From 5837c35b7c73f4f2c9856c1e11de81d63b77e2ae Mon Sep 17 00:00:00 2001
From: root
Date: Thu, 23 Oct 2025 08:22:45 +0200
Subject: [PATCH] Add configurable key length with 4096-bit default

- Added key_bits parameter to configuration (default: 4096)
- Updated generate-csr.sh to accept key length as 8th parameter
- Updated cert-manager.py to prompt for key length
- Key length shown in summary and output
- Supports common key sizes: 2048, 4096, 8192 bits
---
 cert-manager.py | 9 +++++++--
 generate-csr.sh | 17 +++++++++++------
 2 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/cert-manager.py b/cert-manager.py
index befe276..739ac26 100755
--- a/cert-manager.py
+++ b/cert-manager.py
@@ -20,6 +20,7 @@ DEFAULT_CONFIG = {
 'organizational_unit': 'it',
 'ca_server': '10.0.0.21',
 'validity_days': '3650',
+ 'key_bits': '4096',
 'last_target_host': '',
 'last_common_name': ''
 }
@@ -85,6 +86,7 @@ def main():
 config['organizational_unit'] = prompt_with_default("Organizational Unit (OU)", config['organizational_unit'])
 config['ca_server'] = prompt_with_default("CA Server", config['ca_server'])
 config['validity_days'] = prompt_with_default("Validity (days)", config['validity_days'])
+ config['key_bits'] = prompt_with_default("Key Length (bits)", config['key_bits'])
 print()
 # Get certificate details
@@ -112,6 +114,7 @@ def main():
 organization = prompt_with_default("Organization (O)", config['organization'])
 org_unit = prompt_with_default("Organizational Unit (OU)", config['organizational_unit'])
 validity_days = prompt_with_default("Validity (days)", config['validity_days'])
+ key_bits = prompt_with_default("Key Length (bits)", config['key_bits'])
 print("\n" + "=" * 60)
 print("Summary:")
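Review bot: The value read at `config['key_bits'] = prompt_with_default("Key Length (bits)", ...)` and again at `key_bits = prompt_with_default(...)` in the `@@ -112,6 +114,7 @@` hunk is never checked, yet it is appended to what looks like the generate-csr.sh argument list in `@@ -154,7 +158,8 @@` and from there ends up in the remote `openssl req -newkey rsa:$KEY_BITS` command, so a typo such as `4O96` or a too-small size only fails late on the target host, and the "2048, 4096, 8192" support stated in the commit message is not enforced anywhere. Validate once where the value is actually consumed, directly after the prompt in the -112 hunk: `if not key_bits.isdigit() or int(key_bits) < 2048:` / `    raise SystemExit(f"Invalid key length {key_bits!r}: expected an integer >= 2048")`. Whether `config['key_bits']` is persisted to disk by code outside the hunk is not visible here; if it is, the same check belongs before the save so a bad value is not replayed as next run's default. main() continues outside all three hunks.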
@@ -123,6 +126,7 @@ def main():
 print(f"Locality: {locality}")
 print(f"Organization: {organization}")
 print(f"Org Unit: {org_unit}")
+ print(f"Key Length: {key_bits} bits")
 print(f"Validity: {validity_days} days")
 print(f"CA Server: {config['ca_server']}")
 print(f"Output files: {short_name}.req, {short_name}-cert.pem")
@@ -154,7 +158,8 @@ def main():
 state,
 locality,
 organization,
- org_unit
+ org_unit,
+ key_bits
 ]
 try:
@@ -210,7 +215,7 @@ def main():
 print(f" - {req_file} (Certificate Request)")
 print(f" - {cert_file} (Signed Certificate)")
 print(f"\nOn target host ({target_host}):")
- print(f" - /tmp/{short_name}.key (Private Key)")
+ print(f" - /tmp/{short_name}.key (Private Key - {key_bits} bits)")
 print(f" - /tmp/{short_name}.crt (Certificate)")
 print("\n")

diff --git a/generate-csr.sh b/generate-csr.sh
index f99f750..7523930 100755
--- a/generate-csr.sh
+++ b/generate-csr.sh
@@ -1,14 +1,14 @@
 #!/bin/bash
 # Script to generate a certificate request on a remote host
-# Usage: ./generate-csr.sh [country] [state] [locality] [org] [ou]
+# Usage: ./generate-csr.sh [country] [state] [locality] [org] [ou] [key-bits]
 set -e
 # Check arguments
 if [ $# -lt 2 ]; then
- echo "Usage: $0 [country] [state] [locality] [org] [ou]"
+ echo "Usage: $0 [country] [state] [locality] [org] [ou] [key-bits]"
 echo ""
- echo "Example: $0 192.168.1.100 myserver.domain.com DE berlin berlin egonetix it"
+ echo "Example: $0 192.168.1.100 myserver.domain.com DE berlin berlin egonetix it 4096"
 exit 1
 fi
@@ -19,6 +19,7 @@ STATE="${4:-berlin}"
 LOCALITY="${5:-berlin}"
 ORG="${6:-egonetix}"
 OU="${7:-it}"
+KEY_BITS="${8:-4096}"
 # Extract short hostname from common name
 SHORT_NAME=$(echo "$COMMON_NAME" | cut -d'.' -f1)
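Review bot: `KEY_BITS="${8:-4096}"` accepts any string, and in the `@@ -79,8 +81,8 @@` hunk that string is spliced unquoted into the command line handed to `ssh root@${TARGET_HOST}` and, in `@@ -34,13 +35,14 @@`, into the `default_bits` line of the generated OpenSSL config, so a malformed eighth argument becomes part of the remote command instead of being rejected locally. The script can be run on its own, so the check belongs here regardless of what cert-manager.py validates; add directly after the assignment: `[[ "$KEY_BITS" =~ ^[0-9]+$ ]] && [ "$KEY_BITS" -ge 2048 ] || { echo "Error: key-bits must be an integer >= 2048 (got '$KEY_BITS')" >&2; exit 1; }`. The 2048 floor matches the smallest size the commit message lists as supported. Note that `${8:-4096}` also substitutes the default for an empty eighth argument, which is the right behaviour when a caller passes an empty string through.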
@@ -34,13 +35,14 @@ echo "State: $STATE"
 echo "Locality: $LOCALITY"
 echo "Organization: $ORG"
 echo "Org Unit: $OU"
+echo "Key Length: $KEY_BITS bits"
 echo "Output file: $OUTPUT_FILE"
 echo "=========================================="
 echo ""
 # Create OpenSSL config
 CONFIG_CONTENT="[req]
-default_bits = 4096
+default_bits = $KEY_BITS
 prompt = no
 default_md = sha256
 distinguished_name = dn
@@ -79,8 +81,8 @@ if [ $? -ne 0 ]; then
 exit 1
 fi
-echo "[3/4] Generating CSR on target host..."
-ssh root@${TARGET_HOST} "openssl req -new -newkey rsa:4096 -nodes -keyout /tmp/${SHORT_NAME}.key -out /tmp/${SHORT_NAME}.csr -config /tmp/csr_config.conf"
+echo "[3/4] Generating $KEY_BITS-bit RSA key and CSR on target host..."
+ssh root@${TARGET_HOST} "openssl req -new -newkey rsa:$KEY_BITS -nodes -keyout /tmp/${SHORT_NAME}.key -out /tmp/${SHORT_NAME}.csr -config /tmp/csr_config.conf"
 if [ $? -ne 0 ]; then
 echo "Error: Failed to generate CSR on target host"
 exit 1
@@ -105,6 +107,9 @@ echo ""
 echo "CSR details:"
 openssl req -in "$OUTPUT_FILE" -noout -text | grep -A 10 "Subject:"
 echo ""
+echo "Key details:"
+openssl req -in "$OUTPUT_FILE" -noout -text | grep "Public-Key:"
+echo ""
 echo "IMPORTANT: Private key is stored on target host at:"
 echo " /tmp/${SHORT_NAME}.key"
 echo ""
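Review bot: `default_bits = $KEY_BITS` in CONFIG_CONTENT is now a second copy of the key size, because the `@@ -79,8 +81,8 @@` hunk passes `-newkey rsa:$KEY_BITS` explicitly and openssl uses the command-line size when one is given, so the config value only matters if the command line ever drops it. That is worth saying where the next reader will look, with a comment above the line: `# default_bits is a fallback only; the size actually used is -newkey rsa:$KEY_BITS in the ssh step below`. If the duplication is intentional as a safety net, the comment should say so; otherwise dropping one of the two avoids the two drifting apart.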
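Review bot: Under the script's `set -e`, the new `openssl req -in "$OUTPUT_FILE" -noout -text | grep "Public-Key:"` aborts the run whenever grep finds no match (grep exits 1 and the pipeline takes grep's status), so a CSR whose text dump lacks that line stops the script before the `IMPORTANT: Private key is stored on target host at:` notice is printed — the same pattern as the existing `Subject:` grep, but this one is new. Give it a non-fatal fallback: `openssl req -in "$OUTPUT_FILE" -noout -text | grep "Public-Key:" || echo "  (Public-Key line not found in CSR)"`. Since the step already parses the CSR, it could also compare the reported size with `$KEY_BITS` and print a clear mismatch warning, which is the check an operator actually wants from a "Key details" section.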