SDGDen/CloudDeploy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
08d451fb3cb75a1fa2f753b8677bf15adb32e2fd
CloudDeploy/gencerts.sh
SDGDen eb8c1f8609 further fixes.
2026-03-09 15:29:01 +01:00

175 lines
6.1 KiB
Bash
Raw Blame History

#!/bin/bash
# Script to generate modern self-signed certificates for Nginx Proxy Manager with OpenSSL v3 extensions
# Prompt for domain
read -p "Enter the domain for the certificates (e.g., example.com): " DOMAIN
if [ -z "$DOMAIN" ]; then
echo "Error: Domain not provided."
exit 1
fi
# Define CERTS_DIR without trailing slash
CERTS_DIR="/opt/files/certs"
mkdir -p "$CERTS_DIR"
echo "Generating OpenSSL configuration files..."
# Root CA Configuration
cat > "${CERTS_DIR}/openssl_root_ca.cnf" <<EOF
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = v3_ca
[ req_distinguished_name ]
CN = $DOMAIN Root CA
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
EOF
# Intermediate CA Configuration
cat > "${CERTS_DIR}/openssl_intermediate_ca.cnf" <<EOF
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = v3_ca
[ req_distinguished_name ]
CN = $DOMAIN Intermediate CA
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
EOF
# Wildcard CSR Configuration (minimal, no extensions)
cat > "${CERTS_DIR}/openssl_wildcard_csr.cnf" <<EOF
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
req_extensions = v3_req
[ req_distinguished_name ]
CN = *.$DOMAIN
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $DOMAIN
DNS.2 = *.$DOMAIN
EOF
# Wildcard Certificate Configuration (extensions for signing)
cat > "${CERTS_DIR}/openssl_wildcard_cert.cnf" <<EOF
[ v3_cert ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $DOMAIN
DNS.2 = *.$DOMAIN
EOF
echo "Configuration files generated."
# Function to generate root CA
generate_root_ca() {
echo "Generating Root CA..."
openssl genrsa -out "${CERTS_DIR}/rootCA.key" 4096
echo "Root CA key generated."
openssl req -x509 -new -nodes -key "${CERTS_DIR}/rootCA.key" \
-sha256 -days 3650 -out "${CERTS_DIR}/rootCA.crt" \
-config "${CERTS_DIR}/openssl_root_ca.cnf" -extensions v3_ca
echo "Root CA certificate generated."
}
# Function to generate intermediate CA
generate_intermediate_ca() {
echo "Generating Intermediate CA..."
openssl genrsa -out "${CERTS_DIR}/intermediateCA.key" 4096
echo "Intermediate CA key generated."
openssl req -new -key "${CERTS_DIR}/intermediateCA.key" \
-out "${CERTS_DIR}/intermediateCA.csr" \
-config "${CERTS_DIR}/openssl_intermediate_ca.cnf"
echo "Intermediate CA CSR generated."
openssl x509 -req -in "${CERTS_DIR}/intermediateCA.csr" \
-CA "${CERTS_DIR}/rootCA.crt" -CAkey "${CERTS_DIR}/rootCA.key" \
-CAcreateserial -out "${CERTS_DIR}/intermediateCA.crt" \
-days 3650 -sha256 -extfile "${CERTS_DIR}/openssl_intermediate_ca.cnf" \
-extensions v3_ca
echo "Intermediate CA certificate generated and signed with Root CA."
}
# Function to generate wildcard certificate
generate_wildcard_cert() {
echo "Generating Wildcard Certificate..."
openssl genrsa -out "${CERTS_DIR}/wildcard.key" 4096
echo "Wildcard key generated."
openssl req -new -key "${CERTS_DIR}/wildcard.key" \
-out "${CERTS_DIR}/wildcard.csr" \
-config "${CERTS_DIR}/openssl_wildcard_csr.cnf"
echo "Wildcard CSR generated."
openssl x509 -req -in "${CERTS_DIR}/wildcard.csr" \
-CA "${CERTS_DIR}/intermediateCA.crt" -CAkey "${CERTS_DIR}/intermediateCA.key" \
-CAcreateserial -out "${CERTS_DIR}/wildcard.crt" \
-days 3650 -sha256 -extfile "${CERTS_DIR}/openssl_wildcard_cert.cnf" \
-extensions v3_cert
echo "Wildcard certificate generated and signed with Intermediate CA."
}
# Function to export certificates for cross-platform compatibility
export_certs() {
echo "Exporting certificates for cross-platform compatibility..."
# Export root CA to .pfx (Windows)
openssl pkcs12 -export -out "${CERTS_DIR}/rootCA.pfx" \
-inkey "${CERTS_DIR}/rootCA.key" -in "${CERTS_DIR}/rootCA.crt" -passout pass:
echo "Root CA PFX exported."
# Export intermediate CA to .pfx (Windows)
openssl pkcs12 -export -out "${CERTS_DIR}/intermediateCA.pfx" \
-inkey "${CERTS_DIR}/intermediateCA.key" -in "${CERTS_DIR}/intermediateCA.crt" -passout pass:
echo "Intermediate CA PFX exported."
# Export wildcard cert to .pfx (Windows)
openssl pkcs12 -export -out "${CERTS_DIR}/wildcard.pfx" \
-inkey "${CERTS_DIR}/wildcard.key" -in "${CERTS_DIR}/wildcard.crt" -passout pass:
echo "Wildcard PFX exported."
# Export root CA to .p12 (Cross-platform)
openssl pkcs12 -export -out "${CERTS_DIR}/rootCA.p12" \
-inkey "${CERTS_DIR}/rootCA.key" -in "${CERTS_DIR}/rootCA.crt" -passout pass:
echo "Root CA P12 exported."
# Export intermediate CA to .p12 (Cross-platform)
openssl pkcs12 -export -out "${CERTS_DIR}/intermediateCA.p12" \
-inkey "${CERTS_DIR}/intermediateCA.key" -in "${CERTS_DIR}/intermediateCA.crt" -passout pass:
echo "Intermediate CA P12 exported."
# Export wildcard cert to .p12 (Cross-platform)
openssl pkcs12 -export -out "${CERTS_DIR}/wildcard.p12" \
-inkey "${CERTS_DIR}/wildcard.key" -in "${CERTS_DIR}/wildcard.crt" -passout pass:
echo "Wildcard P12 exported."
}
# Main script execution
generate_root_ca
generate_intermediate_ca
generate_wildcard_cert
export_certs
echo "Certificates generated and saved in ${CERTS_DIR}:"
echo "- Root CA: rootCA.crt, rootCA.key, rootCA.pfx, rootCA.p12"
echo "- Intermediate CA: intermediateCA.crt, intermediateCA.key, intermediateCA.pfx, intermediateCA.p12"
echo "- Wildcard: wildcard.crt, wildcard.key, wildcard.pfx, wildcard.p12"
Reference in New Issue View Git Blame Copy Permalink