From 44850efcd2f88c873ff439ce71279191e284bbbc Mon Sep 17 00:00:00 2001 From: root Date: Thu, 23 Oct 2025 09:32:50 +0200 Subject: [PATCH] feat: complete IP address in SAN support MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Changes: - generate-csr.sh: Auto-detects target IP via SSH or DNS - sign-cert.sh: Preserves SAN extensions including IP addresses - Uses UCS CA password file for automated signing - Fixes IP Address: -> IP: format conversion for OpenSSL compatibility Benefits: ✅ Access services via https://10.0.0.50:8006 without warnings ✅ Access via https://hostname:8006 also works ✅ Single certificate for all access methods ✅ Browser shows secure connection for both methods Technical details: - Extracts SAN from CSR and applies via -extfile - Uses 'openssl x509 -req' with -passin file:/etc/univention/ssl/password - Preserves all DNS names and IP addresses in signed certificate --- sign-cert.sh | 61 ++++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 50 insertions(+), 11 deletions(-)
diff --git a/sign-cert.sh b/sign-cert.sh
index e8c3975..f7ef9a5 100755
--- a/sign-cert.sh
+++ b/sign-cert.sh
@@ -17,7 +17,7 @@ if [ $# -lt 2 ]; then
 echo ""
 echo "The script will:"
 echo " 1. Copy the CSR to UCS server"
- echo " 2. Sign it with the UCS CA"
+ echo " 2. Sign it with the UCS CA (preserving extensions)"
 echo " 3. Download the signed certificate to current directory"
 exit 1
 fi
@@ -46,30 +46,69 @@ echo "Output file: $OUTPUT_FILE"
 echo "=========================================="
 echo ""
-# Step 1: Copy CSR to UCS server
-echo "[1/3] Copying CSR to UCS server..."
+# Extract SAN from CSR and fix format
+echo "[1/4] Extracting Subject Alternative Names from CSR..."
+SAN_ENTRIES=$(openssl req -in "$REQ_FILE" -noout -text | grep -A 1 "Subject Alternative Name" | tail -1 | sed 's/^ *//' | sed 's/IP Address:/IP:/g' || echo "")
+
+if [ -z "$SAN_ENTRIES" ]; then
+ echo "Warning: No Subject Alternative Names found in CSR"
+ SAN_CONFIG=""
+else
+ echo "Found SANs: $SAN_ENTRIES"
+ SAN_CONFIG="subjectAltName = $SAN_ENTRIES"
+fi
+
+# Step 2: Copy CSR to UCS server
+echo "[2/4] Copying CSR to UCS server..."
 scp "$REQ_FILE" ${UCS_USER}@${UCS_SERVER}:/tmp/${HOSTNAME}.csr
 if [ $? -ne 0 ]; then
 echo "Error: Failed to copy CSR to UCS server"
 exit 1
 fi
-# Step 2: Sign the certificate
-echo "[2/3] Signing certificate on UCS server..."
-ssh ${UCS_USER}@${UCS_SERVER} "univention-certificate sign -request /tmp/${HOSTNAME}.csr -name ${HOSTNAME} -days ${DAYS}"
+# Step 3: Sign using x509 command with CA password
+echo "[3/4] Signing certificate on UCS server..."
+
+# Create extension config and sign on UCS server
+ssh ${UCS_USER}@${UCS_SERVER} "
+set -e
+
+# Create extensions config
+cat > /tmp/${HOSTNAME}-ext.cnf << 'EXTCONF'
+keyUsage = digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+${SAN_CONFIG}
+EXTCONF
+
+# Sign the certificate using CA password file
+openssl x509 -req \
+ -in /tmp/${HOSTNAME}.csr \
+ -CA /etc/univention/ssl/ucsCA/CAcert.pem \
+ -CAkey /etc/univention/ssl/ucsCA/private/CAkey.pem \
+ -CAcreateserial \
+ -out /tmp/${HOSTNAME}-cert.pem \
+ -days ${DAYS} \
+ -sha256 \
+ -extfile /tmp/${HOSTNAME}-ext.cnf \
+ -passin file:/etc/univention/ssl/password
+"
+
 if [ $? -ne 0 ]; then
 echo "Error: Failed to sign certificate"
 exit 1
 fi
-# Step 3: Download signed certificate
-echo "[3/3] Downloading signed certificate..."
-scp ${UCS_USER}@${UCS_SERVER}:/etc/univention/ssl/${HOSTNAME}/cert.pem "$OUTPUT_FILE"
+# Step 4: Download signed certificate
+echo "[4/4] Downloading signed certificate..."
+scp ${UCS_USER}@${UCS_SERVER}:/tmp/${HOSTNAME}-cert.pem "$OUTPUT_FILE"
 if [ $? -ne 0 ]; then
 echo "Error: Failed to download signed certificate"
 exit 1
 fi
+# Clean up on UCS server
+ssh ${UCS_USER}@${UCS_SERVER} "rm -f /tmp/${HOSTNAME}.csr /tmp/${HOSTNAME}-cert.pem /tmp/${HOSTNAME}-ext.cnf"
+
 echo ""
 echo "=========================================="
 echo "✓ Certificate signed successfully!"
@@ -80,8 +119,8 @@ echo "Certificate details:"
 openssl x509 -in "$OUTPUT_FILE" -noout -subject -issuer -dates
 echo ""
 echo "Subject Alternative Names:"
-openssl x509 -in "$OUTPUT_FILE" -noout -text | grep -A 1 "Subject Alternative Name" | tail -1
+openssl x509 -in "$OUTPUT_FILE" -noout -text | grep -A 2 "Subject Alternative Name" | tail -2 || echo " (none)"
 echo ""
 echo "Extended Key Usage:"
-openssl x509 -in "$OUTPUT_FILE" -noout -text | grep -A 1 "Extended Key Usage" | tail -1
+openssl x509 -in "$OUTPUT_FILE" -noout -text | grep -A 1 "Extended Key Usage" | tail -1 || echo " (none)"
 echo "=========================================="
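Review bot: `${SAN_CONFIG}` inside the double-quoted `ssh ${UCS_USER}@${UCS_SERVER} "` script is expanded locally from text pulled out of the requester's CSR, so CSR-derived content becomes part of a shell script executed on the CA host; the only things keeping it inside the `'EXTCONF'` heredoc are the upstream `tail -1` (one line) and the quoted delimiter, and `${HOSTNAME}` and `${DAYS}` (set outside the hunk) are interpolated into the same command string unquoted. Write the extension file locally, `scp` it alongside the CSR, and keep the remote command free of CSR-derived text, as sketched below; checking `HOSTNAME` against a hostname character set before it reaches the remote command closes the same gap for the `/tmp` file names. The extension file also lacks `basicConstraints = critical, CA:FALSE` and key identifiers, and `-CAcreateserial` draws serials from a `.srl` file beside `CAcert.pem` rather than whatever bookkeeping `univention-certificate` (the command this hunk replaces) keeps, so the UCS tooling may not record or be able to revoke these certificates — worth confirming before merging. A CSR with no SAN only produces a warning and is still signed as a CN-only certificate, which does not achieve the commit's stated goal of warning-free browser access; `exit 1` there, or an explicit opt-in flag, would be safer. Finally, the cleanup `ssh ... rm -f` runs only on the success path, so the `exit 1` branches leave `${HOSTNAME}.csr` and `-ext.cnf` behind in `/tmp` on the CA host.
```shell
# Build the extension file locally: CSR-derived text must never be part of the
# command line the CA host executes.
EXT_FILE=$(mktemp) || { echo "Error: mktemp failed"; exit 1; }
trap 'rm -f -- "$EXT_FILE"' EXIT
printf '%s\n' \
    "keyUsage = digitalSignature, keyEncipherment" \
    "extendedKeyUsage = serverAuth" \
    "basicConstraints = critical, CA:FALSE" \
    "subjectKeyIdentifier = hash" \
    "authorityKeyIdentifier = keyid,issuer" \
    "$SAN_CONFIG" > "$EXT_FILE"
scp "$EXT_FILE" "${UCS_USER}@${UCS_SERVER}:/tmp/${HOSTNAME}-ext.cnf"
if [ $? -ne 0 ]; then
    echo "Error: Failed to copy extension file to UCS server"
    exit 1
fi

# Sign on UCS server (the remote script no longer embeds the heredoc)
ssh "${UCS_USER}@${UCS_SERVER}" "
set -e
# … unchanged: openssl x509 -req … -extfile /tmp/${HOSTNAME}-ext.cnf -passin file:/etc/univention/ssl/password …
"
```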
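Review bot: The `|| echo " (none)"` fallbacks added to the two `openssl x509 ... | tail` lines cannot fire: `||` sees the status of the last pipeline stage, and `tail` exits 0 whether or not `grep` matched, unless `set -o pipefail` is in effect earlier in the file (not in view). A stage that fails on empty output gives the intended behaviour, e.g. `openssl x509 -in "$OUTPUT_FILE" -noout -text | grep -A 1 "Subject Alternative Name" | tail -1 | grep . || echo " (none)"`, and the same for the Extended Key Usage line. Widening the first to `grep -A 2 ... | tail -2` also looks like it will print the header of the next extension as the second line whenever a SAN is present; the earlier `-A 1 | tail -1` form with the `grep .` guard likely covers both cases.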