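#!/bin/bash
set -euo pipefail

# Generate a temporary self-signed TLS certificate for a domain.
# Intended for staging environments on AlmaLinux/RHEL/CentOS.
#
# Usage: generate-self-signed-cert.sh <domain> [days] [keys_dir]
#   domain    FQDN, e.g. example.staging.local
#   days      Validity in days (default: 30)
#   keys_dir  Directory to write keys/certs (default: /var/lib/jelastic/keys)
#
# Files written to keys_dir:
#   <domain>.key             RSA-2048 private key, mode 0600
#   <domain>.cer             self-signed leaf certificate, mode 0644
#   <domain>.fullchain.pem   copy of the leaf (a self-signed cert has no chain)
#   cert.pem, fullchain.pem, ca.cer   generic-name copies used by other tooling
#
# Exit codes: 1 bad/missing arguments, 2 openssl not installed,
# 3 openssl key/certificate generation failed.

DOMAIN="${1:-}"
DAYS="${2:-30}"
KEYS_DIR="${3:-/var/lib/jelastic/keys}"

#######################################
# Print usage to stderr and exit 1.
#######################################
usage() {
  echo "Usage: $0 <domain> [days] [keys_dir]" >&2
  exit 1
}

#######################################
# Run a command with stdout/stderr captured; the captured output is shown
# only when the command fails, so failures stay diagnosable without the
# progress chatter openssl prints on success.
# Arguments: the command and its arguments
# Returns:   the command's exit status
#######################################
run_quiet() {
  local out
  if ! out=$("$@" 2>&1); then
    printf '%s\n' "$out" >&2
    return 1
  fi
}

if [[ -z "$DOMAIN" ]]; then
  usage
fi

# DOMAIN becomes a filename (after `cd "$KEYS_DIR"`) and is spliced verbatim
# into the openssl config below, so restrict it to hostname characters.
# That rules out path separators, a leading '-', and the newline / '[' that
# could otherwise inject extra sections into the config.
if [[ ! "$DOMAIN" =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]]; then
  echo "[ERROR] Invalid domain '${DOMAIN}': expected a hostname (letters, digits, '.', '-')." >&2
  exit 1
fi

# DAYS is handed to `openssl req -days`; require a positive integer so it can
# neither be parsed as an option nor silently yield an odd validity.
if [[ ! "$DAYS" =~ ^[1-9][0-9]*$ ]]; then
  echo "[ERROR] Invalid days '${DAYS}': expected a positive integer." >&2
  exit 1
fi

if ! command -v openssl >/dev/null 2>&1; then
  echo "[ERROR] openssl not found. Please install openssl." >&2
  exit 2
fi

mkdir -p "$KEYS_DIR"
cd "$KEYS_DIR"

KEY_FILE="${DOMAIN}.key"
CRT_FILE="${DOMAIN}.cer"
CHAIN_FILE="${DOMAIN}.fullchain.pem"

# From here on every new file is created owner-only; the public artefacts are
# opened up explicitly with chmod further down. This closes the window in
# which the private key would otherwise exist at the process umask (commonly
# 0644) between `openssl genrsa` and the final chmod.
umask 077

# The openssl config lives in a temp file; drop it on every exit path
# (including a failing `openssl req`), not only after success.
TMP_CONF=$(mktemp)
cleanup() { rm -f -- "$TMP_CONF"; }
trap cleanup EXIT

echo "[INFO] Generating RSA key (${KEY_FILE})…"
run_quiet openssl genrsa -out "$KEY_FILE" 2048 || {
  echo "[ERROR] RSA key generation failed." >&2
  exit 3
}

cat >"$TMP_CONF" <<CONF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
CN = ${DOMAIN}

[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = ${DOMAIN}
DNS.2 = www.${DOMAIN}
CONF

echo "[INFO] Creating self-signed certificate valid for ${DAYS} days (${CRT_FILE})…"
# -nodes (unencrypted key) is the spelling understood by the OpenSSL 1.x
# shipped on RHEL-family hosts; OpenSSL 3 still accepts it as an alias.
run_quiet openssl req -x509 -new -nodes -key "$KEY_FILE" -sha256 \
  -days "$DAYS" -out "$CRT_FILE" -config "$TMP_CONF" || {
  echo "[ERROR] Certificate generation failed." >&2
  exit 3
}

# Build a fullchain (for self-signed, it's just the leaf repeated for compatibility)
cp -f -- "$CRT_FILE" "$CHAIN_FILE"

# Maintain generic filenames used by other tooling. A self-signed certificate
# is its own issuer, so the leaf also serves as ca.cer.
cp -f -- "$CRT_FILE" cert.pem
cp -f -- "$CHAIN_FILE" fullchain.pem
cp -f -- "$CRT_FILE" ca.cer

# Certificates are public; the private key stays owner-only.
chmod 0644 "$CRT_FILE" "$CHAIN_FILE" cert.pem fullchain.pem ca.cer
chmod 0600 "$KEY_FILE"

echo "[SUCCESS] Self-signed certificate created:"
echo " Key: $KEYS_DIR/$KEY_FILE"
echo " Cert: $KEYS_DIR/$CRT_FILE"
echo " Fullchain: $KEYS_DIR/$CHAIN_FILE"
echo "[NOTE] Apply/reload your web server to use the new certificate."

exit 0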