From 6d0f38965d8b3dc28a0e4c5bd726ef251f221c43 Mon Sep 17 00:00:00 2001
From: Wolfgang Hottgenroth
Date: Sun, 30 Nov 2025 16:05:41 +0100
Subject: [PATCH] certs scripts

---
 .gitignore | 2 ++
 tools/create-client-cert.sh | 42 +++++++++++++++++------------------
 tools/decrypt-certificates.sh | 13 +++++++++++
 tools/encrypt-certificates.sh | 13 +++++++++++
 tools/setup-ca.sh | 13 +++++------
 5 files changed, 54 insertions(+), 29 deletions(-)
 create mode 100755 tools/decrypt-certificates.sh
 create mode 100755 tools/encrypt-certificates.sh

diff --git a/.gitignore b/.gitignore
index 2c4d835..4dc0615 100644
--- a/.gitignore
+++ b/.gitignore
@@ -66,3 +66,5 @@ apps/homekit/homekit.state
 
 tools/ca/
 tools/clients/
+tools/certificates/
+tools/certificates.tgz
diff --git a/tools/create-client-cert.sh b/tools/create-client-cert.sh
index c1996fb..91bd5d9 100755
--- a/tools/create-client-cert.sh
+++ b/tools/create-client-cert.sh
@@ -12,7 +12,7 @@ CLIENT_NAME="$1"
 P12_PASSWORD="$2"
 
 # Check if CA exists
-if [ ! -f "ca/ca.crt" ] || [ ! -f "ca/ca.key" ]; then
+if [ ! -f "certificates/ca/ca.crt" ] || [ ! -f "certificates/ca/ca.key" ]; then
     echo "Error: CA not found. Please run setup-ca.sh first."
     exit 1
 fi
@@ -21,49 +21,47 @@ echo "=== Creating Client Certificate ==="
 echo "Client Name: $CLIENT_NAME"
 
 # Create client directory
-mkdir -p clients/$CLIENT_NAME
+mkdir -p certificates/clients/$CLIENT_NAME
 
 # Generate client private key
 echo "Generating client private key..."
-openssl genrsa -out clients/$CLIENT_NAME/$CLIENT_NAME.key 2048
-
+openssl genrsa -out certificates/clients/$CLIENT_NAME/$CLIENT_NAME.key 2048
 # Generate client certificate signing request
 echo "Generating client certificate signing request..."
-openssl req -new -key clients/$CLIENT_NAME/$CLIENT_NAME.key \
-    -out clients/$CLIENT_NAME/$CLIENT_NAME.csr \
+openssl req -new -key certificates/clients/$CLIENT_NAME/$CLIENT_NAME.key \
+    -out certificates/clients/$CLIENT_NAME/$CLIENT_NAME.csr \
     -subj "/DC=de/DC=hottis/DC=homea2/CN=$CLIENT_NAME"
 
 # Sign the client certificate
 echo "Signing client certificate..."
-openssl x509 -req -in clients/$CLIENT_NAME/$CLIENT_NAME.csr \
-    -CA ca/ca.crt -CAkey ca/ca.key -CAcreateserial \
-    -out clients/$CLIENT_NAME/$CLIENT_NAME.crt \
+openssl x509 -req -in certificates/clients/$CLIENT_NAME/$CLIENT_NAME.csr \
+    -CA certificates/ca/ca.crt -CAkey certificates/ca/ca.key -CAcreateserial \
+    -out certificates/clients/$CLIENT_NAME/$CLIENT_NAME.crt \
     -days 365 -sha256
 
 # Create PKCS#12 bundle
 echo "Creating PKCS#12 bundle..."
 openssl pkcs12 -export \
-    -out clients/$CLIENT_NAME/$CLIENT_NAME.p12 \
-    -inkey clients/$CLIENT_NAME/$CLIENT_NAME.key \
-    -in clients/$CLIENT_NAME/$CLIENT_NAME.crt \
-    -certfile ca/ca.crt \
+    -out certificates/clients/$CLIENT_NAME/$CLIENT_NAME.p12 \
+    -inkey certificates/clients/$CLIENT_NAME/$CLIENT_NAME.key \
+    -in certificates/clients/$CLIENT_NAME/$CLIENT_NAME.crt \
+    -certfile certificates/ca/ca.crt \
     -name "$CLIENT_NAME Home Automation Client" \
     -passout pass:$P12_PASSWORD
 
 # Set appropriate permissions
-chmod 400 clients/$CLIENT_NAME/$CLIENT_NAME.key
-chmod 644 clients/$CLIENT_NAME/$CLIENT_NAME.crt
-chmod 644 clients/$CLIENT_NAME/$CLIENT_NAME.p12
+chmod 400 certificates/clients/$CLIENT_NAME/$CLIENT_NAME.key
+chmod 644 certificates/clients/$CLIENT_NAME/$CLIENT_NAME.crt
+chmod 644 certificates/clients/$CLIENT_NAME/$CLIENT_NAME.p12
 
 # Verify client certificate
 echo "Verifying client certificate..."
-openssl x509 -noout -text -in clients/$CLIENT_NAME/$CLIENT_NAME.crt
-
+openssl x509 -noout -text -in certificates/clients/$CLIENT_NAME/$CLIENT_NAME.crt
 echo ""
 echo "=== Client Certificate Created ==="
-echo "Client Certificate: clients/$CLIENT_NAME/$CLIENT_NAME.crt"
-echo "Client Private Key: clients/$CLIENT_NAME/$CLIENT_NAME.key"
-echo "PKCS#12 Bundle: clients/$CLIENT_NAME/$CLIENT_NAME.p12"
+echo "Client Certificate: certificates/clients/$CLIENT_NAME/$CLIENT_NAME.crt"
+echo "Client Private Key: certificates/clients/$CLIENT_NAME/$CLIENT_NAME.key"
+echo "PKCS#12 Bundle: certificates/clients/$CLIENT_NAME/$CLIENT_NAME.p12"
 echo ""
 echo "Installation Instructions:"
 echo "1. Import the PKCS#12 file into your browser/application"
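Review bot: `$CLIENT_NAME` (assigned from `$1` before this hunk) is expanded unquoted into every path the new lines build under `certificates/clients/` and into the `-subj` string, so a name with spaces splits the argument and a name containing `/` or `..` writes the key, CSR and certificate outside the intended directory. Validate it once before use, e.g. `[[ "$CLIENT_NAME" =~ ^[A-Za-z0-9._-]+$ ]] || { echo "Error: invalid client name" >&2; exit 1; }`, and quote the expansions (`"certificates/clients/$CLIENT_NAME/$CLIENT_NAME.key"`). Separately, the new `chmod 644` on the `.p12` leaves a file that bundles the private key world-readable, protected only by the password that is also passed on the command line; `chmod 600` would match the `0400` applied to the `.key` one line above. The script's argument handling sits before this hunk.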
@@ -71,4 +69,4 @@ echo "2. The bundle contains both the client certificate and CA certificate"
 echo "3. Password for PKCS#12 file: $P12_PASSWORD"
 echo ""
 echo "For testing with curl:"
-echo "curl --cert clients/$CLIENT_NAME/$CLIENT_NAME.crt --key clients/$CLIENT_NAME/$CLIENT_NAME.key --cacert ca/ca.crt https://homea2.hottis.de/"
\ No newline at end of file
+echo "curl --cert certificates/clients/$CLIENT_NAME/$CLIENT_NAME.crt --key certificates/clients/$CLIENT_NAME/$CLIENT_NAME.key https://homea2.hottis.de/"
\ No newline at end of file
diff --git a/tools/decrypt-certificates.sh b/tools/decrypt-certificates.sh
new file mode 100755
index 0000000..a04b369
--- /dev/null
+++ b/tools/decrypt-certificates.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+
+
+set -e
+
+gpg --decrypt --pinentry-mode=loopback --output secrets.tgz secrets.asc
+
+tar -xzvf secrets.tgz ./secret-configuration/
+
+rm secrets.tgz
+
+
diff --git a/tools/encrypt-certificates.sh b/tools/encrypt-certificates.sh
new file mode 100755
index 0000000..5e4a570
--- /dev/null
+++ b/tools/encrypt-certificates.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+
+
+set -e
+
+tar -czvf certificates.tgz ./certificates/
+
+gpg --symmetric --cipher-algo AES256 --armor --pinentry-mode=loopback --output certificates.asc certificates.tgz
+
+rm certificates.tgz
+
+
diff --git a/tools/setup-ca.sh b/tools/setup-ca.sh
index d94929e..ad64285 100755
--- a/tools/setup-ca.sh
+++ b/tools/setup-ca.sh
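Review bot: The rewritten curl example on the `+echo` line drops `--cacert`, so curl now validates the server against the system trust store instead of the private CA this tooling creates; that is only correct if homea2.hottis.de serves a publicly trusted certificate, which nothing in this patch shows. If the server certificate is issued by `certificates/ca/ca.crt`, the example fails verification and invites users to add `-k`. Either restore `--cacert certificates/ca/ca.crt` or add a comment such as `# server cert is publicly trusted; the private CA is used for client auth only` so the omission is visibly deliberate.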
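Review bot: `decrypt-certificates.sh` does not reverse what `encrypt-certificates.sh` produces: it decrypts `secrets.asc` into `secrets.tgz` and extracts `./secret-configuration/`, while the encrypt script writes `certificates.asc` from `./certificates/`, so a round trip fails at the `gpg` step and the names look carried over from another repository. The commands should target `certificates.asc`, `certificates.tgz` and `./certificates/`. Because `set -e` aborts before the `rm` whenever `tar` fails, the decrypted tarball — which contains `ca.key` — stays on disk; a `trap` after `set -e` cleans it up on every exit path, and `certificates.tgz` is at least covered by the new `.gitignore` entry whereas `secrets.tgz` is not.

```shell
# … unchanged: shebang …
set -e
trap 'rm -f certificates.tgz' EXIT

gpg --decrypt --pinentry-mode=loopback --output certificates.tgz certificates.asc

tar -xzvf certificates.tgz ./certificates/
```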
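Review bot: The plaintext `certificates.tgz` written by the `tar -czvf` line contains `certificates/ca/ca.key` and is only removed if `gpg` succeeds; under `set -e` a mistyped or mismatched passphrase aborts the script and leaves the unencrypted archive on disk. Streaming the archive into gpg avoids ever creating that file: `tar -czf - ./certificates/ | gpg --symmetric --cipher-algo AES256 --armor --pinentry-mode=loopback --output certificates.asc`, with the `rm` dropped and `set -o pipefail` added next to `set -e` so a failing `tar` is not masked by the pipeline. If the temporary file is kept instead, `trap 'rm -f certificates.tgz' EXIT` right after `set -e` removes it on every exit path.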
@@ -4,21 +4,20 @@ set -e
 echo "=== mTLS CA Setup ==="
 
 # Create CA directory
-mkdir -p ca
+mkdir -p certificates/ca
 
 # Generate CA private key
 echo "Generating CA private key..."
-openssl genrsa -out ca/ca.key 2048
-
+openssl genrsa -out certificates/ca/ca.key 2048
 # Generate CA certificate
 echo "Generating CA certificate..."
-openssl req -new -x509 -days 3650 -key ca/ca.key -out ca/ca.crt \
+openssl req -new -x509 -days 3650 -key certificates/ca/ca.key -out certificates/ca/ca.crt \
     -subj "/DC=de/DC=hottis/DC=homea2/CN=Home Automation CA"
 
 echo ""
 echo "=== CA Setup Complete ==="
-echo "CA Certificate: ca/ca.crt"
-echo "CA Private Key: ca/ca.key"
+echo "CA Certificate: certificates/ca/ca.crt"
+echo "CA Private Key: certificates/ca/ca.key"
 echo ""
 echo "Deploy to Kubernetes:"
-echo "kubectl create secret generic mtls-ca-cert --from-file=ca.crt=ca/ca.crt -n homea2"
\ No newline at end of file
+echo "kubectl create secret generic mtls-ca-cert --from-file=ca.crt=certificates/ca/ca.crt -n homea2"
\ No newline at end of file
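Review bot: `certificates/ca/ca.key` is created by the new `openssl genrsa` line with whatever umask the caller has and the script never tightens it, unlike `create-client-cert.sh` which applies `chmod 400` to client keys; on a typical `022` umask the CA signing key ends up world-readable. Add `chmod 400 certificates/ca/ca.key` directly after the `genrsa` line (or `umask 077` before `mkdir -p`). Also, `mkdir -p` followed by an unconditional `genrsa` means re-running the script silently overwrites an existing CA key and certificate, invalidating every client certificate already issued; guard with `[ -e certificates/ca/ca.key ] && { echo "Error: CA already exists in certificates/ca" >&2; exit 1; }` before generating. Whether `req -x509` marks the result as a CA with restricted key usage depends on the local OpenSSL configuration, so consider passing `-addext basicConstraints=critical,CA:TRUE -addext keyUsage=critical,keyCertSign,cRLSign` to make it explicit.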