drone-detector/generate-ssl-cert.sh

#!/bin/bash

# Self-Signed Certificate Generator for Uggla Drone Detection System
# Creates a 10-year certificate with interactive domain configuration

set -e

# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color

# Certificate configuration
CERT_DIR="/etc/ssl/uggla"
CERT_NAME="uggla"
CERT_KEY="${CERT_DIR}/${CERT_NAME}.key"
CERT_CRT="${CERT_DIR}/${CERT_NAME}.crt"
CERT_CSR="${CERT_DIR}/${CERT_NAME}.csr"
CERT_CONF="${CERT_DIR}/${CERT_NAME}.conf"
DAYS=3650  # 10 years

echo -e "${BLUE}======================================${NC}"
echo -e "${BLUE}  Uggla SSL Certificate Generator${NC}"
echo -e "${BLUE}  For External Proxy Configuration${NC}"
echo -e "${BLUE}======================================${NC}"
echo

# Check if running as root
if [[ $EUID -ne 0 ]]; then
   echo -e "${RED}This script must be run as root to create certificates in /etc/ssl/${NC}"
   echo "Please run: sudo $0"
   exit 1
fi

# Create SSL directory if it doesn't exist
mkdir -p "${CERT_DIR}"

echo -e "${YELLOW}This script will generate a self-signed SSL certificate valid for 10 years.${NC}"
echo -e "${YELLOW}Certificate will be placed in /etc/ssl/uggla/ for your external proxy.${NC}"
echo -e "${YELLOW}You'll need to provide certificate details and domain names.${NC}"
echo

# Collect certificate information
echo -e "${GREEN}Enter certificate information:${NC}"
read -p "Country (2 letter code) [SE]: " COUNTRY
COUNTRY=${COUNTRY:-SE}

read -p "State/Province [Stockholm]: " STATE
STATE=${STATE:-Stockholm}

read -p "City [Stockholm]: " CITY
CITY=${CITY:-Stockholm}

read -p "Organization [Uggla Systems]: " ORG
ORG=${ORG:-"Uggla Systems"}

read -p "Organizational Unit [IT Department]: " OU
OU=${OU:-"IT Department"}

read -p "Common Name (main domain) [localhost]: " CN
CN=${CN:-localhost}

echo
echo -e "${GREEN}Enter Subject Alternative Names (SANs):${NC}"
echo -e "${YELLOW}Press Enter after each domain. Enter empty line when done.${NC}"
echo -e "${YELLOW}Examples: example.com, www.example.com, 192.168.1.100, localhost${NC}"
echo

# Collect SANs
SANS=()
SANS+=("DNS:${CN}")  # Add CN as first SAN
SANS+=("DNS:localhost")
SANS+=("IP:127.0.0.1")
SANS+=("IP:::1")

echo "Default SANs added: ${CN}, localhost, 127.0.0.1, ::1"
echo "Enter additional domains/IPs:"

while true; do
    read -p "Domain or IP: " DOMAIN
    if [[ -z "$DOMAIN" ]]; then
        break
    fi
    
    # Determine if it's an IP or domain
    if [[ $DOMAIN =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]] || [[ $DOMAIN =~ ^[0-9a-fA-F:]+$ ]]; then
        SANS+=("IP:${DOMAIN}")
        echo "Added IP: ${DOMAIN}"
    else
        SANS+=("DNS:${DOMAIN}")
        echo "Added domain: ${DOMAIN}"
    fi
done

echo
echo -e "${BLUE}Certificate Configuration Summary:${NC}"
echo "Country: ${COUNTRY}"
echo "State: ${STATE}"
echo "City: ${CITY}"
echo "Organization: ${ORG}"
echo "Organizational Unit: ${OU}"
echo "Common Name: ${CN}"
echo "SANs: ${SANS[*]}"
echo "Validity: ${DAYS} days (10 years)"
echo "Output directory: ${CERT_DIR}"
echo

read -p "Continue with certificate generation? (y/N): " CONFIRM
if [[ ! $CONFIRM =~ ^[Yy]$ ]]; then
    echo "Certificate generation cancelled."
    exit 1
fi

echo
echo -e "${GREEN}Generating certificate...${NC}"

