coolify/app/Helpers/SslHelper.php

<?php

namespace App\Helpers;

use App\Models\SslCertificate;
use Carbon\CarbonImmutable;

class SslHelper
{
    private const DEFAULT_ORGANIZATION_NAME = 'Coolify';

    public static function generateSslCertificate(
        string $commonName,
        array $additionalSans = [],
        ?string $resourceType = null,
        ?int $resourceId = null,
        ?int $serverId = null,
        ?string $organizationName = null,
        int $validityDays = 365,
        ?string $caCert = null,
        ?string $caKey = null
    ): SslCertificate {
        $organizationName ??= self::DEFAULT_ORGANIZATION_NAME;

        try {
            $privateKey = openssl_pkey_new([
                'private_key_type' => OPENSSL_KEYTYPE_EC,
                'curve_name' => 'secp521r1',
            ]);

            if ($privateKey === false) {
                throw new \RuntimeException('Failed to generate private key: '.openssl_error_string());
            }

            if (! openssl_pkey_export($privateKey, $privateKeyStr)) {
                throw new \RuntimeException('Failed to export private key: '.openssl_error_string());
            }

            $dn = [
                'commonName' => $commonName,
                'organizationName' => $organizationName,
                'subjectAltName' => implode(', ', array_merge(["DNS:$commonName"], $additionalSans)),
            ];

            $csr = openssl_csr_new($dn, $privateKey, [
                'digest_alg' => 'sha512',
                'config' => null,
                'encrypt_key' => false,
            ]);

            if ($csr === false) {
                throw new \RuntimeException('Failed to generate CSR: '.openssl_error_string());
            }

            $certificate = openssl_csr_sign(
                $csr,
                $caCert ?? null,
                $caKey ?? $privateKey,
                $validityDays,
                [
                    'digest_alg' => 'sha512',
                    'config' => null,
                ],
                random_int(PHP_INT_MIN, PHP_INT_MAX)
            );

            if ($certificate === false) {
                throw new \RuntimeException('Failed to sign certificate: '.openssl_error_string());
            }

            if (! openssl_x509_export($certificate, $certificateStr)) {
                throw new \RuntimeException('Failed to export certificate: '.openssl_error_string());
            }

            return SslCertificate::create([
                'ssl_certificate' => $certificateStr,
                'ssl_private_key' => $privateKeyStr,
                'resource_type' => $resourceType,
                'resource_id' => $resourceId,
                'server_id' => $serverId,
                'valid_until' => CarbonImmutable::now()->addDays($validityDays),
            ]);
        } catch (\Throwable $e) {
            throw new \RuntimeException('SSL Certificate generation failed: '.$e->getMessage(), 0, $e);
        }
    }
}
feat(ssl): ssl generation helper 2025-01-30 13:17:12 +00:00			`<?php`

			`namespace App\Helpers;`

			`use App\Models\SslCertificate;`
feat(ssl): improve SSL helper - improve security by making certificates valid for only 90 days instead of 10 years - add SubjectAltName - remove unnecessary parameters - use carbon immutable to make sure expiration date stays the same 2025-01-30 18:52:21 +00:00			`use Carbon\CarbonImmutable;`
feat(ssl): ssl generation helper 2025-01-30 13:17:12 +00:00
			`class SslHelper`
			`{`
feat(ssl): improve SSL helper - improve security by making certificates valid for only 90 days instead of 10 years - add SubjectAltName - remove unnecessary parameters - use carbon immutable to make sure expiration date stays the same 2025-01-30 18:52:21 +00:00			`private const DEFAULT_ORGANIZATION_NAME = 'Coolify';`
feat(ssl): ssl generation helper 2025-01-30 13:17:12 +00:00
			`public static function generateSslCertificate(`
feat(ssl): improve SSL helper - improve security by making certificates valid for only 90 days instead of 10 years - add SubjectAltName - remove unnecessary parameters - use carbon immutable to make sure expiration date stays the same 2025-01-30 18:52:21 +00:00			`string $commonName,`
feat(ssl): improve SSL helper - improve function parameters - set default validity to 1 year as resources need to be manually restarted to use the new certificates - use the CA cert to sign certificates 2025-01-31 12:37:34 +00:00			`array $additionalSans = [],`
			`?string $resourceType = null,`
			`?int $resourceId = null,`
			`?int $serverId = null,`
feat(ssl): improve SSL helper - improve security by making certificates valid for only 90 days instead of 10 years - add SubjectAltName - remove unnecessary parameters - use carbon immutable to make sure expiration date stays the same 2025-01-30 18:52:21 +00:00			`?string $organizationName = null,`
feat(ssl): improve SSL helper - improve function parameters - set default validity to 1 year as resources need to be manually restarted to use the new certificates - use the CA cert to sign certificates 2025-01-31 12:37:34 +00:00			`int $validityDays = 365,`
			`?string $caCert = null,`
			`?string $caKey = null`
feat(ssl): ssl generation helper 2025-01-30 13:17:12 +00:00			`): SslCertificate {`
feat(ssl): improve SSL helper - improve security by making certificates valid for only 90 days instead of 10 years - add SubjectAltName - remove unnecessary parameters - use carbon immutable to make sure expiration date stays the same 2025-01-30 18:52:21 +00:00			`$organizationName ??= self::DEFAULT_ORGANIZATION_NAME;`
feat(ssl): ssl generation helper 2025-01-30 13:17:12 +00:00
			`try {`
			`$privateKey = openssl_pkey_new([`
feat(ssl): migrate to `ECC`certificates using `secp521r1` - Replace RSA 4096 with ECDSA secp521r1 for stronger security (256-bit vs 112-bit) - Faster certificate generation (3-4x speed improvement) - 75% smaller key sizes (0.8KB vs 3.2KB) improves storage and transmission 2025-01-30 18:21:18 +00:00			`'private_key_type' => OPENSSL_KEYTYPE_EC,`
			`'curve_name' => 'secp521r1',`
feat(ssl): ssl generation helper 2025-01-30 13:17:12 +00:00			`]);`

