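#!/bin/bash
set -euo pipefail

# Generate a temporary self-signed TLS certificate for a domain.
# Intended for staging environments on AlmaLinux/RHEL/CentOS.
#
# Usage: generate-self-signed-cert.sh <domain> [days] [keys_dir]
#   domain    FQDN, e.g. example.staging.local
#   days      Validity in days (default: 30)
#   keys_dir  Directory to write keys/certs (default: /var/lib/jelastic/keys)
#
# Exit status: 0 on success, 1 on a missing or invalid argument, 2 when
# openssl is not installed, otherwise the status of the failing command.

DOMAIN="${1:-}"
DAYS="${2:-30}"
KEYS_DIR="${3:-/var/lib/jelastic/keys}"

if [[ -z "$DOMAIN" ]]; then
  echo "Usage: $0 <domain> [days] [keys_dir]" >&2
  exit 1
fi

# DOMAIN ends up in file names and inside the openssl config below, so it is
# restricted to host-name syntax (optionally a leading "*." wildcard label).
# That rules out path separators, "..", a leading "-" and embedded newlines
# that could otherwise redirect the output files or add config directives.
label='[A-Za-z0-9_]([A-Za-z0-9_-]*[A-Za-z0-9_])?'
domain_re="^(\\*\\.)?${label}(\\.${label})*\$"
if (( ${#DOMAIN} > 253 )) || ! [[ "$DOMAIN" =~ $domain_re ]]; then
  echo "[ERROR] Invalid domain name: $DOMAIN" >&2
  exit 1
fi

# DAYS is handed to openssl as the validity period; accept positive integers only.
if ! [[ "$DAYS" =~ ^[1-9][0-9]*$ ]]; then
  echo "[ERROR] Invalid validity in days: $DAYS" >&2
  exit 1
fi

if ! command -v openssl >/dev/null 2>&1; then
  echo "[ERROR] openssl not found. Please install openssl." >&2
  exit 2
fi

# Run a command quietly; on failure replay its output on stderr and return its
# status, so an openssl error is reported instead of the script dying silently.
run_quiet() {
  local out rc=0
  out=$("$@" 2>&1) || rc=$?
  if (( rc != 0 )); then
    printf '[ERROR] Command failed (%d): %s\n%s\n' "$rc" "$*" "$out" >&2
  fi
  return "$rc"
}

# Remove the temporary openssl config on every exit path, including failures.
TMP_CONF=""
cleanup() {
  if [[ -n "$TMP_CONF" ]]; then
    rm -f -- "$TMP_CONF"
  fi
}
trap cleanup EXIT

mkdir -p -- "$KEYS_DIR"
cd -- "$KEYS_DIR"

KEY_FILE="${DOMAIN}.key"
CRT_FILE="${DOMAIN}.cer"
CHAIN_FILE="${DOMAIN}.fullchain.pem"

echo "[INFO] Generating RSA key (${KEY_FILE})…"
# Create the private key under a restrictive umask so it is never readable by
# other users, not even between its creation and the chmod further down.
(
  umask 077
  run_quiet openssl genrsa -out "$KEY_FILE" 2048
)

TMP_CONF=$(mktemp)
# NOTE(review): the body of this config and the `openssl req` call were lost
# where this script was published; this is a minimal CN + subjectAltName
# request config -- confirm against the deployed version.
cat >"$TMP_CONF" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ext

[dn]
CN = ${DOMAIN}

[v3_ext]
subjectAltName = DNS:${DOMAIN}
EOF

run_quiet openssl req -x509 -new -sha256 -key "$KEY_FILE" -days "$DAYS" \
  -out "$CRT_FILE" -config "$TMP_CONF"

# Build a fullchain (for self-signed, it's just the leaf repeated for compatibility)
cat -- "$CRT_FILE" >"$CHAIN_FILE"

# Maintain generic filenames used by other tooling
cp -f -- "$CRT_FILE" cert.pem
cp -f -- "$CHAIN_FILE" fullchain.pem
cp -f -- "$CRT_FILE" ca.cer

# Certificates are public material; the key stays owner-only.
chmod 0644 -- "$CRT_FILE" "$CHAIN_FILE" cert.pem fullchain.pem ca.cer
chmod 0600 -- "$KEY_FILE"

echo "[SUCCESS] Self-signed certificate created:"
echo " Key: $KEYS_DIR/$KEY_FILE"
echo " Cert: $KEYS_DIR/$CRT_FILE"
echo " Fullchain: $KEYS_DIR/$CHAIN_FILE"
echo "[NOTE] Apply/reload your web server to use the new certificate."
exit 0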