🔍 Automatic System Detection - Detects target system type (Proxmox, Home Assistant, pfSense, TrueNAS, UCS)
🤖 Automated Deployment - Fully automated certificate installation for supported systems
🌐 DNS Integration - Automatically checks and creates DNS records for certificate hostnames
💾 Configuration Persistence - Remembers your settings between runs
🔐 Proper Certificate Extensions - Generates certificates with correct serverAuth extensions
🎯 Interactive & Scriptable - Works both interactively and in automation scripts

Supported Systems

System	Detection	Deployment	Status
Proxmox VE	✅ Automatic	✅ Fully Automated	Production Ready
pfSense	✅ Automatic	⚠️ Manual (Web UI)	Detected
TrueNAS	✅ Automatic	⚠️ Manual (Web UI)	Detected
UCS	✅ Automatic	⚠️ Manual	Detected
Other/Unknown	⚠️ Generic	⚠️ Manual	Basic Support

Proxmox VE - Full Automation ✅

For Proxmox systems, the tool provides complete automation:

Generates CSR on the Proxmox host
Signs with UCS CA
Automatically installs to /etc/pve/local/pveproxy-ssl.{pem,key}
Creates timestamped backups of existing certificates
Restarts pveproxy service
Fully automated, zero manual steps required

Other Systems - Manual Deployment ⚠️

For pfSense, TrueNAS, and other systems:

System type is detected automatically
CSR is generated on the target host
Certificate is signed with UCS CA
Certificate and key are copied to /tmp/
Manual installation required through web interface

Tools

1. cert-manager.py (Interactive Mode) - RECOMMENDED

The main interactive tool that handles the entire certificate lifecycle with system detection.

Usage:

./scripts/cert-manager.py

Workflow:

Detects target system type automatically
Prompts for certificate details with smart defaults
Generates CSR on remote host with proper extensions
Signs certificate with UCS CA (outputs to certs/<system-type>/ directory)
Checks DNS records and offers to create missing ones 🌐
Deploys automatically (Proxmox/Home Assistant) or copies to target (others)

Features:

Interactive prompts with default values from previous runs
Automatic system type detection
Automatic DNS record creation on UCS DNS server
Intelligent deployment based on system capabilities
Configurable key length (default: 4096 bits)
Remembers last used values for quick reuse
Organized certificate storage by system type

2. generate-csr.sh (Standalone)

Generates a certificate signing request on a remote host.

Usage:

./scripts/generate-csr.sh <hostname> <common-name> [country] [state] [locality] [org] [ou] [key-bits]

Example:

./scripts/generate-csr.sh 192.168.1.100 server.example.com DE berlin berlin egonetix it 4096

Features:

Generates CSR with proper server authentication extensions
Configurable RSA key length (2048, 4096, 8192 bits)
Automatic Subject Alternative Names (SANs)
Private key stays on target host (secure)

3. sign-cert.sh (Standalone)

Signs a certificate request with the UCS CA.

Usage:

./scripts/sign-cert.sh <req-file> <hostname> [days]

Example:

./scripts/sign-cert.sh certs/proxmox/server.csr server 3650

Output: Certificate is saved to the same directory as the CSR file.

4. detect-system.sh (Utility)

Detects the type of system on a remote host.

Usage:

./scripts/detect-system.sh <hostname>

Returns: proxmox, pfsense, truenas, ucs, or unknown

5. deploy-proxmox.sh (Proxmox Deployment)

Automated certificate deployment for Proxmox VE.

Usage:

./deploy-proxmox.sh <hostname> <cert-file> <key-file> <short-name>

What it does:

Backs up existing certificates with timestamp
Installs new certificate and key
Sets correct permissions (640)
Restarts pveproxy service
Provides access URL

Configuration

The interactive tool stores default values in ~/.cert-manager-config.json.

Default values:

Country: DE
State: berlin
Locality: berlin
Organization: egonetix
Organizational Unit: it
CA Server: 10.0.0.21
Validity: 3650 days (10 years)
Key Length: 4096 bits

Modifying defaults: Run ./cert-manager.py and answer "yes" when asked to modify default values.

