danny-source · May 10, 2019 13:20
diff --git a/make_certs.sh b/make_certs.sh
 #!/usr/bin/env bash

 set -e

 SUBJ="/C=TW/ST=Taiwan/L=TPE/O=Goooooooooogle/OU=Goooooooooogle DevOops Team/[email protected]"

 ROOT_CA_NAME=GoooooooooogleRootCA
 ROOT_CA_DAYS=$((365*4))
 ROOT_CA_BITS=8192

 CERT_NAME=devoops-pve01
 CERT_DAYS=365
 CERT_BITS=8192
 CERT_IP=10.0.10.1
 CERT_DOMAIN=pve01.devoops.goooooooooogle.com
 CERT_SUBJ="$SUBJ"#"/CN=$CERT_DOMAIN"

 PVE_NODE=devoopsPVE01

 function openssl_config()
 {
        cat /etc/ssl/openssl.cnf
        printf "\n[req]\nreq_extensions = v3_req\n[ v3_req ]\nsubjectAltName = IP:$CERT_IP,DNS:$CERT_DOMAIN\n"
 }

 if [ ! -f "$ROOT_CA_NAME".key -a ! -f "$ROOT_CA_NAME".crt ]
 then
        echo "[+] Generate Root CA key and cert"
        openssl genrsa -des3 -out "$ROOT_CA_NAME".key $ROOT_CA_BITS
        openssl req -x509 -new -nodes -key "$ROOT_CA_NAME".key -subj "$SUBJ" -sha256 -days $ROOT_CA_DAYS -out "$ROOT_CA_NAME".crt
 else
        echo "[*] Root CA key or Root CA cert existed"
 fi

 echo "[*] Root CA cert info"
 openssl x509 -in "$ROOT_CA_NAME".crt -text -noout

 if [ ! -f "$CERT_NAME".key ]
 then
        echo "[+] Generate private key"
        openssl genrsa -out "$CERT_NAME".key $CERT_BITS
 else
        echo "[*] Private key existed"
 fi

 echo "[+] Generate CSR (cert signing request)"
 openssl req -new -sha256 -key "$CERT_NAME".key -subj "$CERT_SUBJ" -config <(openssl_config) -out "$CERT_NAME".csr

 echo "[*] CSR info"
 openssl req -text -noout -in "$CERT_NAME".csr

 echo "[*] Sign cert with root CA private key"
 openssl x509 -req -in "$CERT_NAME".csr -CA "$ROOT_CA_NAME".crt -CAkey "$ROOT_CA_NAME".key -CAcreateserial -out "$CERT_NAME".crt -days $CERT_DAYS -sha256 -extensions v3_req -extfile <(openssl_config)

 echo "[*] Cert info"
 openssl x509 -in "$CERT_NAME".crt -text -noout

 if [ -d "/etc/pve/nodes/$PVE_NODE" ]
 then
        echo "[*] Proxmox VE detected"
        echo -n "[?] Deploy to Proxmox VE now? (y/N) "
        read yn_deploy

        if [ "$yn_deploy" = "Y" -o "$yn_deploy" = "y" ]
        then
                # full cert chain
                cat "$CERT_NAME".crt "$ROOT_CA_NAME".crt > fullchain.crt
                # deploy certs to Proxmox VE
                cp /root/certs/"$CERT_NAME".key /etc/pve/nodes/$PVE_NODE/pveproxy-ssl.key
                cp /root/certs/fullchain.crt /etc/pve/nodes/$PVE_NODE/pveproxy-ssl.pem
                echo "[+] Certs deployed, now restart pveproxy"
                systemctl restart pveproxy
        fi
 fi
	#!/usr/bin/env bash

	set -e

	SUBJ="/C=TW/ST=Taiwan/L=TPE/O=Goooooooooogle/OU=Goooooooooogle DevOops Team/[email protected]"

	ROOT_CA_NAME=GoooooooooogleRootCA
	ROOT_CA_DAYS=$((365*4))
	ROOT_CA_BITS=8192

	CERT_NAME=devoops-pve01
	CERT_DAYS=365
	CERT_BITS=8192
	CERT_IP=10.0.10.1
	CERT_DOMAIN=pve01.devoops.goooooooooogle.com
	CERT_SUBJ="$SUBJ"#"/CN=$CERT_DOMAIN"

	PVE_NODE=devoopsPVE01

	function openssl_config()
	{
	cat /etc/ssl/openssl.cnf
	printf "\n[req]\nreq_extensions = v3_req\n[ v3_req ]\nsubjectAltName = IP:$CERT_IP,DNS:$CERT_DOMAIN\n"
	}

	if [ ! -f "$ROOT_CA_NAME".key -a ! -f "$ROOT_CA_NAME".crt ]
	then
	echo "[+] Generate Root CA key and cert"
	openssl genrsa -des3 -out "$ROOT_CA_NAME".key $ROOT_CA_BITS
	openssl req -x509 -new -nodes -key "$ROOT_CA_NAME".key -subj "$SUBJ" -sha256 -days $ROOT_CA_DAYS -out "$ROOT_CA_NAME".crt
	else
	echo "[*] Root CA key or Root CA cert existed"
	fi

	echo "[*] Root CA cert info"
	openssl x509 -in "$ROOT_CA_NAME".crt -text -noout

	if [ ! -f "$CERT_NAME".key ]
	then
	echo "[+] Generate private key"
	openssl genrsa -out "$CERT_NAME".key $CERT_BITS
	else
	echo "[*] Private key existed"
	fi

	echo "[+] Generate CSR (cert signing request)"
	openssl req -new -sha256 -key "$CERT_NAME".key -subj "$CERT_SUBJ" -config <(openssl_config) -out "$CERT_NAME".csr

	echo "[*] CSR info"
	openssl req -text -noout -in "$CERT_NAME".csr

	echo "[*] Sign cert with root CA private key"
	openssl x509 -req -in "$CERT_NAME".csr -CA "$ROOT_CA_NAME".crt -CAkey "$ROOT_CA_NAME".key -CAcreateserial -out "$CERT_NAME".crt -days $CERT_DAYS -sha256 -extensions v3_req -extfile <(openssl_config)

	echo "[*] Cert info"
	openssl x509 -in "$CERT_NAME".crt -text -noout

	if [ -d "/etc/pve/nodes/$PVE_NODE" ]
	then
	echo "[*] Proxmox VE detected"
	echo -n "[?] Deploy to Proxmox VE now? (y/N) "
	read yn_deploy

	if [ "$yn_deploy" = "Y" -o "$yn_deploy" = "y" ]
	then
	# full cert chain
	cat "$CERT_NAME".crt "$ROOT_CA_NAME".crt > fullchain.crt
	# deploy certs to Proxmox VE
	cp /root/certs/"$CERT_NAME".key /etc/pve/nodes/$PVE_NODE/pveproxy-ssl.key
	cp /root/certs/fullchain.crt /etc/pve/nodes/$PVE_NODE/pveproxy-ssl.pem
	echo "[+] Certs deployed, now restart pveproxy"
	systemctl restart pveproxy
	fi
	fi