feat: add reset certs functionality to CLI

- Introduced a new CLI action to reset certificates, prompting the user for confirmation before deletion.
- Updated the generateMasterCerts utility to use ECDSA with P-256 for key generation, enhancing security.
- Extended the certificate validity period from 3 to 10 years for improved longevity.

Author: kastov

src/bin/cli/cli.ts

@@ -13,6 +13,7 @@ const prisma = new PrismaClient({
 
 const enum CLI_ACTIONS {
     EXIT = 'exit',
+    RESET_CERTS = 'reset-certs',
     RESET_SUPERADMIN = 'reset-superadmin',
 }
 
@@ -58,6 +59,46 @@ async function resetSuperadmin() {
         process.exit(1);
     }
 }
+
+async function resetCerts() {
+    const answer = await consola.prompt(
+        'Are you sure you want to delete the certs? You will need to add new certs to all nodes again.',
+        {
+            type: 'confirm',
+            required: true,
+        },
+    );
+
+    if (!answer) {
+        consola.error('❌ Aborted.');
+        process.exit(1);
+    }
+
+    consola.start('🔄 Deleting certs...');
+
+    const keygen = await prisma.keygen.findFirst();
+
+    if (!keygen) {
+        consola.error('❌ Certs not found.');
+        process.exit(1);
+    }
+
+    try {
+        await prisma.keygen.delete({
+            where: {
+                uuid: keygen.uuid,
+            },
+        });
+        consola.success(`✅ Certs deleted successfully.`);
+        consola.warn(
+            `Restart Remnawave to apply changes by running "docker compose down && docker compose up -d".`,
+        );
+    } catch (error) {
+        consola.error('❌ Failed to reset certs:', error);
+        process.exit(1);
+    }
+}
+
 async function main() {
     consola.box('Remnawave Rescue CLI v0.1');
 
@@ -78,6 +119,11 @@ async function main() {
                 label: 'Reset superadmin',
                 hint: 'Fully reset superadmin',
             },
+            {
+                value: CLI_ACTIONS.RESET_CERTS,
+                label: 'Reset certs',
+                hint: 'Fully reset certs',
+            },
             {
                 value: CLI_ACTIONS.EXIT,
                 label: 'Exit',
@@ -90,6 +136,9 @@ async function main() {
         case CLI_ACTIONS.RESET_SUPERADMIN:
             await resetSuperadmin();
             break;
+        case CLI_ACTIONS.RESET_CERTS:
+            await resetCerts();
+            break;
         case CLI_ACTIONS.EXIT:
             consola.info('👋 Exiting...');
             process.exit(0);

src/common/utils/certs/generate-certs.util.ts

@@ -21,10 +21,9 @@ export async function generateMasterCerts() {
 
     // === CA (Certificate Authority) ===
     const caAlgorithm = {
-        name: 'RSASSA-PKCS1-v1_5',
+        name: 'ECDSA',
+        namedCurve: 'P-256',
         hash: { name: 'SHA-256' },
-        publicExponent: new Uint8Array([1, 0, 1]),
-        modulusLength: 2048,
     };
 
     const caKeys = await crypto.subtle.generateKey(caAlgorithm, true, ['sign', 'verify']);
@@ -54,10 +53,9 @@ export async function generateMasterCerts() {
 
     // === Client (Master) ===
     const clientAlgorithm = {
-        name: 'RSASSA-PKCS1-v1_5',
+        name: 'ECDSA',
+        namedCurve: 'P-256',
         hash: { name: 'SHA-256' },
-        publicExponent: new Uint8Array([1, 0, 1]),
-        modulusLength: 2048,
     };
 
     const clientKeys = await crypto.subtle.generateKey(clientAlgorithm, true, ['sign', 'verify']);
@@ -66,7 +64,7 @@ export async function generateMasterCerts() {
         serialNumber: '02',
         subject: `CN=${genRandomString()}`,
         notBefore: new Date(),
-        notAfter: new Date(new Date().setFullYear(new Date().getFullYear() + 3)),
+        notAfter: new Date(new Date().setFullYear(new Date().getFullYear() + 10)),
         issuer: caCert.subjectName,
         publicKey: clientKeys.publicKey,
         signingKey: caKeys.privateKey,
@@ -110,7 +108,8 @@ export async function generateNodeCert(
         'pkcs8',
         pemToArrayBuffer(caKeyPem),
         {
-            name: 'RSASSA-PKCS1-v1_5',
+            name: 'ECDSA',
+            namedCurve: 'P-256',
             hash: { name: 'SHA-256' },
         },
         false,
@@ -119,9 +118,8 @@ export async function generateNodeCert(
 
     const nodeKeys = await crypto.subtle.generateKey(
         {
-            name: 'RSASSA-PKCS1-v1_5',
-            modulusLength: 2048,
-            publicExponent: new Uint8Array([1, 0, 1]),
+            name: 'ECDSA',
+            namedCurve: 'P-256',
             hash: { name: 'SHA-256' },
         },
         true,