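#!/usr/bin/env bash
#
# Generate a self-signed TLS certificate for the PostgreSQL proxy.
#
# Usage: ./generate-cert.sh [hostname1] [hostname2] ...
#
# With no arguments the built-in default hostnames are used. Any arguments
# given REPLACE the defaults (they are not appended). The first hostname
# becomes the certificate CN; every hostname is listed in subjectAltName,
# which is what TLS clients actually match against.
#
# Optional environment overrides:
#   CERT_DIR   output directory        (default: certs)
#   KEY_BITS   RSA key size in bits    (default: 2048)
#   CERT_DAYS  validity period in days (default: 3650)
#
# Outputs: ${CERT_DIR}/server.key (mode 0600) and ${CERT_DIR}/server.crt.
# Exits non-zero if openssl is missing, a hostname is malformed, or any
# openssl step fails.

set -euo pipefail

readonly CERT_DIR="${CERT_DIR:-certs}"
readonly KEY_BITS="${KEY_BITS:-2048}"
readonly CERT_DAYS="${CERT_DAYS:-3650}"
readonly KEY_FILE="${CERT_DIR}/server.key"
readonly CSR_FILE="${CERT_DIR}/server.csr"
readonly CRT_FILE="${CERT_DIR}/server.crt"

# die MSG...
# Print MSG to stderr and exit with status 1.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

# validate_hostname NAME
# Accept only a plain DNS name (optionally with a leading "*." wildcard).
# The names are written verbatim into an OpenSSL config file and the -subj
# string, so characters such as newline, '[', '=' or '/' could otherwise
# alter the generated extensions or subject.
validate_hostname() {
  local name=$1
  [[ "$name" =~ ^(\*\.)?[A-Za-z0-9][A-Za-z0-9.-]*$ ]] \
    || die "invalid hostname: '${name}'"
}

# build_san NAME...
# Print the comma-separated subjectAltName value, e.g. "DNS:a,DNS:b".
build_san() {
  local san="" name
  for name in "$@"; do
    # ${san:+...} emits the separator only once a first entry exists.
    san="${san:+${san},}DNS:${name}"
  done
  printf '%s' "$san"
}

# write_ext_config NAME...
# Print the OpenSSL extension config used when self-signing: a [v3_req]
# section that references an [alt_names] list with one DNS.N line per name.
write_ext_config() {
  local i
  cat <<'EOF'
[v3_req]
subjectAltName = @alt_names

[alt_names]
EOF
  for ((i = 1; i <= $#; i++)); do
    printf 'DNS.%d = %s\n' "$i" "${!i}"
  done
}

# main [HOSTNAME...]
# Orchestrates key, CSR and certificate generation and prints the config
# snippet the user should copy.
main() {
  local -a hostnames
  if (( $# > 0 )); then
    hostnames=("$@")
  else
    hostnames=("dev.db.deinserver.co" "tst.db.deinserver.co" "prd.db.deinserver.co")
  fi

  command -v openssl >/dev/null 2>&1 || die "openssl not found in PATH"

  local name
  for name in "${hostnames[@]}"; do
    validate_hostname "$name"
  done

  local san
  san=$(build_san "${hostnames[@]}")

  mkdir -p -- "$CERT_DIR"

  # The CSR is an intermediate artefact; remove it on every exit path,
  # including a failure part-way through.
  trap 'rm -f -- "$CSR_FILE"' EXIT

  printf 'Generating self-signed certificate for: %s\n' "${hostnames[*]}"
  printf 'SAN: %s\n' "$san"

  # The private key must never be world-readable. Creating it under a
  # restrictive umask (in a subshell, so later files are unaffected) avoids
  # the window a chmod-after-the-fact would leave.
  ( umask 077 && openssl genrsa -out "$KEY_FILE" "$KEY_BITS" )

  openssl req -new -key "$KEY_FILE" -out "$CSR_FILE" -subj "/CN=${hostnames[0]}"

  # `openssl x509 -req` does not carry extensions over from the CSR, so the
  # SAN is supplied through -extfile here rather than via -addext on the CSR
  # (which also keeps the script working on older OpenSSL releases).
  openssl x509 -req -days "$CERT_DAYS" -in "$CSR_FILE" -signkey "$KEY_FILE" \
    -out "$CRT_FILE" -extensions v3_req \
    -extfile <(write_ext_config "${hostnames[@]}")

  printf 'Certificate generated successfully!\n'
  printf 'Certificate: %s\n' "$CRT_FILE"
  printf 'Private key: %s\n' "$KEY_FILE"
  printf '\n'
  printf 'Add to your config.yaml:\n'
  printf 'tls:\n'
  printf ' enabled: true\n'
  printf ' cert_file: /path/to/%s\n' "$CRT_FILE"
  printf ' key_file: /path/to/%s\n' "$KEY_FILE"
}

main "$@"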