Initial commit: Certificate management tools

- cert-manager.py: Interactive certificate lifecycle management - generate-csr.sh: Generate CSR on remote host - sign-cert.sh: Sign certificate with UCS CA - README.md: Complete documentation - .gitignore: Ignore certificate and config files Features: - Interactive prompts with default values - Config persistence between runs - Remote CSR generation with proper server extensions - Automated CA signing - Optional certificate deployment
2025-10-23 08:11:35 +02:00
commit 576e7de917
5 changed files with 535 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,26 @@
 # Certificate files
 *.req
 *.csr
 *.pem
 *.crt
 *.key
 # Python cache
 __pycache__/
 *.py[cod]
 *$py.class
 *.so
 # Config files
 .cert-manager-config.json
 # OS files
 .DS_Store
 Thumbs.db
 # Editor files
 *.swp
 *.swo
 *~
 .vscode/
 .idea/
--- a/README.md
+++ b/README.md
@@ -0,0 +1,84 @@
 # Certificate Management Tools
 Automated certificate generation and signing tools for UCS CA.
 ## Tools
 ### 1. cert-manager.py (Interactive Mode)
 The main interactive tool that handles the entire certificate lifecycle.
 **Usage:**
 ```bash
 ./cert-manager.py
 ```
 **Features:**
 - Interactive prompts with default values
 - Remembers last used values
 - Generates CSR on remote host
 - Signs certificate with UCS CA
 - Optionally deploys certificate back to target host
 ### 2. generate-csr.sh (Standalone)
 Generates a certificate signing request on a remote host.
 **Usage:**
 ```bash
 ./generate-csr.sh <hostname> <common-name> [country] [state] [locality] [org] [ou]
 ```
 **Example:**
 ```bash
 ./generate-csr.sh 192.168.1.100 server.example.com DE berlin berlin egonetix it
 ```
 ### 3. sign-cert.sh (Standalone)
 Signs a certificate request with the UCS CA.
 **Usage:**
 ```bash
 ./sign-cert.sh <req-file> <hostname> [days]
 ```
 **Example:**
 ```bash
 ./sign-cert.sh server.req server 3650
 ```
 ## Configuration
 The interactive tool stores default values in `~/.cert-manager-config.json`.
 Default values:
 - Country: DE
 - State: berlin
 - Locality: berlin
 - Organization: egonetix
 - Organizational Unit: it
 - CA Server: 10.0.0.21
 - Validity: 3650 days (10 years)
 ## Workflow
 1. Run `./cert-manager.py`
 2. Enter target host (IP or hostname where certificate will be used)
 3. Enter common name (FQDN for the certificate)
 4. Review/modify certificate subject fields
 5. Confirm and proceed
 6. The tool will:
   - Generate CSR on target host
   - Sign it with UCS CA
   - Optionally copy certificate back to target
 ## Requirements
 - SSH access to target host as root
 - SSH access to UCS CA server (10.0.0.21) as root
 - OpenSSL on target host
 - Python 3.6+ for interactive tool
 ## Notes
 - Private keys are generated and remain on the target host
 - Certificate requests (.req) and signed certificates (-cert.pem) are stored locally
 - The interactive tool remembers your last target host and common name for convenience
--- a/cert-manager.py
+++ b/cert-manager.py
@@ -0,0 +1,225 @@
 #!/usr/bin/env python3
 """
 Interactive Certificate Manager
 Generates CSR on remote host and signs it with UCS CA
 """
 import os
 import sys
 import json
 import subprocess
 from pathlib import Path
 # Configuration
 CONFIG_FILE = Path.home() / '.cert-manager-config.json'
 DEFAULT_CONFIG = {
    'country': 'DE',
    'state': 'berlin',
    'locality': 'berlin',
    'organization': 'egonetix',
    'organizational_unit': 'it',
    'ca_server': '10.0.0.21',
    'validity_days': '3650',
    'last_target_host': '',
    'last_common_name': ''
 }
 def load_config():
    """Load configuration from file or return defaults"""
    if CONFIG_FILE.exists():
        try:
            with open(CONFIG_FILE, 'r') as f:
                config = json.load(f)
                # Merge with defaults to add any new fields
                return {**DEFAULT_CONFIG, **config}
        except Exception as e:
            print(f"Warning: Could not load config: {e}")
    return DEFAULT_CONFIG.copy()
 def save_config(config):
    """Save configuration to file"""
    try:
        with open(CONFIG_FILE, 'w') as f:
            json.dump(config, f, indent=2)
    except Exception as e:
        print(f"Warning: Could not save config: {e}")
 def prompt_with_default(prompt, default):
    """Prompt user with a default value"""
    if default:
        user_input = input(f"{prompt} [{default}]: ").strip()
        return user_input if user_input else default
    else:
        return input(f"{prompt}: ").strip()
 def yes_no_prompt(prompt, default=True):
    """Ask a yes/no question"""
    default_str = "Y/n" if default else "y/N"
    while True:
        response = input(f"{prompt} [{default_str}]: ").strip().lower()
        if not response:
            return default
        if response in ['y', 'yes']:
            return True
        if response in ['n', 'no']:
            return False
        print("Please answer 'y' or 'n'")
 def main():
    print("=" * 60)
    print("Interactive Certificate Manager")
