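#!/bin/bash
#############################################################################################
# Purpose: generate the TLS material (CA, server and client certificates) that secures the
#          Docker remote API
# Author:  丁辉
# Written: 2024-01-03
#
# Overridable environment variables (the defaults reproduce the original behaviour):
#   IP              - address used as the CA/server CN and in the server SAN (default 127.0.0.1)
#   PASSWORD        - passphrase protecting ca-key.pem (default 123456; change it for any real deployment)
#   VALIDITY_PERIOD - certificate lifetime in days (default 3650)
#############################################################################################

# Abort on the first failed step so a failing openssl call cannot leave a half-built,
# inconsistent certificate set behind; pipefail also covers the curl/source pipeline.
set -eo pipefail

# Load the helper functions (SEND_INFO, CHECK_DIR) from the remote check script.
# NOTE(security): this executes code fetched over the network at run time; the only
# protection is the TLS connection to gitee.com — there is no pinned revision or checksum.
# -f makes curl fail on an HTTP error instead of handing an error page to `source`.
source <(curl -fsS https://gitee.com/offends/Shell/raw/main/Check_command.sh)

# Variables (values already present in the environment take precedence over the defaults)
IP="${IP:-127.0.0.1}"
PASSWORD="${PASSWORD:-123456}"
VALIDITY_PERIOD="${VALIDITY_PERIOD:-3650}"
# Exported so openssl can read the passphrase through env:PASSWORD instead of a
# pass:... argument, which would be visible to every local user via `ps`.
export PASSWORD

readonly WORK_DIR="/usr/local/ca"
readonly TARGET_DIR="/etc/docker/cert/2375/"

SEND_INFO "开始生成 Docker 远程证书,请稍等..."

CHECK_DIR "$WORK_DIR"
cd "$WORK_DIR" || exit 1

# CA private key (passphrase protected)
openssl genrsa -aes256 -passout env:PASSWORD -out ca-key.pem 4096

# Self-signed CA certificate
openssl req -new -x509 -days "$VALIDITY_PERIOD" -key ca-key.pem -passin env:PASSWORD -sha256 \
  -out ca.pem -subj "/C=CN/ST=./L=./O=./CN=$IP"

# Server private key and certificate signing request
openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=$IP" -sha256 -new -key server-key.pem -out server.csr

# Server certificate. printf with a quoted argument replaces the unquoted echo so $IP is
# never word-split or glob-expanded; '>' (not '>>') so a stale server.cnf from an earlier
# run cannot accumulate extra extension lines.
printf 'subjectAltName = IP:%s,IP:0.0.0.0\n' "$IP" > server.cnf
openssl x509 -req -days "$VALIDITY_PERIOD" -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
  -passin env:PASSWORD -CAcreateserial -out server-cert.pem -extfile server.cnf

# Client private key and certificate signing request
openssl genrsa -out key.pem 4096
openssl req -subj '/CN=client' -new -key key.pem -out client.csr

# Client certificate, restricted to client authentication
printf 'extendedKeyUsage = clientAuth\n' > server-client.cnf
openssl x509 -req -days "$VALIDITY_PERIOD" -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
  -passin env:PASSWORD -CAcreateserial -out cert.pem -extfile server-client.cnf

# Remove the intermediate files
rm -f -- client.csr server.csr server.cnf server-client.cnf

# Lock down permissions: private keys owner-read-only, certificates world-readable
chmod 0400 ca-key.pem key.pem server-key.pem
chmod 0444 ca.pem server-cert.pem cert.pem

SEND_INFO "Docker 远程证书生成完毕,正在移动目录请稍等..."

CHECK_DIR "$TARGET_DIR"
cp -- server-*.pem "$TARGET_DIR"
cp -- ca.pem "$TARGET_DIR"

# The working directory is deliberately kept. The original script removed it, which
# destroyed the client certificate and key (cert.pem, key.pem) that had been copied
# nowhere, together with the CA private key needed to issue any further certificates.
SEND_INFO "Docker 远程证书移动完毕,请手动配置 Docker 远程证书路径为 /etc/docker/cert/2375/"
SEND_INFO "客户端证书 (cert.pem/key.pem) 及 CA 私钥保留在 /usr/local/ca/,请妥善保管"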