
用于生成WebService使用的数字证书及签署证书.python脚本

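#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""Generate a CA and CA-signed certificate stores for a WebService deployment.

``newca``    creates a self-signed CA and saves it as a PKCS#12 file.
``newstore`` creates a server/client key pair, has the CA sign it and writes
             it to a JKS or PKCS#12 store, exporting the CA certificate too.

Both commands drive ``openssl`` and Java's ``keytool`` as subprocesses.
Private key material is only ever written to a private temporary directory
that is removed when the command finishes.

NOTE: the original source declared ``gbk`` as its encoding; this copy is
stored as UTF-8, the encoding the text actually has here.  Save the file in
the encoding declared above or the prompts will be garbled.
"""
from __future__ import print_function

import getpass
import os
import re
import shlex
import shutil
import subprocess
import sys
import tempfile

try:  # Python 2
    read_line = raw_input
except NameError:  # Python 3
    read_line = input

# Runtime configuration shared by all commands.
#   debug   - show the stdout/stderr of the tools instead of discarding it
#   days    - validity period of every certificate (main() sets it as well)
#   keysize - RSA modulus size in bits; the original used 1024, which is no
#             longer considered safe, so 2048 is the default
configure = {"debug": False, "days": 365 * 3, "keysize": 2048}

# Order in which subject components are emitted.  The original iterated a
# dict, whose order is arbitrary on Python 2, so the subject changed per run.
SUBJECT_FIELDS = ("C", "ST", "L", "O", "OU", "CN", "EMAILADDRESS")

# Encoding used when a password typed at the console is sent to a tool's
# stdin.  NOTE(review): openssl uses the bytes as given, so the PKCS#12 file
# must later be opened with a password in the same encoding - confirm this
# matches the console encoding on the machines the CA is used on.
PASSWORD_ENCODING = "utf-8"

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Name of the environment variable through which passwords are handed to
# keytool (``-storepass:env``/``-keypass:env``, Java 6 or later) so that they
# do not appear on the command line in process listings.
KEYTOOL_PASS_ENV = "ZT_STOREPASS"


def quiet_run(cmd, argstr=None, env=None):
    """Run *cmd*, optionally feeding *argstr* to its stdin, and wait for it.

    Args:
        cmd: the command as an argument list (preferred - no quoting problems
            with subjects or passwords that contain spaces).  A plain string
            is still accepted and is split with ``shlex`` for compatibility.
        argstr: text written to the child's stdin followed by a newline
            (used for ``openssl -passin/-passout stdin``); ``None`` sends
            nothing.
        env: environment mapping for the child; ``None`` inherits ours.

    Returns:
        The child's exit status, which is always 0 (see *Raises*).

    Raises:
        subprocess.CalledProcessError: if the child exits non-zero.  The
            original ignored failures, which silently left broken stores.
        OSError: if the program cannot be started.

    The child never goes through a shell.  Unless ``configure["debug"]`` is
    set its stdout and stderr are discarded.
    """
    if not isinstance(cmd, (list, tuple)):
        cmd = shlex.split(cmd)
    stdin_data = None
    if argstr is not None:
        stdin_data = argstr + "\n"
        if not isinstance(stdin_data, bytes):  # Python 3 (or a py2 unicode)
            stdin_data = stdin_data.encode(PASSWORD_ENCODING)
    sink = None
    try:
        if not configure["debug"]:
            sink = open(os.devnull, "w")
        proc = subprocess.Popen(
            cmd, stdin=subprocess.PIPE, stdout=sink, stderr=sink, env=env
        )
        # communicate() writes, closes stdin and waits - no dangling pipe.
        proc.communicate(stdin_data)
    finally:
        if sink is not None:
            sink.close()
    if proc.returncode != 0:
        raise subprocess.CalledProcessError(proc.returncode, cmd)
    return proc.returncode


def format_subject(identity):
    """Return *identity* as an OpenSSL ``-subj`` string, e.g. ``/C=CN/CN=bob``.

    Components are emitted in ``SUBJECT_FIELDS`` order; keys that are missing
    or empty are skipped (``{}`` gives ``""``) and unknown keys are ignored.
    A ``/`` inside a value is escaped as ``\\/`` as OpenSSL requires.

    Raises:
        ValueError: if a value contains a backslash or a newline, which
            cannot be represented safely.
    """
    parts = []
    for key in SUBJECT_FIELDS:
        value = identity.get(key, "")
        if not value:
            continue
        if "\\" in value or "\n" in value:
            raise ValueError(
                "subject value for %s may not contain a backslash or newline" % key
            )
        parts.append("/%s=%s" % (key, value.replace("/", "\\/")))
    return "".join(parts)


def subject_to_dname(subj):
    """Convert an OpenSSL subject (``/C=CN/O=Acme``) to ``keytool -dname`` form.

    RDNs are split on unescaped ``/``, ``\\/`` is unescaped back to ``/``, and
    the characters that are special in an RFC 2253 distinguished name
    (``, + " < > ;``) are backslash-escaped in the result.  ``""`` maps to
    ``""``.
    """
    rdns = [rdn.replace("\\/", "/") for rdn in re.split(r"(?<!\\)/", subj) if rdn]
    escaped = []
    for rdn in rdns:
        for ch in ',+"<>;':
            rdn = rdn.replace(ch, "\\" + ch)
        escaped.append(rdn)
    return ",".join(escaped)


def extract_pem_certificate(text):
    """Return the first PEM certificate block in *text*, newline-terminated.

    ``openssl pkcs12`` prefixes its output with ``Bag Attributes`` lines that
    Java JSSE/keytool cannot parse.  The original dropped exactly four lines,
    which breaks whenever openssl prints a different number of them.

    Raises:
        ValueError: if no complete ``BEGIN``/``END CERTIFICATE`` block exists.
    """
    start = text.find(PEM_BEGIN)
    if start < 0:
        raise ValueError("no PEM certificate found in openssl output")
    end = text.find(PEM_END, start)
    if end < 0:
        raise ValueError("PEM certificate in openssl output is truncated")
    return text[start:end + len(PEM_END)] + "\n"


def get_indentity():
    """Prompt for the user's identity and return it as an OpenSSL subject.

    Re-prompts when ``format_subject`` rejects a value.  The misspelt name is
    kept because it is the function's public name; ``get_identity`` is an
    alias.
    """
    print("请输入你的身份信息,这些信息将被附加到证书上,以便于客户确认您的身份")
    print("只输入英文")
    while True:
        identity = {"C": "CN"}
        identity["ST"] = read_line("请输入您的省份:")
        identity["L"] = read_line("请输入您的城市:")
        identity["O"] = read_line("请输入您的单位名称:")
        identity["OU"] = read_line("请输入您的部门名称:")
        identity["CN"] = read_line("请输入您的名字:")
        identity["EMAILADDRESS"] = read_line("请输入您的电子邮箱地址:")
        try:
            subj = format_subject(identity)
        except ValueError as exc:
            print(exc)
            continue
        print("您的身份认证信息是%s" % subj)
        print()
        return subj


get_identity = get_indentity


def create_ca():
    """Create a self-signed CA and store it as a PKCS#12 file.

    Prompts for the subject, the password protecting the PKCS#12 file and the
    output filename.  The private key and CSR only exist inside a private
    temporary directory that is removed on exit, never in the current
    directory under a fixed name.

    Raises:
        subprocess.CalledProcessError / OSError: if an openssl step fails.
    """
    subj = get_indentity()
    password = ""
    cafile = ""
    while password.strip() == "":
        password = read_line("请输入保护CA证书的密码(明文显示):")
    print("请记录好该密码,如果丢失该密码,将可能面临安全性破坏和重新部署客户端的风险")
    while cafile.strip() == "":
        cafile = read_line("请输入CA证书的文件名:")
    days = str(configure["days"])
    workdir = tempfile.mkdtemp(prefix="zt_ca_")  # created mode 0700
    try:
        cakey = os.path.join(workdir, "cakey.pem")
        careq = os.path.join(workdir, "careq.csr")
        cacert = os.path.join(workdir, "cacert.pem")
        quiet_run(["openssl", "genrsa", "-out", cakey, str(configure["keysize"])])
        quiet_run(["openssl", "req", "-new", "-out", careq, "-key", cakey, "-subj", subj])
        # NOTE(review): as in the original, the CA certificate carries no
        # basicConstraints extension - some verifiers reject such a CA.
        quiet_run(["openssl", "x509", "-req", "-in", careq, "-out", cacert,
                   "-signkey", cakey, "-days", days, "-sha256"])
        quiet_run(["openssl", "pkcs12", "-export", "-clcerts", "-in", cacert,
                   "-inkey", cakey, "-out", cafile, "-passout", "stdin"], password)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


def _export_ca_material(cafile, capassword, workdir):
    """Extract the CA certificate (bare PEM) and its private key into *workdir*.

    Returns ``(cacert_path, cakey_path)``.  The key is written without a
    passphrase, which is why *workdir* must be private and removed afterwards.
    """
    raw_cert = os.path.join(workdir, "cacert.raw.pem")
    cacert = os.path.join(workdir, "cacert.pem")
    cabundle = os.path.join(workdir, "cafile.pem")
    cakey = os.path.join(workdir, "cakey.pem")
    quiet_run(["openssl", "pkcs12", "-in", cafile, "-clcerts", "-nodes", "-nokeys",
               "-out", raw_cert, "-passin", "stdin"], capassword)
    with open(raw_cert) as fp:
        pem = extract_pem_certificate(fp.read())
    with open(cacert, "w") as fp:
        fp.write(pem)
    quiet_run(["openssl", "pkcs12", "-in", cafile, "-clcerts", "-nodes",
               "-out", cabundle, "-passin", "stdin"], capassword)
    # ``openssl rsa`` keeps only the key from the cert+key bundle.
    quiet_run(["openssl", "rsa", "-in", cabundle, "-out", cakey])
    return cacert, cakey


def _sign_request(csr, cert, cacert, cakey):
    """Sign *csr* with the CA and write the certificate to *cert*.

    ``ca-cert.srl`` stays in the current directory, as in the original, so
    serial numbers keep incrementing across runs.  The original JKS branch
    passed ``-CA``/``-CAkey``/``-days`` twice and ran ``-CAserial`` and
    ``-sha1`` together (``ca-cert.srl-sha1``); both branches now share this
    one command.
    """
    quiet_run(["openssl", "x509", "-req", "-in", csr, "-out", cert,
               "-CA", cacert, "-CAkey", cakey, "-days", str(configure["days"]),
               "-CAcreateserial", "-CAserial", "ca-cert.srl", "-sha256", "-trustout"])


def _build_jks_store(storefile, storepassword, subj, cacert, cakey, workdir):
    """Create a JKS store holding a CA-signed key pair under alias ``mykey``.

    Passwords reach keytool through the environment variable
    ``KEYTOOL_PASS_ENV`` rather than the command line (needs Java 6+).
    """
    env = dict(os.environ)
    env[KEYTOOL_PASS_ENV] = storepassword
    csr = os.path.join(workdir, "myreq.csr")
    cert = os.path.join(workdir, "mycert.pem")
    store_args = ["-keystore", storefile, "-storepass:env", KEYTOOL_PASS_ENV]
    quiet_run(["keytool", "-genkey", "-alias", "mykey", "-keyalg", "RSA",
               "-keysize", str(configure["keysize"]),
               "-validity", str(configure["days"]),
               "-keypass:env", KEYTOOL_PASS_ENV, "-storetype", "JKS",
               "-dname", subject_to_dname(subj)] + store_args, env=env)
    quiet_run(["keytool", "-certreq", "-alias", "mykey", "-sigalg", "SHA256withRSA",
               "-file", csr] + store_args, env=env)
    _sign_request(csr, cert, cacert, cakey)
    quiet_run(["keytool", "-import", "-alias", "__zt_caroot", "-noprompt",
               "-file", cacert] + store_args, env=env)
    quiet_run(["keytool", "-import", "-alias", "mykey", "-trustcacerts", "-noprompt",
               "-file", cert] + store_args, env=env)
    # The original left the CA root entry in the store and kept its removal
    # commented out; preserved as-is:
    # quiet_run(["keytool", "-delete", "-alias", "__zt_caroot"] + store_args, env=env)


def _build_pkcs12_store(storefile, storepassword, subj, cacert, cakey, workdir):
    """Create a PKCS#12 store holding a CA-signed key pair."""
    key = os.path.join(workdir, "mykey.pem")
    csr = os.path.join(workdir, "myreq.csr")
    cert = os.path.join(workdir, "mycert.pem")
    quiet_run(["openssl", "genrsa", "-out", key, str(configure["keysize"])])
    quiet_run(["openssl", "req", "-new", "-out", csr, "-key", key, "-subj", subj])
    _sign_request(csr, cert, cacert, cakey)
    quiet_run(["openssl", "pkcs12", "-export", "-clcerts", "-in", cert, "-inkey", key,
               "-out", storefile, "-passout", "stdin"], storepassword)


def create_store():
    """Create a CA-signed server/client certificate store and export the CA cert.

    Prompts for the CA file and its password, the new store's filename,
    password and type (JKS or PKCS#12), the filename for the exported CA
    certificate, and the subject.  On any failure the half-written store is
    removed and the error is re-raised (the original swallowed it).
    """
    print("将为服务器/客户端生成并使用CA证书签署的证书文件")
    cafile = ""
    while cafile.strip() == "":
        cafile = read_line("请输入CA证书的文件名:")
    capassword = ""
    while capassword.strip() == "":
        capassword = getpass.getpass("请输入CA证书的密码(不回显):")
    storefile = ""
    while storefile.strip() == "":
        storefile = read_line("请输入新证书的文件名:")
    storepassword = ""
    while storepassword.strip() == "":
        storepassword = read_line("请输入保护新证书的密码(明文显示):")
    storetype = ""
    while storetype == "":
        print("Java支持两种格式的证书存储格式,一种是Java环境私有的JKS 格式,另一种是RFC标准的PKCS#12格式。\n"
              "如果在SUN Java环境下,优先使用JKS格式,而其它环境则优先使用PKCS#12格式")
        answer = read_line("请选择,1-JKS格式,2-PKCS#12: ")
        if answer == "1":
            storetype = "JKS"
        elif answer == "2":
            storetype = "PKCS12"
    print("因为PKCS#12格式的存储格式不能同时包含CA的证书,生成客户端密钥之后将同时为您导出CA证书。")
    cacertfile = ""
    while cacertfile == "":
        cacertfile = read_line("请输入导出CA证书的文件名:")
    subj = get_indentity()
    workdir = tempfile.mkdtemp(prefix="zt_store_")  # created mode 0700
    try:
        cacert, cakey = _export_ca_material(cafile, capassword, workdir)
        if storetype == "JKS":
            _build_jks_store(storefile, storepassword, subj, cacert, cakey, workdir)
        else:
            _build_pkcs12_store(storefile, storepassword, subj, cacert, cakey, workdir)
        # copy rather than rename: the source lives in the temp directory,
        # possibly on another filesystem, and the temp dir is removed below
        shutil.copyfile(cacert, cacertfile)
    except Exception:
        try:
            os.unlink(storefile)
        except OSError:
            pass
        raise
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


def usage():
    """Print the command-line help and exit with status 1."""
    print("""使用方法错误
%(cmdname)s newca:创建一个CA证书
%(cmdname)s newstore:创建一个证书""" % {"cmdname": sys.argv[0]})
    sys.exit(1)


def main(argv):
    """Dispatch on ``argv[1]``: ``newca`` or ``newstore``.

    A missing or unknown command shows the usage text; the original fell
    through silently on an unknown command.
    """
    configure["days"] = 365 * 3
    if len(argv) < 2:
        usage()
    if argv[1] == "newca":
        create_ca()
    elif argv[1] == "newstore":
        create_store()
    else:
        usage()


if __name__ == "__main__":
    main(sys.argv)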
