openssl 证书脚本
作者:
Joening | 来源:发表于
2024-07-21 10:11 被阅读0次
#!/bin/bash
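# Generate one self-signed certificate whose subjectAltName covers every domain
# listed in a file (one bare hostname per line), each as "name" and "*.name".
# Usage: <script> domains.txt
# Writes cvessel.key (reused if present), cvessel.csr and cvessel.crt to the
# current directory.
#
# Security notes for whoever deploys the result:
#   - One private key covers every listed domain and all of their subdomains,
#     so a leak of cvessel.key exposes all of them at once.
#   - The certificate is self-signed: clients must be configured to trust it
#     explicitly, and there is no issuing CA that could revoke it.

# Abort on the first failing command or unset variable, so a failed openssl
# step can never be followed by the "certificate generated" message.
set -euo pipefail

# Require exactly one argument: the domain list.
if [ "$#" -ne 1 ]; then
  echo "Usage: $0 domains.txt" >&2
  exit 1
fi
DOMAIN_FILE=$1

# The domain list must be an existing regular file.
if [ ! -f "${DOMAIN_FILE}" ]; then
  echo "Domain file ${DOMAIN_FILE} does not exist." >&2
  exit 1
fi

# Settings.
# 7300 days is roughly 20 years. With no revocation path, a leaked key stays
# usable until expiry or until every client drops the certificate from its
# trust store; shorten this if the certificate can be rotated.
DAYS=7300
KEY_FILE="cvessel.key"
CSR_FILE="cvessel.csr"
CERT_FILE="cvessel.crt"

# Read and validate the domain list before anything is written.
# Every accepted line is copied into the OpenSSL config below, so only plain
# DNS hostnames (letters, digits, hyphens, dot-separated labels) are allowed;
# this keeps config metacharacters such as '$', '[' or '=' out of the file.
HOSTNAME_RE='^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'
domains=()
# "|| [ -n ... ]" keeps a final line that has no trailing newline.
while IFS= read -r domain || [ -n "${domain}" ]; do
  domain=${domain%$'\r'}          # tolerate CRLF line endings
  [ -n "${domain}" ] || continue  # skip blank lines
  if [[ ! "${domain}" =~ ${HOSTNAME_RE} ]]; then
    echo "Invalid domain name in ${DOMAIN_FILE}: ${domain}" >&2
    exit 1
  fi
  domains+=("${domain}")
done < "${DOMAIN_FILE}"

if [ "${#domains[@]}" -eq 0 ]; then
  echo "Domain file ${DOMAIN_FILE} contains no domain names." >&2
  exit 1
fi

# Generate the private key only if it does not exist yet.
# The umask is tightened in a subshell so the key is created owner-only while
# the CSR and certificate keep the caller's normal permissions.
# NOTE(review): an existing cvessel.key is reused as-is; its permissions are
# not checked here.
if [ ! -f "${KEY_FILE}" ]; then
  (
    umask 077
    openssl genpkey -algorithm RSA -out "${KEY_FILE}" -pkeyopt rsa_keygen_bits:2048
  )
fi

# Build the OpenSSL config in a private temp file that is removed on every exit
# path, instead of a fixed name in the working directory that could clobber an
# existing file or be left behind when a step fails.
CONFIG_FILE=$(mktemp "${TMPDIR:-/tmp}/cvessel.cnf.XXXXXX")
trap 'rm -f -- "${CONFIG_FILE}"' EXIT

{
  cat <<EOL
[ req ]
default_bits = 2048
default_keyfile = ${KEY_FILE}
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
C = US
ST = California
L = San Francisco
O = Example Inc.
CN = ${domains[0]}
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
EOL
  # Two SAN entries per domain: the wildcard and the bare name.
  i=1
  for domain in "${domains[@]}"; do
    echo "DNS.$i = *.$domain"
    i=$((i+1))
    echo "DNS.$i = $domain"
    i=$((i+1))
  done
} > "${CONFIG_FILE}"

# Create the certificate signing request (CSR).
openssl req -new -key "${KEY_FILE}" -out "${CSR_FILE}" -config "${CONFIG_FILE}"

# Self-sign the CSR; -extensions/-extfile copy the SAN list into the certificate.
openssl x509 -req -days "${DAYS}" -in "${CSR_FILE}" -signkey "${KEY_FILE}" -out "${CERT_FILE}" -extensions req_ext -extfile "${CONFIG_FILE}"

echo "自签名的泛域名证书已生成:"
echo "私钥: ${KEY_FILE}"
echo "证书签名请求: ${CSR_FILE}"
echo "证书: ${CERT_FILE}"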