another fix for gencerts.sh

gencerts.sh

@@ -8,11 +8,12 @@ if [ -z "$DOMAIN" ]; then
     exit 1
 fi
 
+# Define CERTS_DIR without trailing slash
 CERTS_DIR="/opt/files/certs"
 mkdir -p "$CERTS_DIR"
 
 # Create OpenSSL configuration files
-cat > "$CERTS_DIR/openssl_root_ca.cnf" <<EOF
+cat > "${CERTS_DIR}/openssl_root_ca.cnf" <<EOF
 [ req ]
 default_bits        = 4096
 distinguished_name  = req_distinguished_name
@@ -30,12 +31,13 @@ basicConstraints = critical, CA:true
 keyUsage = critical, digitalSignature, keyCertSign, cRLSign
 EOF
 
-cat > "$CERTS_DIR/openssl_intermediate_ca.cnf" <<EOF
+cat > "${CERTS_DIR}/openssl_intermediate_ca.cnf" <<EOF
 [ req ]
 default_bits        = 4096
 distinguished_name  = req_distinguished_name
 prompt              = no
 string_mask         = utf8only
+x509_extensions     = v3_ca
 
 [ req_distinguished_name ]
 CN = $DOMAIN Intermediate CA
@@ -47,7 +49,7 @@ basicConstraints = critical, CA:true, pathlen:0
 keyUsage = critical, digitalSignature, keyCertSign, cRLSign
 EOF
 
-cat > "$CERTS_DIR/openssl_wildcard.cnf" <<EOF
+cat > "${CERTS_DIR}/openssl_wildcard.cnf" <<EOF
 [ req ]
 default_bits        = 4096
 distinguished_name  = req_distinguished_name
@@ -60,7 +62,7 @@ CN = *.$DOMAIN
 
 [ v3_req ]
 subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid,issuer
+authorityKeyIdentifier = keyid:always,issuer
 basicConstraints = CA:FALSE
 keyUsage = critical, digitalSignature, keyEncipherment
 extendedKeyUsage = serverAuth
@@ -74,37 +76,37 @@ EOF
 # Function to generate root CA
 generate_root_ca() {
     echo "Generating Root CA..."
-    openssl genrsa -out "$CERTS_DIR/rootCA.key" 4096
-    openssl req -x509 -new -nodes -key "$CERTS_DIR/rootCA.key" \
-        -sha256 -days 3650 -out "$CERTS_DIR/rootCA.crt" \
-        -config "$CERTS_DIR/openssl_root_ca.cnf" -extensions v3_ca
+    openssl genrsa -out "${CERTS_DIR}/rootCA.key" 4096
+    openssl req -x509 -new -nodes -key "${CERTS_DIR}/rootCA.key" \
+        -sha256 -days 3650 -out "${CERTS_DIR}/rootCA.crt" \
+        -config "${CERTS_DIR}/openssl_root_ca.cnf" -extensions v3_ca
 }
 
 # Function to generate intermediate CA
 generate_intermediate_ca() {
     echo "Generating Intermediate CA..."
-    openssl genrsa -out "$CERTS_DIR/intermediateCA.key" 4096
-    openssl req -new -key "$CERTS_DIR/intermediateCA.key" \
-        -out "$CERTS_DIR/intermediateCA.csr" \
-        -config "$CERTS_DIR/openssl_intermediate_ca.cnf"
-    openssl x509 -req -in "$CERTS_DIR/intermediateCA.csr" \
-        -CA "$CERTS_DIR/rootCA.crt" -CAkey "$CERTS_DIR/rootCA.key" \
-        -CAcreateserial -out "$CERTS_DIR/intermediateCA.crt" \
-        -days 3650 -sha256 -extfile "$CERTS_DIR/openssl_intermediate_ca.cnf" \
+    openssl genrsa -out "${CERTS_DIR}/intermediateCA.key" 4096
+    openssl req -new -key "${CERTS_DIR}/intermediateCA.key" \
+        -out "${CERTS_DIR}/intermediateCA.csr" \
+        -config "${CERTS_DIR}/openssl_intermediate_ca.cnf"
+    openssl x509 -req -in "${CERTS_DIR}/intermediateCA.csr" \
+        -CA "${CERTS_DIR}/rootCA.crt" -CAkey "${CERTS_DIR}/rootCA.key" \
+        -CAcreateserial -out "${CERTS_DIR}/intermediateCA.crt" \
+        -days 3650 -sha256 -extfile "${CERTS_DIR}/openssl_intermediate_ca.cnf" \
         -extensions v3_ca
 }
 
