Add configurable key length with 4096-bit default
- Added key_bits parameter to configuration (default: 4096)
- Updated generate-csr.sh to accept key length as 8th parameter
- Updated cert-manager.py to prompt for key length
- Key length is shown in the summary and output
- Supports common key sizes: 2048, 4096, 8192 bits
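--- a/cert-manager.py
+++ b/cert-manager.py
@@ -20,6 +20,7 @@ DEFAULT_CONFIG = {
 'organizational_unit': 'it',
 'ca_server': '10.0.0.21',
 'validity_days': '3650',
+'key_bits': '4096',
 'last_target_host': '',
 'last_common_name': ''
 }
@@ -85,6 +86,7 @@ def main():
 config['organizational_unit'] = prompt_with_default("Organizational Unit (OU)", config['organizational_unit'])
 config['ca_server'] = prompt_with_default("CA Server", config['ca_server'])
 config['validity_days'] = prompt_with_default("Validity (days)", config['validity_days'])
+config['key_bits'] = prompt_with_default("Key Length (bits)", config['key_bits'])
 print()
 
 # Get certificate details
@@ -112,6 +114,7 @@ def main():
 organization = prompt_with_default("Organization (O)", config['organization'])
 org_unit = prompt_with_default("Organizational Unit (OU)", config['organizational_unit'])
 validity_days = prompt_with_default("Validity (days)", config['validity_days'])
+key_bits = prompt_with_default("Key Length (bits)", config['key_bits'])
 
 print("\n" + "=" * 60)
 print("Summary:")
@@ -123,6 +126,7 @@ def main():
 print(f"Locality: {locality}")
 print(f"Organization: {organization}")
 print(f"Org Unit: {org_unit}")
+print(f"Key Length: {key_bits} bits")
 print(f"Validity: {validity_days} days")
 print(f"CA Server: {config['ca_server']}")
 print(f"Output files: {short_name}.req, {short_name}-cert.pem")
@@ -154,7 +158,8 @@ def main():
 state,
 locality,
 organization,
-org_unit
+org_unit,
+key_bits
 ]
 
 try:
@@ -210,7 +215,7 @@ def main():
 print(f" - {req_file} (Certificate Request)")
 print(f" - {cert_file} (Signed Certificate)")
 print(f"\nOn target host ({target_host}):")
-print(f" - /tmp/{short_name}.key (Private Key)")
+print(f" - /tmp/{short_name}.key (Private Key - {key_bits} bits)")
 print(f" - /tmp/{short_name}.crt (Certificate)")
 print("\n")
 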
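Review bot: The new `key_bits` value is free-form prompt input that is appended to the argument list in the `@@ -154,7 +158,8 @@` hunk without any check that it is a number, so a typo or any non-numeric text only fails later, on the remote host, inside the openssl invocation built by generate-csr.sh. Validate it at the point it is read (the `@@ -112,6 +114,7 @@` hunk), before it is echoed in the summary and before the command list is built: `if not key_bits.isdigit() or int(key_bits) < 2048:` followed by `raise SystemExit(f"Key length must be a whole number of bits >= 2048, got {key_bits!r}")`. The same check belongs on the `config['key_bits']` prompt in the `@@ -85,6 +86,7 @@` hunk, since that value is persisted as the next default. main() starts and ends outside these hunks.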
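--- a/generate-csr.sh
+++ b/generate-csr.sh
@@ -1,14 +1,14 @@
 #!/bin/bash
 # Script to generate a certificate request on a remote host
-# Usage: ./generate-csr.sh <hostname> <common-name> [country] [state] [locality] [org] [ou]
+# Usage: ./generate-csr.sh <hostname> <common-name> [country] [state] [locality] [org] [ou] [key-bits]
 
 set -e
 
 # Check arguments
 if [ $# -lt 2 ]; then
-echo "Usage: $0 <hostname> <common-name> [country] [state] [locality] [org] [ou]"
+echo "Usage: $0 <hostname> <common-name> [country] [state] [locality] [org] [ou] [key-bits]"
 echo ""
-echo "Example: $0 192.168.1.100 myserver.domain.com DE berlin berlin egonetix it"
+echo "Example: $0 192.168.1.100 myserver.domain.com DE berlin berlin egonetix it 4096"
 exit 1
 fi
 
@@ -19,6 +19,7 @@ STATE="${4:-berlin}"
 LOCALITY="${5:-berlin}"
 ORG="${6:-egonetix}"
 OU="${7:-it}"
+KEY_BITS="${8:-4096}"
 
 # Extract short hostname from common name
 SHORT_NAME=$(echo "$COMMON_NAME" | cut -d'.' -f1)
@@ -34,13 +35,14 @@ echo "State: $STATE"
 echo "Locality: $LOCALITY"
 echo "Organization: $ORG"
 echo "Org Unit: $OU"
+echo "Key Length: $KEY_BITS bits"
 echo "Output file: $OUTPUT_FILE"
 echo "=========================================="
 echo ""
 
 # Create OpenSSL config
 CONFIG_CONTENT="[req]
-default_bits = 4096
+default_bits = $KEY_BITS
 prompt = no
 default_md = sha256
 distinguished_name = dn
@@ -79,8 +81,8 @@ if [ $? -ne 0 ]; then
 exit 1
 fi
 
-echo "[3/4] Generating CSR on target host..."
-ssh root@${TARGET_HOST} "openssl req -new -newkey rsa:4096 -nodes -keyout /tmp/${SHORT_NAME}.key -out /tmp/${SHORT_NAME}.csr -config /tmp/csr_config.conf"
+echo "[3/4] Generating $KEY_BITS-bit RSA key and CSR on target host..."
+ssh root@${TARGET_HOST} "openssl req -new -newkey rsa:$KEY_BITS -nodes -keyout /tmp/${SHORT_NAME}.key -out /tmp/${SHORT_NAME}.csr -config /tmp/csr_config.conf"
 if [ $? -ne 0 ]; then
 echo "Error: Failed to generate CSR on target host"
 exit 1
@@ -105,6 +107,9 @@ echo ""
 echo "CSR details:"
 openssl req -in "$OUTPUT_FILE" -noout -text | grep -A 10 "Subject:"
 echo ""
+echo "Key details:"
+openssl req -in "$OUTPUT_FILE" -noout -text | grep "Public-Key:"
+echo ""
 echo "IMPORTANT: Private key is stored on target host at:"
 echo " /tmp/${SHORT_NAME}.key"
 echo ""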
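Review bot: `KEY_BITS="${8:-4096}"` (hunk `@@ -19,6 +19,7 @@`) is taken verbatim from argv and then spliced into both the OpenSSL config text and the double-quoted command string handed to `ssh root@${TARGET_HOST}` in hunk `@@ -79,8 +81,8 @@`, so anything other than a plain integer is interpreted by the remote shell rather than rejected here. Add a guard directly after the assignment: `[[ "$KEY_BITS" =~ ^[0-9]+$ ]] && (( KEY_BITS >= 2048 )) || { echo "Error: key-bits must be an integer >= 2048" >&2; exit 1; }`. The commit message names 2048, 4096 and 8192 as the supported sizes, so an explicit `case` allow-list would be equally fitting. Note also that `-newkey rsa:$KEY_BITS` on the ssh line appears to make the `default_bits = $KEY_BITS` entry in CONFIG_CONTENT redundant; if both are kept, a comment saying which one is authoritative would help the next maintainer.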