zertifizierung/generate-csr-local.sh

#!/bin/bash
# Script to generate a certificate request locally (for systems without SCP/SFTP)
# Usage: ./generate-csr-local.sh <common-name> [country] [state] [locality] [org] [ou] [key-bits] [additional-dns] [ip-address]

set -e

# Check arguments
if [ $# -lt 1 ]; then
    echo "Usage: $0 <common-name> [country] [state] [locality] [org] [ou] [key-bits] [additional-dns] [ip-address]"
    echo ""
    echo "Example: $0 srv-wmw-ha01.egonetix.lan DE berlin berlin egonetix it 4096 '' 172.20.70.10"
    exit 1
fi

COMMON_NAME="$1"
COUNTRY="${2:-DE}"
STATE="${3:-berlin}"
LOCALITY="${4:-berlin}"
ORG="${5:-egonetix}"
OU="${6:-it}"
KEY_BITS="${7:-4096}"
ADDITIONAL_DNS="${8:-}"
IP_ADDRESS="${9:-}"

# Extract short hostname from common name
SHORT_NAME=$(echo "$COMMON_NAME" | cut -d'.' -f1)
OUTPUT_REQ="${SHORT_NAME}.req"
OUTPUT_KEY="${SHORT_NAME}.key"
OUTPUT_CSR="${SHORT_NAME}.csr"

echo "=========================================="
echo "Local Certificate Request Generation"
echo "=========================================="
echo "Common Name:   $COMMON_NAME"
echo "Country:       $COUNTRY"
echo "State:         $STATE"
echo "Locality:      $LOCALITY"
echo "Organization:  $ORG"
echo "Org Unit:      $OU"
echo "Key Length:    $KEY_BITS bits"
if [ -n "$ADDITIONAL_DNS" ]; then
    echo "Additional DNS: $ADDITIONAL_DNS"
fi
if [ -n "$IP_ADDRESS" ]; then
    echo "IP Address:    $IP_ADDRESS"
fi
echo "Output files:  $OUTPUT_REQ, $OUTPUT_KEY"
echo "=========================================="
echo ""

# Build SAN entries
SAN_DNS="DNS.1 = $COMMON_NAME
DNS.2 = $SHORT_NAME"

DNS_COUNTER=3

# Add alternative names if common name contains domain
if [[ "$COMMON_NAME" == *.* ]]; then
    SAN_DNS="$SAN_DNS
DNS.$DNS_COUNTER = ${SHORT_NAME}.${COMMON_NAME#*.}"
    ((DNS_COUNTER++))
fi

# Add additional DNS names if provided
if [ -n "$ADDITIONAL_DNS" ]; then
    IFS=',' read -ra EXTRA_DNS <<< "$ADDITIONAL_DNS"
    for dns in "${EXTRA_DNS[@]}"; do
        # Trim whitespace
        dns=$(echo "$dns" | xargs)
        if [ -n "$dns" ]; then
            SAN_DNS="$SAN_DNS
DNS.$DNS_COUNTER = $dns"
            ((DNS_COUNTER++))
        fi
    done
fi

# Add IP addresses if provided (comma-separated)
SAN_IP=""
if [ -n "$IP_ADDRESS" ]; then
    IP_COUNTER=1
    IFS=',' read -ra IP_ADDRS <<< "$IP_ADDRESS"
    for ip in "${IP_ADDRS[@]}"; do
        # Trim whitespace
        ip=$(echo "$ip" | xargs)
        if [ -n "$ip" ]; then
            if [ -z "$SAN_IP" ]; then
                SAN_IP="IP.$IP_COUNTER = $ip"
            else
                SAN_IP="$SAN_IP
IP.$IP_COUNTER = $ip"
            fi
            ((IP_COUNTER++))
        fi
    done
fi

# Create OpenSSL config
CONFIG_CONTENT="[req]
default_bits = $KEY_BITS
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = v3_req

[dn]
C=$COUNTRY
ST=$STATE
L=$LOCALITY
O=$ORG
OU=$OU
CN=$COMMON_NAME

[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
$SAN_DNS"

# Append IP if available
if [ -n "$SAN_IP" ]; then
    CONFIG_CONTENT="$CONFIG_CONTENT
$SAN_IP"
fi

CONFIG_FILE="/tmp/csr_config_${SHORT_NAME}.conf"
echo "[1/2] Creating OpenSSL configuration..."
echo "$CONFIG_CONTENT" > "$CONFIG_FILE"

echo "[2/2] Generating $KEY_BITS-bit RSA key and CSR locally..."
openssl req -new -newkey rsa:$KEY_BITS -nodes -keyout "$OUTPUT_KEY" -out "$OUTPUT_CSR" -config "$CONFIG_FILE"

# Also create the .req file for consistency with other scripts
cp "$OUTPUT_CSR" "$OUTPUT_REQ"

# Clean up config file
rm -f "$CONFIG_FILE"

# Set proper permissions on private key
chmod 600 "$OUTPUT_KEY"

echo ""
echo "=========================================="
echo "✓ Certificate files generated locally!"
echo "=========================================="
echo "Certificate request: $OUTPUT_REQ"
echo "Private key:         $OUTPUT_KEY"
echo ""
echo "CSR details:"
openssl req -in "$OUTPUT_REQ" -noout -text | grep -A 10 "Subject:"
echo ""
echo "Subject Alternative Names:"
openssl req -in "$OUTPUT_REQ" -noout -text | grep -A 20 "Subject Alternative Name" || echo "  (none found)"
echo ""
echo "Key details:"
openssl req -in "$OUTPUT_REQ" -noout -text | grep "Public-Key:"
echo ""
echo "⚠️  IMPORTANT: Keep $OUTPUT_KEY secure!"
echo ""
echo "Next step: Sign this CSR with:"
echo "  ./sign-cert.sh $OUTPUT_REQ $SHORT_NAME"
echo "=========================================="