feat: complete IP address in SAN support
Changes: - generate-csr.sh: Auto-detects target IP via SSH or DNS - sign-cert.sh: Preserves SAN extensions including IP addresses - Uses UCS CA password file for automated signing - Fixes IP Address: -> IP: format conversion for OpenSSL compatibility Benefits: ✅ Access services via https://10.0.0.50:8006 without warnings ✅ Access via https://hostname:8006 also works ✅ Single certificate for all access methods ✅ Browser shows secure connection for both methods Technical details: - Extracts SAN from CSR and applies via -extfile - Uses 'openssl x509 -req' with -passin file:/etc/univention/ssl/password - Preserves all DNS names and IP addresses in signed certificate
61
sign-cert.sh
61
sign-cert.sh
@@ -17,7 +17,7 @@ if [ $# -lt 2 ]; then
|
|||||||
echo ""
|
echo ""
|
||||||
echo "The script will:"
|
echo "The script will:"
|
||||||
echo " 1. Copy the CSR to UCS server"
|
echo " 1. Copy the CSR to UCS server"
|
||||||
echo " 2. Sign it with the UCS CA"
|
echo " 2. Sign it with the UCS CA (preserving extensions)"
|
||||||
echo " 3. Download the signed certificate to current directory"
|
echo " 3. Download the signed certificate to current directory"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
@@ -46,30 +46,69 @@ echo "Output file: $OUTPUT_FILE"
|
|||||||
echo "=========================================="
|
echo "=========================================="
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
# Step 1: Copy CSR to UCS server
|
# Extract SAN from CSR and fix format
|
||||||
echo "[1/3] Copying CSR to UCS server..."
|
echo "[1/4] Extracting Subject Alternative Names from CSR..."
|
||||||
|
SAN_ENTRIES=$(openssl req -in "$REQ_FILE" -noout -text | grep -A 1 "Subject Alternative Name" | tail -1 | sed 's/^ *//' | sed 's/IP Address:/IP:/g' || echo "")
|
||||||
|
|
||||||
|
if [ -z "$SAN_ENTRIES" ]; then
|
||||||
|
echo "Warning: No Subject Alternative Names found in CSR"
|
||||||
|
SAN_CONFIG=""
|
||||||
|
else
|
||||||
|
echo "Found SANs: $SAN_ENTRIES"
|
||||||
|
SAN_CONFIG="subjectAltName = $SAN_ENTRIES"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Step 2: Copy CSR to UCS server
|
||||||
|
echo "[2/4] Copying CSR to UCS server..."
|
||||||
scp "$REQ_FILE" ${UCS_USER}@${UCS_SERVER}:/tmp/${HOSTNAME}.csr
|
scp "$REQ_FILE" ${UCS_USER}@${UCS_SERVER}:/tmp/${HOSTNAME}.csr
|
||||||
if [ $? -ne 0 ]; then
|
if [ $? -ne 0 ]; then
|
||||||
echo "Error: Failed to copy CSR to UCS server"
|
echo "Error: Failed to copy CSR to UCS server"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Step 2: Sign the certificate
|
# Step 3: Sign using x509 command with CA password
|
||||||
echo "[2/3] Signing certificate on UCS server..."
|
echo "[3/4] Signing certificate on UCS server..."
|
||||||
ssh ${UCS_USER}@${UCS_SERVER} "univention-certificate sign -request /tmp/${HOSTNAME}.csr -name ${HOSTNAME} -days ${DAYS}"
|
|
||||||
|
# Create extension config and sign on UCS server
|
||||||
|
ssh ${UCS_USER}@${UCS_SERVER} "
|
||||||
|
set -e
|
||||||
|
|
||||||
|
# Create extensions config
|
||||||
|
cat > /tmp/${HOSTNAME}-ext.cnf << 'EXTCONF'
|
||||||
|
keyUsage = digitalSignature, keyEncipherment
|
||||||
|
extendedKeyUsage = serverAuth
|
||||||
|
${SAN_CONFIG}
|
||||||
|
EXTCONF
|
||||||
|
|
||||||
|
# Sign the certificate using CA password file
|
||||||
|
openssl x509 -req \
|
||||||
|
-in /tmp/${HOSTNAME}.csr \
|
||||||
|
-CA /etc/univention/ssl/ucsCA/CAcert.pem \
|
||||||
|
-CAkey /etc/univention/ssl/ucsCA/private/CAkey.pem \
|
||||||
|
-CAcreateserial \
|
||||||
|
-out /tmp/${HOSTNAME}-cert.pem \
|
||||||
|
-days ${DAYS} \
|
||||||
|
-sha256 \
|
||||||
|
-extfile /tmp/${HOSTNAME}-ext.cnf \
|
||||||
|
-passin file:/etc/univention/ssl/password
|
||||||
|
"
|
||||||
|
|
||||||
if [ $? -ne 0 ]; then
|
if [ $? -ne 0 ]; then
|
||||||
echo "Error: Failed to sign certificate"
|
echo "Error: Failed to sign certificate"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Step 3: Download signed certificate
|
# Step 4: Download signed certificate
|
||||||
echo "[3/3] Downloading signed certificate..."
|
echo "[4/4] Downloading signed certificate..."
|
||||||
scp ${UCS_USER}@${UCS_SERVER}:/etc/univention/ssl/${HOSTNAME}/cert.pem "$OUTPUT_FILE"
|
scp ${UCS_USER}@${UCS_SERVER}:/tmp/${HOSTNAME}-cert.pem "$OUTPUT_FILE"
|
||||||
if [ $? -ne 0 ]; then
|
if [ $? -ne 0 ]; then
|
||||||
echo "Error: Failed to download signed certificate"
|
echo "Error: Failed to download signed certificate"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Clean up on UCS server
|
||||||
|
ssh ${UCS_USER}@${UCS_SERVER} "rm -f /tmp/${HOSTNAME}.csr /tmp/${HOSTNAME}-cert.pem /tmp/${HOSTNAME}-ext.cnf"
|
||||||
|
|
||||||
echo ""
|
echo ""
|
||||||
echo "=========================================="
|
echo "=========================================="
|
||||||
echo "✓ Certificate signed successfully!"
|
echo "✓ Certificate signed successfully!"
|
||||||
@@ -80,8 +119,8 @@ echo "Certificate details:"
|
|||||||
openssl x509 -in "$OUTPUT_FILE" -noout -subject -issuer -dates
|
openssl x509 -in "$OUTPUT_FILE" -noout -subject -issuer -dates
|
||||||
echo ""
|
echo ""
|
||||||
echo "Subject Alternative Names:"
|
echo "Subject Alternative Names:"
|
||||||
openssl x509 -in "$OUTPUT_FILE" -noout -text | grep -A 1 "Subject Alternative Name" | tail -1
|
openssl x509 -in "$OUTPUT_FILE" -noout -text | grep -A 2 "Subject Alternative Name" | tail -2 || echo " (none)"
|
||||||
echo ""
|
echo ""
|
||||||
echo "Extended Key Usage:"
|
echo "Extended Key Usage:"
|
||||||
openssl x509 -in "$OUTPUT_FILE" -noout -text | grep -A 1 "Extended Key Usage" | tail -1
|
openssl x509 -in "$OUTPUT_FILE" -noout -text | grep -A 1 "Extended Key Usage" | tail -1 || echo " (none)"
|
||||||
echo "=========================================="
|
echo "=========================================="
|
||||||
|
|||||||
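Review bot: The SAN text pulled out of the CSR (`SAN_ENTRIES`, hunk 2) is expanded by the local shell into the double-quoted `ssh … "…"` command string, so the remote shell re-parses it before the quoted `'EXTCONF'` heredoc ever sees it; any `"`, `$(`, backtick or newline that survives the `grep | tail | sed` pipeline would run as a command on the UCS server, and the same applies to `${HOSTNAME}` and `${DAYS}`, whose origin is outside this hunk. Validate the extracted value against the only shapes the script needs before building `SAN_CONFIG`, e.g. `printf '%s\n' "$SAN_ENTRIES" | grep -Eq '^(DNS|IP):[A-Za-z0-9.:*-]+(, (DNS|IP):[A-Za-z0-9.:*-]+)*$' || { echo "Error: unexpected SAN format in CSR: $SAN_ENTRIES" >&2; exit 1; }`; a more robust structure is to write the extension file locally and `scp` it next to the CSR, so no CSR-derived text is passed through a remote command line at all. Two smaller points in the same hunk: the `|| echo ""` on the `SAN_ENTRIES=$(…)` pipeline never fires, because the pipeline's status is that of the final `sed` (under `pipefail` it would be, but the script shows no `set -o pipefail`), and the `rm -f` cleanup is only reached on the success path, so a failed signing leaves `/tmp/${HOSTNAME}.csr` and `/tmp/${HOSTNAME}-ext.cnf` behind on the CA host.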