 # Function to generate wildcard certificate
 generate_wildcard_cert() {
     echo "Generating Wildcard Certificate..."
-    openssl genrsa -out "$CERTS_DIR/wildcard.key" 4096
-    openssl req -new -key "$CERTS_DIR/wildcard.key" \
-        -out "$CERTS_DIR/wildcard.csr" \
-        -config "$CERTS_DIR/openssl_wildcard.cnf"
-    openssl x509 -req -in "$CERTS_DIR/wildcard.csr" \
-        -CA "$CERTS_DIR/intermediateCA.crt" -CAkey "$CERTS_DIR/intermediateCA.key" \
-        -CAcreateserial -out "$CERTS_DIR/wildcard.crt" \
-        -days 3650 -sha256 -extfile "$CERTS_DIR/openssl_wildcard.cnf" \
+    openssl genrsa -out "${CERTS_DIR}/wildcard.key" 4096
+    openssl req -new -key "${CERTS_DIR}/wildcard.key" \
+        -out "${CERTS_DIR}/wildcard.csr" \
+        -config "${CERTS_DIR}/openssl_wildcard.cnf"
+    openssl x509 -req -in "${CERTS_DIR}/wildcard.csr" \
+        -CA "${CERTS_DIR}/intermediateCA.crt" -CAkey "${CERTS_DIR}/intermediateCA.key" \
+        -CAcreateserial -out "${CERTS_DIR}/wildcard.crt" \
+        -days 3650 -sha256 -extfile "${CERTS_DIR}/openssl_wildcard.cnf" \
         -extensions v3_req
 }
 
@@ -112,23 +114,23 @@ generate_wildcard_cert() {
 export_certs() {
     echo "Exporting certificates for cross-platform compatibility..."
     # Export root CA to .pfx (Windows)
-    openssl pkcs12 -export -out "$CERTS_DIR/rootCA.pfx" \
-        -inkey "$CERTS_DIR/rootCA.key" -in "$CERTS_DIR/rootCA.crt" -passout pass:
+    openssl pkcs12 -export -out "${CERTS_DIR}/rootCA.pfx" \
+        -inkey "${CERTS_DIR}/rootCA.key" -in "${CERTS_DIR}/rootCA.crt" -passout pass:
     # Export intermediate CA to .pfx (Windows)
-    openssl pkcs12 -export -out "$CERTS_DIR/intermediateCA.pfx" \
-        -inkey "$CERTS_DIR/intermediateCA.key" -in "$CERTS_DIR/intermediateCA.crt" -passout pass:
+    openssl pkcs12 -export -out "${CERTS_DIR}/intermediateCA.pfx" \
+        -inkey "${CERTS_DIR}/intermediateCA.key" -in "${CERTS_DIR}/intermediateCA.crt" -passout pass:
     # Export wildcard cert to .pfx (Windows)
-    openssl pkcs12 -export -out "$CERTS_DIR/wildcard.pfx" \
-        -inkey "$CERTS_DIR/wildcard.key" -in "$CERTS_DIR/wildcard.crt" -passout pass:
+    openssl pkcs12 -export -out "${CERTS_DIR}/wildcard.pfx" \
+        -inkey "${CERTS_DIR}/wildcard.key" -in "${CERTS_DIR}/wildcard.crt" -passout pass:
     # Export root CA to .p12 (Cross-platform)
-    openssl pkcs12 -export -out "$CERTS_DIR/rootCA.p12" \
-        -inkey "$CERTS_DIR/rootCA.key" -in "$CERTS_DIR/rootCA.crt" -passout pass:
+    openssl pkcs12 -export -out "${CERTS_DIR}/rootCA.p12" \
+        -inkey "${CERTS_DIR}/rootCA.key" -in "${CERTS_DIR}/rootCA.crt" -passout pass:
     # Export intermediate CA to .p12 (Cross-platform)
-    openssl pkcs12 -export -out "$CERTS_DIR/intermediateCA.p12" \
-        -inkey "$CERTS_DIR/intermediateCA.key" -in "$CERTS_DIR/intermediateCA.crt" -passout pass:
+    openssl pkcs12 -export -out "${CERTS_DIR}/intermediateCA.p12" \
+        -inkey "${CERTS_DIR}/intermediateCA.key" -in "${CERTS_DIR}/intermediateCA.crt" -passout pass:
     # Export wildcard cert to .p12 (Cross-platform)
-    openssl pkcs12 -export -out "$CERTS_DIR/wildcard.p12" \
-        -inkey "$CERTS_DIR/wildcard.key" -in "$CERTS_DIR/wildcard.crt" -passout pass:
+    openssl pkcs12 -export -out "${CERTS_DIR}/wildcard.p12" \
+        -inkey "${CERTS_DIR}/wildcard.key" -in "${CERTS_DIR}/wildcard.crt" -passout pass:
 }
 
 # Main script execution
@@ -137,7 +139,7 @@ generate_intermediate_ca
 generate_wildcard_cert
 export_certs
 
-echo "Certificates generated and saved in $CERTS_DIR:"
+echo "Certificates generated and saved in ${CERTS_DIR}:"
 echo "- Root CA: rootCA.crt, rootCA.key, rootCA.pfx, rootCA.p12"
 echo "- Intermediate CA: intermediateCA.crt, intermediateCA.key, intermediateCA.pfx, intermediateCA.p12"
 echo "- Wildcard: wildcard.crt, wildcard.key, wildcard.pfx, wildcard.p12"