    print("=" * 60)
    print()
    # Load config
    config = load_config()
    # Ask if user wants to modify defaults
    if CONFIG_FILE.exists():
        if yes_no_prompt("Do you want to modify default values?", False):
            print("\n--- Default Values Configuration ---")
            config['country'] = prompt_with_default("Country (C)", config['country'])
            config['state'] = prompt_with_default("State/Province (ST)", config['state'])
            config['locality'] = prompt_with_default("Locality (L)", config['locality'])
            config['organization'] = prompt_with_default("Organization (O)", config['organization'])
            config['organizational_unit'] = prompt_with_default("Organizational Unit (OU)", config['organizational_unit'])
            config['ca_server'] = prompt_with_default("CA Server", config['ca_server'])
            config['validity_days'] = prompt_with_default("Validity (days)", config['validity_days'])
            print()
    # Get certificate details
    print("--- Certificate Details ---")
    target_host = prompt_with_default("Target Host (IP or hostname)", config['last_target_host'])
    if not target_host:
        print("Error: Target host is required!")
        sys.exit(1)
    common_name = prompt_with_default("Common Name (FQDN)", config['last_common_name'])
    if not common_name:
        print("Error: Common name is required!")
        sys.exit(1)
    # Extract short name for filenames
    short_name = common_name.split('.')[0]
    # Ask for custom values for this certificate
    print("\n--- Certificate Subject (press Enter to use defaults) ---")
    country = prompt_with_default("Country (C)", config['country'])
    state = prompt_with_default("State/Province (ST)", config['state'])
    locality = prompt_with_default("Locality (L)", config['locality'])
    organization = prompt_with_default("Organization (O)", config['organization'])
    org_unit = prompt_with_default("Organizational Unit (OU)", config['organizational_unit'])
    validity_days = prompt_with_default("Validity (days)", config['validity_days'])
    print("\n" + "=" * 60)
    print("Summary:")
    print("=" * 60)
    print(f"Target Host:     {target_host}")
    print(f"Common Name:     {common_name}")
    print(f"Country:         {country}")
    print(f"State:           {state}")
    print(f"Locality:        {locality}")
    print(f"Organization:    {organization}")
    print(f"Org Unit:        {org_unit}")
    print(f"Validity:        {validity_days} days")
    print(f"CA Server:       {config['ca_server']}")
    print(f"Output files:    {short_name}.req, {short_name}-cert.pem")
    print("=" * 60)
    print()
    if not yes_no_prompt("Proceed with certificate generation?", True):
        print("Cancelled.")
        sys.exit(0)
    # Save config for next run
    config['last_target_host'] = target_host
    config['last_common_name'] = common_name
    save_config(config)
    # Get script directory
    script_dir = Path(__file__).parent.absolute()
    print("\n" + "=" * 60)
    print("Step 1: Generating CSR on target host")
    print("=" * 60)
    # Run generate-csr.sh
    generate_cmd = [
        str(script_dir / 'generate-csr.sh'),
        target_host,
        common_name,
        country,
        state,
        locality,
        organization,
        org_unit
    ]
    try:
        result = subprocess.run(generate_cmd, check=True)
    except subprocess.CalledProcessError as e:
        print(f"\nError: CSR generation failed with exit code {e.returncode}")
        sys.exit(1)
    except FileNotFoundError:
        print(f"\nError: generate-csr.sh not found in {script_dir}")
        sys.exit(1)
    print("\n" + "=" * 60)
    print("Step 2: Signing certificate with CA")
    print("=" * 60)
    # Run sign-cert.sh
    req_file = f"{short_name}.req"
    sign_cmd = [
        str(script_dir / 'sign-cert.sh'),
        req_file,
        short_name,
        validity_days
    ]
    try:
        result = subprocess.run(sign_cmd, check=True)
    except subprocess.CalledProcessError as e:
        print(f"\nError: Certificate signing failed with exit code {e.returncode}")
        sys.exit(1)
    except FileNotFoundError:
        print(f"\nError: sign-cert.sh not found in {script_dir}")
        sys.exit(1)
    print("\n" + "=" * 60)
    print("Step 3: Deploying certificate to target host")
    print("=" * 60)
    cert_file = f"{short_name}-cert.pem"
    if yes_no_prompt("Do you want to copy the certificate back to the target host?", True):
        try:
            # Copy certificate to target
            subprocess.run(['scp', cert_file, f'root@{target_host}:/tmp/{short_name}.crt'], check=True)
            print(f"\n✓ Certificate copied to target host at /tmp/{short_name}.crt")
            print(f"  Private key is at /tmp/{short_name}.key")
        except subprocess.CalledProcessError:
            print("\nWarning: Failed to copy certificate to target host")
    print("\n" + "=" * 60)
    print("✓ Certificate Management Complete!")
