cli: add generate cert script

haixuxu · Mar 28, 2024 · 2bcd814 · 2bcd814
1 parent 8a3e195
commit 2bcd814
Show file tree

Hide file tree

Showing 7 changed files with 126 additions and 58 deletions.
diff --git a/.gitignore b/.gitignore
@@ -21,5 +21,7 @@
 go.work
 
 etc/certs
+scripts/certs
+certs
 .DS_Store
 release
diff --git a/README.md b/README.md
@@ -3,13 +3,13 @@
 Gwk is a tool that helps you expose your local servers or services to the
 internet, even in a private network. It supports both TCP and subdomain modes.
 
-# build
+## build
 
 ```bash
 bash build.sh
 ```
 
-# usage
+## usage
 
 serverHost default is `gank.75cos.com`
 
@@ -18,7 +18,7 @@ serverHost default is `gank.75cos.com`
 gwk
 ```
 
-# client more  example
+## client more  example
 
 ```bash
 # example 2
@@ -29,10 +29,28 @@ gwk  --subdomain testabc001 --port 8000
 gwk  -c client.json
 ```
 
-# client
+## develop 
+
+
+1. generate root CA
+
+```bash
+bash ./scripts/gen_rootca.sh
+```
+
+2. generate domain cert
 
 ```bash
-go run ./bin/gwk/main.go  -c client.json
+bash ./scripts/gen_certbyca.sh
+```
+
+3. move `certs` to `etc` directory
+
+
+## client
+
+```bash
+go run ./bin/gwk/main.go  -c etc/client.json
 ```
 
 client.json
@@ -66,22 +84,24 @@ client.json
 }
 ```
 
-# setup a gwk server
+## setup a gwk server
 
 ```bash
-go run ./bin/gwkd/main.go  -c server.json
+go run ./bin/gwkd/main.go  -c etc/server.json
 ```
 
 server.json
 
 ```json
 {
-  "serverHost": "gwk007.com",
+  "serverHost": "gank007.com",
   "serverPort": 4443,
-  "httpAddr": 80,
-  "httpsAddr": 443,
-  "tlsCA": "./rootCA/rootCA.crt",
-  "tlsCrt": "./cert/my.crt",
-  "tlsKey": "./cert/my.key.pem"
+  "httpAddr": 8080,
+  "httpsAddr": 8043,
+  "tlsCA":"./scripts/certs/rootCA.crt",
+  "tlsCrt":"./scripts/certs/gank007.com/my.crt",
+  "tlsKey":"./scripts/certs/gank007.com/my.key.pem"
 }
+
 ```
+
diff --git a/build.sh b/build.sh
diff --git a/etc/client.json b/etc/client.json
@@ -1,5 +1,5 @@
 {
-  "serverHost":"gank.75cos.com",
+  "serverHost":"gank007.com",
   "serverPort":4443,
   "tunnels":{
     "tcp001":{

diff --git a/etc/server.json b/etc/server.json
@@ -3,7 +3,7 @@
   "serverPort": 4443,
   "httpAddr": 8080,
   "httpsAddr": 8043,
-  "tlsCA":"./etc/certs/rootCA.crt",
-  "tlsCrt":"./etc/certs/gank007.com/my.crt",
-  "tlsKey":"./etc/certs/gank007.com/my.key.pem"
+  "tlsCA":"./scripts/certs/rootCA.crt",
+  "tlsCrt":"./scripts/certs/gank007.com/my.crt",
+  "tlsKey":"./scripts/certs/gank007.com/my.key.pem"
 }
diff --git a/scripts/gen_certbyca.sh b/scripts/gen_certbyca.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+# 定义变量
+country="CN"
+organization="gwk007"
+common_name="gank007.com"
+dns_names=("*.gank007.com" "gank007.com")
+
+cwd=`pwd`
+
+outdir="${cwd}/certs/gank007.com"
+
+rootcakey="./certs/rootCA.key.pem"
+rootcacrt="./certs/rootCA.crt"
+
+mkdir -p $outdir
+
+subcert_key="${outdir}/my.key.pem"
+subcert_csr="${outdir}/my.csr"
+subcert_crt="${outdir}/my.crt"
+
+# 生成子证书的私钥
+openssl genpkey -algorithm RSA -out $subcert_key
+
+# 生成证书签名请求
+openssl req -new \
+    -key $subcert_key \
+    -out $subcert_csr \
+    -subj "/C=$country/O=$organization/CN=$common_name"
+
+# 创建扩展配置文件
+echo -e "authorityKeyIdentifier=keyid,issuer\nbasicConstraints=CA:FALSE\nkeyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment\nsubjectAltName = @alt_names\n\n[alt_names]" > sub.ext
+
+# 添加DNS条目到扩展配置文件
+index=1
+for dns in "${dns_names[@]}"; do
+  echo "DNS.$index = $dns" >> sub.ext
+  index=$((index + 1))
+done
+
+# 使用根证书签发子证书
+openssl x509 -req \
+    -in $subcert_csr \
+    -CA $rootcacrt \
+    -CAkey $rootcakey \
+    -CAcreateserial -out $subcert_crt \
+    -extfile sub.ext
+
+
+rm -f sub.ext
+# 输出成功信息
+echo "子证书生成成功！"
+
+echo "子证书的私钥: $subcert_key"
+echo "子证书的CSR: $subcert_csr"
+echo "子证书的证书: $subcert_crt"
+
diff --git a/scripts/gen_rootca.sh b/scripts/gen_rootca.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# 定义变量
+country="CN"
+organization="xuxihai"
+common_name="gwkbyxuxihai"
+
+cwd=`pwd`
+
+outdir="${cwd}/certs"
+rootcakey=$outdir/rootCA.key.pem
+rootcacrt=$outdir/rootCA.crt
+
+mkdir -p $outdir
+
+# 生成根证书的私钥
+openssl genpkey -algorithm RSA -out $rootcakey
+
+# 生成自签名的根证书
+openssl req -new -x509 \
+    -key $rootcakey \
+    -out $rootcacrt \
+    -subj "/C=$country/O=$organization/CN=$common_name"
+
+rm -f "${outdir}/rootCA.srl"
+# 输出成功信息
+echo "根证书生成成功!"
+echo "根证书的私钥: $rootcakey"
+echo "自签名根证书: $rootcacrt"
+