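#!/usr/bin/env bash
# selfsigned.sh — create a long-lived self-signed cert with SANs
#
# Usage: sudo ./selfsigned.sh [days] [outdir]
#   days    certificate validity in days (default: 36500)
#   outdir  directory for key/cert/pem/conf
#           (default: /etc/ssl/selfsigned/<domain>)
# Env:
#   DOMAIN  hostname used for CN and SANs; prompted for when unset/empty
#   FORCE   set to 1 to overwrite an existing key/cert in outdir
#
# NOTE: many TLS clients cap the accepted lifetime of leaf certificates
# (Apple platforms reject > 825 days, Chrome/Safari > 398 days for
# publicly trusted CAs). The 100-year default only works where the cert is
# pinned/trusted explicitly and the client does not enforce such a cap.

set -euo pipefail

# Print a message to stderr and exit non-zero.
die() { printf '%s\n' "$*" >&2; exit 1; }

# Everything written from here on (private key, combined PEM, config) must
# not be readable by other users, even transiently before the final chmod —
# openssl and the shell redirections honour the umask.
umask 077

# Prompt for domain if not provided via the environment
DOMAIN="${DOMAIN:-}"
if [[ -z "$DOMAIN" ]]; then
  # `|| true`: EOF on stdin makes read fail; fall through to the empty check
  # below instead of dying silently under `set -e`.
  read -rp "Enter the domain (e.g., panel.example.com): " DOMAIN || true
fi
if [[ -z "$DOMAIN" ]]; then
  echo "Domain cannot be empty." >&2
  exit 1
fi

# The domain becomes a path component ($OUTDIR, file names) and is
# interpolated into openssl.cnf, so restrict it to hostname characters:
# no '/', no '..', no whitespace, no config syntax.
if [[ ! "$DOMAIN" =~ ^[A-Za-z0-9][A-Za-z0-9.-]*$ ]] || [[ "$DOMAIN" == *..* ]]; then
  die "Invalid domain: '$DOMAIN' (expected a hostname such as panel.example.com)"
fi

DAYS="${1:-36500}" # Default: 100 years
[[ "$DAYS" =~ ^[1-9][0-9]*$ ]] || die "days must be a positive integer, got '$DAYS'"

OUTDIR="${2:-/etc/ssl/selfsigned/$DOMAIN}"

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

mkdir -p "$OUTDIR"
chmod 700 "$OUTDIR"

CONF="$OUTDIR/openssl.cnf"
KEY="$OUTDIR/$DOMAIN.key"
CRT="$OUTDIR/$DOMAIN.crt"
PEM="$OUTDIR/$DOMAIN.pem"

# Never replace an existing private key silently; require an explicit opt-in.
if [[ -e "$KEY" || -e "$CRT" ]] && [[ "${FORCE:-0}" != "1" ]]; then
  die "Refusing to overwrite existing $KEY / $CRT (set FORCE=1 to replace)"
fi

# Request config: CN plus SANs for the bare domain, a wildcard for its
# subdomains, and loopback (handy for local proxies/health checks).
cat > "$CONF" <<EOF
[req]
default_bits = 4096
prompt = no
default_md = sha256
distinguished_name = dn
x509_extensions = v3_req

[dn]
C = US
O = Self-Signed
OU = IT
CN = ${DOMAIN}

[v3_req]
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = ${DOMAIN}
DNS.2 = *.${DOMAIN}
IP.1 = 127.0.0.1
EOF

# Generate key + cert (-nodes: unencrypted key, so services can start
# unattended; the file permissions are the only protection for it)
openssl req -x509 -nodes -newkey rsa:4096 \
  -days "$DAYS" \
  -keyout "$KEY" \
  -out "$CRT" \
  -config "$CONF"

# Combined PEM (useful for HAProxy, some tools)
cat "$CRT" "$KEY" > "$PEM"
chmod 600 "$KEY" "$CRT" "$PEM"

echo "✅ Self-signed certificate created:"
echo " Cert : $CRT"
echo " Key : $KEY"
echo " PEM : $PEM"
echo " Conf : $CONF"
echo
echo "📌 Add this to your nginx config:"
echo " ssl_certificate $CRT;"
echo " ssl_certificate_key $KEY;"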