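#!/bin/bash
# Generates a local mTLS PKI for the OpenGnsys services:
#   - a self-signed CA under ./mtls-certs/ca (created once, reused on later
#     runs),
#   - one certificate per service (serverAuth + clientAuth) whose SANs cover
#     <service>.local, the real DNS name of the server and the service IP,
#   - a browser client certificate (clientAuth only) bundled as PKCS#12.
# All input is interactive (read -p); `openssl pkcs12 -export` additionally
# prompts for the bundle's export password on the terminal.
set -euo pipefail

#######################################
# Print a message to stderr and abort the script.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Restrict a file that contains private key material to its owner only.
# Done explicitly so the result does not depend on the caller's umask or on
# the file mode a given openssl version applies to private key output.
# Arguments: $1 - path of the key / PKCS#12 file
#######################################
protect_key() {
  chmod 600 "$1"
}

readonly BASE_DIR="mtls-certs"
readonly CA_DIR="$BASE_DIR/ca"
readonly CA_KEY="$CA_DIR/ca.key"
readonly CA_CRT="$CA_DIR/ca.crt"
# Shared subject prefix; each certificate appends its own OU and CN.
readonly SUBJ_PREFIX="/C=ES/ST=Madrid/L=Madrid/O=Opengnsys"

#######################################
# === 0. Ask for the real hostname of the server ===
# Globals:   REAL_HOSTNAME (written)
# Returns:   exits 1 on empty or malformed input
#######################################
ask_real_hostname() {
  read -rp "🖥️ Introduce el nombre DNS real del servidor (ej: opengnsys-server.local.es): " REAL_HOSTNAME
  [[ -n "$REAL_HOSTNAME" ]] || die "❌ El nombre del host no puede estar vacío"
  # The value is interpolated into an openssl extension file, so limit it to
  # hostname characters; a stray space, '=' or '[' would otherwise change the
  # meaning of the [alt_names] section instead of failing cleanly here.
  if [[ ! "$REAL_HOSTNAME" =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]]; then
    die "❌ Nombre de host no válido: $REAL_HOSTNAME"
  fi
}

#######################################
# === 1. Create the CA if it does not exist yet ===
# Globals:   CA_DIR, CA_KEY, CA_CRT, SUBJ_PREFIX (read)
# Returns:   exits 1 if a CA certificate exists without its key
#######################################
ensure_ca() {
  mkdir -p "$CA_DIR"
  if [[ -f "$CA_CRT" ]]; then
    # Reusing an existing CA: the key is needed to sign, so check it now
    # rather than failing half-way through the service loop.
    [[ -f "$CA_KEY" ]] || die "❌ Existe $CA_CRT pero falta $CA_KEY; no se puede firmar"
    return 0
  fi
  openssl genrsa -out "$CA_KEY" 4096
  protect_key "$CA_KEY"
  openssl req -x509 -new -nodes -key "$CA_KEY" -sha256 -days 3650 \
    -out "$CA_CRT" \
    -subj "$SUBJ_PREFIX/OU=CA/CN=opengnsys-ca"
}

#######################################
# Ask for the IP address of one service.
# Arguments: $1 - service name (used in the prompt only)
# Globals:   SERVICE_IP (written)
# Returns:   exits 1 on empty or malformed input
#######################################
ask_service_ip() {
  local service=$1
  read -rp "🌐 Introduce la IP del servicio $service: " SERVICE_IP
  [[ -n "$SERVICE_IP" ]] || die "❌ La IP no puede estar vacía"
  # Accept only IPv4/IPv6 characters; openssl validates the address itself
  # when it parses the SAN section.
  [[ "$SERVICE_IP" =~ ^[0-9A-Fa-f.:]+$ ]] || die "❌ IP no válida: $SERVICE_IP"
}

#######################################
# Write the x509v3 extension file used to sign a service certificate.
# Arguments: $1 - service name, $2 - service IP, $3 - output path
# Globals:   REAL_HOSTNAME (read)
#######################################
write_service_ext() {
  local service=$1 ip=$2 ext_file=$3
  cat > "$ext_file" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = $service.local
DNS.2 = $REAL_HOSTNAME
IP.1 = $ip
EOF
}

#######################################
# === 3. Create the key and CA-signed certificate for one service ===
# Arguments: $1 - service name, $2 - port (informational, shown in output)
# Globals:   BASE_DIR, CA_KEY, CA_CRT, SUBJ_PREFIX (read), SERVICE_IP (written)
# Outputs:   <BASE_DIR>/<service>/<service>.{key,crt,ext}; the CSR is removed
#######################################
issue_service_cert() {
  local service=$1 port=$2
  local dir="$BASE_DIR/$service"

  echo "🔧 Generando certificado para $service (puerto $port)..."
  ask_service_ip "$service"
  mkdir -p "$dir"

  openssl genrsa -out "$dir/$service.key" 2048
  protect_key "$dir/$service.key"

  openssl req -new -key "$dir/$service.key" -out "$dir/$service.csr" \
    -subj "$SUBJ_PREFIX/OU=$service/CN=$service.local"

  # The extension file is kept next to the certificate for reference.
  write_service_ext "$service" "$SERVICE_IP" "$dir/$service.ext"

  openssl x509 -req -in "$dir/$service.csr" -CA "$CA_CRT" \
    -CAkey "$CA_KEY" -CAcreateserial \
    -out "$dir/$service.crt" -days 825 -sha256 -extfile "$dir/$service.ext"

  rm -- "$dir/$service.csr"
}

#######################################
# === 4. Create the browser client certificate and its PKCS#12 bundle ===
# Globals:   BASE_DIR, CA_KEY, CA_CRT, SUBJ_PREFIX (read)
# Outputs:   <BASE_DIR>/cliente/cliente.{key,crt} and cliente-navegador.p12
#######################################
issue_browser_client_cert() {
  local client_dir="$BASE_DIR/cliente"
  mkdir -p "$client_dir"

  echo "🔐 Generando certificado de cliente para navegador..."

  openssl genrsa -out "$client_dir/cliente.key" 2048
  protect_key "$client_dir/cliente.key"

  openssl req -new -key "$client_dir/cliente.key" \
    -subj "$SUBJ_PREFIX/OU=clientes/CN=cliente-navegador" \
    -out "$client_dir/cliente.csr"

  cat > "$client_dir/cliente.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF

  openssl x509 -req -in "$client_dir/cliente.csr" -CA "$CA_CRT" \
    -CAkey "$CA_KEY" -CAcreateserial \
    -out "$client_dir/cliente.crt" -days 825 -sha256 -extfile "$client_dir/cliente.ext"

  # PKCS#12 bundle for browser import. `-export` prompts for an export
  # password on the terminal. The bundle carries the private key, so it gets
  # the same file mode as the .key file.
  openssl pkcs12 -export \
    -inkey "$client_dir/cliente.key" \
    -in "$client_dir/cliente.crt" \
    -certfile "$CA_CRT" \
    -out "$client_dir/cliente-navegador.p12" \
    -name "Certificado Cliente Navegador"
  protect_key "$client_dir/cliente-navegador.p12"

  rm -- "$client_dir/cliente.csr" "$client_dir/cliente.ext"

  echo "✅ Certificado de cliente para navegador creado en:"
  echo " $client_dir/cliente-navegador.p12"
}

#######################################
# Entry point: hostname prompt, CA, one certificate per service, browser
# client bundle.
#######################################
main() {
  # Fail before anything is written rather than mid-run with some keys on disk.
  command -v openssl >/dev/null 2>&1 || die "❌ openssl no está instalado o no está en el PATH"

  # === 2. Services and their ports (the port is informational only) ===
  declare -A services=(
    ["ogcore"]=8443
    ["ogrepo"]=8006
    ["ogboot"]=8081
    ["ogdhcp"]=8082
    ["ogagent"]=8000
  )
  local service

  ask_real_hostname
  ensure_ca

  # Iteration order of an associative array is unspecified; nothing depends
  # on it.
  for service in "${!services[@]}"; do
    issue_service_cert "$service" "${services[$service]}"
  done

  echo "✅ Certificados generados en ./$BASE_DIR con hostname real: $REAL_HOSTNAME"

  issue_browser_client_cert
}

main "$@"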