
Shell script that generates a self-signed SSL certificate


#!/bin/sh
#
# Creates a private CA root certificate, generates a server key and CSR, signs
# the CSR with that CA, strips the passphrase from the server key and prints
# the Apache SSL directives to use. An optional single argument overrides the
# output directory.
#
# NOTE(review): many openssl/mkdir/rm/chmod invocations below have no file-name
# operand (e.g. `openssl genrsa -des3 -out 1024`, `rm -f`, `chmod 400`); the
# names appear to have been lost from this listing. The surviving hints are
# `${sslOutputRoot}/server.*` and the `*.csr -> .crt` mapping in the case
# statement. Restore the operands before running; as written the commands fail
# or act on the wrong files.

# Root directory that receives every generated key/certificate file.
sslOutputRoot="/etc/apache_ssl"
# A single positional argument overrides the default output directory.
if [ $# -eq 1 ]; then
 sslOutputRoot=$1
fi
# Unquoted expansion: a directory name containing whitespace is split into
# several words here and in every later use of the variable.
if [ ! -d ${sslOutputRoot} ]; then
 mkdir -p ${sslOutputRoot}
fi

# No error check and no `set -e`: if this cd fails, everything below is
# written into the caller's current directory instead.
cd ${sslOutputRoot}

echo "Start create CA root certificate..."
#
# Create a CA root certificate, which is used later to sign the server
# certificate. If a commercial CA (e.g. Verisign or Thawte) signs the
# certificate instead, this root certificate is not needed: the content of
# the server .csr file generated below is pasted into the CA's web form, the
# signing fee is paid and the signed certificate is returned. Commercial CAs
# referenced by the original author (links lost from this listing):
# Verisign - /server/
# Thawte Consulting - /certs/server/
# CertiSign Certificadora Digital Ltda. -
# IKS GmbH - /produkte/ca /
# Uptime Commerce Ltd. -
# BelSign NV/SA -
#
# Generate the CA root certificate private key.
# -des3 encrypts the key with a passphrase prompted for interactively; the
# trailing 1024 is the RSA modulus size in bits, which is small by current
# standards (2048 or more is usual). The output file name is missing here.
openssl genrsa -des3 -out 1024

# Generate the CA root certificate (self-signed, valid 365 days).
# Fill in each field as prompted. The Common Name should preferably be a valid
# root domain name and must NOT be identical to the Common Name used in the
# server certificate request below, otherwise signing fails with
# "error 18 at 0 depth lookup:self signed certificate".
# Note that 365 days is shorter than the default_days = 3650 configured for
# the signed server certificates further down, so server certificates issued
# by this CA outlive the CA certificate itself.
openssl req -new -x509 -days 365 -key -out
echo "CA root certificate is created."

echo "Start generate server certificate signing file and private key..."
#
# Generate the server private key (same -des3 passphrase / 1024-bit remarks
# as for the CA key above; the output file name is missing here).
openssl genrsa -des3 -out 1024
# Generate the server certificate signing request (CSR). The Common Name
# should be the fully qualified domain name that will use the certificate.
# Input key and output CSR file names are missing here.
openssl req -new -key -out  
ls -altrh  ${sslOutputRoot}/server.*
echo "The server certificate signing file and private key have been generated."

echo "Start signing server certificates with CA root certificate signing files..."
#
# Sign the server CSR with the CA and produce the server certificate.
# See/docs/securing/
#  START
#
#  Sign a SSL Certificate Request (CSR)
#  Copyright (c) 1998-1999 Ralf S. Engelschall, All Rights Reserved.
#

# CSR to sign. Empty in this listing (presumably the server .csr generated
# above), so the case statement below always takes the `*` arm.
CSR=

# Derive the certificate file name: foo.csr -> foo.crt. The `*` arm's value
# `"$"` looks truncated (the variable name after `$` is missing), so CERT is
# the literal string "$" when CSR does not end in .csr.
case $CSR in
*.csr ) CERT="`echo $CSR | sed -e 's/\.csr/.crt/'`" ;;
* ) CERT="$" ;;
esac

#   make sure environment exists
# Creates the `openssl ca` working state: a certs directory, a serial file
# starting at 01 and an empty index (database) file. The path operands are
# missing in this listing; note that `[ ! -d ]` / `[ ! -f ]` with no operand
# evaluate to false, so as written these guards never run their body.
if [ ! -d ]; then
 mkdir
fi
if [ ! -f ]; then
 echo '01' >
fi
if [ ! -f ]; then
 cp /dev/null
fi

#   create an own SSLeay config
# If you need to modify the validity period of the certificate, please modify the default_days parameter below.
# Currently set to 10 years.
# Security notes on the config written below (the heredoc is file content,
# so the notes live here): `default_md = md5` signs with MD5, which is
# collision-prone and rejected by current TLS clients/browsers — use sha256;
# `policy_anything` only requires commonName, every other subject field is
# optional. The config file name after `cat >` is missing.
cat > <<EOT
[ ca ]
default_ca = CA_own
[ CA_own ]
dir = .
certs = ./certs
new_certs_dir = ./
database = ./
serial = ./
RANDFILE = ./
certificate = ./
private_key = ./
default_days = 3650
default_crl_days = 30
default_md = md5
preserve = no
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
EOT

#  sign the certificate
# $CSR and $CERT are unquoted, and neither command's exit status is checked;
# a failed signing or verification is only visible in the console output.
echo "CA signing: $CSR -> $CERT:"
openssl ca -config -out $CERT -infiles $CSR
echo "CA verifying: $CERT <-> CA cert"
openssl verify -CAfile ./certs/ $CERT

#  cleanup after SSLeay
# Removes the temporary CA database files (operands missing in this listing).
rm -f
rm -f
rm -f
#  END
echo "Use CA root certificate to sign the server certificate to sign the file."


# With a passphrase-protected key, Apache prompts for the passphrase on every
# start. The following lines remove that by re-writing the key unencrypted
# (comment them out to keep the passphrase). The resulting key is then
# protected only by filesystem permissions, so the chmod below matters.
echo "Remove the limitation that the key password must be entered manually when apache starts:"
# Back up the encrypted key first (source/destination names missing).
cp -f
# `openssl rsa -in <encrypted key> -out <plain key>` writes the key without
# encryption; file names are missing here.
openssl rsa -in -out
echo "Removal is complete."


# Restrict the (now unencrypted) server key to owner read-only.
# The file operand is missing in this listing.
chmod 400

# `echo -e` is not POSIX sh; under dash this prints "-e" literally rather
# than interpreting the \t escape.
echo "Now u can configure apache ssl with following:"
echo -e "\tSSLCertificateFile ${sslOutputRoot}/"
echo -e "\tSSLCertificateKeyFile ${sslOutputRoot}/"

#  die gracefully
# Always exits 0, even when an earlier openssl step failed.
exit 0