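#!/bin/bash
#
# Generate an RSA private key and a certificate signing request (CSR) locally,
# for systems that cannot SCP/SFTP a request to the signing host.
#
# Usage:
#   ./generate-csr-local.sh <common-name> [country] [state] [locality] [org] [ou]
#                           [key-bits] [additional-dns] [ip-address]
#
# Arguments (all but the first are optional):
#   common-name     FQDN for the certificate; its first DNS label is used as the
#                   base name of the output files
#   country, state, locality, org, ou   distinguished-name fields
#   key-bits        RSA modulus size in bits (default 4096)
#   additional-dns  comma-separated extra DNS SAN entries ('' for none)
#   ip-address      comma-separated IP SAN entries
#
# Outputs (in the current directory): <short>.key (private key, mode 0600),
# <short>.csr, and an identical <short>.req for the companion sign-cert.sh.
#
# Notes: pipefail is enabled so a failing openssl in a pipeline is not masked
# by grep; -u is deliberately not used so the script keeps working on bash < 4.4,
# where an empty array expansion trips the unset-variable check.
set -eo pipefail

# Path of the temporary OpenSSL config; removed by the EXIT trap.
CONFIG_FILE=""

#######################################
# Print an error to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print usage to stderr and exit 1.
# Globals: none
#######################################
usage() {
  printf 'Usage: %s <common-name> [country] [state] [locality] [org] [ou] [key-bits] [additional-dns] [ip-address]\n' "$0" >&2
  printf '\n' >&2
  printf "Example: %s srv-wmw-ha01.egonetix.lan DE berlin berlin egonetix it 4096 '' 172.20.70.10\\n" "$0" >&2
  exit 1
}

#######################################
# Remove the temporary config file, if one was created.
# Globals: CONFIG_FILE (read)
#######################################
cleanup() {
  if [ -n "$CONFIG_FILE" ]; then
    rm -f -- "$CONFIG_FILE"
  fi
}

#######################################
# Strip leading and trailing whitespace from a string.
# Arguments: $1 - string
# Outputs:   trimmed string on stdout (no trailing newline)
#######################################
trim() {
  local s=$1
  s=${s#"${s%%[![:space:]]*}"}
  s=${s%"${s##*[![:space:]]}"}
  printf '%s' "$s"
}

#######################################
# Abort if a value contains a line break. Every DN/SAN value is written
# verbatim into the OpenSSL config, so an embedded newline could add
# arbitrary config directives.
# Arguments: $1 - field label (for the message), $2 - value
#######################################
require_single_line() {
  local label=$1 value=$2
  case "$value" in
    *$'\n'*|*$'\r'*) die "$label must not contain line breaks" ;;
  esac
}

#######################################
# Entry point: parse arguments, build the OpenSSL config, generate key and CSR.
# Globals:   CONFIG_FILE (written)
# Arguments: see file header
# Returns:   0 on success; exits non-zero on any failure (set -e)
#######################################
main() {
  [ $# -ge 1 ] || usage
  command -v openssl >/dev/null || die "openssl not found in PATH"

  local common_name=$1
  local country=${2:-DE}
  local state=${3:-berlin}
  local locality=${4:-berlin}
  local org=${5:-egonetix}
  local ou=${6:-it}
  local key_bits=${7:-4096}
  local additional_dns=${8:-}
  local ip_address=${9:-}

  # key_bits is interpolated into both the config and the openssl command line;
  # only accept a plain integer.
  [[ "$key_bits" =~ ^[0-9]+$ ]] || die "key-bits must be a positive integer, got '$key_bits'"
  if [ "$key_bits" -lt 2048 ]; then
    printf 'warning: %s-bit RSA is below the commonly required 2048-bit minimum\n' "$key_bits" >&2
  fi

  require_single_line "common-name" "$common_name"
  require_single_line "country" "$country"
  require_single_line "state" "$state"
  require_single_line "locality" "$locality"
  require_single_line "org" "$org"
  require_single_line "ou" "$ou"
  require_single_line "additional-dns" "$additional_dns"
  require_single_line "ip-address" "$ip_address"

  # First label of the CN names the output files.
  local short_name=${common_name%%.*}
  [ -n "$short_name" ] || die "cannot derive a short hostname from '$common_name'"
  local output_req="${short_name}.req"
  local output_key="${short_name}.key"
  local output_csr="${short_name}.csr"

  if [ -e "$output_key" ]; then
    printf 'warning: %s already exists and will be overwritten\n' "$output_key" >&2
  fi

  printf '==========================================\n'
  printf 'Local Certificate Request Generation\n'
  printf '==========================================\n'
  printf 'Common Name:    %s\n' "$common_name"
  printf 'Country:        %s\n' "$country"
  printf 'State:          %s\n' "$state"
  printf 'Locality:       %s\n' "$locality"
  printf 'Organization:   %s\n' "$org"
  printf 'Org Unit:       %s\n' "$ou"
  printf 'Key Length:     %s bits\n' "$key_bits"
  if [ -n "$additional_dns" ]; then
    printf 'Additional DNS: %s\n' "$additional_dns"
  fi
  if [ -n "$ip_address" ]; then
    printf 'IP Address:     %s\n' "$ip_address"
  fi
  printf 'Output files:   %s, %s\n' "$output_req" "$output_key"
  printf '==========================================\n\n'

  # Build the [alt_names] section as one array entry per line.
  # The CN itself and its short hostname are always included. (Re-adding
  # "<short>.<domain>" as a third entry is skipped: it is always identical to
  # the CN and only produced a duplicate SAN.)
  local -a san_lines=()
  local dns_n=1
  san_lines+=("DNS.$dns_n = $common_name")
  dns_n=$((dns_n + 1))
  san_lines+=("DNS.$dns_n = $short_name")
  dns_n=$((dns_n + 1))

  local -a entries=()
  local entry
  if [ -n "$additional_dns" ]; then
    IFS=',' read -r -a entries <<< "$additional_dns"
    for entry in "${entries[@]}"; do
      entry=$(trim "$entry")
      [ -n "$entry" ] || continue
      san_lines+=("DNS.$dns_n = $entry")
      dns_n=$((dns_n + 1))
    done
  fi

  local ip_n=1
  if [ -n "$ip_address" ]; then
    IFS=',' read -r -a entries <<< "$ip_address"
    for entry in "${entries[@]}"; do
      entry=$(trim "$entry")
      [ -n "$entry" ] || continue
      san_lines+=("IP.$ip_n = $entry")
      ip_n=$((ip_n + 1))
    done
  fi

  # Unpredictable temp name (no fixed /tmp path that another user could
  # pre-create or symlink); removed on every exit path by the trap.
  trap cleanup EXIT
  CONFIG_FILE=$(mktemp "${TMPDIR:-/tmp}/csr_config.XXXXXX") || die "mktemp failed"

  printf '[1/3] Creating OpenSSL configuration...\n'
  {
    cat <<EOF
[req]
default_bits = $key_bits
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = v3_req

[dn]
C=$country
ST=$state
L=$locality
O=$org
OU=$ou
CN=$common_name

[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
EOF
    printf '%s\n' "${san_lines[@]}"
  } > "$CONFIG_FILE"

  printf '[2/3] Generating %s-bit RSA private key...\n' "$key_bits"
  # umask in a subshell so the key file is created unreadable by others from
  # the start; a chmod after creation would leave a window with default perms.
  ( umask 077 && openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$key_bits" -out "$output_key" )
  chmod 600 "$output_key"

  printf '[3/3] Generating CSR...\n'
  openssl req -new -key "$output_key" -out "$output_csr" -config "$CONFIG_FILE"

  # The .req copy keeps the file name other scripts in this set expect.
  cp -- "$output_csr" "$output_req"

  printf '\n==========================================\n'
  printf '✓ Certificate files generated locally!\n'
  printf '==========================================\n'
  printf 'Certificate request: %s\n' "$output_req"
  printf 'Private key:         %s\n\n' "$output_key"

  # Parse the CSR once and grep the captured text for each summary section.
  local csr_text
  csr_text=$(openssl req -in "$output_req" -noout -text) || die "cannot read back $output_req"

  printf 'CSR details:\n'
  grep -A 10 "Subject:" <<< "$csr_text" || printf '  (subject not found)\n'
  printf '\nSubject Alternative Names:\n'
  grep -A 20 "Subject Alternative Name" <<< "$csr_text" || printf '  (none found)\n'
  printf '\nKey details:\n'
  grep "Public-Key:" <<< "$csr_text" || printf '  (not found)\n'

  printf '\n⚠️  IMPORTANT: Keep %s secure!\n\n' "$output_key"
  printf 'Next step: Sign this CSR with:\n'
  printf '  ./sign-cert.sh %s %s\n' "$output_req" "$short_name"
  printf '==========================================\n'
}

main "$@"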