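#!/usr/bin/env bash
# Generate a private root CA and a CA-signed server and client
# certificate/key pair into ../certs (relative to the working directory):
#   ../certs/ca.key,     ca.crt      root CA   (4096-bit RSA, 3650 days)
#   ../certs/server.key, server.crt  leaf, CN=localhost (2048-bit RSA, 365 days)
#   ../certs/client.key, client.crt  leaf, CN=localhost (2048-bit RSA, 365 days)
# Both leaf certificates are verified against the CA at the end.
#
# If you are getting the error “Error Loading extension section v3_ca” using macOS on step 2,
# add the following to your /etc/ssl/openssl.cnf
# [ v3_ca ]
# basicConstraints = critical,CA:TRUE
# subjectKeyIdentifier = hash
# authorityKeyIdentifier = keyid:always,issuer:always
set -euo pipefail

readonly certs_dir=../certs

# Subject fields shared by every certificate:
#   C:  country code, IN = India
#   ST: state or province; "UK" does not match C=IN and is probably a typo
#       for an Indian state, kept as-is so the generated subjects are unchanged
#   L:  locality, Dehradun
#   O:  organization, VMware
# The CN is set per certificate ("Hemant Root CA" for the CA, "localhost" for
# the server and client leaves).
readonly subject_prefix="/C=IN/ST=UK/L=Dehradun/O=VMware"

die() { printf '%s\n' "$*" >&2; exit 1; }

# Scratch file holding the extensions for leaf certificates: `openssl x509 -req`
# copies no extensions from the CSR, and modern TLS stacks match the hostname
# against subjectAltName rather than CN, so each leaf gets a SAN equal to its CN.
ext_file=$(mktemp) || die "mktemp failed"

# Remove the scratch extension file and any CSR left behind by a failed step.
cleanup() {
  rm -f -- "$ext_file" server_signing_req.csr client_signing_req.csr
}
trap cleanup EXIT

#######################################
# Generate the CA private key and its self-signed certificate.
# Globals:   certs_dir, subject_prefix (read)
# Outputs:   $certs_dir/ca.key, $certs_dir/ca.crt
#######################################
gen_ca() {
  printf '%s\n' "Generate the ca certificate"
  openssl genrsa -out "$certs_dir/ca.key" 4096
  # ca.key can sign certificates trusted by everything that trusts ca.crt;
  # keep it readable by the owner only.
  chmod 600 -- "$certs_dir/ca.key"
  openssl req -x509 -sha256 -new -nodes -key "$certs_dir/ca.key" -days 3650 \
    -subj "$subject_prefix/CN=Hemant Root CA" -extensions v3_ca \
    -out "$certs_dir/ca.crt"
}

#######################################
# Generate a private key and a CA-signed certificate for one leaf.
# Globals:   certs_dir, subject_prefix, ext_file (read)
# Arguments: $1 - base name of the output files (server or client)
#            $2 - common name, also used as the DNS subjectAltName
# Outputs:   $certs_dir/$1.key, $certs_dir/$1.crt; the CSR is removed
#######################################
gen_leaf() {
  local name=$1
  local cn=$2
  local csr="${name}_signing_req.csr"
  printf 'generating %s certificate\n' "$name"
  openssl genrsa -out "$certs_dir/$name.key" 2048
  chmod 600 -- "$certs_dir/$name.key"
  openssl req -new -subj "$subject_prefix/CN=$cn" -key "$certs_dir/$name.key" -out "$csr"
  printf 'subjectAltName=DNS:%s\n' "$cn" > "$ext_file"
  openssl x509 -req -days 365 -in "$csr" \
    -CA "$certs_dir/ca.crt" -CAkey "$certs_dir/ca.key" -CAcreateserial \
    -extfile "$ext_file" -out "$certs_dir/$name.crt"
  # `del` is a cmd.exe command; on a POSIX shell the CSR must be removed with rm.
  rm -f -- "$csr"
}

#######################################
# Check that both leaf certificates chain to the CA.
# Globals:   certs_dir (read)
# Returns:   non-zero (and aborts under set -e) if either verification fails
#######################################
verify_leaves() {
  openssl verify -CAfile "$certs_dir/ca.crt" "$certs_dir/server.crt"
  openssl verify -CAfile "$certs_dir/ca.crt" "$certs_dir/client.crt"
}

main() {
  mkdir -p -- "$certs_dir"
  gen_ca
  gen_leaf server localhost
  gen_leaf client localhost
  verify_leaves
}
main "$@"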
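@echo off
setlocal
:: Generate a private root CA and a CA-signed server and client
:: certificate/key pair into ../certs (relative to the working directory).
:: cmd.exe counterpart of the bash script above: subjects use C=CN/O=VMware,
:: the CA CN is "Root CA" and both leaf CNs are host.docker.internal.
:: Every openssl step aborts the script on failure, so a broken CA step does
:: not silently continue into signing and verification.

:: Generate the CA private key and self-signed certificate
echo Generate the ca certificate
openssl genrsa -out ../certs/ca.key 4096 || exit /b 1
openssl req -x509 -sha256 -new -nodes -key ../certs/ca.key -days 3650 -subj "/C=CN/O=VMware/CN=Root CA" -extensions v3_ca -out ../certs/ca.crt || exit /b 1

:: Leaf certificates get a subjectAltName matching their CN: "openssl x509 -req"
:: copies no extensions from the CSR, and modern TLS stacks match the hostname
:: against SAN rather than CN. The extension file is removed at the end.
echo subjectAltName=DNS:host.docker.internal>leaf_ext.cnf

:: Generate the server private key and CA-signed certificate
echo generating server certificate
openssl genrsa -out ../certs/server.key 2048 || exit /b 1
openssl req -new -subj "/C=CN/O=VMware/CN=host.docker.internal" -key ../certs/server.key -out server_signing_req.csr || exit /b 1
openssl x509 -req -days 365 -in server_signing_req.csr -CA ../certs/ca.crt -CAkey ../certs/ca.key -CAcreateserial -extfile leaf_ext.cnf -out ../certs/server.crt || exit /b 1
del server_signing_req.csr

:: Generate the client private key and CA-signed certificate
echo generating client certificate
openssl genrsa -out ../certs/client.key 2048 || exit /b 1
openssl req -new -subj "/C=CN/O=VMware/CN=host.docker.internal" -key ../certs/client.key -out client_signing_req.csr || exit /b 1
openssl x509 -req -days 365 -in client_signing_req.csr -CA ../certs/ca.crt -CAkey ../certs/ca.key -CAcreateserial -extfile leaf_ext.cnf -out ../certs/client.crt || exit /b 1
del client_signing_req.csr
del leaf_ext.cnf

:: Verify that both leaf certificates chain to the CA
openssl verify -CAfile ../certs/ca.crt ../certs/server.crt || exit /b 1
openssl verify -CAfile ../certs/ca.crt ../certs/client.crt || exit /b 1
endlocal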