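#!/bin/bash
#
# =============author W30============
# ====compile at 2018.03.09 18:03====
#
# Purpose: build a private CA under /etc/pki/CA (RHEL/CentOS layout) and
# issue one RSA server certificate signed by it into /opt/<Common_name>/ssl.
#
# Environment (all optional; the defaults are placeholders, set your own):
#   Company, EMAIL, Common_name, Province_name, City_name, Unit_name
#     subject fields used for both the CA and the server certificate
#   CA_common_name
#     CN of the CA certificate; defaults to Common_name for compatibility.
#     Set it to something distinct (e.g. "<Common_name> CA"): with identical
#     subject DNs, verifiers that match the issuer by name can mistake the
#     server certificate for a self-signed one.
#
# Outputs:
#   /etc/pki/CA/private/cakey.pem   CA private key (mode 0600)
#   /etc/pki/CA/cacert.pem          CA certificate, 10 years
#   /opt/<Common_name>/ssl/server_ssl.{key,csr,crt}
#
# WARNING: every run regenerates the CA key and wipes the CA database
# (index.txt, serial).  Certificates issued by a previous run can then no
# longer be chained to or revoked.  Do not re-run against a CA in use.
#
# NOTE: the server certificate carries only a CN and no subjectAltName, so
# current browsers/TLS clients will reject it for hostname validation.  Add
# the SAN extension (copy_extensions / -extfile) before using it for real.

set -u -o pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

# Only root may run this: it installs packages and writes under /etc/pki.
# Exit non-zero so a caller cannot mistake the refusal for success.
[ "$(id -u)" -eq 0 ] || die "Only root can execute this script."

# Certificate subject fields; override any of them through the environment.
: "${Company:=sanshi}"
: "${EMAIL:=sanshi@sanshi.com}"
: "${Common_name:=sanshi}"
: "${Province_name:=ZJ}"
: "${City_name:=HZ}"
: "${Unit_name:=tech}"
: "${CA_common_name:=$Common_name}"

# Common_name becomes a path component below; refuse anything that could
# escape /opt or produce an empty directory name.
case "$Common_name" in
  */*|.|..) die "Common_name must not contain '/' or be '.'/'..'" ;;
esac

store_ssl="/opt/$Common_name/ssl"
cnf=/etc/pki/tls/openssl.cnf
ca_dir=/etc/pki/CA

# Escape the characters openssl's -subj parser treats specially ('/'
# separates RDNs, '+' joins multi-valued RDNs, '\' escapes) so arbitrary
# field values cannot add or alter subject components.
subj_escape() { printf '%s' "$1" | sed 's#[/\\+]#\\&#g'; }

# Build the subject once so the CA and the server CSR agree on C/ST/O,
# which the default policy_match in openssl.cnf requires.
subject_for() {
  printf '/C=CN/ST=%s/L=%s/O=%s/OU=%s/CN=%s/emailAddress=%s' \
    "$(subj_escape "$Province_name")" "$(subj_escape "$City_name")" \
    "$(subj_escape "$Company")" "$(subj_escape "$Unit_name")" \
    "$(subj_escape "$1")" "$(subj_escape "$EMAIL")"
}
ca_subject=$(subject_for "$CA_common_name")
server_subject=$(subject_for "$Common_name")

# Dependencies: the subject is passed with -subj, so only openssl is needed
# (no more expect/tcl driving interactive prompts).
if ! rpm -q openssl >/dev/null 2>&1; then
  yum install -y openssl || die "depends do not be installed correct!"
fi

# Point openssl.cnf's CA "dir" at /etc/pki/CA if it is set elsewhere.
# The stock line looks like:  dir = /etc/pki/CA  # Where everything is kept
cur_dir=$(awk '/^dir.*kept$/ {print $3; exit}' "$cnf")
[ -n "$cur_dir" ] || die "Check the openssl.cnf to change cadir!!!!"
if [ "$cur_dir" != "$ca_dir" ]; then
  sed -i "s|^dir.*kept|dir = $ca_dir|" "$cnf" \
    || die "Check the openssl.cnf to change cadir!!!!"
fi

# ---- CA: fresh database, key and self-signed certificate ----------------
pushd "$ca_dir" >/dev/null || die "cannot cd to $ca_dir"
mkdir -p crl newcerts certs private || die "cannot create CA directories"
chmod 700 private
# Reset the issuance database; index.txt.attr is recreated by 'openssl ca'.
rm -f index.txt index.txt.attr serial
touch index.txt
echo 01 > serial
# umask 077 in a subshell keeps the key file 0600 without changing our umask.
(umask 077; openssl genrsa -out private/cakey.pem 2048) \
  || die "CA key generation failed"
openssl req -new -x509 -key private/cakey.pem -days 3650 \
  -subj "$ca_subject" -out cacert.pem \
  || die "CA certificate generation failed"
popd >/dev/null

# ---- Server: key, CSR, and signing by the CA ----------------------------
mkdir -p "$store_ssl" || die "cannot create $store_ssl"
pushd "$store_ssl" >/dev/null || die "cannot cd to $store_ssl"
(umask 077; openssl genrsa -out server_ssl.key 4096) \
  || die "server key generation failed"
openssl req -new -key server_ssl.key -subj "$server_subject" \
  -out server_ssl.csr || die "CSR generation failed"
# -batch answers the "Sign the certificate?" / "commit?" prompts, replacing
# the earlier 'yes y |' pipe, and fails cleanly instead of hanging.
if ! openssl ca -batch -in server_ssl.csr -out server_ssl.crt; then
  echo -e "\033[31m签名失败,请检查\033[0m" >&2
  exit 1
fi
echo -e "===========The ssl certs are in \033[35m${store_ssl}\033[0m============"
popd >/dev/null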