certs scripts

.gitignore

@@ -66,3 +66,5 @@ apps/homekit/homekit.state
 
 tools/ca/
 tools/clients/
+tools/certificates/
+tools/certificates.tgz

tools/create-client-cert.sh

@@ -12,7 +12,7 @@ CLIENT_NAME="$1"
 P12_PASSWORD="$2"
 
 # Check if CA exists
-if [ ! -f "ca/ca.crt" ] || [ ! -f "ca/ca.key" ]; then
+if [ ! -f "certificates/ca/ca.crt" ] || [ ! -f "certificates/ca/ca.key" ]; then
     echo "Error: CA not found. Please run setup-ca.sh first."
     exit 1
 fi
@@ -21,49 +21,47 @@ echo "=== Creating Client Certificate ==="
 echo "Client Name: $CLIENT_NAME"
 
 # Create client directory
-mkdir -p clients/$CLIENT_NAME
+mkdir -p certificates/clients/$CLIENT_NAME
 
 # Generate client private key
 echo "Generating client private key..."
-openssl genrsa -out clients/$CLIENT_NAME/$CLIENT_NAME.key 2048
-
+openssl genrsa -out certificates/clients/$CLIENT_NAME/$CLIENT_NAME.key 2048
 # Generate client certificate signing request
 echo "Generating client certificate signing request..."
-openssl req -new -key clients/$CLIENT_NAME/$CLIENT_NAME.key \
-    -out clients/$CLIENT_NAME/$CLIENT_NAME.csr \
+openssl req -new -key certificates/clients/$CLIENT_NAME/$CLIENT_NAME.key \
+    -out certificates/clients/$CLIENT_NAME/$CLIENT_NAME.csr \
     -subj "/DC=de/DC=hottis/DC=homea2/CN=$CLIENT_NAME"
 
 # Sign the client certificate
 echo "Signing client certificate..."
-openssl x509 -req -in clients/$CLIENT_NAME/$CLIENT_NAME.csr \
-    -CA ca/ca.crt -CAkey ca/ca.key -CAcreateserial \
-    -out clients/$CLIENT_NAME/$CLIENT_NAME.crt \
+openssl x509 -req -in certificates/clients/$CLIENT_NAME/$CLIENT_NAME.csr \
+    -CA certificates/ca/ca.crt -CAkey certificates/ca/ca.key -CAcreateserial \
+    -out certificates/clients/$CLIENT_NAME/$CLIENT_NAME.crt \
     -days 365 -sha256
 
 # Create PKCS#12 bundle
 echo "Creating PKCS#12 bundle..."
 openssl pkcs12 -export \
-    -out clients/$CLIENT_NAME/$CLIENT_NAME.p12 \
-    -inkey clients/$CLIENT_NAME/$CLIENT_NAME.key \
-    -in clients/$CLIENT_NAME/$CLIENT_NAME.crt \
-    -certfile ca/ca.crt \
+    -out certificates/clients/$CLIENT_NAME/$CLIENT_NAME.p12 \
+    -inkey certificates/clients/$CLIENT_NAME/$CLIENT_NAME.key \
+    -in certificates/clients/$CLIENT_NAME/$CLIENT_NAME.crt \
+    -certfile certificates/ca/ca.crt \
     -name "$CLIENT_NAME Home Automation Client" \
     -passout pass:$P12_PASSWORD
 
 # Set appropriate permissions
-chmod 400 clients/$CLIENT_NAME/$CLIENT_NAME.key
-chmod 644 clients/$CLIENT_NAME/$CLIENT_NAME.crt
-chmod 644 clients/$CLIENT_NAME/$CLIENT_NAME.p12
+chmod 400 certificates/clients/$CLIENT_NAME/$CLIENT_NAME.key
+chmod 644 certificates/clients/$CLIENT_NAME/$CLIENT_NAME.crt
+chmod 644 certificates/clients/$CLIENT_NAME/$CLIENT_NAME.p12
 
 # Verify client certificate
 echo "Verifying client certificate..."
-openssl x509 -noout -text -in clients/$CLIENT_NAME/$CLIENT_NAME.crt
-
+openssl x509 -noout -text -in certificates/clients/$CLIENT_NAME/$CLIENT_NAME.crt
 echo ""
 echo "=== Client Certificate Created ==="
-echo "Client Certificate: clients/$CLIENT_NAME/$CLIENT_NAME.crt"
-echo "Client Private Key: clients/$CLIENT_NAME/$CLIENT_NAME.key"
-echo "PKCS#12 Bundle: clients/$CLIENT_NAME/$CLIENT_NAME.p12"
+echo "Client Certificate: certificates/clients/$CLIENT_NAME/$CLIENT_NAME.crt"
+echo "Client Private Key: certificates/clients/$CLIENT_NAME/$CLIENT_NAME.key"
+echo "PKCS#12 Bundle: certificates/clients/$CLIENT_NAME/$CLIENT_NAME.p12"
 echo ""
 echo "Installation Instructions:"
 echo "1. Import the PKCS#12 file into your browser/application"
@@ -71,4 +69,4 @@ echo "2. The bundle contains both the client certificate and CA certificate"
 echo "3. Password for PKCS#12 file: $P12_PASSWORD"
 echo ""
 echo "For testing with curl:"
-echo "curl --cert clients/$CLIENT_NAME/$CLIENT_NAME.crt --key clients/$CLIENT_NAME/$CLIENT_NAME.key --cacert ca/ca.crt https://homea2.hottis.de/"
+echo "curl --cert certificates/clients/$CLIENT_NAME/$CLIENT_NAME.crt --key certificates/clients/$CLIENT_NAME/$CLIENT_NAME.key https://homea2.hottis.de/"

tools/decrypt-certificates.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+
+
+set -e
+
+gpg --decrypt --pinentry-mode=loopback --output secrets.tgz secrets.asc
+
+tar -xzvf secrets.tgz ./secret-configuration/
+
+rm secrets.tgz
+
+

tools/encrypt-certificates.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+
+
+set -e
+
+tar -czvf certificates.tgz ./certificates/
+
+gpg --symmetric --cipher-algo AES256 --armor --pinentry-mode=loopback --output certificates.asc certificates.tgz
+
+rm certificates.tgz
+
+

tools/setup-ca.sh

@@ -4,21 +4,20 @@ set -e
 echo "=== mTLS CA Setup ==="
 
 # Create CA directory
-mkdir -p ca
+mkdir -p certificates/ca
 
 # Generate CA private key
 echo "Generating CA private key..."
-openssl genrsa -out ca/ca.key 2048
-
+openssl genrsa -out certificates/ca/ca.key 2048
 # Generate CA certificate
 echo "Generating CA certificate..."
-openssl req -new -x509 -days 3650 -key ca/ca.key -out ca/ca.crt \
+openssl req -new -x509 -days 3650 -key certificates/ca/ca.key -out certificates/ca/ca.crt \
     -subj "/DC=de/DC=hottis/DC=homea2/CN=Home Automation CA"
 
 echo ""
 echo "=== CA Setup Complete ==="
-echo "CA Certificate: ca/ca.crt"
-echo "CA Private Key: ca/ca.key"
+echo "CA Certificate: certificates/ca/ca.crt"
+echo "CA Private Key: certificates/ca/ca.key"
 echo ""
 echo "Deploy to Kubernetes:"
-echo "kubectl create secret generic mtls-ca-cert --from-file=ca.crt=ca/ca.crt -n homea2"
+echo "kubectl create secret generic mtls-ca-cert --from-file=ca.crt=certificates/ca/ca.crt -n homea2"