root/zertifizierung
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs: comprehensive update with system detection and deployment capabilities

Browse Source 
- Added detailed system detection matrix (5 system types)
- Documented Proxmox VE full automation capabilities
- Listed manual deployment requirements for other systems
- Enhanced troubleshooting section with common issues
- Added security notes and file locations
- Improved interactive workflow example
This commit is contained in:
root
2025-10-23 09:08:26 +02:00
parent 6fb1454310
commit 2a7d1c23aa
1 changed files with 243 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

275
README.md
View File

@@ -1,37 +1,87 @@
# Certificate Management Tools # Certificate Management Tools
Automated certificate generation and signing tools for UCS CA. Automated certificate generation and signing tools for UCS CA with intelligent system detection and deployment.
## Features
- 🔍 **Automatic System Detection** - Detects target system type (Proxmox, pfSense, TrueNAS, UCS)
- 🤖 **Automated Deployment** - Fully automated certificate installation for supported systems
- 💾 **Configuration Persistence** - Remembers your settings between runs
- 🔐 **Proper Certificate Extensions** - Generates certificates with correct serverAuth extensions
- 🎯 **Interactive & Scriptable** - Works both interactively and in automation scripts
## Supported Systems
| System | Detection | Deployment | Status |
|--------|-----------|------------|--------|
| **Proxmox VE** | ✅ Automatic | ✅ Fully Automated | Production Ready |
| **pfSense** | ✅ Automatic | ⚠️ Manual (Web UI) | Detected |
| **TrueNAS** | ✅ Automatic | ⚠️ Manual (Web UI) | Detected |
| **UCS** | ✅ Automatic | ⚠️ Manual | Detected |
| **Other/Unknown** | ⚠️ Generic | ⚠️ Manual | Basic Support |
### Proxmox VE - Full Automation ✅
For Proxmox systems, the tool provides complete automation:
- Generates CSR on the Proxmox host
- Signs with UCS CA
- Automatically installs to `/etc/pve/local/pveproxy-ssl.{pem,key}`
- Creates timestamped backups of existing certificates
- Restarts `pveproxy` service
- Fully automated, zero manual steps required
### Other Systems - Manual Deployment ⚠️
For pfSense, TrueNAS, and other systems:
- System type is detected automatically
- CSR is generated on the target host
- Certificate is signed with UCS CA
- Certificate and key are copied to `/tmp/`
- Manual installation required through web interface
## Tools ## Tools
### 1. cert-manager.py (Interactive Mode) ### 1. cert-manager.py (Interactive Mode) - **RECOMMENDED**
The main interactive tool that handles the entire certificate lifecycle. The main interactive tool that handles the entire certificate lifecycle with system detection.
**Usage:** **Usage:**
```bash ```bash
./cert-manager.py ./cert-manager.py
``` ```
**Workflow:**
1. Detects target system type automatically
2. Prompts for certificate details with smart defaults
3. Generates CSR on remote host with proper extensions
4. Signs certificate with UCS CA
5. Deploys automatically (Proxmox) or copies to target (others)
**Features:** **Features:**
- Interactive prompts with default values - Interactive prompts with default values from previous runs
- Remembers last used values - Automatic system type detection
- Generates CSR on remote host - Intelligent deployment based on system capabilities
- Signs certificate with UCS CA - Configurable key length (default: 4096 bits)
- Optionally deploys certificate back to target host - Remembers last used values for quick reuse
### 2. generate-csr.sh (Standalone) ### 2. generate-csr.sh (Standalone)
Generates a certificate signing request on a remote host. Generates a certificate signing request on a remote host.
**Usage:** **Usage:**
```bash ```bash
./generate-csr.sh <hostname> <common-name> [country] [state] [locality] [org] [ou] ./generate-csr.sh <hostname> <common-name> [country] [state] [locality] [org] [ou] [key-bits]
``` ```
**Example:** **Example:**
```bash ```bash
./generate-csr.sh 192.168.1.100 server.example.com DE berlin berlin egonetix it ./generate-csr.sh 192.168.1.100 server.example.com DE berlin berlin egonetix it 4096
``` ```
**Features:**
- Generates CSR with proper server authentication extensions
- Configurable RSA key length (2048, 4096, 8192 bits)
- Automatic Subject Alternative Names (SANs)
- Private key stays on target host (secure)
### 3. sign-cert.sh (Standalone) ### 3. sign-cert.sh (Standalone)
Signs a certificate request with the UCS CA. Signs a certificate request with the UCS CA.
@@ -45,30 +95,109 @@ Signs a certificate request with the UCS CA.
./sign-cert.sh server.req server 3650 ./sign-cert.sh server.req server 3650
``` ```
### 4. detect-system.sh (Utility)
Detects the type of system on a remote host.
**Usage:**
```bash
./detect-system.sh <hostname>
```
**Returns:** `proxmox`, `pfsense`, `truenas`, `ucs`, or `unknown`
### 5. deploy-proxmox.sh (Proxmox Deployment)
Automated certificate deployment for Proxmox VE.
**Usage:**
```bash
./deploy-proxmox.sh <hostname> <cert-file> <key-file> <short-name>
```
**What it does:**
- Backs up existing certificates with timestamp
- Installs new certificate and key
- Sets correct permissions (640)
- Restarts pveproxy service
- Provides access URL
## Configuration ## Configuration
The interactive tool stores default values in `~/.cert-manager-config.json`. The interactive tool stores default values in `~/.cert-manager-config.json`.
