From Chrome extensions: Finding the missing proof.

generate-ssl-cert

#!/bin/bash
##############################################################################
#
# Generate self-signed CA certificate and issue a host SSL certificate
# For testing purposes only
#
# Author: Mark R. Bannister, Jane Street Group LLC.
#
##############################################################################
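# Private keys below are written unencrypted (-nodes), so make every file
# this script creates readable by the owner only.
umask 077

# Terminal highlight sequences for progress messages. tput errors (for
# example when TERM is unset) are silenced; the messages are then unstyled.
h_on=$(tput setaf 3 2>/dev/null)$(tput bold 2>/dev/null)
h_off=$(tput sgr0 2>/dev/null)

readonly root_key=keys/rootCA.key
readonly root_crt=certs/rootCA.crt
readonly root_days=730

if [[ $# -ne 1 ]]; then
    echo "ERROR: missing hostname argument" >&2
    exit 1
fi

hostname=$1
if [[ $hostname != *.* ]]; then
    echo "ERROR: hostname must be fully qualified" >&2
    exit 1
fi

# The hostname is used in output file paths and is spliced into a sed
# replacement further down. Accept only DNS-name characters (with an optional
# leading "*." for a wildcard name) so that '/', '..', '&', backslashes or
# whitespace can neither redirect the output files nor alter the sed
# expression that renders server.conf.
fqdn_re='^(\*\.)?[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
if [[ ! $hostname =~ $fqdn_re ]]; then
    echo "ERROR: hostname contains characters not valid in a DNS name" >&2
    exit 1
fi

readonly host_key="keys/$hostname.key"
readonly host_csr="certs/$hostname.csr"
readonly host_crt="certs/$hostname.crt"
readonly host_days=365

#
# Create self-signed CA key and cert, if missing
#
# NOTE: if only one of the two files is missing, both are regenerated and the
# surviving one is overwritten; certificates issued by the previous CA will no
# longer verify against the new rootCA.crt.
# The CA key is stored without a passphrase. Any system that trusts
# rootCA.crt accepts every certificate signed with this key, so keep the key
# on the test machine and do not trust this CA outside a test environment.
if [[ ! -f $root_key || ! -f $root_crt ]]; then
    echo "${h_on}Generating $root_key and $root_crt${h_off}"
    openssl req -x509 -config ca.conf \
        -newkey rsa:4096 -nodes -keyout "$root_key" -out "$root_crt" \
        -days "$root_days" || exit 1
fi

#
# Create the server key and cert
#
# server.conf is a template: %HOSTNAME% is replaced with the validated
# hostname and the result is handed to openssl through process substitution.
# A failing sed inside <(...) does not stop the script by itself, so check
# that the template is readable before starting.
if [[ ! -r server.conf ]]; then
    echo "ERROR: cannot read server.conf" >&2
    exit 1
fi

echo "${h_on}Generating $host_key and $host_crt${h_off}"

# Step 1: new unencrypted RSA key plus a signing request carrying the v3_req
# extensions from the rendered template.
openssl req -new -reqexts v3_req \
        -config <(sed "s/%HOSTNAME%/$hostname/" server.conf) \
        -newkey rsa:4096 -nodes -keyout "$host_key" -out "$host_csr" || exit 1

# Step 2: sign the request with the local CA. The extensions are passed again
# via -extfile/-extensions so the issued certificate carries them;
# -CAcreateserial creates the CA serial-number file if it does not exist yet.
openssl x509 -req -in "$host_csr" -extensions v3_req \
        -extfile <(sed "s/%HOSTNAME%/$hostname/" server.conf) \
        -CA "$root_crt" -CAkey "$root_key" -CAcreateserial \
        -days "$host_days" -out "$host_crt" || exit 1

echo "${h_on}Done${h_off}"
exit 0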