root/zertifizierung
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Reorganize workspace structure with system-specific cert directories and DNS automation

Browse Source
This commit is contained in:
root
2025-12-17 09:39:46 +01:00
parent 296948f07e
commit 99fcd122ea
14 changed files with 329 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

77
docs/DNS_INTEGRATION.md Normal file
View File

@@ -0,0 +1,77 @@
# DNS Integration Feature
## Overview
The certificate manager now automatically checks if hostnames in certificates are resolvable in DNS and can create missing DNS records on the UCS DNS server.
## How It Works
### 1. Certificate Analysis
After signing a certificate, the tool extracts all DNS names from:
- Common Name (CN) in the certificate Subject
- Subject Alternative Names (SANs)
### 2. DNS Resolution Check
For each hostname found, the tool checks if it resolves using standard DNS lookup.
### 3. Missing Record Detection
If a hostname doesn't resolve, it's flagged as missing.
### 4. Automatic DNS Record Creation
The tool offers to create missing DNS records on the UCS DNS server using:
```bash
univention-directory-manager dns/host_record create
```
## Example Output
```
============================================================
Step 4: Checking DNS Records
============================================================
Checking 4 hostname(s) from certificate...
✓ vscode.egonetix.lan - resolves
✓ vscode - resolves
✓ srvdocker02.egonetix.lan - resolves
✗ newhost.egonetix.lan - NOT found in DNS
⚠ Found 1 hostname(s) not in DNS:
- newhost.egonetix.lan
Do you want to create missing DNS records on UCS? [Y/n]: y
Creating DNS records on 10.0.0.21...
✓ Created DNS record: newhost.egonetix.lan → 10.0.0.48
✓ Successfully created 1 DNS record(s)
Note: DNS changes may take a few seconds to propagate.
```
## Benefits
**Prevents Configuration Errors** - Ensures all certificate hostnames are resolvable
**Saves Time** - No need to manually create DNS records
**Automatic Workflow** - Integrated into the certificate generation process
**Safe** - Always asks for confirmation before creating records
**Idempotent** - Detects existing records and skips them
## Requirements
- SSH access to UCS DNS server (default: 10.0.0.21)
- Root access or UDM permissions on UCS server
- Target system must have an IP address for the A record
## Configuration
The DNS server is automatically set to the same server as the CA (configured in cert-manager.py):
```python
config['ca_server'] = '10.0.0.21' # Default UCS server
```
## Limitations
- Only creates A records (IPv4)
- Requires the hostname to be part of an existing DNS zone on UCS
- Short hostnames (without domain) are skipped
- AAAA records (IPv6) not yet supported

135
docs/EXAMPLES.md Normal file
View File

@@ -0,0 +1,135 @@
# Usage Examples
## Example 1: Creating a certificate for a new server (Interactive)
```bash
./cert-manager.py
```
**Session output:**
```
============================================================
Interactive Certificate Manager
============================================================
--- Certificate Details ---
Target Host (IP or hostname): 192.168.1.50
Common Name (FQDN): webserver.egonetix.lan
--- Certificate Subject (press Enter to use defaults) ---
Country (C) [DE]:
State/Province (ST) [berlin]:
Locality (L) [berlin]:
Organization (O) [egonetix]:
Organizational Unit (OU) [it]:
Validity (days) [3650]:
============================================================
Summary:
============================================================
Target Host: 192.168.1.50
Common Name: webserver.egonetix.lan
Country: DE
State: berlin
Locality: berlin
Organization: egonetix
Org Unit: it
Validity: 3650 days
CA Server: 10.0.0.21
Output files: webserver.req, webserver-cert.pem
============================================================
Proceed with certificate generation? [Y/n]: y
============================================================
Step 1: Generating CSR on target host
============================================================
[Generates CSR on 192.168.1.50...]
============================================================
Step 2: Signing certificate with CA
============================================================
[Signs certificate with UCS CA...]
============================================================
Step 3: Deploying certificate to target host
============================================================
Do you want to copy the certificate back to the target host? [Y/n]: y
✓ Certificate copied to target host at /tmp/webserver.crt
Private key is at /tmp/webserver.key
============================================================
✓ Certificate Management Complete!
============================================================
Files created:
- webserver.req (Certificate Request)
- webserver-cert.pem (Signed Certificate)
On target host (192.168.1.50):
- /tmp/webserver.key (Private Key)
- /tmp/webserver.crt (Certificate)
```
## Example 2: Using standalone scripts
### Generate CSR only:
```bash
./generate-csr.sh 10.0.0.1 gwnue01.egonetix.lan
```
### Sign existing CSR:
```bash
./sign-cert.sh gwnue01.req gwnue01 3650
```
## Example 3: Changing default values
First run with modified defaults:
```bash
./cert-manager.py
```
Answer "y" to "Do you want to modify default values?"
Set your new defaults (e.g., different organization, longer validity period).
These defaults are saved in `~/.cert-manager-config.json` and will be used for all future runs.
## Example 4: Batch processing
For multiple certificates, create a wrapper script:
```bash
#!/bin/bash
# batch-certs.sh
hosts=(
"10.0.0.1:gwnue01.egonetix.lan"
"10.0.0.10:nas.egonetix.lan"
"10.0.0.20:monitoring.egonetix.lan"
)
for entry in "${hosts[@]}"; do
host="${entry%%:*}"
fqdn="${entry##*:}"
echo "Processing $fqdn on $host..."
./generate-csr.sh "$host" "$fqdn" DE berlin berlin egonetix it
shortname=$(echo "$fqdn" | cut -d'.' -f1)
./sign-cert.sh "${shortname}.req" "$shortname" 3650
echo "Done with $fqdn"
echo ""
done
```
## Tips
1. **First run:** Use the interactive tool to set up your defaults
2. **Repeated certificates:** The tool remembers your last target/common name
3. **Different organizations:** Modify defaults when needed for specific use cases
4. **Automation:** Use the standalone scripts for scripting/automation
5. **Verification:** Always check the certificate details after generation

