root/zertifizierung
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
23afabb28e6166d0ba0afd83305e38cf7b5bc06a
zertifizierung/sign-cert.sh
root 44850efcd2 feat: complete IP address in SAN support 
Changes:
- generate-csr.sh: Auto-detects target IP via SSH or DNS
- sign-cert.sh: Preserves SAN extensions including IP addresses
- Uses UCS CA password file for automated signing
- Fixes IP Address: -> IP: format conversion for OpenSSL compatibility

Benefits:
 Access services via https://10.0.0.50:8006 without warnings
 Access via https://hostname:8006 also works
 Single certificate for all access methods
 Browser shows secure connection for both methods

Technical details:
- Extracts SAN from CSR and applies via -extfile
- Uses 'openssl x509 -req' with -passin file:/etc/univention/ssl/password
- Preserves all DNS names and IP addresses in signed certificate
2025-10-23 09:32:50 +02:00

127 lines
3.6 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Script to sign a certificate request with UCS CA
# Usage: ./sign-cert.sh <req-file> <hostname> [days]
set -e
# Configuration
UCS_SERVER="10.0.0.21"
UCS_USER="root"
DEFAULT_DAYS=3650
# Check arguments
if [ $# -lt 2 ]; then
echo "Usage: $0 <req-file> <hostname> [days]"
echo ""
echo "Example: $0 webui.req myserver 3650"
echo ""
echo "The script will:"
echo " 1. Copy the CSR to UCS server"
echo " 2. Sign it with the UCS CA (preserving extensions)"
echo " 3. Download the signed certificate to current directory"
exit 1
fi
REQ_FILE="$1"
HOSTNAME="$2"
DAYS="${3:-$DEFAULT_DAYS}"
# Validate req file exists
if [ ! -f "$REQ_FILE" ]; then
echo "Error: Certificate request file '$REQ_FILE' not found!"
exit 1
fi
# Get absolute path of req file
REQ_FILE=$(realpath "$REQ_FILE")
OUTPUT_FILE="${HOSTNAME}-cert.pem"
echo "=========================================="
echo "UCS Certificate Signing Script"
echo "=========================================="
echo "Request file: $REQ_FILE"
echo "Hostname: $HOSTNAME"
echo "Valid days: $DAYS"
echo "Output file: $OUTPUT_FILE"
echo "=========================================="
echo ""
# Extract SAN from CSR and fix format
echo "[1/4] Extracting Subject Alternative Names from CSR..."
SAN_ENTRIES=$(openssl req -in "$REQ_FILE" -noout -text | grep -A 1 "Subject Alternative Name" | tail -1 | sed 's/^ *//' | sed 's/IP Address:/IP:/g' || echo "")
if [ -z "$SAN_ENTRIES" ]; then
echo "Warning: No Subject Alternative Names found in CSR"
SAN_CONFIG=""
else
echo "Found SANs: $SAN_ENTRIES"
SAN_CONFIG="subjectAltName = $SAN_ENTRIES"
fi
# Step 2: Copy CSR to UCS server
echo "[2/4] Copying CSR to UCS server..."
scp "$REQ_FILE" ${UCS_USER}@${UCS_SERVER}:/tmp/${HOSTNAME}.csr
if [ $? -ne 0 ]; then
echo "Error: Failed to copy CSR to UCS server"
exit 1
fi
# Step 3: Sign using x509 command with CA password
echo "[3/4] Signing certificate on UCS server..."
# Create extension config and sign on UCS server
ssh ${UCS_USER}@${UCS_SERVER} "
set -e
# Create extensions config
cat > /tmp/${HOSTNAME}-ext.cnf << 'EXTCONF'
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
${SAN_CONFIG}
EXTCONF
# Sign the certificate using CA password file
openssl x509 -req \
-in /tmp/${HOSTNAME}.csr \
-CA /etc/univention/ssl/ucsCA/CAcert.pem \
-CAkey /etc/univention/ssl/ucsCA/private/CAkey.pem \
-CAcreateserial \
-out /tmp/${HOSTNAME}-cert.pem \
-days ${DAYS} \
-sha256 \
-extfile /tmp/${HOSTNAME}-ext.cnf \
-passin file:/etc/univention/ssl/password
"
if [ $? -ne 0 ]; then
echo "Error: Failed to sign certificate"
exit 1
fi
# Step 4: Download signed certificate
echo "[4/4] Downloading signed certificate..."
scp ${UCS_USER}@${UCS_SERVER}:/tmp/${HOSTNAME}-cert.pem "$OUTPUT_FILE"
if [ $? -ne 0 ]; then
echo "Error: Failed to download signed certificate"
exit 1
fi
# Clean up on UCS server
ssh ${UCS_USER}@${UCS_SERVER} "rm -f /tmp/${HOSTNAME}.csr /tmp/${HOSTNAME}-cert.pem /tmp/${HOSTNAME}-ext.cnf"
echo ""
echo "=========================================="
echo "✓ Certificate signed successfully!"
echo "=========================================="
echo "Certificate saved to: $OUTPUT_FILE"
echo ""
echo "Certificate details:"
openssl x509 -in "$OUTPUT_FILE" -noout -subject -issuer -dates
echo ""
echo "Subject Alternative Names:"
openssl x509 -in "$OUTPUT_FILE" -noout -text | grep -A 2 "Subject Alternative Name" | tail -2 || echo " (none)"
echo ""
echo "Extended Key Usage:"
openssl x509 -in "$OUTPUT_FILE" -noout -text | grep -A 1 "Extended Key Usage" | tail -1 || echo " (none)"
echo "=========================================="
Reference in New Issue View Git Blame Copy Permalink