frp生成双向验证证书的脚本
放到任意服务器执行(只需要有 openssl)。IP.2 要改为 frps 服务端的 IP;如果 frpc 是通过域名连接的,不要把域名填进 IP.2(openssl 只接受 IP 地址),而应改成 DNS 项,例如 DNS.2 = 你的域名。
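#!/bin/bash
# Generate a private CA plus one server and one client certificate for frp
# mutual TLS: frps presents server.crt, frpc presents client.crt, and each
# side verifies the other against ssl/ca/ca.crt.
#
# Usage:   ./gen-frp-certs.sh [FRPS_ADDR]
#   FRPS_ADDR  IP address or DNS name that frpc uses to reach frps. It is put
#              into the server certificate's subjectAltName (as IP.2 for an IP
#              address, as DNS.2 for a host name -- OpenSSL rejects a host name
#              in an IP.N entry). May also be given via the FRPS_ADDR
#              environment variable. Defaults to 29.15.143.75, the placeholder
#              of the original script -- change it for your deployment.
#   FORCE=1    permit overwriting an existing ssl/ca/ca.key (see below).
#
# Output (relative to the current directory):
#   ssl/ca/ca.key, ssl/ca/ca.crt         root CA. Only ca.crt is copied to the
#                                        frp hosts; ca.key stays on this machine.
#   ssl/server/server.key, server.crt    for frps
#   ssl/client/client.key, client.crt    for frpc
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

frps_addr="${1:-${FRPS_ADDR:-29.15.143.75}}"
# The address is interpolated into an OpenSSL config file, where '$', '#',
# '=' and whitespace are significant. Allow only characters that can occur in
# an IP address or host name so a stray argument cannot alter the extensions.
[[ "$frps_addr" =~ ^[A-Za-z0-9.:_-]+$ ]] \
  || die "invalid frps address: '$frps_addr' (expected an IPv4/IPv6 address or a DNS name)"
ipv4_re='^[0-9]+(\.[0-9]+){3}$'
# Pick the SAN entry type: IPv4 (dotted quad) and IPv6 (contains ':') go into
# IP.2, anything else is treated as a DNS name.
if [[ "$frps_addr" =~ $ipv4_re || "$frps_addr" == *:* ]]; then
  frps_san="IP.2 = $frps_addr"
else
  frps_san="DNS.2 = $frps_addr"
fi

# Directory layout
mkdir -p ssl/{ca,server,client}

# Silently regenerating the CA key would invalidate every certificate it has
# issued so far; refuse unless the caller explicitly asks for it.
if [[ -e ssl/ca/ca.key && "${FORCE:-0}" != "1" ]]; then
  die "ssl/ca/ca.key already exists; set FORCE=1 to regenerate the CA (all certificates issued by the old CA will stop validating)"
fi

echo "==== 1. 生成 CA 根证书 ===="
openssl genrsa -out ssl/ca/ca.key 4096
chmod 600 ssl/ca/ca.key  # recent OpenSSL already creates keys 0600; make it explicit
# Self-signed root, valid 10 years; `req -x509` adds CA:TRUE and the key
# identifiers from the default OpenSSL config.
openssl req -x509 -new -nodes -key ssl/ca/ca.key -sha256 -days 3650 \
  -subj "/C=CN/ST=State/L=City/O=MyOrg/OU=CA/CN=MyRootCA" \
  -out ssl/ca/ca.crt

echo "==== 2. 生成服务端证书 ===="
openssl genrsa -out ssl/server/server.key 2048
chmod 600 ssl/server/server.key
openssl req -new -key ssl/server/server.key \
  -subj "/C=CN/ST=State/L=City/O=MyOrg/OU=Server/CN=frps.local" \
  -out ssl/server/server.csr
# Server extensions: a leaf certificate usable only for TLS server
# authentication, listing every name frpc may connect with. TLS clients
# (including Go's crypto/tls) match the peer name against the SAN, not the
# CN, so the real frps address must appear in alt_names.
cat > ssl/server/server.ext <<EOF
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = frps.local
IP.1 = 127.0.0.1
$frps_san
EOF
# 10-year leaf certificates are convenient but long; shorten -days if you can
# rotate them. -CAcreateserial creates ssl/ca/ca.srl on first use and
# increments it afterwards, so both leaf certs get distinct serials.
openssl x509 -req -in ssl/server/server.csr -CA ssl/ca/ca.crt -CAkey ssl/ca/ca.key -CAcreateserial \
  -out ssl/server/server.crt -days 3650 -sha256 -extfile ssl/server/server.ext

echo "==== 3. 生成客户端证书 ===="
openssl genrsa -out ssl/client/client.key 2048
chmod 600 ssl/client/client.key
openssl req -new -key ssl/client/client.key \
  -subj "/C=CN/ST=State/L=City/O=MyOrg/OU=Client/CN=frpc.local" \
  -out ssl/client/client.csr
# Client extensions: clientAuth only, so this certificate cannot be misused
# to impersonate the server even though it chains to the same CA.
cat > ssl/client/client.ext <<EOF
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
openssl x509 -req -in ssl/client/client.csr -CA ssl/ca/ca.crt -CAkey ssl/ca/ca.key -CAcreateserial \
  -out ssl/client/client.crt -days 3650 -sha256 -extfile ssl/client/client.ext

echo "==== 4. 验证证书链 ===="
# -purpose checks that keyUsage/extendedKeyUsage fit the role, not just that
# the chain builds; a swapped or mis-issued cert fails here instead of at the
# first frp handshake.
openssl verify -CAfile ssl/ca/ca.crt -purpose sslserver ssl/server/server.crt
openssl verify -CAfile ssl/ca/ca.crt -purpose sslclient ssl/client/client.crt

echo "✅ 证书生成完成,目录结构如下:"
# `tree` is often not installed; under set -e a missing binary would turn a
# successful run into a non-zero exit, so fall back to find.
if command -v tree >/dev/null 2>&1; then
  tree ssl
else
  find ssl -type f | sort
fi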