301
docs/README.md Normal file
View File

@@ -0,0 +1,301 @@
# Certificate Management Tools
Automated certificate generation and signing tools for UCS CA with intelligent system detection and deployment.
## Features
- 🔍 **Automatic System Detection** - Detects target system type (Proxmox, Home Assistant, pfSense, TrueNAS, UCS)
- 🤖 **Automated Deployment** - Fully automated certificate installation for supported systems
- 🌐 **DNS Integration** - Automatically checks and creates DNS records for certificate hostnames
- 💾 **Configuration Persistence** - Remembers your settings between runs
- 🔐 **Proper Certificate Extensions** - Generates certificates with correct serverAuth extensions
- 🎯 **Interactive & Scriptable** - Works both interactively and in automation scripts
## Supported Systems
| System | Detection | Deployment | Status |
|--------|-----------|------------|--------|
| **Proxmox VE** | ✅ Automatic | ✅ Fully Automated | Production Ready |
| **pfSense** | ✅ Automatic | ⚠️ Manual (Web UI) | Detected |
| **TrueNAS** | ✅ Automatic | ⚠️ Manual (Web UI) | Detected |
| **UCS** | ✅ Automatic | ⚠️ Manual | Detected |
| **Other/Unknown** | ⚠️ Generic | ⚠️ Manual | Basic Support |
### Proxmox VE - Full Automation ✅
For Proxmox systems, the tool provides complete automation:
- Generates CSR on the Proxmox host
- Signs with UCS CA
- Automatically installs to `/etc/pve/local/pveproxy-ssl.{pem,key}`
- Creates timestamped backups of existing certificates
- Restarts `pveproxy` service
- Fully automated, zero manual steps required
### Other Systems - Manual Deployment ⚠️
For pfSense, TrueNAS, and other systems:
- System type is detected automatically
- CSR is generated on the target host
- Certificate is signed with UCS CA
- Certificate and key are copied to `/tmp/`
- Manual installation required through web interface
## Tools
### 1. cert-manager.py (Interactive Mode) - **RECOMMENDED**
The main interactive tool that handles the entire certificate lifecycle with system detection.
**Usage:**
```bash
./scripts/cert-manager.py
```
**Workflow:**
1. Detects target system type automatically
2. Prompts for certificate details with smart defaults
3. Generates CSR on remote host with proper extensions
4. Signs certificate with UCS CA (outputs to `certs/<system-type>/` directory)
5. **Checks DNS records and offers to create missing ones** 🌐
6. Deploys automatically (Proxmox/Home Assistant) or copies to target (others)
**Features:**
- Interactive prompts with default values from previous runs
- Automatic system type detection
- **Automatic DNS record creation on UCS DNS server**
- Intelligent deployment based on system capabilities
- Configurable key length (default: 4096 bits)
- Remembers last used values for quick reuse
- Organized certificate storage by system type
### 2. generate-csr.sh (Standalone)
Generates a certificate signing request on a remote host.
**Usage:**
```bash
./scripts/generate-csr.sh <hostname> <common-name> [country] [state] [locality] [org] [ou] [key-bits]
```
**Example:**
```bash
./scripts/generate-csr.sh 192.168.1.100 server.example.com DE berlin berlin egonetix it 4096
```
**Features:**
- Generates CSR with proper server authentication extensions
- Configurable RSA key length (2048, 4096, 8192 bits)
- Automatic Subject Alternative Names (SANs)
- Private key stays on target host (secure)
### 3. sign-cert.sh (Standalone)
Signs a certificate request with the UCS CA.
**Usage:**
```bash
./scripts/sign-cert.sh <req-file> <hostname> [days]
```
**Example:**
```bash
./scripts/sign-cert.sh certs/proxmox/server.csr server 3650
```
**Output:** Certificate is saved to the same directory as the CSR file.
### 4. detect-system.sh (Utility)
Detects the type of system on a remote host.
**Usage:**
```bash
./scripts/detect-system.sh <hostname>
```
**Returns:** `proxmox`, `pfsense`, `truenas`, `ucs`, or `unknown`
### 5. deploy-proxmox.sh (Proxmox Deployment)
Automated certificate deployment for Proxmox VE.
**Usage:**
```bash
./deploy-proxmox.sh <hostname> <cert-file> <key-file> <short-name>
```
**What it does:**
- Backs up existing certificates with timestamp
- Installs new certificate and key
- Sets correct permissions (640)
- Restarts pveproxy service
- Provides access URL
## Configuration
The interactive tool stores default values in `~/.cert-manager-config.json`.
**Default values:**
- Country: `DE`
- State: `berlin`
- Locality: `berlin`
- Organization: `egonetix`
- Organizational Unit: `it`