			`if ($privateKey === false) {`
			`throw new \RuntimeException('Failed to generate private key: '.openssl_error_string());`
			`}`

			`if (! openssl_pkey_export($privateKey, $privateKeyStr)) {`
			`throw new \RuntimeException('Failed to export private key: '.openssl_error_string());`
			`}`

			`$dn = [`
			`'commonName' => $commonName,`
			`'organizationName' => $organizationName,`
feat(ssl): improve SSL helper - improve security by making certificates valid for only 90 days instead of 10 years - add SubjectAltName - remove unnecessary parameters - use carbon immutable to make sure expiration date stays the same 2025-01-30 18:52:21 +00:00			`'subjectAltName' => implode(', ', array_merge(["DNS:$commonName"], $additionalSans)),`
feat(ssl): ssl generation helper 2025-01-30 13:17:12 +00:00			`];`

			`$csr = openssl_csr_new($dn, $privateKey, [`
chore(ssl): improve code in ssl helper 2025-01-30 13:37:12 +00:00			`'digest_alg' => 'sha512',`
feat(ssl): ssl generation helper 2025-01-30 13:17:12 +00:00			`'config' => null,`
chore(ssl): improve code in ssl helper 2025-01-30 13:37:12 +00:00			`'encrypt_key' => false,`
feat(ssl): ssl generation helper 2025-01-30 13:17:12 +00:00			`]);`

			`if ($csr === false) {`
			`throw new \RuntimeException('Failed to generate CSR: '.openssl_error_string());`
			`}`

			`$certificate = openssl_csr_sign(`
			`$csr,`
feat(ssl): improve SSL helper - improve function parameters - set default validity to 1 year as resources need to be manually restarted to use the new certificates - use the CA cert to sign certificates 2025-01-31 12:37:34 +00:00			`$caCert ?? null,`
			`$caKey ?? $privateKey,`
			`$validityDays,`
feat(ssl): ssl generation helper 2025-01-30 13:17:12 +00:00			`[`
chore(ssl): improve code in ssl helper 2025-01-30 13:37:12 +00:00			`'digest_alg' => 'sha512',`
feat(ssl): ssl generation helper 2025-01-30 13:17:12 +00:00			`'config' => null,`
			`],`
			`random_int(PHP_INT_MIN, PHP_INT_MAX)`
			`);`

			`if ($certificate === false) {`
			`throw new \RuntimeException('Failed to sign certificate: '.openssl_error_string());`
			`}`

			`if (! openssl_x509_export($certificate, $certificateStr)) {`
			`throw new \RuntimeException('Failed to export certificate: '.openssl_error_string());`
			`}`

			`return SslCertificate::create([`
			`'ssl_certificate' => $certificateStr,`
			`'ssl_private_key' => $privateKeyStr,`
			`'resource_type' => $resourceType,`
			`'resource_id' => $resourceId,`
feat(ssl): improve SSL helper - improve function parameters - set default validity to 1 year as resources need to be manually restarted to use the new certificates - use the CA cert to sign certificates 2025-01-31 12:37:34 +00:00			`'server_id' => $serverId,`
			`'valid_until' => CarbonImmutable::now()->addDays($validityDays),`
feat(ssl): ssl generation helper 2025-01-30 13:17:12 +00:00			`]);`
			`} catch (\Throwable $e) {`
			`throw new \RuntimeException('SSL Certificate generation failed: '.$e->getMessage(), 0, $e);`
			`}`
			`}`
			`}`