Interactive Workflow Example

$ ./cert-manager.py

============================================================
Interactive Certificate Manager
============================================================

--- Certificate Details ---
Target Host (IP or hostname) [srv-wmw-host01]: 10.0.0.50

Detecting system type on 10.0.0.50...
✓ Detected: Proxmox VE

Common Name (FQDN) [srv-wmw-host01.egonetix.lan]: pve-host02.egonetix.lan

--- Certificate Subject (press Enter to use defaults) ---
Country (C) [DE]: 
State/Province (ST) [berlin]: 
Locality (L) [berlin]: 
Organization (O) [egonetix]: 
Organizational Unit (OU) [it]: 
Validity (days) [3650]: 
Key Length (bits) [4096]: 

============================================================
Summary:
============================================================
System Type:     Proxmox VE
Target Host:     10.0.0.50
Common Name:     pve-host02.egonetix.lan
Country:         DE
State:           berlin
Locality:        berlin
Organization:    egonetix
Org Unit:        it
Key Length:      4096 bits
Validity:        3650 days
CA Server:       10.0.0.21
Output files:    pve-host02.req, pve-host02-cert.pem
============================================================

Proceed with certificate generation? [Y/n]: 

[Generates CSR, signs, deploys automatically for Proxmox]

✓ Access Proxmox at: https://10.0.0.50:8006

Certificate Details

Generated certificates include:

RSA keys (configurable: 2048, 4096, or 8192 bits)
SHA-256 signature algorithm
Subject Alternative Names (SANs) for all hostname variants
Proper key usage extensions:
- digitalSignature
- keyEncipherment
Extended key usage:
- serverAuth (TLS Web Server Authentication)

Requirements

SSH access to target host as root
SSH access to UCS CA server (10.0.0.21) as root
OpenSSL on target host
Python 3.6+ for interactive tool
Bash for shell scripts

Security Notes

Private keys remain on target hosts - Never transmitted or stored locally
Certificate backups - Proxmox deployment creates timestamped backups
Proper permissions - Certificates are installed with correct file permissions
CA access - Only the signing operation requires CA access
SSH security - Uses BatchMode and secure connection options

Troubleshooting

System not detected correctly

# Manually check what system it is
./detect-system.sh <hostname>

# Verify SSH access
ssh root@<hostname> "uname -a"

Certificate not trusted in browser

# Verify system CA is installed
ls -la /usr/local/share/ca-certificates/ucs-root-ca.crt

# Update system CA certificates
sudo update-ca-certificates

# For browsers using NSS (Firefox, Brave, Chrome):
certutil -d sql:$HOME/.pki/nssdb -L | grep -i ucs

Proxmox deployment failed

# Check Proxmox certificate directory
ssh root@<proxmox-host> "ls -la /etc/pve/local/pveproxy-ssl.*"

# View pveproxy logs
ssh root@<proxmox-host> "journalctl -u pveproxy -n 50"

# Manually restart pveproxy
ssh root@<proxmox-host> "systemctl restart pveproxy"

Certificate expired

Certificates are valid for 10 years by default. To renew:

# Simply run the tool again with the same hostname
./cert-manager.py
# It will generate a new certificate with a fresh validity period

File Locations

On local machine:

Certificate requests: ./<hostname>.req
Signed certificates: ./<hostname>-cert.pem
Configuration: ~/.cert-manager-config.json

On target host:

Private keys: /tmp/<hostname>.key
Certificates: /tmp/<hostname>.crt

On Proxmox hosts:

Certificate: /etc/pve/local/pveproxy-ssl.pem
Private key: /etc/pve/local/pveproxy-ssl.key
Backups: /etc/pve/local/pveproxy-ssl.{pem,key}.bak.YYYYMMDD-HHMMSS

Adding Support for New Systems

To add automated deployment for a new system type:

Update detect-system.sh with detection logic
Create deploy-<system>.sh script
Add system to SYSTEM_TYPES in cert-manager.py
Test thoroughly
Update this README

Additional Resources

UCS Manual: https://docs.software-univention.de/
Certificate Management: https://docs.software-univention.de/manual.html#domain:certificates
OpenSSL Documentation: https://www.openssl.org/docs/

License

Internal tool for egonetix infrastructure management.