- CA Server: `10.0.0.21`
- Validity: `3650` days (10 years)
- Key Length: `4096` bits
**Modifying defaults:**
Run `./cert-manager.py` and answer "yes" when asked to modify default values.
## Interactive Workflow Example
```bash
$ ./cert-manager.py
============================================================
Interactive Certificate Manager
============================================================
--- Certificate Details ---
Target Host (IP or hostname) [srv-wmw-host01]: 10.0.0.50
Detecting system type on 10.0.0.50...
✓ Detected: Proxmox VE
Common Name (FQDN) [srv-wmw-host01.egonetix.lan]: pve-host02.egonetix.lan
--- Certificate Subject (press Enter to use defaults) ---
Country (C) [DE]:
State/Province (ST) [berlin]:
Locality (L) [berlin]:
Organization (O) [egonetix]:
Organizational Unit (OU) [it]:
Validity (days) [3650]:
Key Length (bits) [4096]:
============================================================
Summary:
============================================================
System Type: Proxmox VE
Target Host: 10.0.0.50
Common Name: pve-host02.egonetix.lan
Country: DE
State: berlin
Locality: berlin
Organization: egonetix
Org Unit: it
Key Length: 4096 bits
Validity: 3650 days
CA Server: 10.0.0.21
Output files: pve-host02.req, pve-host02-cert.pem
============================================================
Proceed with certificate generation? [Y/n]:
[Generates CSR, signs, deploys automatically for Proxmox]
✓ Access Proxmox at: https://10.0.0.50:8006
```
## Certificate Details
**Generated certificates include:**
- RSA keys (configurable: 2048, 4096, or 8192 bits)
- SHA-256 signature algorithm
- Subject Alternative Names (SANs) for all hostname variants
- Proper key usage extensions:
- `digitalSignature`
- `keyEncipherment`
- Extended key usage:
- `serverAuth` (TLS Web Server Authentication)
## Requirements
- SSH access to target host as root
- SSH access to UCS CA server (10.0.0.21) as root
- OpenSSL on target host
- Python 3.6+ for interactive tool
- Bash for shell scripts
## Security Notes
1. **Private keys remain on target hosts** - Never transmitted or stored locally
2. **Certificate backups** - Proxmox deployment creates timestamped backups
3. **Proper permissions** - Certificates are installed with correct file permissions
4. **CA access** - Only the signing operation requires CA access
5. **SSH security** - Uses BatchMode and secure connection options
## Troubleshooting
### System not detected correctly
```bash
# Manually check what system it is
./detect-system.sh <hostname>
# Verify SSH access
ssh root@<hostname> "uname -a"
```
### Certificate not trusted in browser
```bash
# Verify system CA is installed
ls -la /usr/local/share/ca-certificates/ucs-root-ca.crt
# Update system CA certificates
sudo update-ca-certificates
# For browsers using NSS (Firefox, Brave, Chrome):
certutil -d sql:$HOME/.pki/nssdb -L | grep -i ucs
```
### Proxmox deployment failed
```bash
# Check Proxmox certificate directory
ssh root@<proxmox-host> "ls -la /etc/pve/local/pveproxy-ssl.*"
# View pveproxy logs
ssh root@<proxmox-host> "journalctl -u pveproxy -n 50"
# Manually restart pveproxy
ssh root@<proxmox-host> "systemctl restart pveproxy"
```
### Certificate expired
Certificates are valid for 10 years by default. To renew:
```bash
# Simply run the tool again with the same hostname
./cert-manager.py
# It will generate a new certificate with a fresh validity period
```
## File Locations
**On local machine:**
- Certificate requests: `./<hostname>.req`
- Signed certificates: `./<hostname>-cert.pem`
- Configuration: `~/.cert-manager-config.json`
**On target host:**
- Private keys: `/tmp/<hostname>.key`
- Certificates: `/tmp/<hostname>.crt`
**On Proxmox hosts:**
- Certificate: `/etc/pve/local/pveproxy-ssl.pem`
- Private key: `/etc/pve/local/pveproxy-ssl.key`
- Backups: `/etc/pve/local/pveproxy-ssl.{pem,key}.bak.YYYYMMDD-HHMMSS`
## Adding Support for New Systems
To add automated deployment for a new system type:
1. Update `detect-system.sh` with detection logic
2. Create `deploy-<system>.sh` script
3. Add system to `SYSTEM_TYPES` in `cert-manager.py`
4. Test thoroughly
5. Update this README
## Additional Resources
- UCS Manual: https://docs.software-univention.de/
- Certificate Management: https://docs.software-univention.de/manual.html#domain:certificates
- OpenSSL Documentation: https://www.openssl.org/docs/
## License
Internal tool for egonetix infrastructure management.

