Update generate-p12.sh

Whatchawnt · web-flow · commit 00a5008771de · 2025-07-14T13:41:46.000-04:00
1. Added Option to parse in the npm value (I.E. npm-10)  as a required variable which is the npm value that the certificate files are stored in (I.E. '/etc/letsencrypt/live/npm-10/'   and   '/etc/letsencrypt/archive/npm-10/' )
2. Added the option to parse a password into the script to be used as the p12 password for securing the private key within the generated PKCS12 file.
3. Added Variable in script to allow the user to keep the root certificate that the script generates ($KEEP_ROOT_CERTIFICATE which it is set to true by default).
4. Added Simlinks for the .p12 file (follows the current convention)
5. Added Simlink for the root certificate, if the user chooses to keep the root certificate by setting the variable $KEEP_ROOT_CERTIFICATE to true (follows the current convention)
4. Added automatic cleanup for temporary files as well as the root file when the variable $KEEP_ROOT_CERTIFICATE is set to false.
diff --git a/backend/scripts/generate-p12.sh b/backend/scripts/generate-p12.sh
@@ -1,6 +1,95 @@
 #!/bin/bash
 #
 #
+
+SCRIPT_NAME="$(basename "$0")"
+
+print_help() {
+  cat <<EOF
+Usage: $SCRIPT_NAME --npm <name> [--password <password>]
+
+Options:
+  --npm <name>         Required. Name or identifier used for the certificate. Must be in the form "npm-#" 
+  --password <string>  Optional. Password to secure the PKCS#12 (.p12) file. If not provided the scipt will use the script default.
+  -h, --help           Show this help message and exit.
+
+Example:
+  ./$SCRIPT_NAME --npm npm-123
+  ./$SCRIPT_NAME --npm npm-123 --password secret123
+EOF
+}
+
+# Initialize Required Input variables
+NPM_NAME=""
+PKCS12_PASSWORD=""
+
+# Exit early and show help if no arguments were provided
+if [[ $# -eq 0 ]]; then
+  echo -e "\nERROR - No arguments provided.\n"
+  print_help
+  exit 1
+fi
+
+# Parse arguments
+while [[ $# -gt 0 ]]; do
+	case "$1" in
+		--npm)
+			NPM_NAME="$2"
+			NPM_NAME="${NPM_NAME,,}"
+			REGEX_FOR_NPM_MATCH='^(N|n)(P|p)(M|m)\-[0-9]+$'
+			VALIDATE_NPM_NAME=$(echo "$NPM_NAME" | grep -P "$REGEX_FOR_NPM_MATCH")
+						
+			#Validate the NPM_NAME
+			if [[ -z "$2" || "$2" == --* ]]
+			then
+				echo -e "\nERROR: --npm requires a value."
+				exit 1
+			fi
+			if [[ -z "$NPM_NAME" ]]
+			then
+				echo -e "\nERROR: --npm requires a value."
+				exit 1
+			elif [[ -z "$VALIDATE_NPM_NAME" ]]
+			then
+				echo -e "\nERROR: --npm input must be in the form npm-#\n"
+				exit 1
+			fi
+		  
+			shift 2
+			;;
+		--password)
+			#Verify the argument data was not passed in as password instead if the user did not supply a password.
+			if [[ -z "$2" || "$2" == --* ]]
+			then
+				echo -e "\nERROR: --password requires a value."
+				exit 1
+			fi
+			PKCS12_PASSWORD="$2"
+			shift 2
+			;;
+		-h|--help)
+			print_help
+			exit 0
+			;;
+		*)
+			echo -e "\nError: Unsupported argument: $1\n"
+			print_help
+			exit 1
+			;;
+	esac
+done
+
+
+#Use the default password if the user did not supply one.
+#If the Password Variable is passed in this script will use it for encrypting the p12 private key when generating the p12.
+#If the password was not provided then the default password (below) will be used.
+if [[ -z "$PKCS12_PASSWORD" ]]
+then 
+	#The Password Provided by the user (Default: password)
+	PKCS12_PASSWORD="password"
+fi
+
+
 # Selected Cipher would be passed in from the GUI but this is an example of what the GUI could provide for a selected CIPHER
 SELECTED_CIPHER="aes-256-cbc"
 SELECTED_CIPHER="${SELECTED_CIPHER^^}"
@@ -17,7 +106,7 @@ PATH_TO_ARCHIVE="/etc/letsencrypt/archive"
 
