Add configurable key length with 4096-bit default
- Added key_bits parameter to configuration (default: 4096) - Updated generate-csr.sh to accept key length as 8th parameter - Updated cert-manager.py to prompt for key length - Key length shown in summary and output - Supports common key sizes: 2048, 4096, 8192 bits
This commit is contained in:
root
@@ -20,6 +20,7 @@ DEFAULT_CONFIG = {
|
||||
'organizational_unit': 'it',
|
||||
'ca_server': '10.0.0.21',
|
||||
'validity_days': '3650',
|
||||
'key_bits': '4096',
|
||||
'last_target_host': '',
|
||||
'last_common_name': ''
|
||||
}
|
||||
@@ -85,6 +86,7 @@ def main():
|
||||
config['organizational_unit'] = prompt_with_default("Organizational Unit (OU)", config['organizational_unit'])
|
||||
config['ca_server'] = prompt_with_default("CA Server", config['ca_server'])
|
||||
config['validity_days'] = prompt_with_default("Validity (days)", config['validity_days'])
|
||||
config['key_bits'] = prompt_with_default("Key Length (bits)", config['key_bits'])
|
||||
print()
|
||||
|
||||
# Get certificate details
|
||||
@@ -112,6 +114,7 @@ def main():
|
||||
organization = prompt_with_default("Organization (O)", config['organization'])
|
||||
org_unit = prompt_with_default("Organizational Unit (OU)", config['organizational_unit'])
|
||||
validity_days = prompt_with_default("Validity (days)", config['validity_days'])
|
||||
key_bits = prompt_with_default("Key Length (bits)", config['key_bits'])
|
||||
|
||||
print("\n" + "=" * 60)
|
||||
print("Summary:")
|
||||
@@ -123,6 +126,7 @@ def main():
|
||||
print(f"Locality: {locality}")
|
||||
print(f"Organization: {organization}")
|
||||
print(f"Org Unit: {org_unit}")
|
||||
print(f"Key Length: {key_bits} bits")
|
||||
print(f"Validity: {validity_days} days")
|
||||
print(f"CA Server: {config['ca_server']}")
|
||||
print(f"Output files: {short_name}.req, {short_name}-cert.pem")
|
||||
@@ -154,7 +158,8 @@ def main():
|
||||
state,
|
||||
locality,
|
||||
organization,
|
||||
org_unit
|
||||
org_unit,
|
||||
key_bits
|
||||
]
|
||||
|
||||
try:
|
||||
@@ -210,7 +215,7 @@ def main():
|
||||
print(f" - {req_file} (Certificate Request)")
|
||||
print(f" - {cert_file} (Signed Certificate)")
|
||||
print(f"\nOn target host ({target_host}):")
|
||||
print(f" - /tmp/{short_name}.key (Private Key)")
|
||||
print(f" - /tmp/{short_name}.key (Private Key - {key_bits} bits)")
|
||||
print(f" - /tmp/{short_name}.crt (Certificate)")
|
||||
print("\n")
|
||||
|
||||
|
||||
@@ -1,14 +1,14 @@
|
||||
#!/bin/bash
|
||||
# Script to generate a certificate request on a remote host
|
||||
# Usage: ./generate-csr.sh <hostname> <common-name> [country] [state] [locality] [org] [ou]
|
||||
# Usage: ./generate-csr.sh <hostname> <common-name> [country] [state] [locality] [org] [ou] [key-bits]
|
||||
|
||||
set -e
|
||||
|
||||
# Check arguments
|
||||
if [ $# -lt 2 ]; then
|
||||
echo "Usage: $0 <hostname> <common-name> [country] [state] [locality] [org] [ou]"
|
||||
echo "Usage: $0 <hostname> <common-name> [country] [state] [locality] [org] [ou] [key-bits]"
|
||||
echo ""
|
||||
echo "Example: $0 192.168.1.100 myserver.domain.com DE berlin berlin egonetix it"
|
||||
echo "Example: $0 192.168.1.100 myserver.domain.com DE berlin berlin egonetix it 4096"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
@@ -19,6 +19,7 @@ STATE="${4:-berlin}"
|
||||
LOCALITY="${5:-berlin}"
|
||||
ORG="${6:-egonetix}"
|
||||
OU="${7:-it}"
|
||||
KEY_BITS="${8:-4096}"
|
||||
|
||||
# Extract short hostname from common name
|
||||
SHORT_NAME=$(echo "$COMMON_NAME" | cut -d'.' -f1)
|
||||
@@ -34,13 +35,14 @@ echo "State: $STATE"
|
||||
echo "Locality: $LOCALITY"
|
||||
echo "Organization: $ORG"
|
||||
echo "Org Unit: $OU"
|
||||
echo "Key Length: $KEY_BITS bits"
|
||||
echo "Output file: $OUTPUT_FILE"
|
||||
echo "=========================================="
|
||||
echo ""
|
||||
|
||||
# Create OpenSSL config
|
||||
CONFIG_CONTENT="[req]
|
||||
default_bits = 4096
|
||||
default_bits = $KEY_BITS
|
||||
prompt = no
|
||||
default_md = sha256
|
||||
distinguished_name = dn
|
||||
@@ -79,8 +81,8 @@ if [ $? -ne 0 ]; then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "[3/4] Generating CSR on target host..."
|
||||
ssh root@${TARGET_HOST} "openssl req -new -newkey rsa:4096 -nodes -keyout /tmp/${SHORT_NAME}.key -out /tmp/${SHORT_NAME}.csr -config /tmp/csr_config.conf"
|
||||
echo "[3/4] Generating $KEY_BITS-bit RSA key and CSR on target host..."
|
||||
ssh root@${TARGET_HOST} "openssl req -new -newkey rsa:$KEY_BITS -nodes -keyout /tmp/${SHORT_NAME}.key -out /tmp/${SHORT_NAME}.csr -config /tmp/csr_config.conf"
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "Error: Failed to generate CSR on target host"
|
||||
exit 1
|
||||
@@ -105,6 +107,9 @@ echo ""
|
||||
echo "CSR details:"
|
||||
openssl req -in "$OUTPUT_FILE" -noout -text | grep -A 10 "Subject:"
|
||||
echo ""
|
||||
echo "Key details:"
|
||||
openssl req -in "$OUTPUT_FILE" -noout -text | grep "Public-Key:"
|
||||
echo ""
|
||||
echo "IMPORTANT: Private key is stored on target host at:"
|
||||
echo " /tmp/${SHORT_NAME}.key"
|
||||
echo ""
|
||||
|
||||
Reference in New Issue
Block a user