#!/bin/sh
set -e

TMPFILE=`tempfile -d /var/tmp -p apache2-cn`
TMPFILE2=`tempfile -d /var/tmp -p apache2-cn`

trap "rm -f $TMPFILE $TMPFILE2" 1 2 15;

CONFDIR="$1"
FQDN="$2"
WEBMASTER="$3"
DOMAIN="$4"

sslcrt=/etc/ssl/certs
sslkey=/etc/ssl/private
A2CNDIR=$(dirname $0)

if [ -z "$4" ]; then
  echo "Usage: $0 <confdir> <fqdn> <email> <org>"
  echo
  echo "	confdir is ignored"
  echo "	fqdn    is the fully qualified name of the web server"
  echo "	email   address that will appear in the certificate"
  echo "	org     is the organization name"
  exit 2
fi

# XXX validate the arguments

export RANDFILE=/dev/urandom
cd /etc/ssl

if [ ! -f ${sslkey}/ca.key ]; then
# CA
openssl genrsa -out $sslkey/ca.key 1024
cat <<EOF > $TMPFILE
[ req ]
default_bits           = 1024
default_keyfile        = ca.pem
distinguished_name     = req_distinguished_name
attributes             = req_attributes
prompt                 = no

[ req_distinguished_name ]
C                      = HR
O                      = $DOMAIN
CN                     = $FQDN CA
emailAddress           = $WEBMASTER

[ req_attributes ]

EOF
openssl req -config $TMPFILE -new -key ${sslkey}/ca.key -out ${sslkey}/ca.csr
cat >$TMPFILE <<EOT
extensions = x509v3
[ x509v3 ]
subjectAltName   = email:copy
basicConstraints = CA:true,pathlen:0
nsComment        = "CARNet apache2-cn package generated custom CA certificate"
nsCertType       = sslCA
EOT
openssl x509 -extfile $TMPFILE -days 3651 -signkey ${sslkey}/ca.key \
  -in ${sslkey}/ca.csr -req -out ${sslcrt}/ca.pem
openssl x509 -noout -modulus -in ${sslcrt}/ca.pem | \
  read mod1
openssl rsa -noout -modulus -in ${sslkey}/ca.key | \
  read mod2
if [ "$mod1" != "$mod2" ]; then
  echo "Moduli for CA keys don't match."
  exit 1
fi
cd ${sslcrt}
ln -sf ca.pem $(openssl x509 -hash -noout -in ca.pem)

KEYS="${KEYS}
 - ${sslcrt}/ca.pem"
KEYS="${KEYS}
 - ${sslkey}/ca.key"

fi # CA

# server
openssl genrsa -out ${sslkey}/apache2.key 1024
echo 01 > "$TMPFILE2"
sed "s/HOST/$FQDN/g; s/DOMAIN/$DOMAIN/g; s/WEBMASTER/$WEBMASTER/g" \
  <  $A2CNDIR/templates/openssl.cnf > "$TMPFILE"
openssl req -config "$TMPFILE" -new -nodes \
  -key ${sslkey}/apache2.key -out ${sslkey}/apache2.csr
openssl x509 -extfile "$TMPFILE" -days 3650 \
  -CAserial "$TMPFILE2" -CA ${sslcrt}/ca.pem -CAkey ${sslkey}/ca.key \
  -in ${sslkey}/apache2.csr -req -out ${sslcrt}/apache2.pem
# verify
openssl x509 -noout -modulus -in ${sslcrt}/apache2.pem | read mod1
openssl rsa -noout -modulus -in ${sslkey}/apache2.key | read mod2
if [ "$mod1" != "$mod2" ]; then
  echo "Moduli for server keys don't match."
  exit 1
fi

KEYS="${KEYS}
 - ${sslcrt}/apache2.pem"
KEYS="${KEYS}
 - ${sslkey}/apache2.key"

cd ${sslcrt}
ln -sf apache2.pem $(openssl x509 -hash -noout -in apache2.pem)
 
rm -f $TMPFILE $TMPFILE2

echo "Successfully generated server key pairs:"
echo "$KEYS"
echo