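#!/bin/sh
# Minimal file-based CA kept in the current directory: CA.key/CA.crt at the
# top, private keys under keys/, issued certificates under certs/.
# Usage: <script> init|gen NAME|sign|resign   (run from the CA directory)
#
# Options are set here rather than in the shebang: "#!/bin/sh -e" is lost
# when the script is started as "sh script".
set -e

# The CA's domain is the name of the directory it lives in. It is exported
# because the generated openssl.cnf reads it back through ${ENV::domain}.
domain="$(basename "$PWD")"
export domain

# Serial number used by sign_key: 10 bytes of /dev/urandom rendered as octal
# digits, which -set_serial then reads as a decimal number.
# NOTE(review): computed once per invocation, so every certificate signed in
# one "sign"/"resign" run receives the same serial — confirm that is intended,
# since serials are expected to be unique under one CA.
seed="$(hexdump -n10 -e '10/1 "%02o" "\n"' /dev/urandom)"

# Template for openssl.cnf, written by init. "\$dir" and "\${ENV::domain}"
# stay literal so OpenSSL expands them at use time; "$PWD" is baked in when
# init runs, so the CA directory must not move afterwards.
config=\
"[ ca ]
default_ca = CA_default

[ CA_default ]
dir = $PWD
certs = \$dir/certs
certificate = \$dir/CA.crt
private_key = \$dir/CA.key
default_md = sha256
default_days = 365
email_in_dn = no
RANDFILE = /dev/urandom
database = /dev/null

[ req ]
distinguished_name = req_distinguished_name
prompt = no
encrypt_key = no
default_md = sha256
default_bits = 2048

[ req_distinguished_name]
#C = 2 letter country code
#ST = State
#L = Locality
#O = Organization name
#OU = Organizational unit
#emailAddress = email address
CN = *.*.\${ENV::domain}
"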

# Print the accepted sub-commands on stdout; $0 is the script as invoked.
usage () {
    printf '%s\n' "Usage: $0 init|gen|sign|resign"
}

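#######################################
# Create the CA directory layout, write openssl.cnf from $config, and
# generate the CA key pair plus a self-signed CA certificate.
# Globals:   config (read); the cwd is the CA directory
# Arguments: none
# Outputs:   certs/, keys/, openssl.cnf, CA.key, CA.crt in the cwd
# Returns:   1 if a CA already exists here; otherwise set -e aborts on any
#            failing step
#######################################
init () {
    # Refuse to overwrite a live CA: a new CA.key would orphan every
    # certificate already issued under the old one.
    if [ -e CA.key ] || [ -e CA.crt ]; then
        printf '%s\n' "init: CA.key or CA.crt already exists in $PWD; refusing to overwrite" >&2
        return 1
    fi
    mkdir -p "certs" "keys"
    # printf instead of echo: echo's treatment of backslashes and leading
    # dashes differs between /bin/sh implementations.
    printf '%s\n' "$config" > "openssl.cnf"
    # Key size given explicitly (matches default_bits in openssl.cnf) instead
    # of relying on the OpenSSL build's default. The subshell limits the
    # restrictive umask to the private-key write; OpenSSL may already create
    # the file 0600, the umask guarantees it regardless of version.
    (
        umask 077
        openssl genrsa \
            -out CA.key 2048
    )
    # NOTE(review): no -days is passed, so "req -x509" applies its own default
    # validity; default_days in [CA_default] is only read by "openssl ca".
    # Pass -days here if a longer CA lifetime is intended.
    openssl req \
        -x509 \
        -config openssl.cnf \
        -new \
        -key CA.key \
        -out CA.crt
}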

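#######################################
# Build a CSR for keys/$1 and sign it with the CA, writing certs/$1.
# Globals:   domain (exported; openssl.cnf reads it as ${ENV::domain}),
#            TMPDIR (optional, for the scratch CSR); cwd is the CA directory
# Arguments: $1 - file name under keys/, also used as the certificate name
# Outputs:   certs/$1
# Returns:   1 on a missing key or any failed openssl step (the scratch CSR
#            is removed on every path)
#######################################
sign_key () {
    sign_name="$1"
    if [ -z "$sign_name" ] || [ ! -f "keys/$sign_name" ]; then
        printf '%s\n' "sign_key: no such key: keys/$sign_name" >&2
        return 1
    fi
    # Explicit template: "mktemp -t NAME" with no X's is a BSD extension and
    # is rejected by GNU mktemp.
    sign_csr="$(mktemp "${TMPDIR:-/tmp}/ssl-ca.XXXXXXXXXX")" || return 1
    # Fresh serial for every certificate (16 random bytes, passed to
    # -set_serial in 0x hex form): serials must not repeat under one CA, so
    # a per-invocation value shared by several certificates is not enough.
    sign_serial="$(openssl rand -hex 16)" || { rm -f "$sign_csr"; return 1; }
    # Leaf certificates get "<name>.<CA domain>" as their domain.
    export domain="$sign_name.$(basename "$PWD")"
    openssl req \
        -key "keys/$sign_name" \
        -new \
        -config openssl.cnf \
        -out "$sign_csr" || { rm -f "$sign_csr"; return 1; }
    # fqdn is exported to this openssl process only; the openssl.cnf generated
    # by init does not reference it, so it matters only for an edited config.
    # NOTE(review): -extensions v3_ca is given without -extfile and the
    # generated openssl.cnf has no v3_ca section; "v3_ca" conventionally means
    # basicConstraints=CA:TRUE, so verify issued certificates carry no CA
    # extensions (openssl x509 -in certs/NAME -noout -text).
    # NOTE(review): no -days, so "x509 -req" applies its own default validity;
    # default_days in [CA_default] is not read here.
    fqdn="$sign_name.$domain" openssl x509 \
        -req \
        -in "$sign_csr" \
        -out "certs/$sign_name" \
        -CA CA.crt \
        -set_serial "0x$sign_serial" \
        -extensions v3_ca \
        -CAkey CA.key || { rm -f "$sign_csr"; return 1; }
    rm -f "$sign_csr"
}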

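#######################################
# Generate a new RSA private key at keys/$1.
# Arguments: $1 - key file name (plain name; becomes keys/$1)
# Outputs:   keys/$1, created under umask 077
# Returns:   1 when no name is given, otherwise genrsa's exit status
#######################################
gen_key () {
    # Without a name the output path would be the keys/ directory itself.
    if [ -z "$1" ]; then
        printf '%s\n' "gen_key: key name required" >&2
        return 1
    fi
    # Key size given explicitly (matches default_bits in openssl.cnf) instead
    # of the OpenSSL build's default; the subshell confines the umask to the
    # private-key write.
    (
        umask 077
        openssl genrsa -out "keys/$1" 2048
    )
}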

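# Sub-command dispatch; every command runs against the CA in the cwd.
if [ $# -lt 1 ]; then
    usage
    exit 1
fi

case "$1" in
    init)
        init
        ;;
    gen)
        # gen NAME: create keys/NAME and issue certs/NAME for it.
        if [ -z "$2" ]; then
            usage
            exit 1
        fi
        gen_key "$2"
        sign_key "$2"
        ;;
    sign)
        # Issue a certificate for every key that does not have one yet.
        for key in keys/*; do
            # An unmatched glob leaves the literal "keys/*" behind; skip it.
            [ -f "$key" ] || continue
            name="$(basename "$key")"
            if [ ! -f "certs/$name" ]; then
                sign_key "$name"
            fi
        done
        ;;
    resign)
        # Re-issue a certificate for every key, replacing existing ones.
        for key in keys/*; do
            [ -f "$key" ] || continue
            sign_key "$(basename "$key")"
        done
        ;;
    *)
        usage
        exit 1
        ;;
esac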