    print("=" * 60)
    print(f"\nFiles created:")
    print(f"  - {req_file} (Certificate Request)")
    print(f"  - {cert_file} (Signed Certificate)")
    print(f"\nOn target host ({target_host}):")
    print(f"  - /tmp/{short_name}.key (Private Key)")
    print(f"  - /tmp/{short_name}.crt (Certificate)")
    print("\n")
 if __name__ == '__main__':
    try:
        main()
    except KeyboardInterrupt:
        print("\n\nCancelled by user.")
        sys.exit(1)
    except Exception as e:
        print(f"\nError: {e}")
        sys.exit(1)
--- a/generate-csr.sh
+++ b/generate-csr.sh
@@ -0,0 +1,113 @@
 #!/bin/bash
 # Script to generate a certificate request on a remote host
 # Usage: ./generate-csr.sh <hostname> <common-name> [country] [state] [locality] [org] [ou]
 set -e
 # Check arguments
 if [ $# -lt 2 ]; then
    echo "Usage: $0 <hostname> <common-name> [country] [state] [locality] [org] [ou]"
    echo ""
    echo "Example: $0 192.168.1.100 myserver.domain.com DE berlin berlin egonetix it"
    exit 1
 fi
 TARGET_HOST="$1"
 COMMON_NAME="$2"
 COUNTRY="${3:-DE}"
 STATE="${4:-berlin}"
 LOCALITY="${5:-berlin}"
 ORG="${6:-egonetix}"
 OU="${7:-it}"
 # Extract short hostname from common name
 SHORT_NAME=$(echo "$COMMON_NAME" | cut -d'.' -f1)
 OUTPUT_FILE="${SHORT_NAME}.req"
 echo "=========================================="
 echo "Certificate Request Generation"
 echo "=========================================="
 echo "Target host:   $TARGET_HOST"
 echo "Common Name:   $COMMON_NAME"
 echo "Country:       $COUNTRY"
 echo "State:         $STATE"
 echo "Locality:      $LOCALITY"
 echo "Organization:  $ORG"
 echo "Org Unit:      $OU"
 echo "Output file:   $OUTPUT_FILE"
 echo "=========================================="
 echo ""
 # Create OpenSSL config
 CONFIG_CONTENT="[req]
 default_bits = 4096
 prompt = no
 default_md = sha256
 distinguished_name = dn
 req_extensions = v3_req
 [dn]
 C=$COUNTRY
 ST=$STATE
 L=$LOCALITY
 O=$ORG
 OU=$OU
 CN=$COMMON_NAME
 [v3_req]
 keyUsage = digitalSignature, keyEncipherment
 extendedKeyUsage = serverAuth
 subjectAltName = @alt_names
 [alt_names]
 DNS.1 = $COMMON_NAME
 DNS.2 = $SHORT_NAME"
 # Add alternative names if common name contains domain
 if [[ "$COMMON_NAME" == *.* ]]; then
    CONFIG_CONTENT="$CONFIG_CONTENT
 DNS.3 = ${SHORT_NAME}.${COMMON_NAME#*.}"
 fi
 echo "[1/4] Creating OpenSSL configuration..."
 echo "$CONFIG_CONTENT" > /tmp/csr_config.conf
 echo "[2/4] Copying config to target host..."
 scp /tmp/csr_config.conf root@${TARGET_HOST}:/tmp/csr_config.conf
 if [ $? -ne 0 ]; then
    echo "Error: Failed to copy config to target host"
    exit 1
 fi
 echo "[3/4] Generating CSR on target host..."
