From a4f3b80c66004b92f84ff0a5c23f4212d685466e Mon Sep 17 00:00:00 2001
From: root
Date: Thu, 23 Oct 2025 09:15:36 +0200
Subject: [PATCH] feat: add IP address support in SAN field

- Automatically detects target host IP address
- Includes IP in Subject Alternative Names (IP:x.x.x.x)
- Allows secure HTTPS access via both hostname AND IP
- Tries SSH detection first, falls back to local DNS resolution
- Shows detected IP in generation summary
- Displays SAN entries after CSR creation for verification

Benefits:
- Access services via https://10.0.0.50:8006 without cert warnings
- Access via https://hostname:8006 also works
- Single certificate for all access methods
- No browser security warnings on IP-based access
---
 generate-csr.sh | 44 +++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 39 insertions(+), 5 deletions(-)

diff --git a/generate-csr.sh b/generate-csr.sh
index 7523930..1482d3f 100755
--- a/generate-csr.sh
+++ b/generate-csr.sh
@@ -25,10 +25,23 @@ KEY_BITS="${8:-4096}"
 SHORT_NAME=$(echo "$COMMON_NAME" | cut -d'.' -f1)
 OUTPUT_FILE="${SHORT_NAME}.req"
 
+# Detect if TARGET_HOST is an IP address
+if [[ "$TARGET_HOST" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+ TARGET_IP="$TARGET_HOST"
+else
+ # Try to resolve hostname to IP
+ TARGET_IP=$(ssh -o ConnectTimeout=5 -o BatchMode=yes root@${TARGET_HOST} "hostname -I | awk '{print \$1}'" 2>/dev/null || echo "")
+ if [ -z "$TARGET_IP" ]; then
+ # Fallback: try local resolution
+ TARGET_IP=$(getent hosts "$TARGET_HOST" 2>/dev/null | awk '{print $1}' | head -1 || echo "")
+ fi
+fi
+
 echo "=========================================="
 echo "Certificate Request Generation"
 echo "=========================================="
 echo "Target host: $TARGET_HOST"
+echo "Target IP: ${TARGET_IP:-not detected}"
 echo "Common Name: $COMMON_NAME"
 echo "Country: $COUNTRY"
 echo "State: $STATE"
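Review bot: TARGET_IP is taken verbatim from the remote `hostname -I` output (and from the getent fallback) and later interpolated into the OpenSSL config as `IP.1 = $TARGET_IP`, so anything other than a single well-formed address — stray output, an IPv6 literal, or a value containing a newline — lands inside the CSR's alt_names section unvalidated. After the outer `fi` that closes the detection block, add a check such as `[[ "$TARGET_IP" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]] || TARGET_IP=""` so only an IPv4 literal reaches the SAN, and note that the same regex accepts octets above 255. The ssh target should be quoted, `"root@${TARGET_HOST}"`, to match the quoting used elsewhere in the hunk. `hostname -I | awk '{print $1}'` picks the first of possibly several addresses on a multi-homed host, which is not necessarily the one clients will connect to; a comment on that line saying the first address is assumed to be the service address would help the next reader.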
@@ -40,6 +53,25 @@ echo "Output file: $OUTPUT_FILE"
 echo "=========================================="
 echo ""
 
+# Build SAN entries
+SAN_DNS="DNS.1 = $COMMON_NAME
+DNS.2 = $SHORT_NAME"
+
+DNS_COUNTER=3
+
+# Add alternative names if common name contains domain
+if [[ "$COMMON_NAME" == *.* ]]; then
+ SAN_DNS="$SAN_DNS
+DNS.$DNS_COUNTER = ${SHORT_NAME}.${COMMON_NAME#*.}"
+ ((DNS_COUNTER++))
+fi
+
+# Add IP address if detected
+SAN_IP=""
+if [ -n "$TARGET_IP" ]; then
+ SAN_IP="IP.1 = $TARGET_IP"
+fi
+
 # Create OpenSSL config
 CONFIG_CONTENT="[req]
 default_bits = $KEY_BITS
@@ -62,13 +94,12 @@ extendedKeyUsage = serverAuth
 subjectAltName = @alt_names
 
 [alt_names]
-DNS.1 = $COMMON_NAME
-DNS.2 = $SHORT_NAME"
+$SAN_DNS"
 
-# Add alternative names if common name contains domain
-if [[ "$COMMON_NAME" == *.* ]]; then
+# Append IP if available
+if [ -n "$SAN_IP" ]; then
 CONFIG_CONTENT="$CONFIG_CONTENT
-DNS.3 = ${SHORT_NAME}.${COMMON_NAME#*.}"
+$SAN_IP"
 fi
 
 echo "[1/4] Creating OpenSSL configuration..."
@@ -107,6 +138,9 @@ echo ""
 echo "CSR details:"
 openssl req -in "$OUTPUT_FILE" -noout -text | grep -A 10 "Subject:"
 echo ""
+echo "Subject Alternative Names:"
+openssl req -in "$OUTPUT_FILE" -noout -text | grep -A 20 "Subject Alternative Name" || echo " (none found)"
+echo ""
 echo "Key details:"
 openssl req -in "$OUTPUT_FILE" -noout -text | grep "Public-Key:"
 echo ""
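Review bot: DNS_COUNTER is incremented by `((DNS_COUNTER++))` after the DNS.3 entry but never read again, in this hunk or in the later ones, so the increment is dead code; either drop it and write `DNS.3 = ${SHORT_NAME}.${COMMON_NAME#*.}` directly, or keep it with a comment that further DNS entries are expected to follow. If it stays, be aware that `(( ))` returns non-zero when the expression evaluates to 0, which would abort the script should `set -e` be enabled above this hunk. The hunk also mixes `[[ "$COMMON_NAME" == *.* ]]` with `[ -n "$TARGET_IP" ]` for the IP test, and the hunk at line 94 repeats the pattern with `[ -n "$SAN_IP" ]`; `[[ -n "$TARGET_IP" ]]` and `[[ -n "$SAN_IP" ]]` keep the style uniform.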
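Review bot: `grep -A 20 "Subject Alternative Name"` prints twenty lines past the extension header, which in `openssl req -text` output runs well into unrelated extensions and the signature block, so the "verification" output is mostly noise; the SAN values sit on the line immediately after the header, so `grep -A 1 "Subject Alternative Name"` shows exactly what the commit intends to display. The `|| echo " (none found)"` branch also fires when `openssl req` itself fails to parse the file, since the pipeline's status is grep's, so the message can be misleading; if that matters, check the openssl exit status separately or run the text dump once into a variable and grep that for the Subject, SAN and Public-Key sections instead of invoking openssl three times on the same file.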