这是几个用来签发证书的脚本。注意需要先安装 gnutls（提供 certtool）才能使用；主要是当时为了 ocserv 而写，纯属偷懒。基本上，你只要按 ./cert-client.sh your-user-name 这种格式运行，就会自动生成 your-user-name-key.pem / your-user-name-cert.pem / your-user-name.p12。
cn = test
o = "Tyrael Ltd."
email = test@abc.org
# Client certificate template for certtool (gnutls), consumed by cert-client.sh.
# NOTE: cert-client.sh rewrites this file by line number with sed ("1c" -> cn,
# "3c" -> email), so the first three lines must stay exactly where they are;
# everything from here down may be edited freely.
# dns_name duplicates the VPN server name; a TLS client certificate does not
# need a DNS SAN — presumably copied from the server template, confirm before use.
dns_name = "anyconnect.abc.org"
country = CN
state = "Shanghai"
# NOTE(review): every client issued from this template gets serial 3. Serials
# must be unique under one CA (revocation lists are keyed by serial), so set
# this per user, or drop the line if the installed certtool picks a random
# serial when it is omitted — confirm for your gnutls version.
serial = 3
expiration_days = 3650
signing_key
encryption_key #only if the generated key is an RSA one
# Presumably only tls_www_client is needed for an ocserv client; ipsec_ike_key
# and time_stamping_key widen what this key may be used for — confirm and trim.
tls_www_client
ipsec_ike_key
time_stamping_key
# Server certificate template for certtool (gnutls): cn and dns_name carry the
# host name VPN clients connect to; serial 2 is fixed here.
cn = "anyconnect.abc.org"
o = "Tyrael Ltd."
email = server@abc.org
dns_name = "anyconnect.abc.org"
country = CN
state = "Shanghai"
serial = 2
expiration_days = 3650
signing_key
encryption_key #only if the generated key is an RSA one
tls_www_server
# NOTE(review): ipsec_ike_key / time_stamping_key are not needed for a plain
# TLS server certificate — presumably copied from a shared template; drop them
# unless something relies on them.
ipsec_ike_key
time_stamping_key
# CA template for certtool (gnutls): the self-signed root whose ca-cert.pem /
# ca-key.pem cert-client.sh uses to sign client certificates (and presumably
# the server certificate as well).
cn = "abc.org VPN CA"
state = "Shanghai"
country = CN
organization = "Tyrael Ltd."
serial = 1
expiration_days = 3650
email = "ca@abc.org"
# A CA certificate does not need a DNS SAN — presumably copied from the server
# template; confirm it is intentional.
dns_name = "anyconnect.abc.org"
ca
# NOTE(review): a CA key is normally limited to cert_signing_key and
# crl_signing_key; signing_key / encryption_key / ipsec_ike_key let the CA key
# double as an end-entity key. Keep only the purposes actually relied on.
signing_key
encryption_key
ipsec_ike_key
cert_signing_key
crl_signing_key
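#! /bin/sh
# cert-client.sh - issue an ocserv client certificate signed by the local CA.
#
# Usage:    ./cert-client.sh <user-name>
# Reads:    client.tmpl (rewritten in place: line 1 "cn = ...", line 3
#           "email = ..."), ca-cert.pem, ca-key.pem
# Writes:   <user-name>-key.pem, <user-name>-cert.pem, <user-name>.cert.p12
# Requires: certtool (gnutls), openssl, GNU sed (for -i)
# Exit:     0 on success; any failing step aborts the script (set -e)
set -eu

# The user name ends up in file names, in a sed script and in the certificate
# subject, so restrict it to a safe character set before anything runs:
# no "/" or ".." (path traversal), no leading "-" (would be read as an
# option), no quotes, backslashes or newlines (sed / template injection).
name=${1:?"usage: $0 user-name"}
case $name in
  *[!A-Za-z0-9._-]* | .* | -*)
    printf 'cert-client: invalid user name: %s\n' "$name" >&2
    exit 1
    ;;
esac

# Private-key material must not be world-readable; set the umask before
# certtool creates the key file.  The PKCS#12 bundle below also holds the key.
umask 077
certtool --generate-privkey --outfile "${name}-key.pem"

# client.tmpl is edited by line number: line 1 is the CN, line 3 the e-mail.
# Keep the shipped template's first three lines in that order.
sed -i "1ccn = \"${name}\"" client.tmpl
sed -i "3cemail = ${name}@abc.org" client.tmpl

certtool --generate-certificate \
  --load-privkey "${name}-key.pem" \
  --load-ca-certificate ca-cert.pem \
  --load-ca-privkey ca-key.pem \
  --template client.tmpl \
  --outfile "${name}-cert.pem"
# The certificate itself is public; undo the restrictive umask for it only.
chmod 644 "${name}-cert.pem"

# openssl asks for the export password on the terminal; the bundle contains
# the private key and keeps the 0600 mode from the umask above.
openssl pkcs12 -export \
  -inkey "${name}-key.pem" \
  -in "${name}-cert.pem" \
  -name "${name} VPN Client Cert" \
  -certfile ca-cert.pem \
  -out "${name}.cert.p12"
exit 0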