further fixes.

gencerts.sh

@@ -11,8 +11,10 @@ fi
 # Define CERTS_DIR without trailing slash
 CERTS_DIR="/opt/files/certs"
 mkdir -p "$CERTS_DIR"
-echo "generating cnf files"
+
-# Create OpenSSL configuration files
+echo "Generating OpenSSL configuration files..."
+
+# Root CA Configuration
 cat > "${CERTS_DIR}/openssl_root_ca.cnf" <<EOF
 [ req ]
 default_bits        = 4096
@@ -31,6 +33,7 @@ basicConstraints = critical, CA:true
 keyUsage = critical, digitalSignature, keyCertSign, cRLSign
 EOF
 
+# Intermediate CA Configuration
 cat > "${CERTS_DIR}/openssl_intermediate_ca.cnf" <<EOF
 [ req ]
 default_bits        = 4096
@@ -49,7 +52,8 @@ basicConstraints = critical, CA:true, pathlen:0
 keyUsage = critical, digitalSignature, keyCertSign, cRLSign
 EOF
 
-cat > "${CERTS_DIR}/openssl_wildcard.cnf" <<EOF
+# Wildcard CSR Configuration (minimal, no extensions)
+cat > "${CERTS_DIR}/openssl_wildcard_csr.cnf" <<EOF
 [ req ]
 default_bits        = 4096
 distinguished_name  = req_distinguished_name
@@ -61,6 +65,16 @@ req_extensions      = v3_req
 CN = *.$DOMAIN
 
 [ v3_req ]
+subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1 = $DOMAIN
+DNS.2 = *.$DOMAIN
+EOF
+
+# Wildcard Certificate Configuration (extensions for signing)
+cat > "${CERTS_DIR}/openssl_wildcard_cert.cnf" <<EOF
+[ v3_cert ]
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer:always
 basicConstraints = CA:FALSE
@@ -72,50 +86,52 @@ subjectAltName = @alt_names
 DNS.1 = $DOMAIN
 DNS.2 = *.$DOMAIN
 EOF
-echo "cnf files generated"
+
+echo "Configuration files generated."
+
 # Function to generate root CA
 generate_root_ca() {
     echo "Generating Root CA..."
     openssl genrsa -out "${CERTS_DIR}/rootCA.key" 4096
-    echo "key generated"
+    echo "Root CA key generated."
     openssl req -x509 -new -nodes -key "${CERTS_DIR}/rootCA.key" \
         -sha256 -days 3650 -out "${CERTS_DIR}/rootCA.crt" \
         -config "${CERTS_DIR}/openssl_root_ca.cnf" -extensions v3_ca
-    echo "crt generated"
+    echo "Root CA certificate generated."
 }
 
 # Function to generate intermediate CA
 generate_intermediate_ca() {
     echo "Generating Intermediate CA..."
     openssl genrsa -out "${CERTS_DIR}/intermediateCA.key" 4096
-    echo "key generated"
+    echo "Intermediate CA key generated."
     openssl req -new -key "${CERTS_DIR}/intermediateCA.key" \
         -out "${CERTS_DIR}/intermediateCA.csr" \
         -config "${CERTS_DIR}/openssl_intermediate_ca.cnf"
-    echo "csr generated"
+    echo "Intermediate CA CSR generated."
     openssl x509 -req -in "${CERTS_DIR}/intermediateCA.csr" \
         -CA "${CERTS_DIR}/rootCA.crt" -CAkey "${CERTS_DIR}/rootCA.key" \
         -CAcreateserial -out "${CERTS_DIR}/intermediateCA.crt" \
         -days 3650 -sha256 -extfile "${CERTS_DIR}/openssl_intermediate_ca.cnf" \
         -extensions v3_ca
-    echo "crt generated and signed with root CA"
+    echo "Intermediate CA certificate generated and signed with Root CA."
 }
 
 # Function to generate wildcard certificate
 generate_wildcard_cert() {
     echo "Generating Wildcard Certificate..."
     openssl genrsa -out "${CERTS_DIR}/wildcard.key" 4096
-    echo "key generated"
+    echo "Wildcard key generated."
     openssl req -new -key "${CERTS_DIR}/wildcard.key" \
         -out "${CERTS_DIR}/wildcard.csr" \
-        -config "${CERTS_DIR}/openssl_wildcard.cnf"
+        -config "${CERTS_DIR}/openssl_wildcard_csr.cnf"
-    echo "csr generated"
+    echo "Wildcard CSR generated."
     openssl x509 -req -in "${CERTS_DIR}/wildcard.csr" \
         -CA "${CERTS_DIR}/intermediateCA.crt" -CAkey "${CERTS_DIR}/intermediateCA.key" \
         -CAcreateserial -out "${CERTS_DIR}/wildcard.crt" \
-        -days 3650 -sha256 -extfile "${CERTS_DIR}/openssl_wildcard.cnf" \
+        -days 3650 -sha256 -extfile "${CERTS_DIR}/openssl_wildcard_cert.cnf" \
-        -extensions v3_req
+        -extensions v3_cert
-    echo "crt generated and signed with intermediate CA"
+    echo "Wildcard certificate generated and signed with Intermediate CA."
 }
 
 # Function to export certificates for cross-platform compatibility
@@ -124,27 +140,27 @@ export_certs() {
     # Export root CA to .pfx (Windows)
     openssl pkcs12 -export -out "${CERTS_DIR}/rootCA.pfx" \
         -inkey "${CERTS_DIR}/rootCA.key" -in "${CERTS_DIR}/rootCA.crt" -passout pass:
-    echo "rootCA pfx exported"
+    echo "Root CA PFX exported."
     # Export intermediate CA to .pfx (Windows)
     openssl pkcs12 -export -out "${CERTS_DIR}/intermediateCA.pfx" \
         -inkey "${CERTS_DIR}/intermediateCA.key" -in "${CERTS_DIR}/intermediateCA.crt" -passout pass:
-    echo "IntermediateCA pfx exported"
+    echo "Intermediate CA PFX exported."
     # Export wildcard cert to .pfx (Windows)
     openssl pkcs12 -export -out "${CERTS_DIR}/wildcard.pfx" \
         -inkey "${CERTS_DIR}/wildcard.key" -in "${CERTS_DIR}/wildcard.crt" -passout pass:
-    echo "wildcard pfx exported"
+    echo "Wildcard PFX exported."
     # Export root CA to .p12 (Cross-platform)
     openssl pkcs12 -export -out "${CERTS_DIR}/rootCA.p12" \
         -inkey "${CERTS_DIR}/rootCA.key" -in "${CERTS_DIR}/rootCA.crt" -passout pass:
-    echo "root p12 exported"
+    echo "Root CA P12 exported."
     # Export intermediate CA to .p12 (Cross-platform)
     openssl pkcs12 -export -out "${CERTS_DIR}/intermediateCA.p12" \
         -inkey "${CERTS_DIR}/intermediateCA.key" -in "${CERTS_DIR}/intermediateCA.crt" -passout pass:
-    echo "intermediate p12 exported"
+    echo "Intermediate CA P12 exported."
     # Export wildcard cert to .p12 (Cross-platform)
     openssl pkcs12 -export -out "${CERTS_DIR}/wildcard.p12" \
         -inkey "${CERTS_DIR}/wildcard.key" -in "${CERTS_DIR}/wildcard.crt" -passout pass:
-    echo "wildcard p12 exported"
+    echo "Wildcard P12 exported."
 }
 
 # Main script execution