双向TLS证书

#!/bin/bash
COUNTRY=CN
PROVINCE=jiangsu
CITY=Suzhou
ORGANIZATION=Test
GROUP=Devops
HOST=test.com
SUBJ="/C=$COUNTRY/ST=$PROVINCE/L=$CITY/O=$ORGANIZATION/OU=$GROUP/CN=$HOST"

#============================================#
#                   签发根证书               #
#============================================#
openssl genrsa -out my_root_ca.key 2048
faketime '1970-01-01 00:00:00' /bin/bash -c "openssl req -x509 -new -nodes -key my_root_ca.key -sha256 -days 365000 -out my_root_ca.pem -subj $SUBJ"

#============================================#
#          用根证书签发server端证书          #
#============================================#
openssl genrsa -out emqx.key 2048
cat <<EOF >openssl.cnf
[req]
default_bits  = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
countryName = CN
stateOrProvinceName = jinagsu
localityName = suz
organizationName = devops
commonName = dreame.com
[req_ext]
subjectAltName = @alt_names
[v3_req]
subjectAltName = @alt_names
[alt_names]
IP.1 = 127.0.0.1
DNS.1 = dreame.com
DNS.2 = $HOST
DNS.3 = *.com

EOF
openssl req -new -key ./emqx.key -config openssl.cnf -out emqx.csr
faketime '1970-01-01 00:00:00' /bin/bash -c 'openssl x509 -req -in ./emqx.csr -CA my_root_ca.pem -CAkey my_root_ca.key -CAcreateserial -out emqx.pem -days 365000 -sha256 -extensions v3_req -extfile openssl.cnf'

#============================================#
#          用根证书签发client端证书          #
#============================================#

openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr -subj "/C=CN/ST=Zhejiang/L=Hangzhou/O=EMQX/CN=client"
faketime '1970-01-01 00:00:00' /bin/bash -c 'openssl x509 -req -days 365000 -in client.csr -CA my_root_ca.pem -CAkey my_root_ca.key -CAcreateserial -out client.pem'