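#!/bin/bash
# Self-Signed Certificate Generator for Uggla Drone Detection System
# Creates a 10-year certificate with interactive domain configuration.
#
# Usage:   sudo ./gen-cert.sh          (no arguments; all input is interactive)
# Writes:  ${CERT_DIR}/${CERT_NAME}.key (mode 0600) and .crt (mode 0644)
# Exits:   1 when not root or when the operator declines at the confirmation
#          prompt; non-zero on any failed openssl step (set -e).
set -e

# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color

# Certificate configuration
CERT_DIR="/etc/ssl/uggla"
CERT_NAME="uggla"
CERT_KEY="${CERT_DIR}/${CERT_NAME}.key"
CERT_CRT="${CERT_DIR}/${CERT_NAME}.crt"
CERT_CSR="${CERT_DIR}/${CERT_NAME}.csr"
CERT_CONF="${CERT_DIR}/${CERT_NAME}.conf"
DAYS=3650 # 10 years

# The CSR and the generated OpenSSL config are scratch files; remove them on
# every exit path (including a failed openssl step) so they never linger in
# ${CERT_DIR}. Final artefacts (.key/.crt) are deliberately not touched here.
cleanup() {
  rm -f -- "${CERT_CSR}" "${CERT_CONF}"
}
trap cleanup EXIT

echo -e "${BLUE}======================================${NC}"
echo -e "${BLUE} Uggla SSL Certificate Generator${NC}"
echo -e "${BLUE} For External Proxy Configuration${NC}"
echo -e "${BLUE}======================================${NC}"
echo

# Check if running as root
if [[ $EUID -ne 0 ]]; then
  echo -e "${RED}This script must be run as root to create certificates in /etc/ssl/${NC}"
  echo "Please run: sudo $0"
  exit 1
fi

# Create SSL directory if it doesn't exist
mkdir -p "${CERT_DIR}"

echo -e "${YELLOW}This script will generate a self-signed SSL certificate valid for 10 years.${NC}"
echo -e "${YELLOW}Certificate will be placed in /etc/ssl/uggla/ for your external proxy.${NC}"
echo -e "${YELLOW}You'll need to provide certificate details and domain names.${NC}"
echo

# Collect certificate information.
# -r keeps backslashes literal; defaults apply when the operator presses Enter.
echo -e "${GREEN}Enter certificate information:${NC}"
read -r -p "Country (2 letter code) [SE]: " COUNTRY
COUNTRY=${COUNTRY:-SE}
read -r -p "State/Province [Stockholm]: " STATE
STATE=${STATE:-Stockholm}
read -r -p "City [Stockholm]: " CITY
CITY=${CITY:-Stockholm}
read -r -p "Organization [Uggla Systems]: " ORG
ORG=${ORG:-"Uggla Systems"}
read -r -p "Organizational Unit [IT Department]: " OU
OU=${OU:-"IT Department"}
read -r -p "Common Name (main domain) [localhost]: " CN
CN=${CN:-localhost}

echo
echo -e "${GREEN}Enter Subject Alternative Names (SANs):${NC}"
echo -e "${YELLOW}Press Enter after each domain. Enter empty line when done.${NC}"
echo -e "${YELLOW}Examples: example.com, www.example.com, 192.168.1.100, localhost${NC}"
echo

# Collect SANs
SANS=()
SANS+=("DNS:${CN}") # Add CN as first SAN
# Only add the localhost default when the CN did not already supply it,
# so the extension does not carry a duplicate DNS entry.
if [[ "${CN}" != "localhost" ]]; then
  SANS+=("DNS:localhost")
fi
SANS+=("IP:127.0.0.1")
SANS+=("IP:::1")
echo "Default SANs added: ${CN}, localhost, 127.0.0.1, ::1"
echo "Enter additional domains/IPs:"

while true; do
  read -r -p "Domain or IP: " DOMAIN
  if [[ -z "$DOMAIN" ]]; then
    break
  fi
  # Determine if it's an IP or domain.
  # IPv4: four dotted numeric groups. IPv6: hex digits and colons, and it must
  # contain at least one colon — otherwise hex-only hostnames such as "cafe"
  # or "beef" would be mis-classified as IP addresses.
  if [[ $DOMAIN =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]] \
    || [[ "$DOMAIN" == *:* && $DOMAIN =~ ^[0-9a-fA-F:]+$ ]]; then
    SANS+=("IP:${DOMAIN}")
    echo "Added IP: ${DOMAIN}"
  else
    SANS+=("DNS:${DOMAIN}")
    echo "Added domain: ${DOMAIN}"
  fi
done

echo
echo -e "${BLUE}Certificate Configuration Summary:${NC}"
echo "Country: ${COUNTRY}"
echo "State: ${STATE}"
echo "City: ${CITY}"
echo "Organization: ${ORG}"
echo "Organizational Unit: ${OU}"
echo "Common Name: ${CN}"
echo "SANs: ${SANS[*]}"
echo "Validity: ${DAYS} days (10 years)"
echo "Output directory: ${CERT_DIR}"
echo

read -r -p "Continue with certificate generation? (y/N): " CONFIRM
if [[ ! $CONFIRM =~ ^[Yy]$ ]]; then
  echo "Certificate generation cancelled."
  exit 1
fi

echo
echo -e "${GREEN}Generating certificate...${NC}"

# Files created from here on (config, CSR, key, cert) must never be
# world-readable, even briefly: the private key is written by openssl before
# the explicit chmod below, so restrict creation mode up front.
umask 077

# Create OpenSSL configuration file.
# NOTE: DN values are interpolated verbatim; OpenSSL expands `$name` inside
# config values, so a literal `$` in an entered field will make `openssl req`
# fail rather than silently produce a wrong subject.
cat > "${CERT_CONF}" << EOF
[req]
default_bits = 4096
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = v3_req

[dn]
C=${COUNTRY}
ST=${STATE}
L=${CITY}
O=${ORG}
OU=${OU}
CN=${CN}

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
EOF

# Add SANs to config. Each entry is "DNS:<name>" or "IP:<addr>"; strip the
# prefix with parameter expansion (no sed, so a value containing "DNS:" or
# "IP:" later in the string — e.g. IPv6 "::1" — cannot be mangled) and number
# each kind independently: DNS.1, DNS.2, ..., IP.1, IP.2, ...
dns_idx=0
ip_idx=0
for san in "${SANS[@]}"; do
  case "$san" in
    DNS:*)
      dns_idx=$((dns_idx + 1))
      printf 'DNS.%d = %s\n' "$dns_idx" "${san#DNS:}"
      ;;
    IP:*)
      ip_idx=$((ip_idx + 1))
      printf 'IP.%d = %s\n' "$ip_idx" "${san#IP:}"
      ;;
  esac
done >> "${CERT_CONF}"

echo -e "${YELLOW}Step 1/3: Generating private key...${NC}"
openssl genrsa -out "${CERT_KEY}" 4096

echo -e "${YELLOW}Step 2/3: Generating certificate signing request...${NC}"
openssl req -new -key "${CERT_KEY}" -out "${CERT_CSR}" -config "${CERT_CONF}"

echo -e "${YELLOW}Step 3/3: Generating self-signed certificate...${NC}"
openssl x509 -req -in "${CERT_CSR}" -signkey "${CERT_KEY}" -out "${CERT_CRT}" \
  -days "${DAYS}" -extensions v3_req -extfile "${CERT_CONF}"

# Set appropriate permissions: key stays private, certificate is public.
chmod 600 "${CERT_KEY}"
chmod 644 "${CERT_CRT}"

# Clean up temporary files (the EXIT trap also covers the failure paths)
rm -f -- "${CERT_CSR}" "${CERT_CONF}"

echo
echo -e "${GREEN}======================================${NC}"
echo -e "${GREEN} Certificate Generation Complete!${NC}"
echo -e "${GREEN}======================================${NC}"
echo
echo -e "${GREEN}Certificate files created:${NC}"
echo "Private Key: ${CERT_KEY}"
echo "Certificate: ${CERT_CRT}"
echo
echo -e "${BLUE}Certificate Information:${NC}"
openssl x509 -in "${CERT_CRT}" -text -noout | grep -A 5 "Subject:"
openssl x509 -in "${CERT_CRT}" -text -noout | grep -A 10 "Subject Alternative Name"
echo
echo -e "${BLUE}Certificate validity:${NC}"
openssl x509 -in "${CERT_CRT}" -dates -noout
echo
echo -e "${YELLOW}Next steps:${NC}"
echo "1. Configure your external proxy (nginx/apache/traefik) to use these certificates:"
echo " Certificate: ${CERT_CRT}"
echo " Private Key: ${CERT_KEY}"
echo ""
echo "2. Example nginx configuration:"
echo " server {"
echo " listen 443 ssl;"
echo " ssl_certificate ${CERT_CRT};"
echo " ssl_certificate_key ${CERT_KEY};"
echo " location /uggla/ {"
echo " proxy_pass http://localhost:8080/uggla/;"
echo " }"
echo " }"
echo ""
echo "3. Example Apache configuration:"
echo " "
echo " SSLEngine on"
echo " SSLCertificateFile ${CERT_CRT}"
echo " SSLCertificateKeyFile ${CERT_KEY}"
echo " ProxyPass /uggla/ http://localhost:8080/uggla/"
echo " "
echo ""
echo "4. Docker cluster should run on internal ports (8080/8443)"
echo "5. External proxy forwards traffic to Docker cluster"
echo
echo -e "${RED}Warning: This is a self-signed certificate.${NC}"
echo -e "${RED}Browsers will show security warnings. Add to trusted certificates if needed.${NC}"
echo
echo -e "${GREEN}Certificate generation completed successfully!${NC}"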