  1. #!/usr/bin/env bash
  2.  
  3. set -e
  4.  
  5. SUBJ="/C=TW/ST=Taiwan/L=TPE/O=Goooooooooogle/OU=Goooooooooogle DevOops Team/emailAddress=reboot@goooooooooogle.com"
  6.  
  7. ROOT_CA_NAME=GoooooooooogleRootCA
  8. ROOT_CA_DAYS=$((365*4))
  9. ROOT_CA_BITS=8192
  10.  
  11. CERT_NAME=devoops-pve01
  12. CERT_DAYS=365
  13. CERT_BITS=8192
  14. CERT_IP=10.0.10.1
  15. CERT_DOMAIN=pve01.devoops.goooooooooogle.com
  16. CERT_SUBJ="$SUBJ"#"/CN=$CERT_DOMAIN"
  17.  
  18. PVE_NODE=devoopsPVE01
  19.  
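#######################################
# Emit the openssl config used for both the CSR and the signing step: the
# system default config followed by a [req] section that enables v3_req and a
# v3_req section carrying the subjectAltName (IP + DNS) of the server cert.
# Globals:  CERT_IP, CERT_DOMAIN (read)
# Outputs:  config text on stdout
#######################################
openssl_config() {
  cat /etc/ssl/openssl.cnf
  # The values are passed as %s arguments instead of being interpolated into
  # the format string, so a '%' or backslash in them cannot alter the output.
  printf '\n[req]\nreq_extensions = v3_req\n[ v3_req ]\nsubjectAltName = IP:%s,DNS:%s\n' \
    "$CERT_IP" "$CERT_DOMAIN"
}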
  25.  
  26. if [ ! -f "$ROOT_CA_NAME".key -a ! -f "$ROOT_CA_NAME".crt ]
  27. then
  28.         echo "[+] Generate Root CA key and cert"
  29.         openssl genrsa -des3 -out "$ROOT_CA_NAME".key $ROOT_CA_BITS
  30.         openssl req -x509 -new -nodes -key "$ROOT_CA_NAME".key -subj "$SUBJ" -sha256 -days $ROOT_CA_DAYS -out "$ROOT_CA_NAME".crt
  31. else
  32.         echo "[*] Root CA key or Root CA cert existed"
  33. fi
  34.  
  35. echo "[*] Root CA cert info"
  36. openssl x509 -in "$ROOT_CA_NAME".crt -text -noout
  37.  
  38. if [ ! -f "$CERT_NAME".key ]
  39. then
  40.         echo "[+] Generate private key"
  41.         openssl genrsa -out "$CERT_NAME".key $CERT_BITS
  42. else
  43.         echo "[*] Private key existed"
  44. fi
  45.  
  46. echo "[+] Generate CSR (cert signing request)"
  47. openssl req -new -sha256 -key "$CERT_NAME".key -subj "$CERT_SUBJ" -config <(openssl_config) -out "$CERT_NAME".csr
  48.  
  49. echo "[*] CSR info"
  50. openssl req -text -noout -in "$CERT_NAME".csr
  51.  
  52. echo "[*] Sign cert with root CA private key"
  53. openssl x509 -req -in "$CERT_NAME".csr -CA "$ROOT_CA_NAME".crt -CAkey "$ROOT_CA_NAME".key -CAcreateserial -out "$CERT_NAME".crt -days $CERT_DAYS -sha256 -extensions v3_req -extfile <(openssl_config)
  54.  
  55. echo "[*] Cert info"
  56. openssl x509 -in "$CERT_NAME".crt -text -noout
  57.  
  58. if [ -d "/etc/pve/nodes/$PVE_NODE" ]
  59. then
  60.         echo "[*] Proxmox VE detected"
  61.         echo -n "[?] Deploy to Proxmox VE now? (y/N) "
  62.         read yn_deploy
  63.  
  64.         if [ "$yn_deploy" = "Y" -o "$yn_deploy" = "y" ]
  65.         then
  66.                 # full cert chain
  67.                 cat "$CERT_NAME".crt "$ROOT_CA_NAME".crt > fullchain.crt
  68.                 # deploy certs to Proxmox VE
  69.                 cp /root/certs/"$CERT_NAME".key /etc/pve/nodes/$PVE_NODE/pveproxy-ssl.key
  70.                 cp /root/certs/fullchain.crt /etc/pve/nodes/$PVE_NODE/pveproxy-ssl.pem
  71.                 echo "[+] Certs deployed, now restart pveproxy"
  72.                 systemctl restart pveproxy
  73.         fi
  74. fi