 
 #The Specific Folder Name for the NPM cert, Should be the text "npm" followe by a hyphen and numbers (I.E. npm-3)
-NPM_FOLDER="npm-10"
+NPM_FOLDER="$NPM_NAME"
 
 #The Directory containing the certificate and privcate key for a npm configuration
 NPM_PATH="$PATH_TO_LIVE/$NPM_FOLDER"
@@ -59,11 +148,16 @@ then
 	#The Name to give the PKCS12 file generated by the script (with extension). It will be placd in the same file as the private key file.
 	PKCS12_FILE_NAME="fullpkcs12-$INCREMENT_NUMBER.p12"
 	echo "PKCS12 FILE NAME: $PKCS12_FILE_NAME"
+	ROOT_CERTIFICATE_FILENAME="root$INCREMENT_NUMBER.pem"
 	PKCS12_SIMLINK_NAME="fullpkcs12.p12"
+	ROOT_CERTIFICATE_SIMLINK_NAME="root.pem"
 else
 	#The Name to give the PKCS12 file generated by the script (with extension). It will be placd in the same file as the private key file.
 	PKCS12_FILE_NAME="fullpkcs12.p12"
 	echo "PKCS12 FILE NAME: $PKCS12_FILE_NAME"
+	ROOT_CERTIFICATE_FILENAME="root$INCREMENT_NUMBER.pem"
+	PKCS12_SIMLINK_NAME="fullpkcs12.p12"
+	ROOT_CERTIFICATE_SIMLINK_NAME="root.pem"
 fi
 
 
@@ -74,13 +168,13 @@ echo "PKCS12 FULL PATH: $PKCS12_FULL_PATH"
 PKCS12_SIMLINK_PATH="$NPM_PATH/$PKCS12_SIMLINK_NAME"
 echo "PKCS12 SIMLINK PATH: $PKCS12_SIMLINK_PATH"
 
-#Root Certificate File Name (with extension) the root file does not exist so will need to create it later from the fullchain
-ROOT_CERTIFICATE="root$INCREMENT_NUMBER.pem"
-ROOT_FULL_PATH=$(dirname "$GET_PATH")"/$ROOT_CERTIFICATE"
-echo "ROOT_FULL_PATH: $ROOT_FULL_PATH"
 
-#The Password Provided by the user (Default: password)
-PKCS12_PASSWORD="password"
+#Root Certificate File Name (with extension) the root file does not exist so will need to create it later from the fullchain
+#ROOT_CERTIFICATE_FILENAME="root$INCREMENT_NUMBER.pem"
+ROOT_FULL_PATH=$(dirname "$GET_PATH")"/$ROOT_CERTIFICATE_FILENAME"
+echo "ROOT FULL PATH: $ROOT_FULL_PATH"
+ROOT_CERTIFICATE_SIMLINK_PATH="$NPM_PATH/$ROOT_CERTIFICATE_SIMLINK_NAME"
+echo "ROOT CERTIFICATE SIMLINK PATH: $ROOT_CERTIFICATE_SIMLINK_PATH"
 
 #Create an Array of CIPHER ALGORITHMS
 #Remove the lines "Legacy:" and "Provided:" from the created List of Cipher Algorithms
@@ -94,6 +188,13 @@ ARRAY_OF_DIGEST_ALGORITHMS=($(echo "${LIST_OF_DIGEST_ALGORITHMS}" | sed -E '/^Le
 #ARRAY of Temp files that are generated by the script. At the end they will be removed
 declare -a TEMP_FILES_ARRAY=()
 
+#owner, used when running chown
+OWNER="npm"
+#Group, used when running chown
+GROUP="npm"
+
+#Keep the root Certificate generated by this script, or delete it after using it temporarily
+KEEP_ROOT_CERTIFICATE=true
 
