-
-
Save danny-source/78efb5951a82f18de4aef2c735cd3a13 to your computer and use it in GitHub Desktop.
Self sign root CA and certs with x509v3 subjectAltName record
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| set -e | |
| SUBJ="/C=TW/ST=Taiwan/L=TPE/O=Goooooooooogle/OU=Goooooooooogle DevOops Team/emailAddress=reboot@goooooooooogle.com" | |
| ROOT_CA_NAME=GoooooooooogleRootCA | |
| ROOT_CA_DAYS=$((365*4)) | |
| ROOT_CA_BITS=8192 | |
| CERT_NAME=devoops-pve01 | |
| CERT_DAYS=365 | |
| CERT_BITS=8192 | |
| CERT_IP=10.0.10.1 | |
| CERT_DOMAIN=pve01.devoops.goooooooooogle.com | |
| CERT_SUBJ="$SUBJ"#"/CN=$CERT_DOMAIN" | |
| PVE_NODE=devoopsPVE01 | |
| function openssl_config() | |
| { | |
| cat /etc/ssl/openssl.cnf | |
| printf "\n[req]\nreq_extensions = v3_req\n[ v3_req ]\nsubjectAltName = IP:$CERT_IP,DNS:$CERT_DOMAIN\n" | |
| } | |
| if [ ! -f "$ROOT_CA_NAME".key -a ! -f "$ROOT_CA_NAME".crt ] | |
| then | |
| echo "[+] Generate Root CA key and cert" | |
| openssl genrsa -des3 -out "$ROOT_CA_NAME".key $ROOT_CA_BITS | |
| openssl req -x509 -new -nodes -key "$ROOT_CA_NAME".key -subj "$SUBJ" -sha256 -days $ROOT_CA_DAYS -out "$ROOT_CA_NAME".crt | |
| else | |
| echo "[*] Root CA key or Root CA cert existed" | |
| fi | |
| echo "[*] Root CA cert info" | |
| openssl x509 -in "$ROOT_CA_NAME".crt -text -noout | |
| if [ ! -f "$CERT_NAME".key ] | |
| then | |
| echo "[+] Generate private key" | |
| openssl genrsa -out "$CERT_NAME".key $CERT_BITS | |
| else | |
| echo "[*] Private key existed" | |
| fi | |
| echo "[+] Generate CSR (cert signing request)" | |
| openssl req -new -sha256 -key "$CERT_NAME".key -subj "$CERT_SUBJ" -config <(openssl_config) -out "$CERT_NAME".csr | |
| echo "[*] CSR info" | |
| openssl req -text -noout -in "$CERT_NAME".csr | |
| echo "[*] Sign cert with root CA private key" | |
| openssl x509 -req -in "$CERT_NAME".csr -CA "$ROOT_CA_NAME".crt -CAkey "$ROOT_CA_NAME".key -CAcreateserial -out "$CERT_NAME".crt -days $CERT_DAYS -sha256 -extensions v3_req -extfile <(openssl_config) | |
| echo "[*] Cert info" | |
| openssl x509 -in "$CERT_NAME".crt -text -noout | |
| if [ -d "/etc/pve/nodes/$PVE_NODE" ] | |
| then | |
| echo "[*] Proxmox VE detected" | |
| echo -n "[?] Deploy to Proxmox VE now? (y/N) " | |
| read yn_deploy | |
| if [ "$yn_deploy" = "Y" -o "$yn_deploy" = "y" ] | |
| then | |
| # full cert chain | |
| cat "$CERT_NAME".crt "$ROOT_CA_NAME".crt > fullchain.crt | |
| # deploy certs to Proxmox VE | |
| cp /root/certs/"$CERT_NAME".key /etc/pve/nodes/$PVE_NODE/pveproxy-ssl.key | |
| cp /root/certs/fullchain.crt /etc/pve/nodes/$PVE_NODE/pveproxy-ssl.pem | |
| echo "[+] Certs deployed, now restart pveproxy" | |
| systemctl restart pveproxy | |
| fi | |
| fi |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment