  1. #!/usr/bin/env bash
  2.  
  3. set -e
  4.  
  5. SUBJ="/C=TW/ST=Taiwan/L=TPE/O=Goooooooooogle/OU=Goooooooooogle DevOops Team/emailAddress=reboot@goooooooooogle.com"
  6.  
  7. ROOT_CA_NAME=GoooooooooogleRootCA
  8. ROOT_CA_DAYS=$((365*4))
  9. ROOT_CA_BITS=8192
  10.  
  11. CERT_NAME=devoops-pve01
  12. CERT_DAYS=365
  13. CERT_BITS=8192
  14. CERT_IP=10.0.10.1
  15. CERT_DOMAIN=pve01.devoops.goooooooooogle.com
  16. CERT_SUBJ="$SUBJ"#"/CN=$CERT_DOMAIN"
  17.  
  18. PVE_NODE=devoopsPVE01
  19.  
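#######################################
# Emit an OpenSSL config on stdout: the system default config followed by a
# [req] section that requests v3_req extensions and a v3_req section holding
# the subjectAltName (IP + DNS). Used both as -config when building the CSR
# and as -extfile when the CA signs, so the SAN ends up in the issued cert.
# Globals:   CERT_IP, CERT_DOMAIN (read)
# Outputs:   config text to stdout
# Returns:   status of the final printf (cat failures are reported on stderr)
#######################################
openssl_config() {
  cat /etc/ssl/openssl.cnf
  # The values go through %s rather than into the format string, so a '%' or
  # backslash in the domain/IP cannot be interpreted by printf.
  printf '\n[req]\nreq_extensions = v3_req\n[ v3_req ]\nsubjectAltName = IP:%s,DNS:%s\n' \
    "$CERT_IP" "$CERT_DOMAIN"
}
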
  26. if [ ! -f "$ROOT_CA_NAME".key -a ! -f "$ROOT_CA_NAME".crt ]
  27. then
  28. echo "[+] Generate Root CA key and cert"
  29. openssl genrsa -des3 -out "$ROOT_CA_NAME".key $ROOT_CA_BITS
  30. openssl req -x509 -new -nodes -key "$ROOT_CA_NAME".key -subj "$SUBJ" -sha256 -days $ROOT_CA_DAYS -out "$ROOT_CA_NAME".crt
  31. else
  32. echo "[*] Root CA key or Root CA cert existed"
  33. fi
  34.  
  35. echo "[*] Root CA cert info"
  36. openssl x509 -in "$ROOT_CA_NAME".crt -text -noout
  37.  
  38. if [ ! -f "$CERT_NAME".key ]
  39. then
  40. echo "[+] Generate private key"
  41. openssl genrsa -out "$CERT_NAME".key $CERT_BITS
  42. else
  43. echo "[*] Private key existed"
  44. fi
  45.  
  46. echo "[+] Generate CSR (cert signing request)"
  47. openssl req -new -sha256 -key "$CERT_NAME".key -subj "$CERT_SUBJ" -config <(openssl_config) -out "$CERT_NAME".csr
  48.  
  49. echo "[*] CSR info"
  50. openssl req -text -noout -in "$CERT_NAME".csr
  51.  
  52. echo "[*] Sign cert with root CA private key"
  53. openssl x509 -req -in "$CERT_NAME".csr -CA "$ROOT_CA_NAME".crt -CAkey "$ROOT_CA_NAME".key -CAcreateserial -out "$CERT_NAME".crt -days $CERT_DAYS -sha256 -extensions v3_req -extfile <(openssl_config)
  54.  
  55. echo "[*] Cert info"
  56. openssl x509 -in "$CERT_NAME".crt -text -noout
  57.  
  58. if [ -d "/etc/pve/nodes/$PVE_NODE" ]
  59. then
  60. echo "[*] Proxmox VE detected"
  61. echo -n "[?] Deploy to Proxmox VE now? (y/N) "
  62. read yn_deploy
  63.  
  64. if [ "$yn_deploy" = "Y" -o "$yn_deploy" = "y" ]
  65. then
  66. # full cert chain
  67. cat "$CERT_NAME".crt "$ROOT_CA_NAME".crt > fullchain.crt
  68. # deploy certs to Proxmox VE
  69. cp /root/certs/"$CERT_NAME".key /etc/pve/nodes/$PVE_NODE/pveproxy-ssl.key
  70. cp /root/certs/fullchain.crt /etc/pve/nodes/$PVE_NODE/pveproxy-ssl.pem
  71. echo "[+] Certs deployed, now restart pveproxy"
  72. systemctl restart pveproxy
  73. fi
  74. fi