Reorganize workspace structure with system-specific cert directories and DNS automation

2025-12-17 09:39:46 +01:00
parent 296948f07e
commit 99fcd122ea
14 changed files with 329 additions and 20 deletions
--- a/scripts/generate-csr-local.sh
+++ b/scripts/generate-csr-local.sh
@@ -0,0 +1,164 @@
+#!/bin/bash
+# Script to generate a certificate request locally (for systems without SCP/SFTP)
+# Usage: ./generate-csr-local.sh <common-name> [country] [state] [locality] [org] [ou] [key-bits] [additional-dns] [ip-address]
+
+set -e
+
+# Check arguments
+if [ $# -lt 1 ]; then
+    echo "Usage: $0 <common-name> [country] [state] [locality] [org] [ou] [key-bits] [additional-dns] [ip-address]"
+    echo ""
+    echo "Example: $0 srv-wmw-ha01.egonetix.lan DE berlin berlin egonetix it 4096 '' 172.20.70.10"
+    exit 1
+fi
+
+COMMON_NAME="$1"
+COUNTRY="${2:-DE}"
+STATE="${3:-berlin}"
+LOCALITY="${4:-berlin}"
+ORG="${5:-egonetix}"
+OU="${6:-it}"
+KEY_BITS="${7:-4096}"
+ADDITIONAL_DNS="${8:-}"
+IP_ADDRESS="${9:-}"
+
+# Extract short hostname from common name
+SHORT_NAME=$(echo "$COMMON_NAME" | cut -d'.' -f1)
+OUTPUT_REQ="${SHORT_NAME}.req"
+OUTPUT_KEY="${SHORT_NAME}.key"
+OUTPUT_CSR="${SHORT_NAME}.csr"
+
+echo "=========================================="
+echo "Local Certificate Request Generation"
+echo "=========================================="
+echo "Common Name:   $COMMON_NAME"
+echo "Country:       $COUNTRY"
+echo "State:         $STATE"
+echo "Locality:      $LOCALITY"
+echo "Organization:  $ORG"
+echo "Org Unit:      $OU"
+echo "Key Length:    $KEY_BITS bits"
+if [ -n "$ADDITIONAL_DNS" ]; then
+    echo "Additional DNS: $ADDITIONAL_DNS"
+fi
+if [ -n "$IP_ADDRESS" ]; then
+    echo "IP Address:    $IP_ADDRESS"
+fi
+echo "Output files:  $OUTPUT_REQ, $OUTPUT_KEY"
+echo "=========================================="
+echo ""
+
+# Build SAN entries
+SAN_DNS="DNS.1 = $COMMON_NAME
+DNS.2 = $SHORT_NAME"
+
+DNS_COUNTER=3
+
+# Add alternative names if common name contains domain
+if [[ "$COMMON_NAME" == *.* ]]; then
+    SAN_DNS="$SAN_DNS
+DNS.$DNS_COUNTER = ${SHORT_NAME}.${COMMON_NAME#*.}"
+    ((DNS_COUNTER++))
+fi
+
+# Add additional DNS names if provided
+if [ -n "$ADDITIONAL_DNS" ]; then
+    IFS=',' read -ra EXTRA_DNS <<< "$ADDITIONAL_DNS"
+    for dns in "${EXTRA_DNS[@]}"; do
+        # Trim whitespace
+        dns=$(echo "$dns" | xargs)
+        if [ -n "$dns" ]; then
+            SAN_DNS="$SAN_DNS
+DNS.$DNS_COUNTER = $dns"
+            ((DNS_COUNTER++))
+        fi
+    done
+fi
+
+# Add IP addresses if provided (comma-separated)
+SAN_IP=""
+if [ -n "$IP_ADDRESS" ]; then
+    IP_COUNTER=1
+    IFS=',' read -ra IP_ADDRS <<< "$IP_ADDRESS"
+    for ip in "${IP_ADDRS[@]}"; do
+        # Trim whitespace
+        ip=$(echo "$ip" | xargs)
+        if [ -n "$ip" ]; then
+            if [ -z "$SAN_IP" ]; then
+                SAN_IP="IP.$IP_COUNTER = $ip"
+            else
+                SAN_IP="$SAN_IP
+IP.$IP_COUNTER = $ip"
+            fi
+            ((IP_COUNTER++))
+        fi
+    done
+fi
+
+# Create OpenSSL config
+CONFIG_CONTENT="[req]
+default_bits = $KEY_BITS
+prompt = no
+default_md = sha256
+distinguished_name = dn
+req_extensions = v3_req
+
+[dn]
+C=$COUNTRY
+ST=$STATE
+L=$LOCALITY
+O=$ORG
+OU=$OU
+CN=$COMMON_NAME
+
+[v3_req]
+keyUsage = digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+
+[alt_names]
+$SAN_DNS"
+
+# Append IP if available
+if [ -n "$SAN_IP" ]; then
+    CONFIG_CONTENT="$CONFIG_CONTENT
+$SAN_IP"
+fi
+
+CONFIG_FILE="/tmp/csr_config_${SHORT_NAME}.conf"
+echo "[1/2] Creating OpenSSL configuration..."
+echo "$CONFIG_CONTENT" > "$CONFIG_FILE"
+
+echo "[2/2] Generating $KEY_BITS-bit RSA key and CSR locally..."
+openssl req -new -newkey rsa:$KEY_BITS -nodes -keyout "$OUTPUT_KEY" -out "$OUTPUT_CSR" -config "$CONFIG_FILE"
+
+# Also create the .req file for consistency with other scripts
+cp "$OUTPUT_CSR" "$OUTPUT_REQ"
+
+# Clean up config file
+rm -f "$CONFIG_FILE"
+
+# Set proper permissions on private key
+chmod 600 "$OUTPUT_KEY"
+
+echo ""
+echo "=========================================="
+echo "✓ Certificate files generated locally!"
+echo "=========================================="
+echo "Certificate request: $OUTPUT_REQ"
+echo "Private key:         $OUTPUT_KEY"
+echo ""
+echo "CSR details:"
+openssl req -in "$OUTPUT_REQ" -noout -text | grep -A 10 "Subject:"
+echo ""
+echo "Subject Alternative Names:"
+openssl req -in "$OUTPUT_REQ" -noout -text | grep -A 20 "Subject Alternative Name" || echo "  (none found)"
+echo ""
+echo "Key details:"
+openssl req -in "$OUTPUT_REQ" -noout -text | grep "Public-Key:"
+echo ""
+echo "⚠️  IMPORTANT: Keep $OUTPUT_KEY secure!"
+echo ""
+echo "Next step: Sign this CSR with:"
+echo "  ./sign-cert.sh $OUTPUT_REQ $SHORT_NAME"
+echo "=========================================="