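#!/bin/bash
#
# Bootstrap a private CA under ./CA and issue one certificate per oglog
# component (see COMPONENTES further down in this file).
#
# Usage: <script> <subdominio> <contraseña-certificados>
#   $1  DNS suffix appended to every component name (oglog-<comp>.<subdominio>)
#   $2  passphrase used for the CA key and for every component key
#
# Security notes on what this script does:
#   - The passphrase arrives on argv, so it is visible to other local users
#     via `ps`/`/proc` while the script runs.
#   - `rm -rf CA` wipes any previous CA (keys, issued certs, index) on every run.
#   - Passphrase files (CA/ca-pass, CA/<name>-pass, mode 0600) and
#     unencrypted key copies (CA/private/*.key.nopass.pem, inside the 0700
#     private/ directory) are left on disk for the caller to collect.

# Fail fast: an unnoticed openssl failure would otherwise leave a half-built
# CA while the script keeps going and reports success.
set -euo pipefail

# ${1-} / ${2-}: under `set -u` a bare "$1" would abort with an "unbound
# variable" error before the usage message could be printed.
SUBDOMAIN="${1-}"
CERT_PASS="${2-}"

if [[ -z "$SUBDOMAIN" || -z "$CERT_PASS" ]]; then
  printf 'Uso: %s <subdominio> <contraseña-certificados>\n' "$0" >&2
  exit 1
fi

# Start from a clean CA directory and refuse to continue if we cannot enter
# it: every later relative path (openssl.cnf, private/, certs/, ...) assumes
# the current directory is CA/.
rm -rf -- CA
mkdir -p -- CA
cd CA || exit 1

# Unquoted heredoc: $PWD is expanded now, so `dir` is an absolute path.
# NOTE(review): the value is not quoted in the config; confirm the CA is
# created under a path without spaces.
cat >openssl.cnf <<EOF
[ca]
default_ca = CA_default

[CA_default]
dir = $PWD
EOF

# Quoted heredoc ('EOF'): the $dir references below must reach openssl
# literally; openssl resolves them against `dir` itself.
# copy_extensions = copy carries the subjectAltName requested in each CSR
# into the issued certificate. No x509_extensions section is configured, so
# issued certificates carry only what the CSR requests (no basicConstraints,
# keyUsage or extendedKeyUsage) — acceptable here only because every CSR is
# produced by this same script.
cat >>openssl.cnf <<'EOF'
certs = $dir/certs
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
default_md = sha256
policy = policy_loose
copy_extensions = copy

private_key = $dir/private/ca.key.pem
certificate = $dir/certs/ca.crt.pem

[policy_loose]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[req]
default_bits = 2048
distinguished_name = req_distinguished_name
default_md = sha256

[req_distinguished_name]
countryName = Country Name (2 letter code)
EOF

mkdir -p certs csr newcerts private
chmod 0700 private   # holds the CA key and every component key
touch index.txt      # `openssl ca` database, empty on a fresh CA
echo 1000 >serial    # first serial number to issue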
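#######################################
# Generate, for one component, a passphrase-protected RSA key, an
# unencrypted copy of it, a CSR carrying a DNS subjectAltName, and a
# certificate signed by the CA.
# Must be run from inside the CA directory: uses ./openssl.cnf, ./ca-pass
# and the relative private/, csr/ and certs/ paths.
# Globals:   SUBDOMAIN, CERT_PASS (read)
# Arguments: $1 - component name; the certificate CN/SAN is "$1.$SUBDOMAIN"
# Outputs:   "Dominio generado: <domain>" on stdout on success; the failing
#            openssl step (and its stderr, when captured) on stderr otherwise
# Returns:   0 on success, 1 if any step fails
#######################################
gen_cert() {
  local NAME="$1"
  local DOMAIN="$NAME.$SUBDOMAIN"
  local PASS="$CERT_PASS"          # same passphrase as the CA key
  local CA_PASS_FILE="./ca-pass"   # written by the CA bootstrap step

  local FILE_PRIVKEY_PASS="./$NAME-pass"
  local KEY_FILE="private/$DOMAIN.key.pem"
  local KEY_NOPASS_FILE="private/$DOMAIN.key.nopass.pem"
  local SUBJ="/C=ES/ST=Madrid/L=Madrid/CN=$DOMAIN"
  local ADDEXT="subjectAltName=DNS:$DOMAIN"
  local CSR="csr/$DOMAIN.csr.pem"
  local CERT_FILE="certs/$DOMAIN.crt.pem"
  local err

  # Create the passphrase file already restricted (umask in a subshell)
  # instead of chmod-ing after a world-readable create, and use printf so a
  # passphrase such as "-n" is not misread as an echo option. The chmod
  # still runs in case the file pre-existed with wider permissions.
  (umask 077 && printf '%s\n' "$PASS" >"$FILE_PRIVKEY_PASS") || return 1
  chmod 0600 "$FILE_PRIVKEY_PASS"

  # Encrypted key ...
  openssl genrsa -aes256 -out "$KEY_FILE" -passout file:"$FILE_PRIVKEY_PASS" 2048 \
    || { printf 'gen_cert: genrsa failed for %s\n' "$DOMAIN" >&2; return 1; }

  # ... and an unencrypted copy for services that cannot prompt for a
  # passphrase. stdout is discarded; stderr is captured for the error report.
  if ! err=$(openssl rsa -in "$KEY_FILE" -passin file:"$FILE_PRIVKEY_PASS" -out "$KEY_NOPASS_FILE" 2>&1 >/dev/null); then
    printf 'gen_cert: rsa (nopass copy) failed for %s\n%s\n' "$DOMAIN" "$err" >&2
    return 1
  fi
  # The mode openssl gives -out files depends on version and umask, so pin
  # both key files explicitly.
  chmod 0600 "$KEY_FILE" "$KEY_NOPASS_FILE"

  openssl req -config openssl.cnf -key "$KEY_FILE" -passin file:"$FILE_PRIVKEY_PASS" -new -sha256 -subj "$SUBJ" -addext "$ADDEXT" -out "$CSR" \
    || { printf 'gen_cert: req failed for %s\n' "$DOMAIN" >&2; return 1; }

  # -batch: no interactive confirmation. The SAN reaches the certificate via
  # copy_extensions = copy in openssl.cnf. Progress chatter on stdout is
  # dropped; stderr is captured so a signing failure is not silent.
  if ! err=$(openssl ca -config openssl.cnf -batch -passin file:"$CA_PASS_FILE" -days 375 -notext -md sha256 -in "$CSR" -out "$CERT_FILE" 2>&1 >/dev/null); then
    printf 'gen_cert: ca signing failed for %s\n%s\n' "$DOMAIN" "$err" >&2
    return 1
  fi

  echo "Dominio generado: $DOMAIN"
}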
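## Generate the CA
# The CA passphrase is the same string used for every component key ($2).
# It is stored in ./ca-pass because gen_cert reads it with -passin file:.
CA_PASS_FILE="./ca-pass"
# Create the passphrase file already restricted (umask in a subshell)
# instead of chmod-ing after a world-readable create; printf keeps a
# passphrase such as "-n" from being eaten by echo. The chmod still runs
# in case the file pre-existed with wider permissions.
(umask 077 && printf '%s\n' "$CERT_PASS" >"$CA_PASS_FILE") || exit 1
chmod 0600 "$CA_PASS_FILE"
# 4096-bit, AES-256-encrypted CA key. Stop here rather than go on to sign
# component certificates with a missing or broken CA key.
openssl genrsa -aes256 -out private/ca.key.pem -passout file:"$CA_PASS_FILE" 4096 \
  || { printf 'CA key generation failed\n' >&2; exit 1; }
# Self-signed root valid for 7300 days. Note the CN ends in ".mytld",
# whereas component certificates use "<name>.$SUBDOMAIN".
openssl req -config openssl.cnf -key private/ca.key.pem -passin file:"$CA_PASS_FILE" -new -x509 -days 7300 -sha256 -subj "/C=ES/ST=Madrid/L=Madrid/CN=ca.$SUBDOMAIN.mytld" -out certs/ca.crt.pem \
  || { printf 'CA certificate generation failed\n' >&2; exit 1; }

## Components that receive a certificate
# COMPONENTES and what each one maps to:
# "os"       → OpenSearch (certificate for /etc/opensearch/)
# "osdb"     → OpenSearch Dashboards (certificate for /etc/opensearch-dashboards/)
# "jrem"     → systemd-journal-remote (certificate for /etc/systemd/)
# "prom"     → Prometheus (certificate for /etc/prometheus/)
# "graf"     → Grafana (certificate for /etc/grafana/)
# "jb"       → client-side Journalbeat (certificate for /etc/journalbeat/)
# "agent-fb" → client-side Filebeat of ogagent (certificate for /etc/filebeat/)
# "server"   → ogcore/ogboot/intermediate server (generic use of the certificate)

COMPONENTES=("os" "osdb" "jrem" "jb" "prom" "graf" "server" "agent-fb")

# One certificate per component plus a dnsmasq address= line pointing the
# name at localhost. Stop at the first failed component instead of recording
# a DNS entry for a certificate that was not produced.
# NOTE(review): /tmp/dnsmasq.oglog.conf is a fixed name in a world-writable
# directory and is appended to, never truncated, so entries accumulate
# across runs and a pre-existing file or symlink of that name is written
# through — confirm this location is what the consumer expects.
for comp in "${COMPONENTES[@]}"; do
  gen_cert "oglog-$comp" || exit 1
  echo "address=/oglog-$comp.$SUBDOMAIN/127.0.0.1" >> /tmp/dnsmasq.oglog.conf
done

cd ..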