
@danny-source
Forked from Inndy/make_certs.sh
Created May 10, 2019 13:20

Revisions

  1. @Inndy Inndy created this gist May 9, 2019.
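--- a/make_certs.sh
+++ b/make_certs.sh
@@ -0,0 +1,74 @@
+#!/usr/bin/env bash
+
+set -e
+
+SUBJ="/C=TW/ST=Taiwan/L=TPE/O=Goooooooooogle/OU=Goooooooooogle DevOops Team/[email protected]"
+
+ROOT_CA_NAME=GoooooooooogleRootCA
+ROOT_CA_DAYS=$((365*4))
+ROOT_CA_BITS=8192
+
+CERT_NAME=devoops-pve01
+CERT_DAYS=365
+CERT_BITS=8192
+CERT_IP=10.0.10.1
+CERT_DOMAIN=pve01.devoops.goooooooooogle.com
+CERT_SUBJ="$SUBJ"#"/CN=$CERT_DOMAIN"
+
+PVE_NODE=devoopsPVE01
+
+function openssl_config()
+{
+cat /etc/ssl/openssl.cnf
+printf "\n[req]\nreq_extensions = v3_req\n[ v3_req ]\nsubjectAltName = IP:$CERT_IP,DNS:$CERT_DOMAIN\n"
+}
+
+if [ ! -f "$ROOT_CA_NAME".key -a ! -f "$ROOT_CA_NAME".crt ]
+then
+echo "[+] Generate Root CA key and cert"
+openssl genrsa -des3 -out "$ROOT_CA_NAME".key $ROOT_CA_BITS
+openssl req -x509 -new -nodes -key "$ROOT_CA_NAME".key -subj "$SUBJ" -sha256 -days $ROOT_CA_DAYS -out "$ROOT_CA_NAME".crt
+else
+echo "[*] Root CA key or Root CA cert existed"
+fi
+
+echo "[*] Root CA cert info"
+openssl x509 -in "$ROOT_CA_NAME".crt -text -noout
+
+if [ ! -f "$CERT_NAME".key ]
+then
+echo "[+] Generate private key"
+openssl genrsa -out "$CERT_NAME".key $CERT_BITS
+else
+echo "[*] Private key existed"
+fi
+
+echo "[+] Generate CSR (cert signing request)"
+openssl req -new -sha256 -key "$CERT_NAME".key -subj "$CERT_SUBJ" -config <(openssl_config) -out "$CERT_NAME".csr
+
+echo "[*] CSR info"
+openssl req -text -noout -in "$CERT_NAME".csr
+
+echo "[*] Sign cert with root CA private key"
+openssl x509 -req -in "$CERT_NAME".csr -CA "$ROOT_CA_NAME".crt -CAkey "$ROOT_CA_NAME".key -CAcreateserial -out "$CERT_NAME".crt -days $CERT_DAYS -sha256 -extensions v3_req -extfile <(openssl_config)
+
+echo "[*] Cert info"
+openssl x509 -in "$CERT_NAME".crt -text -noout
+
+if [ -d "/etc/pve/nodes/$PVE_NODE" ]
+then
+echo "[*] Proxmox VE detected"
+echo -n "[?] Deploy to Proxmox VE now? (y/N) "
+read yn_deploy
+
+if [ "$yn_deploy" = "Y" -o "$yn_deploy" = "y" ]
+then
+# full cert chain
+cat "$CERT_NAME".crt "$ROOT_CA_NAME".crt > fullchain.crt
+# deploy certs to Proxmox VE
+cp /root/certs/"$CERT_NAME".key /etc/pve/nodes/$PVE_NODE/pveproxy-ssl.key
+cp /root/certs/fullchain.crt /etc/pve/nodes/$PVE_NODE/pveproxy-ssl.pem
+echo "[+] Certs deployed, now restart pveproxy"
+systemctl restart pveproxy
+fi
+fi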
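Review bot: The `#` in `CERT_SUBJ="$SUBJ"#"/CN=$CERT_DOMAIN"` is not a comment marker (it is mid-word, so bash keeps it literally) and ends up as the last character of the emailAddress value in the issued certificate's subject; this looks like a stray character and the line should read `CERT_SUBJ="$SUBJ/CN=$CERT_DOMAIN"`. The deploy branch also copies from a hard-coded `/root/certs/` prefix while every other step writes `"$CERT_NAME".key`, `"$CERT_NAME".crt` and `fullchain.crt` relative to the current directory, so running the script from anywhere else aborts under `set -e` after `fullchain.crt` was written but before pveproxy is restarted — use the same relative paths, e.g. `cp "$CERT_NAME".key "/etc/pve/nodes/$PVE_NODE/pveproxy-ssl.key"`. The root CA key is protected with `-des3`, a legacy PEM cipher; `openssl genrsa -aes256 -out "$ROOT_CA_NAME".key $ROOT_CA_BITS` gives the same passphrase workflow with a modern cipher. As a point of style, `read yn_deploy` should be `read -r yn_deploy`, and the `[ ... -a ... ]` / `[ ... -o ... ]` tests would be clearer as `[[ ... && ... ]]` / `[[ ... || ... ]]`.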