hermes-agent/scripts/gen_fleet_ca.sh

#!/usr/bin/env bash
# gen_fleet_ca.sh — Generate the Hermes fleet Certificate Authority.
#
# Usage:
#   ./scripts/gen_fleet_ca.sh [--out-dir <dir>]
#
# Outputs (default: ~/.hermes/pki/ca/):
#   fleet-ca.key   — CA private key  (chmod 600, keep secret)
#   fleet-ca.crt   — CA certificate  (distribute to all fleet nodes)
#
# The CA is valid for 10 years.  Regenerate + redistribute when it expires.
# Refs #806

set -euo pipefail

CA_SUBJECT="/CN=Hermes Fleet CA/O=Hermes/OU=Fleet"
CA_DAYS=3650   # 10 years

# ---------------------------------------------------------------------------
# Parse args
# ---------------------------------------------------------------------------
OUT_DIR="${HOME}/.hermes/pki/ca"

while [[ $# -gt 0 ]]; do
    case "$1" in
        --out-dir)  OUT_DIR="$2"; shift 2 ;;
        -h|--help)
            echo "Usage: $0 [--out-dir <dir>]"
            exit 0
            ;;
        *)
            echo "Unknown option: $1" >&2
            exit 1
            ;;
    esac
done

# ---------------------------------------------------------------------------
# Prereq check
# ---------------------------------------------------------------------------
if ! command -v openssl &>/dev/null; then
    echo "ERROR: openssl not found. Install OpenSSL and re-run." >&2
    exit 1
fi

mkdir -p "$OUT_DIR"
chmod 700 "$OUT_DIR"

CA_KEY="$OUT_DIR/fleet-ca.key"
CA_CRT="$OUT_DIR/fleet-ca.crt"

if [[ -f "$CA_KEY" || -f "$CA_CRT" ]]; then
    echo "Fleet CA already exists in $OUT_DIR"
    echo "  $CA_KEY"
    echo "  $CA_CRT"
    echo "Delete them manually if you want to regenerate."
    exit 0
fi

echo "Generating fleet CA in $OUT_DIR ..."

# Generate 4096-bit RSA key for the CA
openssl genrsa -out "$CA_KEY" 4096 2>/dev/null
chmod 600 "$CA_KEY"

# Self-sign the CA certificate
openssl req -new -x509 \
    -key "$CA_KEY" \
    -out "$CA_CRT" \
    -days "$CA_DAYS" \
    -subj "$CA_SUBJECT" \
    -addext "basicConstraints=critical,CA:TRUE,pathlen:0" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -addext "subjectKeyIdentifier=hash" 2>/dev/null

chmod 644 "$CA_CRT"

echo ""
echo "Fleet CA generated successfully:"
echo "  Private key : $CA_KEY  (keep secret)"
echo "  Certificate : $CA_CRT  (distribute to all fleet nodes)"
echo ""
openssl x509 -in "$CA_CRT" -noout -subject -dates