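#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""Generate a self-signed TLS certificate and RSA key for the MYP service.

The certificate carries the Mercedes-Benz subject metadata plus a Subject
Alternative Name (SAN) list with every hostname and IP address the service is
reached under, so clients accept it for each of them.  Certificate and key are
written as PEM to ``app/certs`` and copied into the frontend's ``ssl`` folder.

The private key is stored unencrypted, so this script restricts the key files
to owner read/write (0o600); the directories they land in should be protected
accordingly.
"""
import datetime
import ipaddress
import os
import shutil
import sys
from pathlib import Path

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import (
    Encoding,
    NoEncryption,
    PrivateFormat,
)
from cryptography.x509.oid import NameOID

# Hostnames and IP addresses placed in the SAN extension when the caller does
# not supply its own lists.  These are the names the service is reached under.
DEFAULT_HOSTNAMES = (
    "localhost",
    "raspberrypi",
    "m040tbaraspi001",
    "m040tbaraspi001.de040.corpintra.net",
    "mbag.corpintra.net",
    "mbag.mb.corpintra.net",
)
DEFAULT_IP_ADDRESSES = (
    "127.0.0.1",
    "192.168.0.101",
    "192.168.0.102",
    "192.168.0.103",
    "192.168.0.104",
    "192.168.0.105",
    "192.168.0.106",
)


def _write_private_file(path, data):
    """Write *data* to *path* as a file readable and writable by the owner only.

    A plain ``open(path, "wb")`` creates the file with the umask default (often
    world-readable); the unencrypted private key must never be created that
    way.  Any pre-existing file is removed first so a stale, wider mode cannot
    survive the overwrite.

    Args:
        path: Destination file path.
        data: Bytes to write.
    """
    if os.path.exists(path):
        os.remove(path)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def generate_mercedes_certificate(
    certs_dir="app/certs",
    frontend_ssl_dir="../frontend/ssl",
    old_ssl_dir="app/instance/ssl",
    hostnames=None,
    ip_addresses=None,
    days_valid=365,
    key_size=4096,
):
    """Create a self-signed certificate/key pair and install it for backend and frontend.

    Steps: remove the legacy ``old_ssl_dir`` if present, create ``certs_dir``,
    generate an RSA key, build and self-sign an X.509 certificate whose SAN
    lists ``hostnames`` and ``ip_addresses``, write ``myp.key``/``myp.crt`` to
    ``certs_dir`` and copy both into ``frontend_ssl_dir``.

    Args:
        certs_dir: Directory receiving ``myp.crt`` and ``myp.key``.
        frontend_ssl_dir: Directory receiving a copy of both files.
        old_ssl_dir: Legacy SSL directory that is deleted if it exists.
        hostnames: DNS names for the SAN extension; defaults to
            ``DEFAULT_HOSTNAMES``.
        ip_addresses: IPv4/IPv6 addresses (as strings) for the SAN extension;
            defaults to ``DEFAULT_IP_ADDRESSES``.
        days_valid: Validity period in days, counted from now (UTC).
        key_size: RSA modulus size in bits.

    Returns:
        ``True`` on success, ``False`` if key generation, signing, writing or
        the frontend copy failed (the error is printed, not raised).
    """
    print("Generiere Mercedes-Benz SSL-Zertifikat...")

    if hostnames is None:
        hostnames = list(DEFAULT_HOSTNAMES)
    if ip_addresses is None:
        ip_addresses = list(DEFAULT_IP_ADDRESSES)

    # The legacy layout kept certificates under app/instance/ssl; a leftover
    # copy there would be a second, possibly stale, key on disk.
    if os.path.exists(old_ssl_dir):
        print(f"Lösche alten SSL-Ordner: {old_ssl_dir}")
        try:
            shutil.rmtree(old_ssl_dir)
        except OSError as e:
            # Best effort: a leftover directory does not block regeneration.
            print(f"Warnung: Konnte alten SSL-Ordner nicht löschen: {e}")

    Path(certs_dir).mkdir(parents=True, exist_ok=True)
    cert_path = os.path.join(certs_dir, "myp.crt")
    key_path = os.path.join(certs_dir, "myp.key")

    # Start from a clean slate so an old key never outlives its certificate.
    for path in (cert_path, key_path):
        if os.path.exists(path):
            os.remove(path)

    try:
        private_key = rsa.generate_private_key(
            public_exponent=65537,
            key_size=key_size,
        )

        # X.509 validity is defined in UTC; an aware timestamp avoids the
        # window being shifted by the host's local UTC offset.
        now = datetime.datetime.now(datetime.timezone.utc)
        valid_until = now + datetime.timedelta(days=days_valid)

        # Self-signed: subject and issuer are the same name.
        subject = issuer = x509.Name([
            x509.NameAttribute(NameOID.COMMON_NAME, "raspberrypi"),
            x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Mercedes-Benz AG"),
            x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "Werk 040 Berlin"),
            x509.NameAttribute(NameOID.LOCALITY_NAME, "Berlin"),
            x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "Berlin"),
            x509.NameAttribute(NameOID.COUNTRY_NAME, "DE"),
            x509.NameAttribute(NameOID.EMAIL_ADDRESS, "admin@mercedes-benz.com"),
        ])

        # ip_address() accepts both IPv4 and IPv6 literals and rejects garbage
        # early, before anything is signed.
        san_list = [x509.DNSName(hostname) for hostname in hostnames]
        san_list += [
            x509.IPAddress(ipaddress.ip_address(ip)) for ip in ip_addresses
        ]

        # NOTE(review): ca=True together with key_cert_sign/crl_sign makes this
        # self-signed certificate a CA.  Anything that installs myp.crt as a
        # trusted root will also trust every certificate minted with myp.key.
        # Kept unchanged for compatibility with the existing import flow; for a
        # pure TLS endpoint ca=False and key_cert_sign=False are sufficient.
        # The same applies to the CLIENT_AUTH and CODE_SIGNING EKUs, which a
        # TLS server certificate does not need.
        cert = (
            x509.CertificateBuilder()
            .subject_name(subject)
            .issuer_name(issuer)
            .public_key(private_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(valid_until)
            .add_extension(x509.SubjectAlternativeName(san_list), critical=False)
            .add_extension(
                x509.BasicConstraints(ca=True, path_length=None), critical=True
            )
            .add_extension(
                x509.KeyUsage(
                    digital_signature=True,
                    content_commitment=False,
                    key_encipherment=True,
                    data_encipherment=False,
                    key_agreement=False,
                    key_cert_sign=True,
                    crl_sign=True,
                    encipher_only=False,
                    decipher_only=False,
                ),
                critical=True,
            )
            .add_extension(
                x509.ExtendedKeyUsage([
                    x509.oid.ExtendedKeyUsageOID.SERVER_AUTH,
                    x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH,
                    x509.oid.ExtendedKeyUsageOID.CODE_SIGNING,
                ]),
                critical=False,
            )
            .sign(private_key, hashes.SHA256())
        )

        # Unencrypted PEM (the service loads it without a passphrase), hence
        # the owner-only file mode applied by _write_private_file.
        key_pem = private_key.private_bytes(
            encoding=Encoding.PEM,
            format=PrivateFormat.TraditionalOpenSSL,
            encryption_algorithm=NoEncryption(),
        )
        _write_private_file(key_path, key_pem)
        with open(cert_path, "wb") as f:
            f.write(cert.public_bytes(Encoding.PEM))

        print("Mercedes-Benz SSL-Zertifikat wurde erfolgreich erstellt:")
        print(f"- Zertifikat: {os.path.abspath(cert_path)}")
        print(f"- Schlüssel: {os.path.abspath(key_path)}")
        print(f"- Gültig bis: {valid_until.strftime('%d.%m.%Y')}")
        print(f"- Hostnamen: {', '.join(hostnames)}")
        print(f"- IP-Adressen: {', '.join(ip_addresses)}")

        # The frontend serves TLS with the same pair.  The key is written
        # through the same owner-only path rather than copied, so its mode
        # does not depend on what shutil preserves on this platform.
        Path(frontend_ssl_dir).mkdir(parents=True, exist_ok=True)
        shutil.copy2(cert_path, os.path.join(frontend_ssl_dir, "myp.crt"))
        _write_private_file(os.path.join(frontend_ssl_dir, "myp.key"), key_pem)
        print(
            "Zertifikate wurden in das Frontend-Verzeichnis kopiert: "
            f"{os.path.abspath(frontend_ssl_dir)}"
        )

        return True
    except Exception as e:
        # Script boundary: report and signal failure via the return value so
        # the caller can exit non-zero without a traceback.
        print(f"Fehler beim Erstellen des Mercedes-Benz SSL-Zertifikats: {e}")
        return False


if __name__ == "__main__":
    if generate_mercedes_certificate():
        print("Mercedes-Benz SSL-Zertifikatserstellung erfolgreich abgeschlossen.")
    else:
        print("Fehler bei der Zertifikatserstellung!")
        sys.exit(1)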