OpenSSL 自签名证书颁发脚本 —— 筑梦之路

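#!/bin/bash
# openssl self-signed certificate generation script.
#
# Creates a private CA (ca.key/ca.crt), a server key and CSR for the entered
# FQDN, signs the CSR with the CA using the v3 extensions in v3.ext, then
# installs the result into /data/cert and /etc/docker/certs.d/<FQDN> and
# restarts docker.
# Inputs : two interactive prompts (organization, FQDN).
# Outputs: ca.key, ca.crt, ca.srl, <FQDN>.key/.csr/.crt/.cert, v3.ext in the
#          current directory, plus the copies listed above.
# Requires root for the /etc/docker and systemctl steps.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

command -v openssl >/dev/null || die "openssl not found"

# -r keeps backslashes in the input literal.
read -r -p "请输入你的组织:" organization
read -r -p "请输入你的域名:" FQ

# FQ is used as the certificate CN/SAN and as a path component
# (/etc/docker/certs.d/${FQ}), so restrict it to hostname characters; this
# rejects empty input, path separators and "..".
[[ "$FQ" =~ ^[A-Za-z0-9][A-Za-z0-9.-]*$ && "$FQ" != *..* ]] \
  || die "域名格式无效: ${FQ}"
[[ -n "$organization" ]] || die "组织不能为空"

readonly subj="/C=CN/ST=Beijing/L=Beijing/O=${organization}/OU=${organization}/CN=${FQ}"
readonly days=3650

# Every file openssl writes below (including the unencrypted private keys)
# is created owner-only; the public artifacts get wider modes when installed.
umask 077

# CA private key and self-signed CA certificate. -nodes leaves ca.key
# unencrypted, so its file mode is the only thing protecting it.
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days "$days" \
  -subj "$subj" \
  -key ca.key \
  -out ca.crt

# Server private key and certificate signing request.
openssl genrsa -out "${FQ}.key" 4096
openssl req -sha512 -new \
  -subj "$subj" \
  -key "${FQ}.key" \
  -out "${FQ}.csr"

# x509 v3 extensions for a leaf (non-CA) server certificate.
# NOTE(review): DNS.2 carries the organization name, as in the original; it is
# only a meaningful SAN if that name is itself a hostname.
cat > v3.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=${FQ}
DNS.2=${organization}
EOF

# Sign the CSR with the CA; extensions must be supplied here via -extfile,
# they are not carried over from the CSR.
openssl x509 -req -sha512 -days "$days" \
  -extfile v3.ext \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -in "${FQ}.csr" \
  -out "${FQ}.crt"

# Usage / installation steps.
echo "a. 将服务器证书${FQ}.crt和密钥${FQ}.key复制到cert或ssl目录下"
mkdir -p /data/cert
# Certificates are public (0644); the key stays owner-only (0600).
# Harbor's prepare step reads these as root; if a non-root consumer needs the
# key, adjust ownership rather than widening the mode.
install -m 644 "${FQ}.crt" /data/cert/
install -m 600 "${FQ}.key" /data/cert/

echo "b. 将服务器证书${FQ}.crt编码格式转换为${FQ}.cert,提供给Docker使用"
# Docker looks for a .cert file; the content is the same PEM certificate.
openssl x509 -inform PEM -in "${FQ}.crt" -out "${FQ}.cert"

echo "c. 将服务器证书、密钥和CA文件复制到Harbor主机上的Docker certificate文件夹中"
# Per-registry certificate directory used by the docker client.
mkdir -p "/etc/docker/certs.d/${FQ}"
install -m 644 "${FQ}.cert" "/etc/docker/certs.d/${FQ}/"
install -m 600 "${FQ}.key" "/etc/docker/certs.d/${FQ}/"
install -m 644 ca.crt "/etc/docker/certs.d/${FQ}/"

systemctl restart docker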


转载自blog.csdn.net/qq_34777982/article/details/125923740