL Certificate Request (CSR)

#  Copyright (c) 1998-1999 Ralf S. Engelschall, All Rights Reserved. 

#
CSR=server.csr
case $CSR in

*.csr ) CERT="`echo $CSR | sed -e 's/\.csr/.crt/'`" ;;

* ) CERT="$CSR.crt" ;;

esac
#   make sure environment exists

if [ ! -d ca.db.certs ]; then

 mkdir ca.db.certs

fi

if [ ! -f ca.db.serial ]; then

 echo '01' >ca.db.serial

fi

if [ ! -f ca.db.index ]; then

 cp /dev/null ca.db.index

fi
#   create an own SSLeay config

#              ，       default_days   .

#      10 .

cat >ca.config <<EOT

[ ca ]

default_ca = CA_own

[ CA_own ]

dir = .

certs = ./certs

new_certs_dir = ./ca.db.certs

database = ./ca.db.index

serial = ./ca.db.serial

RANDFILE = ./ca.db.rand

certificate = ./ca.crt

private_key = ./ca.key

default_days = 3650

default_crl_days = 30

default_md = md5

preserve = no

policy = policy_anything

[ policy_anything ]

countryName = optional

stateOrProvinceName = optional

localityName = optional

organizationName = optional

organizationalUnitName = optional

commonName = supplied

emailAddress = optional

EOT
#  sign the certificate

echo "CA signing: $CSR -> $CERT:"

openssl ca -config ca.config -out $CERT -infiles $CSR

echo "CA verifying: $CERT <-> CA cert"

openssl verify -CAfile ./certs/ca.crt $CERT
#  cleanup after SSLeay 

rm -f ca.config

rm -f ca.db.serial.old

rm -f ca.db.index.old

#  sign.sh END

echo "  CA                。"


#     ssl   ，     apache       server.key    ，

#                 (                )：

echo "   apache                 :"

cp -f server.key server.key.org

openssl rsa -in server.key.org -out server.key

echo "    。"


#    server.key    ，      

chmod 400 server.key
echo "Now u can configure apache ssl with following:"

echo -e "\tSSLCertificateFile ${sslOutputRoot}/server.crt"

echo -e "\tSSLCertificateKeyFile ${sslOutputRoot}/server.key"
#  die gracefully

exit 0