Reorganize workspace structure with system-specific cert directories and DNS automation

scripts/sign-cert.sh

@@ -0,0 +1,128 @@
+#!/bin/bash
+# Script to sign a certificate request with UCS CA
+# Usage: ./sign-cert.sh <req-file> <hostname> [days]
+
+set -e
+
+# Configuration
+UCS_SERVER="10.0.0.21"
+UCS_USER="root"
+DEFAULT_DAYS=3650
+
+# Check arguments
+if [ $# -lt 2 ]; then
+    echo "Usage: $0 <req-file> <hostname> [days]"
+    echo ""
+    echo "Example: $0 webui.req myserver 3650"
+    echo ""
+    echo "The script will:"
+    echo "  1. Copy the CSR to UCS server"
+    echo "  2. Sign it with the UCS CA (preserving extensions)"
+    echo "  3. Download the signed certificate to current directory"
+    exit 1
+fi
+
+REQ_FILE="$1"
+HOSTNAME="$2"
+DAYS="${3:-$DEFAULT_DAYS}"
+
+# Validate req file exists
+if [ ! -f "$REQ_FILE" ]; then
+    echo "Error: Certificate request file '$REQ_FILE' not found!"
+    exit 1
+fi
+
+# Get absolute path of req file
+REQ_FILE=$(realpath "$REQ_FILE")
+# Output to same directory as input CSR
+REQ_DIR=$(dirname "$REQ_FILE")
+OUTPUT_FILE="${REQ_DIR}/${HOSTNAME}-cert.pem"
+
+echo "=========================================="
+echo "UCS Certificate Signing Script"
+echo "=========================================="
+echo "Request file: $REQ_FILE"
+echo "Hostname:     $HOSTNAME"
+echo "Valid days:   $DAYS"
+echo "Output file:  $OUTPUT_FILE"
+echo "=========================================="
+echo ""
+
+# Extract SAN from CSR and fix format
+echo "[1/4] Extracting Subject Alternative Names from CSR..."
+SAN_ENTRIES=$(openssl req -in "$REQ_FILE" -noout -text | grep -A 1 "Subject Alternative Name" | tail -1 | sed 's/^ *//' | sed 's/IP Address:/IP:/g' || echo "")
+
+if [ -z "$SAN_ENTRIES" ]; then
+    echo "Warning: No Subject Alternative Names found in CSR"
+    SAN_CONFIG=""
+else
+    echo "Found SANs: $SAN_ENTRIES"
+    SAN_CONFIG="subjectAltName = $SAN_ENTRIES"
+fi
+
+# Step 2: Copy CSR to UCS server
+echo "[2/4] Copying CSR to UCS server..."
+scp "$REQ_FILE" ${UCS_USER}@${UCS_SERVER}:/tmp/${HOSTNAME}.csr
+if [ $? -ne 0 ]; then
+    echo "Error: Failed to copy CSR to UCS server"
+    exit 1
+fi
+
+# Step 3: Sign using x509 command with CA password
+echo "[3/4] Signing certificate on UCS server..."
+
+# Create extension config and sign on UCS server
+ssh ${UCS_USER}@${UCS_SERVER} "
+set -e
+
+# Create extensions config
+cat > /tmp/${HOSTNAME}-ext.cnf << 'EXTCONF'
+keyUsage = digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+${SAN_CONFIG}
+EXTCONF
+
+# Sign the certificate using CA password file
+openssl x509 -req \
+    -in /tmp/${HOSTNAME}.csr \
+    -CA /etc/univention/ssl/ucsCA/CAcert.pem \
+    -CAkey /etc/univention/ssl/ucsCA/private/CAkey.pem \
+    -CAcreateserial \
+    -out /tmp/${HOSTNAME}-cert.pem \
+    -days ${DAYS} \
+    -sha256 \
+    -extfile /tmp/${HOSTNAME}-ext.cnf \
+    -passin file:/etc/univention/ssl/password
+"
+
+if [ $? -ne 0 ]; then
+    echo "Error: Failed to sign certificate"
+    exit 1
+fi
+
+# Step 4: Download signed certificate
+echo "[4/4] Downloading signed certificate..."
+scp ${UCS_USER}@${UCS_SERVER}:/tmp/${HOSTNAME}-cert.pem "$OUTPUT_FILE"
+if [ $? -ne 0 ]; then
+    echo "Error: Failed to download signed certificate"
+    exit 1
+fi
+
+# Clean up on UCS server
+ssh ${UCS_USER}@${UCS_SERVER} "rm -f /tmp/${HOSTNAME}.csr /tmp/${HOSTNAME}-cert.pem /tmp/${HOSTNAME}-ext.cnf"
+
+echo ""
+echo "=========================================="
+echo "✓ Certificate signed successfully!"
+echo "=========================================="
+echo "Certificate saved to: $OUTPUT_FILE"
+echo ""
+echo "Certificate details:"
+openssl x509 -in "$OUTPUT_FILE" -noout -subject -issuer -dates
+echo ""
+echo "Subject Alternative Names:"
+openssl x509 -in "$OUTPUT_FILE" -noout -text | grep -A 2 "Subject Alternative Name" | tail -2 || echo "  (none)"
+echo ""
+echo "Extended Key Usage:"
+openssl x509 -in "$OUTPUT_FILE" -noout -text | grep -A 1 "Extended Key Usage" | tail -1 || echo "  (none)"
+echo "=========================================="