docker/core/traefik/scripts/init-mtls-ca.sh

#!/usr/bin/env bash
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
TRAEFIK_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"
CA_DIR="${TRAEFIK_ROOT}/certs/ca"

CA_KEY="${CA_DIR}/clients-ca.key"
CA_CERT="${CA_DIR}/clients-ca.crt"
CA_SERIAL="${CA_DIR}/clients-ca.srl"

DAYS="${DAYS:-3650}"
SUBJECT="${SUBJECT:-/CN=Traefik Private Admin Client CA/O=Homelab}"

mkdir -p "${CA_DIR}"
chmod 700 "${CA_DIR}"

if [[ -f "${CA_KEY}" || -f "${CA_CERT}" ]]; then
  echo "Refusing to overwrite existing CA material in ${CA_DIR}."
  echo "Delete existing files first if you intentionally want to rotate the CA."
  exit 1
fi

openssl genrsa -out "${CA_KEY}" 4096
chmod 600 "${CA_KEY}"

openssl req -x509 -new -nodes \
  -key "${CA_KEY}" \
  -sha256 \
  -days "${DAYS}" \
  -subj "${SUBJECT}" \
  -out "${CA_CERT}"
chmod 644 "${CA_CERT}"

rm -f "${CA_SERIAL}"

echo "Created mTLS client CA: ${CA_CERT}"
echo "Use issue-mtls-client-cert.sh to issue client certificates signed by this CA."