脚本局限性:只解密

  • pfx格式证书
  • 加密了私钥的pem格式证书

脚本好处:可以批量解密多个证书,域名和密码从同一个列表文件读取。

脚本粗糙,但实用性尚可哈哈。注意:脚本用 `-nodes` 把私钥以明文写入 pem 目录,并把 cert-password.txt 里的明文密码追加到 bak-cert-password.txt,这两处文件都要限制读取权限(建议 chmod 600)。

脚本内容

使用说明

]$ cat README 
======================
2021.1.15 支持pem或者pfx证书解密
======================
1、将pfx或pem证书放入pfx目录中
2、将域名和密码信息写入cert-password.txt(每行一条,以空格或者tab做分隔符;该文件包含明文密码,建议 chmod 600)
3、pfx证书执行bash cert.sh
  - pem证书执行bash cert.sh pem

cert-password.txt

]$ cat cert-password.txt 
www.baidu.com	hfdsfds321njnK

cert.sh

]$ cat cert.sh 
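#!/usr/bin/env bash
# cert.sh - batch-extract the certificate and the private key from
# password-protected .pfx (PKCS#12) or encrypted .pem files, one per domain
# listed in cert-password.txt.
#
# NOTE(security): private keys are written to PEM_DIR *unencrypted* (-nodes),
# and the backup file holds the plaintext passwords. Protect both locations.

# Private keys, the password backup and any directory we create must not be
# group/world readable. Set the umask before the first output file is made.
umask 077

# ANSI colour codes for status messages.
RED="\033[0;31m"
GREEN="\033[0;32m"
NO_COLOR="\033[0m"

# Text file with one "<domain> <password>" pair per line (space/tab separated).
CERT_PASSWORD_FILE="./cert-password.txt"
# Password lines of the certificates that were processed are appended here.
CERT_PASSWORD_BAK_FILE="./bak-cert-password.txt"
# Input directory holding <domain>.pfx or <domain>.pem.
PFX_DIR="./pfx"
# Output directory for the extracted <domain>.crt / <domain>.key.
PEM_DIR="./pem"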

#解密证书的函数
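#######################################
# Extract the certificate chain and the private key from one PKCS#12 file.
# Globals:   PFX_DIR, PEM_DIR, CERT_PASSWORD_FILE, CERT_PASSWORD_BAK_FILE,
#            RED, GREEN, NO_COLOR (all read)
# Arguments: $1 - domain; the input is ${PFX_DIR}/<domain>.pfx
#            $2 - password protecting the .pfx
# Outputs:   ${PEM_DIR}/<domain>.crt - every certificate in the bundle
#              (CA and end-entity), bag attributes stripped
#            ${PEM_DIR}/<domain>.key - the private key, UNENCRYPTED (-nodes),
#              mode 0600; status text on stdout
#            the matching line of CERT_PASSWORD_FILE is appended to
#            CERT_PASSWORD_BAK_FILE on success only
# Returns:   0 on success, 1 if the .pfx is missing or cannot be opened
#            (wrong password); no partial .crt/.key is left behind
#######################################
cert_decrypt(){
    local domain=$1
    local password=$2
    local pfx_file="${PFX_DIR}/${domain}.pfx"
    local crt_file="${PEM_DIR}/${domain}.crt"
    local key_file="${PEM_DIR}/${domain}.key"
    local rc=0

    if [ ! -f "${pfx_file}" ]; then
        echo -e "${RED}${pfx_file}文件不存在......${NO_COLOR}"
        return 1
    fi

    # The password reaches openssl through the environment (-passin env:)
    # instead of the command line (pass:), so it is not exposed to every
    # user on the host via `ps` / /proc/<pid>/cmdline.
    # -nokeys without -clcerts keeps all certificates in the bundle.
    CERT_PASS="${password}" openssl pkcs12 -in "${pfx_file}" -nokeys \
        -passin env:CERT_PASS -out "${crt_file}" || rc=$?
    if [ "${rc}" -eq 0 ]; then
        # -nodes: write the key without a passphrase (plaintext on disk).
        CERT_PASS="${password}" openssl pkcs12 -in "${pfx_file}" -nocerts -nodes \
            -passin env:CERT_PASS -out "${key_file}" || rc=$?
    fi
    # The original only checked the second openssl call; check both and do
    # not leave half-written output (or a backup line) for a failed entry.
    if [ "${rc}" -ne 0 ]; then
        rm -f -- "${crt_file}" "${key_file}"
        echo -e "${RED}${pfx_file}解密失败,可能密码错误......${NO_COLOR}"
        return 1
    fi

    # Drop the "Bag Attributes"/"subject=" headers openssl prints before each
    # PEM block. The key pattern also accepts "BEGIN RSA/EC PRIVATE KEY" in
    # case the local openssl writes a traditional rather than PKCS#8 block.
    sed -i -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "${crt_file}"
    sed -i -ne '/-BEGIN .*PRIVATE KEY-/,/-END .*PRIVATE KEY-/p' "${key_file}"
    # The key is unencrypted; restrict it to the owner regardless of umask.
    chmod 600 "${key_file}"

    echo -e "==========================
  PFX_FILE:${GREEN}${pfx_file}${NO_COLOR}
  CRT_FILE:${GREEN}${crt_file}${NO_COLOR}
  KEY_FILE:${GREEN}${key_file}${NO_COLOR}"

    # Keep the password line for later reuse. Compare field 1 exactly: the
    # original `grep $DOMAIN` treated '.' as a wildcard and also matched
    # longer names such as www.example.com.cn. The backup holds plaintext
    # passwords, so keep it owner-only.
    awk -v d="${domain}" '$1 == d' "${CERT_PASSWORD_FILE}" >> "${CERT_PASSWORD_BAK_FILE}"
    chmod 600 "${CERT_PASSWORD_BAK_FILE}"
    return 0
}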

#pem格式证书解压
pem_cert_decrypt(){
    DOMAIN=$1
    PASSWORD=$2
    PEM_FILE_PATH=${PFX_DIR}/${DOMAIN}.pem
    CRT_FILE_PATH=${PEM_DIR}/${DOMAIN}.crt
    KEY_FILE_PATH=${PEM_DIR}/${DOMAIN}.key
    if [ -f  ${PEM_FILE_PATH} ];then
        sed  -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' ${PEM_FILE_PATH} > ${CRT_FILE_PATH}
	openssl rsa -in ${PEM_FILE_PATH}  -passin pass:${PASSWORD}  -out ${KEY_FILE_PATH}
        #如果执行失败就提示密码错误
        if [ ! "$?" -eq "0" ];then
            echo -e "${RED}${PFX_FILE_PATH}解密失败,可能密码错误......${NO_COLOR}"
        else
            echo -e "==========================
  PFX_FILE:${GREEN}${PEM_FILE_PATH}${NO_COLOR}
  CRT_FILE:${GREEN}${CRT_FILE_PATH}${NO_COLOR}
  KEY_FILE:${GREEN}${KEY_FILE_PATH}${NO_COLOR}"
        fi
	#备份证书密码,防止以后用到
	#cat ${CERT_PASSWORD_FILE} >> ${CERT_PASSWORD_BAK_FILE}
	grep $DOMAIN ${CERT_PASSWORD_FILE} >> ${CERT_PASSWORD_BAK_FILE}

    else
        echo -e "${RED}${PEM_FILE_PATH}文件不存在......${NO_COLOR}"
    fi
}
    

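#######################################
# Entry point: clear previous outputs, then process every domain/password
# pair in CERT_PASSWORD_FILE.
# Globals:   CERT_PASSWORD_FILE, PFX_DIR, PEM_DIR, RED, NO_COLOR (read)
# Arguments: $1 - "pem" to treat the inputs as encrypted PEM bundles
#                 (pem_cert_decrypt); anything else or nothing means
#                 PKCS#12 .pfx (cert_decrypt)
# Outputs:   status lines from the per-certificate functions
# Returns:   0 when every listed entry succeeded, 1 if the password file is
#            missing or any entry failed
#######################################
main(){
    local FLAG=${1:-}
    local domain password failed=0

    if [ ! -f "${CERT_PASSWORD_FILE}" ]; then
        echo -e "${RED}${CERT_PASSWORD_FILE}文件不存在......${NO_COLOR}"
        return 1
    fi
    mkdir -p "${PFX_DIR}" "${PEM_DIR}"
    # Outputs of a previous run are stale. PEM_DIR is a fixed constant, so
    # the glob cannot expand to an unintended location.
    rm -f -- "${PEM_DIR}"/*.crt "${PEM_DIR}"/*.key

    # Read "<domain> <password>" straight from each line. The original
    # re-looked the domain up with grep, which treated '.' as a wildcard,
    # matched longer names (a.test vs a.test.cn) and then concatenated the
    # passwords of every matching line into one argument.
    # `password` receives the rest of the line, so a password containing
    # spaces is no longer silently truncated to its first word.
    # fd 3 is used so a prompting child command cannot consume the list
    # via stdin; the `|| [ -n ... ]` keeps a last line without a newline.
    while read -r -u 3 domain password || [ -n "${domain}" ]; do
        [ -z "${domain}" ] && continue
        if [ "${FLAG}" = "pem" ]; then
            pem_cert_decrypt "${domain}" "${password}" || failed=1
        else
            cert_decrypt "${domain}" "${password}" || failed=1
        fi
    done 3< "${CERT_PASSWORD_FILE}"
    return "${failed}"
}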
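# Run with the optional mode flag ("pem"); quoted so an empty/odd argument
# cannot be word-split or glob-expanded. The script's exit status is main's.
main "$1"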

执行效果

]$ bash cert.sh 
==========================
  PFX_FILE:./pfx/www.baidu.com.pfx
  CRT_FILE:./pem/www.baidu.com.crt
  KEY_FILE:./pem/www.baidu.com.key