# Create OpenSSL configuration file
cat > "${CERT_CONF}" << EOF
[req]
default_bits = 4096
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = v3_req

[dn]
C=${COUNTRY}
ST=${STATE}
L=${CITY}
O=${ORG}
OU=${OU}
CN=${CN}

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
EOF

# Add SANs to config
for i in "${!SANS[@]}"; do
    echo "${SANS[$i]}" | sed 's/DNS:/DNS.'$((i+1))' = /' | sed 's/IP:/IP.'$((i+1))' = /' >> "${CERT_CONF}"
done

echo -e "${YELLOW}Step 1/3: Generating private key...${NC}"
openssl genrsa -out "${CERT_KEY}" 4096

echo -e "${YELLOW}Step 2/3: Generating certificate signing request...${NC}"
openssl req -new -key "${CERT_KEY}" -out "${CERT_CSR}" -config "${CERT_CONF}"

echo -e "${YELLOW}Step 3/3: Generating self-signed certificate...${NC}"
openssl x509 -req -in "${CERT_CSR}" -signkey "${CERT_KEY}" -out "${CERT_CRT}" -days "${DAYS}" -extensions v3_req -extfile "${CERT_CONF}"

# Set appropriate permissions
chmod 600 "${CERT_KEY}"
chmod 644 "${CERT_CRT}"

# Clean up temporary files
rm "${CERT_CSR}" "${CERT_CONF}"

echo
echo -e "${GREEN}======================================${NC}"
echo -e "${GREEN}  Certificate Generation Complete!${NC}"
echo -e "${GREEN}======================================${NC}"
echo
echo -e "${GREEN}Certificate files created:${NC}"
echo "Private Key: ${CERT_KEY}"
echo "Certificate: ${CERT_CRT}"
echo
echo -e "${BLUE}Certificate Information:${NC}"
openssl x509 -in "${CERT_CRT}" -text -noout | grep -A 5 "Subject:"
openssl x509 -in "${CERT_CRT}" -text -noout | grep -A 10 "Subject Alternative Name"
echo
echo -e "${BLUE}Certificate validity:${NC}"
openssl x509 -in "${CERT_CRT}" -dates -noout

echo
echo -e "${YELLOW}Next steps:${NC}"
echo "1. Configure your external proxy (nginx/apache/traefik) to use these certificates:"
echo "   Certificate: ${CERT_CRT}"
echo "   Private Key: ${CERT_KEY}"
echo ""
echo "2. Example nginx configuration:"
echo "   server {"
echo "     listen 443 ssl;"
echo "     ssl_certificate ${CERT_CRT};"
echo "     ssl_certificate_key ${CERT_KEY};"
echo "     location /uggla/ {"
echo "       proxy_pass http://localhost:8080/uggla/;"
echo "     }"
echo "   }"
echo ""
echo "3. Example Apache configuration:"
echo "   <VirtualHost *:443>"
echo "     SSLEngine on"
echo "     SSLCertificateFile ${CERT_CRT}"
echo "     SSLCertificateKeyFile ${CERT_KEY}"
echo "     ProxyPass /uggla/ http://localhost:8080/uggla/"
echo "   </VirtualHost>"
echo ""
echo "4. Docker cluster should run on internal ports (8080/8443)"
echo "5. External proxy forwards traffic to Docker cluster"
echo
echo -e "${RED}Warning: This is a self-signed certificate.${NC}"
echo -e "${RED}Browsers will show security warnings. Add to trusted certificates if needed.${NC}"
echo
echo -e "${GREEN}Certificate generation completed successfully!${NC}"