Updated some post-install task writing; reworked gencerts.sh entirely to use OpenSSL configuration files and v3 extensions for the certs.
114
gencerts.sh
114
gencerts.sh
@@ -1,64 +1,134 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Script to generate self-signed certificates for Nginx Proxy Manager
|
||||
# Script to generate modern self-signed certificates for Nginx Proxy Manager with OpenSSL v3 extensions
|
||||
|
||||
# Prompt for domain
|
||||
read -p "Enter the domain for the certificates (e.g., example.com): " DOMAIN
|
||||
|
||||
if [ -z "$DOMAIN" ]; then
|
||||
echo "Error: Domain not provided."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
CERTS_DIR="/opt/files/certs/"
|
||||
|
||||
# Create certs directory if it doesn't exist
|
||||
mkdir -p "$CERTS_DIR"
|
||||
|
||||
# Create OpenSSL configuration files
|
||||
cat > "$CERTS_DIR/openssl_root_ca.cnf" <<EOF
|
||||
[ req ]
|
||||
default_bits = 4096
|
||||
distinguished_name = req_distinguished_name
|
||||
prompt = no
|
||||
string_mask = utf8only
|
||||
x509_extensions = v3_ca
|
||||
|
||||
[ req_distinguished_name ]
|
||||
CN = $DOMAIN Root CA
|
||||
|
||||
[ v3_ca ]
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid:always,issuer
|
||||
basicConstraints = critical, CA:true
|
||||
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
|
||||
EOF
|
||||
|
||||
cat > "$CERTS_DIR/openssl_intermediate_ca.cnf" <<EOF
|
||||
[ req ]
|
||||
default_bits = 4096
|
||||
distinguished_name = req_distinguished_name
|
||||
prompt = no
|
||||
string_mask = utf8only
|
||||
|
||||
[ req_distinguished_name ]
|
||||
CN = $DOMAIN Intermediate CA
|
||||
|
||||
[ v3_ca ]
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid:always,issuer
|
||||
basicConstraints = critical, CA:true, pathlen:0
|
||||
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
|
||||
EOF
|
||||
|
||||
cat > "$CERTS_DIR/openssl_wildcard.cnf" <<EOF
|
||||
[ req ]
|
||||
default_bits = 4096
|
||||
distinguished_name = req_distinguished_name
|
||||
prompt = no
|
||||
string_mask = utf8only
|
||||
req_extensions = v3_req
|
||||
|
||||
[ req_distinguished_name ]
|
||||
CN = *.$DOMAIN
|
||||
|
||||
[ v3_req ]
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid,issuer
|
||||
basicConstraints = CA:FALSE
|
||||
keyUsage = critical, digitalSignature, keyEncipherment
|
||||
extendedKeyUsage = serverAuth
|
||||
subjectAltName = @alt_names
|
||||
|
||||
[ alt_names ]
|
||||
DNS.1 = $DOMAIN
|
||||
DNS.2 = *.$DOMAIN
|
||||
EOF
|
||||
|
||||
# Function to generate root CA
|
||||
generate_root_ca() {
|
||||
echo "Generating Root CA..."
|
||||
openssl genrsa -out "$CERTS_DIR/rootCA.key" 4096
|
||||
openssl req -x509 -new -nodes -key "$CERTS_DIR/rootCA.key" -sha256 -days 3650 -out "$CERTS_DIR/rootCA.crt" -subj "/CN=$DOMAIN Root CA"
|
||||
openssl req -x509 -new -nodes -key "$CERTS_DIR/rootCA.key" \
|
||||
-sha256 -days 3650 -out "$CERTS_DIR/rootCA.crt" \
|
||||
-config "$CERTS_DIR/openssl_root_ca.cnf" -extensions v3_ca
|
||||
}
|
||||
|
||||
# Function to generate intermediate CA
|
||||
generate_intermediate_ca() {
|
||||
echo "Generating Intermediate CA..."
|
||||
openssl genrsa -out "$CERTS_DIR/intermediateCA.key" 4096
|
||||
openssl req -new -key "$CERTS_DIR/intermediateCA.key" -out "$CERTS_DIR/intermediateCA.csr" -subj "/CN=$DOMAIN Intermediate CA"
|
||||
openssl x509 -req -in "$CERTS_DIR/intermediateCA.csr" -CA "$CERTS_DIR/rootCA.crt" -CAkey "$CERTS_DIR/rootCA.key" -CAcreateserial -out "$CERTS_DIR/intermediateCA.crt" -days 3650 -sha256
|
||||
openssl req -new -key "$CERTS_DIR/intermediateCA.key" \
|
||||
-out "$CERTS_DIR/intermediateCA.csr" \
|
||||
-config "$CERTS_DIR/openssl_intermediate_ca.cnf"
|
||||
openssl x509 -req -in "$CERTS_DIR/intermediateCA.csr" \
|
||||
-CA "$CERTS_DIR/rootCA.crt" -CAkey "$CERTS_DIR/rootCA.key" \
|
||||
-CAcreateserial -out "$CERTS_DIR/intermediateCA.crt" \
|
||||
-days 3650 -sha256 -extfile "$CERTS_DIR/openssl_intermediate_ca.cnf" \
|
||||
-extensions v3_ca
|
||||
}
|
||||
|
||||
# Function to generate wildcard certificate
|
||||
generate_wildcard_cert() {
|
||||
echo "Generating Wildcard Certificate..."
|
||||
openssl genrsa -out "$CERTS_DIR/wildcard.key" 4096
|
||||
openssl req -new -key "$CERTS_DIR/wildcard.key" -out "$CERTS_DIR/wildcard.csr" -subj "/CN=*.$DOMAIN" -addext "subjectAltName = DNS:$DOMAIN,DNS:*.$DOMAIN"
|
||||
openssl x509 -req -in "$CERTS_DIR/wildcard.csr" -CA "$CERTS_DIR/intermediateCA.crt" -CAkey "$CERTS_DIR/intermediateCA.key" -CAcreateserial -out "$CERTS_DIR/wildcard.crt" -days 3650 -sha256
|
||||
openssl req -new -key "$CERTS_DIR/wildcard.key" \
|
||||
-out "$CERTS_DIR/wildcard.csr" \
|
||||
-config "$CERTS_DIR/openssl_wildcard.cnf"
|
||||
openssl x509 -req -in "$CERTS_DIR/wildcard.csr" \
|
||||
-CA "$CERTS_DIR/intermediateCA.crt" -CAkey "$CERTS_DIR/intermediateCA.key" \
|
||||
-CAcreateserial -out "$CERTS_DIR/wildcard.crt" \
|
||||
-days 3650 -sha256 -extfile "$CERTS_DIR/openssl_wildcard.cnf" \
|
||||
-extensions v3_req
|
||||
}
|
||||
|
||||
# Function to export certificates for cross-platform compatibility
|
||||
export_certs() {
|
||||
echo "Exporting certificates for cross-platform compatibility..."
|
||||
|
||||
# Export root CA to .pfx (Windows)
|
||||
openssl pkcs12 -export -out "$CERTS_DIR/rootCA.pfx" -inkey "$CERTS_DIR/rootCA.key" -in "$CERTS_DIR/rootCA.crt" -passout pass:
|
||||
|
||||
openssl pkcs12 -export -out "$CERTS_DIR/rootCA.pfx" \
|
||||
-inkey "$CERTS_DIR/rootCA.key" -in "$CERTS_DIR/rootCA.crt" -passout pass:
|
||||
# Export intermediate CA to .pfx (Windows)
|
||||
openssl pkcs12 -export -out "$CERTS_DIR/intermediateCA.pfx" -inkey "$CERTS_DIR/intermediateCA.key" -in "$CERTS_DIR/intermediateCA.crt" -passout pass:
|
||||
|
||||
openssl pkcs12 -export -out "$CERTS_DIR/intermediateCA.pfx" \
|
||||
-inkey "$CERTS_DIR/intermediateCA.key" -in "$CERTS_DIR/intermediateCA.crt" -passout pass:
|
||||
# Export wildcard cert to .pfx (Windows)
|
||||
openssl pkcs12 -export -out "$CERTS_DIR/wildcard.pfx" -inkey "$CERTS_DIR/wildcard.key" -in "$CERTS_DIR/wildcard.crt" -passout pass:
|
||||
|
||||
openssl pkcs12 -export -out "$CERTS_DIR/wildcard.pfx" \
|
||||
-inkey "$CERTS_DIR/wildcard.key" -in "$CERTS_DIR/wildcard.crt" -passout pass:
|
||||
# Export root CA to .p12 (Cross-platform)
|
||||
openssl pkcs12 -export -out "$CERTS_DIR/rootCA.p12" -inkey "$CERTS_DIR/rootCA.key" -in "$CERTS_DIR/rootCA.crt" -passout pass:
|
||||
|
||||
openssl pkcs12 -export -out "$CERTS_DIR/rootCA.p12" \
|
||||
-inkey "$CERTS_DIR/rootCA.key" -in "$CERTS_DIR/rootCA.crt" -passout pass:
|
||||
# Export intermediate CA to .p12 (Cross-platform)
|
||||
openssl pkcs12 -export -out "$CERTS_DIR/intermediateCA.p12" -inkey "$CERTS_DIR/intermediateCA.key" -in "$CERTS_DIR/intermediateCA.crt" -passout pass:
|
||||
|
||||
openssl pkcs12 -export -out "$CERTS_DIR/intermediateCA.p12" \
|
||||
-inkey "$CERTS_DIR/intermediateCA.key" -in "$CERTS_DIR/intermediateCA.crt" -passout pass:
|
||||
# Export wildcard cert to .p12 (Cross-platform)
|
||||
openssl pkcs12 -export -out "$CERTS_DIR/wildcard.p12" -inkey "$CERTS_DIR/wildcard.key" -in "$CERTS_DIR/wildcard.crt" -passout pass:
|
||||
openssl pkcs12 -export -out "$CERTS_DIR/wildcard.p12" \
|
||||
-inkey "$CERTS_DIR/wildcard.key" -in "$CERTS_DIR/wildcard.crt" -passout pass:
|
||||
}
|
||||
|
||||
# Main script execution
|
||||
|
||||
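Review bot: The new export_certs still writes the Root CA and Intermediate CA private keys into password-less PKCS#12 bundles (`rootCA.pfx`/`rootCA.p12` and `intermediateCA.pfx`/`intermediateCA.p12` via `-inkey ... -passout pass:`), so the signing keys travel with every client that installs the trust anchor; clients only need `rootCA.crt`, so either drop those four exports or bundle cert-only with `openssl pkcs12 -export -nokeys -in "$CERTS_DIR/rootCA.crt" -out "$CERTS_DIR/rootCA.pfx"`, and prompt for a passphrase on the wildcard bundle instead of `-passout pass:`. The script has no `set -euo pipefail`, so a failed `openssl genrsa` lets the later `req`/`x509` steps run against missing key files; `set -euo pipefail` after the shebang would stop at the first failure. `$DOMAIN` comes from `read -p` without `-r` and is interpolated unvalidated into three config files, so a stray value silently produces a malformed `.cnf`; a guard such as `[[ "$DOMAIN" =~ ^[A-Za-z0-9.-]+$ ]] || { echo "Error: invalid domain." >&2; exit 1; }` next to the existing empty check would catch that. The wildcard leaf is issued with `-days 3650`, which Apple platforms (and some other clients) refuse for TLS server certificates even from a privately installed root (825-day limit), so the end-entity validity should be shortened while the CA lifetimes stay long. The main execution block after `# Main script execution` is not visible in this section.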