 #Start This script only if The Certificate Chain File exist, and the private key exist, and both are also readable.
 if [[ -z "$CERTIFICATE_CHAIN_FILE_FULL_PATH" ]] && [[ -f  "$CERTIFICATE_CHAIN_FILE_FULL_PATH" ]] && [[ -r  "$CERTIFICATE_CHAIN_FILE_FULL_PATH" ]]
@@ -119,7 +220,7 @@ then
 	TEMP_FILES_ARRAY+=("cert_temp_01.pem")
 	TEMP_FILES_ARRAY+=("cert_temp_02.pem")
 
-	FOUND_ROOT_CERTIFICATE=false
+	FOUND_ROOT_CERTIFICATE_FILENAME=false
 	# Loop through each extracted certificate
 	for cert_temp_file in cert_temp_*.pem
 	do
@@ -137,15 +238,15 @@ then
 		if [[ "$subject" == "$issuer" ]]
 		then
 			echo -e "\n  Found root certificate: $cert_temp_file"
-			FOUND_ROOT_CERTIFICATE=true
+			FOUND_ROOT_CERTIFICATE_FILENAME=true
 			#Save the certificate file in the  same directory as the private key file
 			cp "$cert_temp_file" "$CERTIFICATE_FILE_FULL_PATH"
 			break
 		fi
 	done
 	
 	#If the root certificate was not found in the certificate chain
-	if [[ "$FOUND_ROOT_CERTIFICATE" == false ]]
+	if [[ "$FOUND_ROOT_CERTIFICATE_FILENAME" == false ]]
 	then
 		#If the Root Certificate was not found within the certificate chain then obtain it from the intermediate chain
 		# Extract each certificate into its own file
@@ -196,7 +297,7 @@ then
 				TEMP_FILES_ARRAY+=("issuer_cert_temp.der")
 			fi
 			
-			echo -e "\nProcessing $ROOT_CERTIFICATE ..."
+			echo -e "\nProcessing $ROOT_CERTIFICATE_FILENAME ..."
     	
 			# Get subject and issuer
 			issuer_subject=$(openssl x509 -noout -subject -issuer -in "$ROOT_FULL_PATH" 2>/dev/null)
@@ -301,14 +402,14 @@ then
 		echo -e "\nSuccessfully generated PKCS12"
 		echo -e "\nPKCS12 Full Path: $PKCS12_FULL_PATH"
 		
-		#Change the ownership to npm:npm
-		chown npm:npm "$PKCS12_FULL_PATH"
+		#Change the ownership to "$OWNER:$GROUP"
+		chown "$OWNER:$GROUP" "$PKCS12_FULL_PATH"
 		
 		if [[ $? -eq 0 ]]
 		then
-			echo -e "\nSuccessfully changed $PKCS12_FULL_PATH User and Group ownership to npm"
+			echo -e "\nSuccessfully changed $PKCS12_FULL_PATH User and Group ownership to $OWNER:$GROUP"
 		else
-			echo "\nERROR - Unable to change $PKCS12_FULL_PATH User and Group ownership to npm"
+			echo "\nERROR - Unable to change $PKCS12_FULL_PATH User and Group ownership to $OWNER:$GROUP"
 			exit 1
 		fi
 
@@ -329,33 +430,35 @@ then
 		then
 			echo -e "\nERROR - Relative Path variable is empty."
 		fi
-		
-		
+			
 		#ln -s "to-here" <- "from-here". The from-here should not exist yet, it is to be created, while the to-here should already exist.
 		#Create the links relative to the path
 		ln -sf "$RELATIVE_SOURCE" "$SYMLINK_DIR/$SYMLINK_NAME"
 		
 		if [[ $? -eq 0 ]]
 		then
-			echo -e "\nSuccessfully created SimLink"
+			echo "  Successfully created SimLink"
 		else
 			echo "\nERROR - Unable to create SimLink"
 			exit 1
 		fi
 		
