- Checks for certutil command before use
- Automatically installs libnss3-tools package if needed
- Works with sudo for non-root users
- Prevents 'command not found' errors
New script: install-ca-cert.sh
- Downloads UCS CA certificate from server
- Installs to system CA certificates (/usr/local/share/ca-certificates/)
- Installs to NSS database (Chrome, Chromium, Brave)
- Installs to all Firefox profiles
- Verifies installation
- Works for current user
Usage:
./install-ca-cert.sh [ca-server-ip]
Default CA server: 10.0.0.21
Benefits:
✅ One-command setup for new users/systems
✅ Automatic browser detection
✅ Works with all major browsers
✅ Verification of successful installation
Changes:
- generate-csr.sh: New 9th parameter for comma-separated additional DNS names
- cert-manager.py: Interactive prompt for additional DNS names
- Automatically appends extra names to SAN list
Example usage:
- Interactive: Enter 'firewall.domain.com,vpn.domain.com' at prompt
- Manual: ./generate-csr.sh host fqdn DE berlin berlin org it 4096 'extra1.com,extra2.com'
Benefits:
✅ Single certificate for multiple DNS names
✅ Support for aliases and CNAMEs
✅ Flexible certificate deployment
Changes:
- generate-csr.sh: Auto-detects target IP via SSH or DNS
- sign-cert.sh: Preserves SAN extensions including IP addresses
- Uses UCS CA password file for automated signing
- Fixes IP Address: -> IP: format conversion for OpenSSL compatibility
Benefits:
✅ Access services via https://10.0.0.50:8006 without warnings
✅ Access via https://hostname:8006 also works
✅ Single certificate for all access methods
✅ Browser shows secure connection for both methods
Technical details:
- Extracts SAN from CSR and applies via -extfile
- Uses 'openssl x509 -req' with -passin file:/etc/univention/ssl/password
- Preserves all DNS names and IP addresses in signed certificate
- Automatically detects target host IP address
- Includes IP in Subject Alternative Names (IP:x.x.x.x)
- Allows secure HTTPS access via both hostname AND IP
- Tries SSH detection first, falls back to local DNS resolution
- Shows detected IP in generation summary
- Displays SAN entries after CSR creation for verification
Benefits:
- Access services via https://10.0.0.50:8006 without cert warnings
- Access via https://hostname:8006 also works
- Single certificate for all access methods
- No browser security warnings on IP-based access
- Added detailed system detection matrix (5 system types)
- Documented Proxmox VE full automation capabilities
- Listed manual deployment requirements for other systems
- Enhanced troubleshooting section with common issues
- Added security notes and file locations
- Improved interactive workflow example
New features:
- detect-system.sh: Automatically detects target system type
- Proxmox VE
- pfSense
- TrueNAS
- UCS
- Unknown/generic
- deploy-proxmox.sh: Automated Proxmox certificate deployment
- Backs up existing certificates
- Installs certificate to /etc/pve/local/pveproxy-ssl.*
- Restarts pveproxy service
- Fully automated deployment
- cert-manager.py enhancements:
- Detects system type before proceeding
- Uses system-specific deployment scripts when available
- Shows detected system type in summary
- Intelligent deployment based on system capabilities
- Manual deployment instructions for unsupported systems