57
docs/STRUCTURE.md Normal file
View File

@@ -0,0 +1,57 @@
# Folder Structure
This directory is organized for efficient certificate management:
## 📁 Structure Overview
```
zertifizierung/
├── ca/ # Certificate Authority files
│ └── ucs-ca-cert.* # UCS CA certificates (crt, der, pem)
├── certs/ # Generated certificates organized by system
│ ├── fritzbox/ # Fritz!Box router certificates
│ ├── vscode/ # VS Code server certificates
│ ├── proxmox/ # Proxmox host certificates
│ ├── homeassistant/ # Home Assistant certificates
│ ├── gateway/ # Network gateway certificates
│ └── ilo/ # iLO interface certificates
├── scripts/ # Certificate management tools
│ ├── cert-manager.py # Main interactive tool
│ ├── sign-cert.sh # Sign certificates with UCS CA
│ ├── generate-csr*.sh # CSR generation scripts
│ ├── deploy-*.sh # Automated deployment scripts
│ ├── install-ca-cert.sh # CA certificate installation
│ └── detect-system.sh # System type detection
└── docs/ # Documentation
├── README.md # Main documentation
├── EXAMPLES.md # Usage examples
├── DNS_INTEGRATION.md # DNS automation feature
└── STRUCTURE.md # This file
```
## 🎯 Usage
All scripts should be run from the workspace root or scripts directory:
```bash
# Run interactive certificate manager
./scripts/cert-manager.py
# Sign a certificate
./scripts/sign-cert.sh certs/fritzbox/fritzbox.csr fritzbox 3650
# Deploy to Proxmox
./scripts/deploy-proxmox.sh certs/proxmox/srv-wmw-host01
```
## 📝 Certificate Files
Each certificate directory (e.g., `certs/fritzbox/`) typically contains:
- `*.key` - Private key
- `*.csr` - Certificate signing request
- `*.pem` - Signed certificate
- `*-cert.pem` - Certificate only
- `*-fullchain.pem` - Certificate + CA chain