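#!/usr/bin/env bash
# Create a private root CA (once), issue a server certificate for a Proxmox VE
# node with IP and DNS SANs, and optionally deploy it to pveproxy.
#
# Everything is written to the current working directory:
#   <ROOT_CA_NAME>.key / .crt / .srl   root CA (key is passphrase-protected)
#   <CERT_NAME>.key / .csr / .crt      server key, request and certificate
#   fullchain.crt                      server cert followed by the root CA cert
set -euo pipefail

# openssl writes key files with the process umask; restrict it so neither the
# CA key nor the server key is ever created group/world-readable. The .crt
# files end up 0600 as well, which is harmless for local use.
umask 077

# Distinguished-name fields shared by the root CA and the server certificate.
SUBJ="/C=TW/ST=Taiwan/L=TPE/O=Goooooooooogle/OU=Goooooooooogle DevOops Team/emailAddress=reboot@goooooooooogle.com"

ROOT_CA_NAME=GoooooooooogleRootCA
ROOT_CA_DAYS=$((365*4))
ROOT_CA_BITS=8192

CERT_NAME=devoops-pve01
CERT_DAYS=365
CERT_BITS=8192
CERT_IP=10.0.10.1
CERT_DOMAIN=pve01.devoops.goooooooooogle.com
# Server certificate subject: the shared fields plus the node's FQDN as CN.
# Plain concatenation here — a '#' placed between two quoted parts of a word
# is a literal character, not a comment, and would land in the emailAddress.
CERT_SUBJ="$SUBJ/CN=$CERT_DOMAIN"

# Name of the node directory under /etc/pve/nodes/ that receives the cert.
PVE_NODE=devoopsPVE01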
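#######################################
# Print an OpenSSL configuration on stdout: the system defaults followed by a
# [req] section that activates [v3_req], and a [v3_req] section holding the
# server certificate's extensions. It is used both when building the CSR
# (-config) and when signing (-extfile/-extensions), so the SAN is present in
# the issued certificate.
# Globals read: CERT_IP, CERT_DOMAIN
# Outputs:      config text on stdout
#######################################
openssl_config() {
  cat /etc/ssl/openssl.cnf
  printf '\n[req]\nreq_extensions = v3_req\n'
  printf '[ v3_req ]\n'
  # State the leaf constraints explicitly instead of depending on whatever the
  # system file's v3_req section contains: not a CA, usable for TLS server only.
  printf 'basicConstraints = CA:FALSE\n'
  printf 'keyUsage = digitalSignature, keyEncipherment\n'
  printf 'extendedKeyUsage = serverAuth\n'
  # Values go through %s so the format string is fixed and never built from data.
  printf 'subjectAltName = IP:%s,DNS:%s\n' "$CERT_IP" "$CERT_DOMAIN"
}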
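# --- Root CA: create once, reuse afterwards -----------------------------------
if [[ ! -f "$ROOT_CA_NAME".key && ! -f "$ROOT_CA_NAME".crt ]]; then
  echo "[+] Generate Root CA key and cert"
  # The CA key is passphrase-protected (openssl prompts for it); AES-256
  # replaces the legacy 3DES wrapping. The passphrase is asked again when
  # signing below. -nodes is dropped: it only applies when req generates a key.
  openssl genrsa -aes256 -out "$ROOT_CA_NAME".key "$ROOT_CA_BITS"
  chmod 600 "$ROOT_CA_NAME".key
  openssl req -x509 -new -key "$ROOT_CA_NAME".key -subj "$SUBJ" -sha256 \
    -days "$ROOT_CA_DAYS" -out "$ROOT_CA_NAME".crt
else
  # Never overwrite an existing CA. If only one of the two files exists, the
  # x509 dump below fails and set -e stops the script before anything is signed.
  echo "[*] Root CA key or Root CA cert existed"
fi
echo "[*] Root CA cert info"
openssl x509 -in "$ROOT_CA_NAME".crt -text -noout

# --- Server key (reused if present) and CSR -----------------------------------
if [[ ! -f "$CERT_NAME".key ]]; then
  echo "[+] Generate private key"
  openssl genrsa -out "$CERT_NAME".key "$CERT_BITS"
  chmod 600 "$CERT_NAME".key
else
  echo "[*] Private key existed"
fi
echo "[+] Generate CSR (cert signing request)"
# openssl_config supplies the [v3_req] section with the IP/DNS SANs.
openssl req -new -sha256 -key "$CERT_NAME".key -subj "$CERT_SUBJ" \
  -config <(openssl_config) -out "$CERT_NAME".csr
echo "[*] CSR info"
openssl req -text -noout -in "$CERT_NAME".csr

# --- Sign with the root CA -----------------------------------------------------
echo "[*] Sign cert with root CA private key"
# -extensions/-extfile are needed: x509 -req does not carry the CSR's
# extensions into the certificate by default, so without them the issued cert
# would have no SAN.
openssl x509 -req -in "$CERT_NAME".csr -CA "$ROOT_CA_NAME".crt -CAkey "$ROOT_CA_NAME".key \
  -CAcreateserial -out "$CERT_NAME".crt -days "$CERT_DAYS" -sha256 \
  -extensions v3_req -extfile <(openssl_config)
echo "[*] Cert info"
openssl x509 -in "$CERT_NAME".crt -text -noout

# --- Optional deployment to Proxmox VE -----------------------------------------
if [[ -d "/etc/pve/nodes/$PVE_NODE" ]]; then
  echo "[*] Proxmox VE detected"
  printf '%s' "[?] Deploy to Proxmox VE now? (y/N) "
  # EOF on stdin (non-interactive run) counts as "no" instead of aborting.
  read -r yn_deploy || yn_deploy=""
  if [[ "$yn_deploy" == [yY] ]]; then
    # pveproxy-ssl.pem must hold the server cert followed by its chain.
    cat "$CERT_NAME".crt "$ROOT_CA_NAME".crt > fullchain.crt
    # Deploy the files this run just produced, from the same directory the rest
    # of the script writes to — not a hard-coded /root/certs/ that may be
    # missing or hold a stale key from an earlier run.
    cp "$CERT_NAME".key "/etc/pve/nodes/$PVE_NODE/pveproxy-ssl.key"
    cp fullchain.crt "/etc/pve/nodes/$PVE_NODE/pveproxy-ssl.pem"
    echo "[+] Certs deployed, now restart pveproxy"
    systemctl restart pveproxy
  fi
fi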