feat: add IP address support in SAN field

- Automatically detects target host IP address
- Includes IP in Subject Alternative Names (IP:x.x.x.x)
- Allows secure HTTPS access via both hostname AND IP
- Tries SSH detection first, falls back to local DNS resolution
- Shows detected IP in generation summary
- Displays SAN entries after CSR creation for verification

Benefits:
- Access services via https://10.0.0.50:8006 without cert warnings
- Access via https://hostname:8006 also works
- Single certificate for all access methods
- No browser security warnings on IP-based access
This commit is contained in:
root
2025-10-23 09:15:36 +02:00
parent 2a7d1c23aa
commit a4f3b80c66


@@ -25,10 +25,23 @@ KEY_BITS="${8:-4096}"
SHORT_NAME=$(echo "$COMMON_NAME" | cut -d'.' -f1) SHORT_NAME=$(echo "$COMMON_NAME" | cut -d'.' -f1)
OUTPUT_FILE="${SHORT_NAME}.req" OUTPUT_FILE="${SHORT_NAME}.req"
# Detect if TARGET_HOST is an IP address
if [[ "$TARGET_HOST" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
TARGET_IP="$TARGET_HOST"
else
# Try to resolve hostname to IP
TARGET_IP=$(ssh -o ConnectTimeout=5 -o BatchMode=yes root@${TARGET_HOST} "hostname -I | awk '{print \$1}'" 2>/dev/null || echo "")
if [ -z "$TARGET_IP" ]; then
# Fallback: try local resolution
TARGET_IP=$(getent hosts "$TARGET_HOST" 2>/dev/null | awk '{print $1}' | head -1 || echo "")
fi
fi
echo "==========================================" echo "=========================================="
echo "Certificate Request Generation" echo "Certificate Request Generation"
echo "==========================================" echo "=========================================="
echo "Target host: $TARGET_HOST" echo "Target host: $TARGET_HOST"
echo "Target IP: ${TARGET_IP:-not detected}"
echo "Common Name: $COMMON_NAME" echo "Common Name: $COMMON_NAME"
echo "Country: $COUNTRY" echo "Country: $COUNTRY"
echo "State: $STATE" echo "State: $STATE"
@@ -40,6 +53,25 @@ echo "Output file: $OUTPUT_FILE"
echo "==========================================" echo "=========================================="
echo "" echo ""
# Build SAN entries
SAN_DNS="DNS.1 = $COMMON_NAME
DNS.2 = $SHORT_NAME"
DNS_COUNTER=3
# Add alternative names if common name contains domain
if [[ "$COMMON_NAME" == *.* ]]; then
SAN_DNS="$SAN_DNS
DNS.$DNS_COUNTER = ${SHORT_NAME}.${COMMON_NAME#*.}"
((DNS_COUNTER++))
fi
# Add IP address if detected
SAN_IP=""
if [ -n "$TARGET_IP" ]; then
SAN_IP="IP.1 = $TARGET_IP"
fi
# Create OpenSSL config # Create OpenSSL config
CONFIG_CONTENT="[req] CONFIG_CONTENT="[req]
default_bits = $KEY_BITS default_bits = $KEY_BITS
@@ -62,13 +94,12 @@ extendedKeyUsage = serverAuth
subjectAltName = @alt_names subjectAltName = @alt_names
[alt_names] [alt_names]
DNS.1 = $COMMON_NAME $SAN_DNS"
DNS.2 = $SHORT_NAME"
# Add alternative names if common name contains domain # Append IP if available
if [[ "$COMMON_NAME" == *.* ]]; then if [ -n "$SAN_IP" ]; then
CONFIG_CONTENT="$CONFIG_CONTENT CONFIG_CONTENT="$CONFIG_CONTENT
DNS.3 = ${SHORT_NAME}.${COMMON_NAME#*.}" $SAN_IP"
fi fi
echo "[1/4] Creating OpenSSL configuration..." echo "[1/4] Creating OpenSSL configuration..."
@@ -107,6 +138,9 @@ echo ""
echo "CSR details:" echo "CSR details:"
openssl req -in "$OUTPUT_FILE" -noout -text | grep -A 10 "Subject:" openssl req -in "$OUTPUT_FILE" -noout -text | grep -A 10 "Subject:"
echo "" echo ""
echo "Subject Alternative Names:"
openssl req -in "$OUTPUT_FILE" -noout -text | grep -A 20 "Subject Alternative Name" || echo " (none found)"
echo ""
echo "Key details:" echo "Key details:"
openssl req -in "$OUTPUT_FILE" -noout -text | grep "Public-Key:" openssl req -in "$OUTPUT_FILE" -noout -text | grep "Public-Key:"
echo "" echo ""
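Review bot: In the first hunk the detected address is embedded in the SAN without being validated, even though the script already has the IPv4 pattern it would need: whatever the first field of `hostname -I` over SSH (or the first `getent hosts` column) returns goes straight into `IP.1 = $TARGET_IP`, so a stray stdout line from the remote login, an IPv6 address, or an empty-but-whitespace result would either break the `openssl req` run or put an unintended value into the certificate. The same regex used to recognise an IP on the `TARGET_HOST` check should gate the result after the `fi`, e.g. `[[ "$TARGET_IP" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]] || TARGET_IP=""`, so the summary line then honestly reports `not detected` instead of a bogus SAN. The SSH target should also be quoted, `"root@${TARGET_HOST}"`, since `TARGET_HOST` is a positional argument and is interpolated unquoted on the `ssh` line. Note as well that `hostname -I` lists every configured address and the first one is not necessarily the one clients reach the service on, so it may be worth a comment stating that assumption next to the detection block.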