先制作一个假的CA机构
#!/bin/bash
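# Prompt until a non-empty line is read and store it in the named global.
# Arguments: $1 - name of the variable to set; $2 - prompt text;
#            $3 - label used in the "cannot be empty" message.
# Exits 1 when stdin is exhausted before a value is given; the previous loop
# kept re-prompting forever once read hit end-of-file.
_prompt_nonempty() {
  local var_name=$1 prompt=$2 label=$3 value
  while true; do
    # A last line without a trailing newline makes read fail but still fills
    # value, so only an empty read at EOF counts as "no input left".
    if ! read -r -p "$prompt" value && [[ -z "$value" ]]; then
      printf '%s\n' "Input ended before ${label} was provided." >&2
      exit 1
    fi
    if [[ -n "$value" ]]; then
      printf -v "$var_name" '%s' "$value"
      return 0
    fi
    echo "${label} cannot be empty, please try again!"
  done
}

# Collect the root certificate name and subject fields into the globals
# cert_name, country, state, location, organization and common_name.
# cert_name is later used as a file-name prefix and the other values are
# spliced into openssl's -subj string, so a value containing '/' would change
# the output path or split the DN; this function only rejects empty input.
# read -r keeps backslashes literal instead of treating them as escapes.
read_input() {
  _prompt_nonempty cert_name "Enter the name of the root certificate (e.g., MyCorp_CA): " "Certificate name"
  _prompt_nonempty country "Enter the country code (e.g., CN): " "Country code"
  _prompt_nonempty state "Enter the state or province (e.g., Shanghai): " "State or province"
  _prompt_nonempty location "Enter the city or location (e.g., Shanghai): " "City or location"
  _prompt_nonempty organization "Enter the organization name (e.g., MyCorp): " "Organization name"
  _prompt_nonempty common_name "Enter the common name (e.g., MyCorp_CA): " "Common name"
}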
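# Construct the DN string
# Builds "/C=…/ST=…/L=…/O=…/CN=…" from the globals country, state, location,
# organization and common_name and prints it on stdout.
# Returns 0. The intermediate variable is now local; it used to leak into the
# caller's scope as a global named dn.
create_dn_string() {
  local dn="/C=${country}/ST=${state}/L=${location}/O=${organization}/CN=${common_name}"
  echo "$dn"
}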
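# Generate the root certificate private key
# Writes a 4096-bit RSA key to ${cert_name}.key. Diagnostics go to stderr;
# the command status is tested directly instead of through $?.
# Exits 1 if openssl fails. This key signs everything the root vouches for,
# so restrict access to the file once it exists.
generate_private_key() {
  if ! openssl genrsa -out "${cert_name}.key" 4096; then
    echo "Failed to generate the private key." >&2
    exit 1
  fi
  echo "Private key generated: ${cert_name}.key"
}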
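# Create the root certificate CSR
# Builds the subject from create_dn_string and writes ${cert_name}.csr using
# ${cert_name}.key. The DN assignment is split from the local declaration so
# a failure of create_dn_string is not masked by local's own status.
# Exits 1 if the DN cannot be built or openssl fails.
generate_csr() {
  local dn
  dn=$(create_dn_string) || {
    echo "Failed to build the subject DN." >&2
    exit 1
  }
  if ! openssl req -new -key "${cert_name}.key" -subj "$dn" -out "${cert_name}.csr"; then
    echo "Failed to create the CSR." >&2
    exit 1
  fi
  echo "CSR generated: ${cert_name}.csr"
}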
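# Self-sign the root certificate
# Produces ${cert_name}.crt, valid for 730 days, signed with ${cert_name}.key.
# Exits 1 if openssl fails.
# NOTE(review): no -extfile is passed, so the root is written without
# basicConstraints=CA:TRUE or keyUsage=keyCertSign. Some TLS clients will not
# build a chain through a CA certificate lacking those extensions — confirm
# against the clients that are meant to trust this root.
self_sign_certificate() {
  if ! openssl x509 -req -days 730 -in "${cert_name}.csr" -signkey "${cert_name}.key" -out "${cert_name}.crt"; then
    echo "Failed to self-sign the certificate." >&2
    exit 1
  fi
  echo "Self-signed certificate generated: ${cert_name}.crt"
}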
# Show the generated files
# Prints a heading followed by a long listing of every ${cert_name}.* file
# in the current directory (key, CSR and certificate when all steps ran).
show_generated_files() {
  local file_prefix=$cert_name
  printf '%s\n' "Root certificate generated:"
  ls -l "${file_prefix}".*
}
# Entry point: prompt for the subject, then key -> CSR -> self-signed cert,
# and finally list the files. The key, CSR and signing steps exit the
# script themselves on failure, so no status handling is needed here.
main() {
  local step
  for step in read_input generate_private_key generate_csr self_sign_certificate show_generated_files; do
    "$step"
  done
}
main
根据假的CA机构生成你的IP/域名的假证书
#!/bin/bash
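# Read user input and validate
# Prompt until a non-empty line is read and store it in the named global.
# Arguments: $1 - name of the variable to set; $2 - prompt text;
#            $3 - label used in the "cannot be empty" message.
# Exits 1 when stdin is exhausted before a value is given; the previous loop
# kept re-prompting forever once read hit end-of-file.
_prompt_nonempty() {
  local var_name=$1 prompt=$2 label=$3 value
  while true; do
    # A last line without a trailing newline makes read fail but still fills
    # value, so only an empty read at EOF counts as "no input left".
    if ! read -r -p "$prompt" value && [[ -z "$value" ]]; then
      printf '%s\n' "Input ended before ${label} was provided." >&2
      exit 1
    fi
    if [[ -n "$value" ]]; then
      printf -v "$var_name" '%s' "$value"
      return 0
    fi
    echo "${label} cannot be empty, please try again!"
  done
}

# Collect the server certificate parameters into the globals
# server_cert_name, country, state, location, organization, common_name,
# ip_address, dns_name and ca_cert_name. server_cert_name and ca_cert_name
# become file-name prefixes, the subject fields go into openssl's -subj
# string and ip_address/dns_name are written verbatim into the .ext file, so
# only emptiness is checked here — no format validation of the IP or name.
# read -r keeps backslashes literal instead of treating them as escapes.
read_input() {
  _prompt_nonempty server_cert_name "Enter the name of the server certificate (e.g., mytest.mycrop.mymain): " "Server certificate name"
  _prompt_nonempty country "Enter the country code (e.g., CN): " "Country code"
  _prompt_nonempty state "Enter the state or province (e.g., Shanghai): " "State or province"
  _prompt_nonempty location "Enter the city or location (e.g., Shanghai): " "City or location"
  _prompt_nonempty organization "Enter the organization name (e.g., MyCorp): " "Organization name"
  _prompt_nonempty common_name "Enter the common name, recommend server_cert_name and common_name be the same (e.g., mytest.mycrop.mymain): " "Common name"
  _prompt_nonempty ip_address "Enter the IP address (e.g., 192.168.9.52): " "IP address"
  _prompt_nonempty dns_name "Enter the DNS name (e.g., mytest.mycrop.mymain): " "DNS name"
  _prompt_nonempty ca_cert_name "Enter the name of the CA certificate (e.g., MyCorp_CA): " "CA certificate name"
}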
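# Create .ext configuration file
# Writes ${server_cert_name}.ext from the globals country, state, location,
# organization, ip_address and dns_name. Of the sections written, only
# [ SAN ] (via -extensions SAN) and the [ alt_names ] it points to are used
# by this script's signing command; the [ req ], [ req_distinguished_name ]
# and [ v3_ca ] sections are not referenced by any command here, so as far
# as this script goes the signed certificate carries subjectAltName only
# (no keyUsage / extendedKeyUsage).
# Exits 1 if the file cannot be written — previously a failed write was
# ignored and only surfaced later as a missing -extfile.
create_ext_file() {
  local ext_file="${server_cert_name}.ext"
  if ! cat > "$ext_file" <<EOF
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
C = $country
ST = $state
L = $location
O = $organization
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
IP.1 = $ip_address
DNS.1 = $dns_name
[ v3_ca ]
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
[ SAN ]
subjectAltName = @alt_names
EOF
  then
    echo "Failed to write ${ext_file}." >&2
    exit 1
  fi
}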
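# Generate private key
# Writes a 4096-bit RSA key to ${server_cert_name}.key. Diagnostics go to
# stderr; the command status is tested directly instead of through $?.
# Exits 1 if openssl fails.
generate_private_key() {
  if ! openssl genrsa -out "${server_cert_name}.key" 4096; then
    echo "Failed to generate the private key." >&2
    exit 1
  fi
  echo "Private key generated: ${server_cert_name}.key"
}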
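# Generate CSR
# Builds the subject from the globals country, state, location, organization
# and common_name and writes ${server_cert_name}.csr (SHA-256) using
# ${server_cert_name}.key. No -config is passed, so the .ext file plays no
# part in this request. Exits 1 if openssl fails.
generate_csr() {
  local dn="/C=${country}/ST=${state}/L=${location}/O=${organization}/CN=${common_name}"
  if ! openssl req -new -key "${server_cert_name}.key" -subj "$dn" -sha256 -out "${server_cert_name}.csr"; then
    echo "Failed to create the CSR." >&2
    exit 1
  fi
  echo "CSR generated: ${server_cert_name}.csr"
}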
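# Sign the server certificate using the CA
# Signs ${server_cert_name}.csr with ${ca_cert_name}.crt / ${ca_cert_name}.key,
# valid 730 days, applying the [ SAN ] section of ${server_cert_name}.ext.
# -CAcreateserial also creates a serial file next to the CA certificate
# (presumably ${ca_cert_name}.srl — verify on the openssl version in use).
# Exits 1 if either CA file is missing or openssl fails.
sign_certificate() {
  local ca_cert="${ca_cert_name}.crt"
  local ca_key="${ca_cert_name}.key"
  if [[ ! -f "$ca_cert" || ! -f "$ca_key" ]]; then
    echo "Error: CA certificate or private key file not found ($ca_cert or $ca_key)" >&2
    exit 1
  fi
  if ! openssl x509 -req -days 730 -in "${server_cert_name}.csr" -CA "$ca_cert" -CAkey "$ca_key" -CAcreateserial -sha256 -out "${server_cert_name}.crt" -extfile "${server_cert_name}.ext" -extensions SAN; then
    echo "Failed to sign the server certificate." >&2
    exit 1
  fi
  echo "Server certificate signed: ${server_cert_name}.crt"
}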
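# Verify that the certificate and private key match
# Reads the RSA modulus of ${server_cert_name}.crt and ${server_cert_name}.key
# and compares them; the MD5 of each modulus is printed as before.
# Each openssl call is checked on its own: previously both pipelines hashed
# an empty string when a file was missing or unreadable, the two hashes were
# equal, and a non-existent certificate was reported as a successful match.
# Exits 1 on a read failure or a mismatch.
verify_cert_and_key() {
  local cert_mod key_mod cert_modulus key_modulus
  cert_mod=$(openssl x509 -noout -modulus -in "${server_cert_name}.crt") || {
    echo "Error: could not read the modulus of ${server_cert_name}.crt" >&2
    exit 1
  }
  key_mod=$(openssl rsa -noout -modulus -in "${server_cert_name}.key") || {
    echo "Error: could not read the modulus of ${server_cert_name}.key" >&2
    exit 1
  }
  # Hash what the original pipeline hashed: the modulus line plus newline.
  cert_modulus=$(printf '%s\n' "$cert_mod" | openssl md5)
  key_modulus=$(printf '%s\n' "$key_mod" | openssl md5)
  if [[ "$cert_mod" == "$key_mod" ]]; then
    echo "The certificate and private key match successfully!"
    echo "MD5(Certificate) = $cert_modulus"
    echo "MD5(Private Key) = $key_modulus"
  else
    echo "Error: The certificate and private key do not match!" >&2
    echo "MD5(Certificate) = $cert_modulus" >&2
    echo "MD5(Private Key) = $key_modulus" >&2
    exit 1
  fi
}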
# Main function
# Entry point: prompt, write the .ext file, then key -> CSR -> CA-signed cert
# -> key/cert consistency check. Every step after read_input exits the
# script itself on failure, so no status handling is needed here.
main() {
  local step
  for step in read_input create_ext_file generate_private_key generate_csr sign_certificate verify_cert_and_key; do
    "$step"
  done
}
# Execute the main function
main
在Debian上安装这个证书
#!/bin/bash
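# Copy the certificate into the system CA directory.
# Arguments: $1 - path to the .crt file (update-ca-certificates appears to
#            require the .crt suffix — confirm on the target release).
# '--' keeps a path starting with '-' from being parsed as a cp option.
# Exits 1 if the copy fails, so the later config check cannot report
# success for a file that never arrived.
copy_cert() {
  if ! sudo cp -- "$1" /usr/share/ca-certificates/; then
    printf 'Failed to copy %s to /usr/share/ca-certificates/\n' "$1" >&2
    exit 1
  fi
}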
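# Rebuild the system trust store from the configured certificates.
# Exits 1 if update-ca-certificates fails; its status used to be ignored and
# main then went on to report the result of the config check anyway.
update_certs() {
  if ! sudo update-ca-certificates; then
    printf '%s\n' "update-ca-certificates failed" >&2
    exit 1
  fi
}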
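# Report whether the last line of the ca-certificates config names $1.
# Arguments: $1 - entry to look for (e.g. MyCorp_CA.crt or !MyCorp_CA.crt);
#            $2 - optional config file, defaults to /etc/ca-certificates.conf.
# Returns 0 when the last line contains $1 as a literal string.
# -F makes '.' in the name literal (it was a regex metacharacter before, so
# MyCorp.CA.crt also matched MyCorpXCA.crt); '--' protects a leading '-'.
check_cert() {
  local entry=$1 conf=${2:-/etc/ca-certificates.conf}
  tail -n 1 "$conf" | grep -qF -- "$entry"
}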
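# Open the interactive ca-certificates selection dialog.
# Exits 1 if dpkg-reconfigure fails or is aborted; the status used to be
# silently dropped.
configure_trust() {
  if ! sudo dpkg-reconfigure ca-certificates; then
    printf '%s\n' "dpkg-reconfigure ca-certificates failed" >&2
    exit 1
  fi
}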
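# Back up /etc/ca-certificates.conf and append an entry for $1.
# Arguments: $1 - entry to append (the certificate file name).
# The entry is handed to the root shell as a positional parameter instead of
# being spliced into the -c string: previously a value containing a quote or
# ';' would have been parsed as shell code and executed as root. '_' fills
# $0 of the inner shell. Exits 1 if the backup or the append fails.
add_cert_manually() {
  if ! sudo bash -c 'cp /etc/ca-certificates.conf /etc/ca-certificates.conf.backup && printf "%s\n" "$1" >> /etc/ca-certificates.conf' _ "$1"; then
    printf 'Failed to append %s to /etc/ca-certificates.conf\n' "$1" >&2
    exit 1
  fi
}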
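# Install a CA certificate into the Debian system trust store.
# Arguments: $1 - optional certificate file name; defaults to MyCorp_CA.crt,
#            the example name used when the root certificate was created.
# Flow: copy into /usr/share/ca-certificates, run update-ca-certificates,
# then inspect the last line of /etc/ca-certificates.conf: a plain entry is
# treated as enabled; an entry prefixed with '!' is presumably a deselected
# one (verify against the conf file's own header) and is handed to the
# interactive dpkg-reconfigure; otherwise the entry is appended by hand and
# the store rebuilt again.
# Once installed, anything signed by the matching private key is accepted by
# this host, so that key must stay off the machines that trust the root.
main() {
  local cert_path=${1:-MyCorp_CA.crt}
  copy_cert "$cert_path"
  update_certs
  if check_cert "$cert_path"; then
    echo "add successfully"
  elif check_cert "!$cert_path"; then
    configure_trust
  else
    add_cert_manually "$cert_path"
    update_certs
  fi
}
main "$@"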
在浏览器安装,比如Firefox
[Settings] > [Privacy & Security] > [View Certificates] > [Import] >…