 ssh root@${TARGET_HOST} "openssl req -new -newkey rsa:4096 -nodes -keyout /tmp/${SHORT_NAME}.key -out /tmp/${SHORT_NAME}.csr -config /tmp/csr_config.conf"
 if [ $? -ne 0 ]; then
    echo "Error: Failed to generate CSR on target host"
    exit 1
 fi
 echo "[4/4] Downloading CSR..."
 scp root@${TARGET_HOST}:/tmp/${SHORT_NAME}.csr "$OUTPUT_FILE"
 if [ $? -ne 0 ]; then
    echo "Error: Failed to download CSR"
    exit 1
 fi
 # Clean up local temp file
 rm -f /tmp/csr_config.conf
 echo ""
 echo "=========================================="
 echo "✓ CSR generated successfully!"
 echo "=========================================="
 echo "Certificate request saved to: $OUTPUT_FILE"
 echo ""
 echo "CSR details:"
 openssl req -in "$OUTPUT_FILE" -noout -text | grep -A 10 "Subject:"
 echo ""
 echo "IMPORTANT: Private key is stored on target host at:"
 echo "  /tmp/${SHORT_NAME}.key"
 echo ""
 echo "Next step: Sign this CSR with:"
 echo "  ./sign-cert.sh $OUTPUT_FILE $SHORT_NAME"
 echo "=========================================="
--- a/sign-cert.sh
+++ b/sign-cert.sh
@@ -0,0 +1,87 @@
 #!/bin/bash
 # Script to sign a certificate request with UCS CA
 # Usage: ./sign-cert.sh <req-file> <hostname> [days]
 set -e
 # Configuration
 UCS_SERVER="10.0.0.21"
 UCS_USER="root"
 DEFAULT_DAYS=3650
 # Check arguments
 if [ $# -lt 2 ]; then
    echo "Usage: $0 <req-file> <hostname> [days]"
    echo ""
    echo "Example: $0 webui.req myserver 3650"
    echo ""
    echo "The script will:"
    echo "  1. Copy the CSR to UCS server"
    echo "  2. Sign it with the UCS CA"
    echo "  3. Download the signed certificate to current directory"
    exit 1
 fi
 REQ_FILE="$1"
 HOSTNAME="$2"
 DAYS="${3:-$DEFAULT_DAYS}"
 # Validate req file exists
 if [ ! -f "$REQ_FILE" ]; then
    echo "Error: Certificate request file '$REQ_FILE' not found!"
    exit 1
 fi
 # Get absolute path of req file
 REQ_FILE=$(realpath "$REQ_FILE")
 OUTPUT_FILE="${HOSTNAME}-cert.pem"
 echo "=========================================="
 echo "UCS Certificate Signing Script"
 echo "=========================================="
 echo "Request file: $REQ_FILE"
 echo "Hostname:     $HOSTNAME"
 echo "Valid days:   $DAYS"
 echo "Output file:  $OUTPUT_FILE"
 echo "=========================================="
 echo ""
 # Step 1: Copy CSR to UCS server
 echo "[1/3] Copying CSR to UCS server..."
 scp "$REQ_FILE" ${UCS_USER}@${UCS_SERVER}:/tmp/${HOSTNAME}.csr
 if [ $? -ne 0 ]; then
    echo "Error: Failed to copy CSR to UCS server"
    exit 1
 fi
 # Step 2: Sign the certificate
 echo "[2/3] Signing certificate on UCS server..."
 ssh ${UCS_USER}@${UCS_SERVER} "univention-certificate sign -request /tmp/${HOSTNAME}.csr -name ${HOSTNAME} -days ${DAYS}"
 if [ $? -ne 0 ]; then
    echo "Error: Failed to sign certificate"
    exit 1
 fi
 # Step 3: Download signed certificate
 echo "[3/3] Downloading signed certificate..."
 scp ${UCS_USER}@${UCS_SERVER}:/etc/univention/ssl/${HOSTNAME}/cert.pem "$OUTPUT_FILE"
 if [ $? -ne 0 ]; then
    echo "Error: Failed to download signed certificate"
    exit 1
 fi
 echo ""
 echo "=========================================="
 echo "✓ Certificate signed successfully!"
 echo "=========================================="
 echo "Certificate saved to: $OUTPUT_FILE"
 echo ""
 echo "Certificate details:"
 openssl x509 -in "$OUTPUT_FILE" -noout -subject -issuer -dates
 echo ""
 echo "Subject Alternative Names:"
 openssl x509 -in "$OUTPUT_FILE" -noout -text | grep -A 1 "Subject Alternative Name" | tail -1
 echo ""
 echo "Extended Key Usage:"
 openssl x509 -in "$OUTPUT_FILE" -noout -text | grep -A 1 "Extended Key Usage" | tail -1
 echo "=========================================="