Default values: **Default values:**
- Country: DE - Country: `DE`
- State: berlin - State: `berlin`
- Locality: berlin - Locality: `berlin`
- Organization: egonetix - Organization: `egonetix`
- Organizational Unit: it - Organizational Unit: `it`
- CA Server: 10.0.0.21 - CA Server: `10.0.0.21`
- Validity: 3650 days (10 years) - Validity: `3650` days (10 years)
- Key Length: `4096` bits
## Workflow **Modifying defaults:**
Run `./cert-manager.py` and answer "yes" when asked to modify default values.
1. Run `./cert-manager.py` ## Interactive Workflow Example
2. Enter target host (IP or hostname where certificate will be used)
3. Enter common name (FQDN for the certificate) ```bash
4. Review/modify certificate subject fields $ ./cert-manager.py
5. Confirm and proceed
6. The tool will: ============================================================
- Generate CSR on target host Interactive Certificate Manager
- Sign it with UCS CA ============================================================
- Optionally copy certificate back to target
--- Certificate Details ---
Target Host (IP or hostname) [srv-wmw-host01]: 10.0.0.50
Detecting system type on 10.0.0.50...
✓ Detected: Proxmox VE
Common Name (FQDN) [srv-wmw-host01.egonetix.lan]: pve-host02.egonetix.lan
--- Certificate Subject (press Enter to use defaults) ---
Country (C) [DE]:
State/Province (ST) [berlin]:
Locality (L) [berlin]:
Organization (O) [egonetix]:
Organizational Unit (OU) [it]:
Validity (days) [3650]:
Key Length (bits) [4096]:
============================================================
Summary:
============================================================
System Type: Proxmox VE
Target Host: 10.0.0.50
Common Name: pve-host02.egonetix.lan
Country: DE
State: berlin
Locality: berlin
Organization: egonetix
Org Unit: it
Key Length: 4096 bits
Validity: 3650 days
CA Server: 10.0.0.21
Output files: pve-host02.req, pve-host02-cert.pem
============================================================
Proceed with certificate generation? [Y/n]:
[Generates CSR, signs, deploys automatically for Proxmox]
✓ Access Proxmox at: https://10.0.0.50:8006
```
## Certificate Details
**Generated certificates include:**
- RSA keys (configurable: 2048, 4096, or 8192 bits)
- SHA-256 signature algorithm
- Subject Alternative Names (SANs) for all hostname variants
- Proper key usage extensions:
- `digitalSignature`
- `keyEncipherment`
- Extended key usage:
- `serverAuth` (TLS Web Server Authentication)
## Requirements ## Requirements
@@ -76,9 +205,91 @@ Default values:
- SSH access to UCS CA server (10.0.0.21) as root - SSH access to UCS CA server (10.0.0.21) as root
- OpenSSL on target host - OpenSSL on target host
- Python 3.6+ for interactive tool - Python 3.6+ for interactive tool
- Bash for shell scripts
## Notes ## Security Notes
- Private keys are generated and remain on the target host 1. **Private keys remain on target hosts** - Never transmitted or stored locally
- Certificate requests (.req) and signed certificates (-cert.pem) are stored locally 2. **Certificate backups** - Proxmox deployment creates timestamped backups
- The interactive tool remembers your last target host and common name for convenience 3. **Proper permissions** - Certificates are installed with correct file permissions
4. **CA access** - Only the signing operation requires CA access
5. **SSH security** - Uses BatchMode and secure connection options
## Troubleshooting
### System not detected correctly
```bash
# Manually check what system it is
./detect-system.sh <hostname>
# Verify SSH access
ssh root@<hostname> "uname -a"
```
### Certificate not trusted in browser
```bash
# Verify system CA is installed
ls -la /usr/local/share/ca-certificates/ucs-root-ca.crt
# Update system CA certificates
sudo update-ca-certificates
# For browsers using NSS (Firefox, Brave, Chrome):
certutil -d sql:$HOME/.pki/nssdb -L | grep -i ucs
```
### Proxmox deployment failed
```bash
# Check Proxmox certificate directory
ssh root@<proxmox-host> "ls -la /etc/pve/local/pveproxy-ssl.*"
# View pveproxy logs
ssh root@<proxmox-host> "journalctl -u pveproxy -n 50"
# Manually restart pveproxy
ssh root@<proxmox-host> "systemctl restart pveproxy"
```
### Certificate expired
Certificates are valid for 10 years by default. To renew:
```bash
# Simply run the tool again with the same hostname
./cert-manager.py
# It will generate a new certificate with a fresh validity period
```
## File Locations
**On local machine:**
- Certificate requests: `./<hostname>.req`
- Signed certificates: `./<hostname>-cert.pem`
- Configuration: `~/.cert-manager-config.json`
**On target host:**
- Private keys: `/tmp/<hostname>.key`
- Certificates: `/tmp/<hostname>.crt`
**On Proxmox hosts:**
- Certificate: `/etc/pve/local/pveproxy-ssl.pem`
- Private key: `/etc/pve/local/pveproxy-ssl.key`
- Backups: `/etc/pve/local/pveproxy-ssl.{pem,key}.bak.YYYYMMDD-HHMMSS`
## Adding Support for New Systems
To add automated deployment for a new system type:
1. Update `detect-system.sh` with detection logic
2. Create `deploy-<system>.sh` script
3. Add system to `SYSTEM_TYPES` in `cert-manager.py`
4. Test thoroughly
5. Update this README
## Additional Resources
- UCS Manual: https://docs.software-univention.de/
- Certificate Management: https://docs.software-univention.de/manual.html#domain:certificates
- OpenSSL Documentation: https://www.openssl.org/docs/
## License
Internal tool for egonetix infrastructure management.