mTLS

2025-11-29 21:35:35 +01:00
parent 63857671f9
commit bb27296310
14 changed files with 149 additions and 1851 deletions
--- a/tools/create-client-cert.sh
+++ b/tools/create-client-cert.sh
@@ -0,0 +1,73 @@
+#!/bin/bash
+set -e
+
+# Check if client name is provided
+if [ $# -eq 0 ]; then
+    echo "Usage: $0 <client-name>"
+    echo "Example: $0 john.doe"
+    exit 1
+fi
+
+CLIENT_NAME="$1"
+
+# Check if CA exists
+if [ ! -f "ca/ca.crt" ] || [ ! -f "ca/ca.key" ]; then
+    echo "Error: CA not found. Please run setup-ca.sh first."
+    exit 1
+fi
+
+echo "=== Creating Client Certificate ==="
+echo "Client Name: $CLIENT_NAME"
+
+# Create client directory
+mkdir -p clients/$CLIENT_NAME
+
+# Generate client private key
+echo "Generating client private key..."
+openssl genrsa -out clients/$CLIENT_NAME/$CLIENT_NAME.key 2048
+
+# Generate client certificate signing request
+echo "Generating client certificate signing request..."
+openssl req -new -key clients/$CLIENT_NAME/$CLIENT_NAME.key \
+    -out clients/$CLIENT_NAME/$CLIENT_NAME.csr \
+    -subj "/DC=de/DC=hottis/DC=homea2/CN=$CLIENT_NAME"
+
+# Sign the client certificate
+echo "Signing client certificate..."
+openssl x509 -req -in clients/$CLIENT_NAME/$CLIENT_NAME.csr \
+    -CA ca/ca.crt -CAkey ca/ca.key -CAcreateserial \
+    -out clients/$CLIENT_NAME/$CLIENT_NAME.crt \
+    -days 365 -sha256
+
+# Create PKCS#12 bundle
+echo "Creating PKCS#12 bundle..."
+openssl pkcs12 -export \
+    -out clients/$CLIENT_NAME/$CLIENT_NAME.p12 \
+    -inkey clients/$CLIENT_NAME/$CLIENT_NAME.key \
+    -in clients/$CLIENT_NAME/$CLIENT_NAME.crt \
+    -certfile ca/ca.crt \
+    -name "$CLIENT_NAME Home Automation Client" \
+    -passout pass:
+
+# Set appropriate permissions
+chmod 400 clients/$CLIENT_NAME/$CLIENT_NAME.key
+chmod 644 clients/$CLIENT_NAME/$CLIENT_NAME.crt
+chmod 644 clients/$CLIENT_NAME/$CLIENT_NAME.p12
+
+# Verify client certificate
+echo "Verifying client certificate..."
+openssl x509 -noout -text -in clients/$CLIENT_NAME/$CLIENT_NAME.crt
+
+echo ""
+echo "=== Client Certificate Created ==="
+echo "Client Certificate: clients/$CLIENT_NAME/$CLIENT_NAME.crt"
+echo "Client Private Key: clients/$CLIENT_NAME/$CLIENT_NAME.key"
+echo "PKCS#12 Bundle: clients/$CLIENT_NAME/$CLIENT_NAME.p12"
+echo ""
+echo "Installation Instructions:"
+echo "1. Import the PKCS#12 file into your browser/application"
+echo "2. The bundle contains both the client certificate and CA certificate"
+echo "3. No password is set for the PKCS#12 file (you can add one by modifying the -passout parameter)"
+echo ""
+echo "For testing with curl:"
+echo "curl --cert clients/$CLIENT_NAME/$CLIENT_NAME.crt --key clients/$CLIENT_NAME/$CLIENT_NAME.key --cacert ca/ca.crt https://homea2.hottis.de/"