-		#Change the ownership to npm:npm for SimLink
-		chown -h npm:npm "$PKCS12_SIMLINK_PATH"
+		#Change the ownership to "$OWNER:$GROUP" for SimLink
+		chown -h "$OWNER:$GROUP" "$PKCS12_SIMLINK_PATH"
 		
 		if [[ $? -eq 0 ]]
 		then
-			echo -e "\nSuccessfully changed $PKCS12_SIMLINK_PATH User and Group ownership to npm"
+			echo "  Successfully changed $PKCS12_SIMLINK_PATH User and Group ownership to $OWNER:$GROUP"
 		else
-			echo "\nERROR - Unable to change $PKCS12_SIMLINK_PATH User and Group ownership to npm"
+			echo "\nERROR - Unable to change $PKCS12_SIMLINK_PATH User and Group ownership to $OWNER:$GROUP"
 			exit 1
 		fi
 		
-		#The Root Certificate that was created by this script is no longer needed after generating the .p12 file so add it to the array of temporary files to delete
-		TEMP_FILES_ARRAY+=("$ROOT_FULL_PATH")	# Comment out if you want to keep the Root Certificate geenrated by this script (Generated from downloaing the root from the Intermediate CA Certificate).
+		if [[ "$KEEP_ROOT_CERTIFICATE" == false ]]
+		then
+			#The Root Certificate that was created by this script is no longer needed after generating the .p12 file so add it to the array of temporary files to delete
+			TEMP_FILES_ARRAY+=("$ROOT_FULL_PATH")	# When $KEEP_ROOT_CERTIFICATE is set to true the script will keep the file and create a simlink for it as well
+		fi
 		
 		echo -e "\n\nCleaning up temporary files..."
 		for temp_file in "${TEMP_FILES_ARRAY[@]}"
@@ -370,6 +473,48 @@ then
 				echo -e "  Successfully deleted '$temp_file'"
 			fi
 		done
+		
+		#If the Root Path still exist then the user must have comented out the deletion of the root.pem file. So generate a simlink for it as well.
+		if [[ -f "$ROOT_FULL_PATH" ]]
+		then
+			echo -e "\nCreating SimLink for root certificate..."
+			#Change the ownership to "$OWNER:$GROUP"
+			chown "$OWNER:$GROUP" "$ROOT_FULL_PATH"
+
+			# Get the directory where the symlink will be created
+			SYMLINK_DIR="$(dirname "$ROOT_CERTIFICATE_SIMLINK_PATH")"
+
+			# Get the relative path from the symlink destination to the source file
+			RELATIVE_SOURCE="$(realpath --relative-to="$SYMLINK_DIR" "$ROOT_FULL_PATH")"
+			
+			if [[ -z "$RELATIVE_SOURCE" ]]
+			then
+				echo -e "\nERROR - Relative Path variable is empty."
+			fi
+						
+			#ln -s "to-here" <- "from-here". The from-here should not exist yet, it is to be created, while the to-here should already exist.
+			#Create the links relative to the path
+			ln -sf "$RELATIVE_SOURCE" "$SYMLINK_DIR/$ROOT_CERTIFICATE_SIMLINK_NAME"
+			
+			if [[ $? -eq 0 ]]
+			then
+				echo "  Successfully created SimLink"
+			else
+				echo "\nERROR - Unable to create SimLink"
+				exit 1
+			fi
+			
+			#Change the ownership to "$OWNER:$GROUP" for SimLink
+			chown -h "$OWNER:$GROUP" "$ROOT_CERTIFICATE_SIMLINK_PATH"
+			
+			if [[ $? -eq 0 ]]
+			then
+				echo "  Successfully changed $ROOT_CERTIFICATE_SIMLINK_PATH User and Group ownership to $OWNER:$GROUP"
+			else
+				echo "\nERROR - Unable to change $ROOT_CERTIFICATE_SIMLINK_PATH User and Group ownership to $OWNER:$GROUP"
+				exit 1
+			fi
+		fi
 		echo ""
 	else
 		echo -e "\nERROR - Unable to Generate PKCS12 '$PKCS12_FULL_PATH'\n"
