#! /bin/bash

# Shared helpers used below (presumably ca_load_conf, ca_template, ca_gen_crl,
# ca_checksum, error, and the PROGNAME/CONFFILE/CRYPTKEY defaults) come from
# this library; none of them are defined in this file.
# NOTE(review): absolute path inside one user's home directory — the script
# only runs from that checkout; consider resolving the path relative to "$0".
. "/home/alex/code/ca-scripts/lib/ca-functions"

#######################################
# Print the command-line help text to stdout.
# Globals:   PROGNAME (read), CONFFILE (read) — both expanded into the text
# Arguments: none
# Outputs:   the usage block, terminated by one blank line
#######################################
usage() {
    cat <<HELP
Usage: $PROGNAME [options]

Options:
  -h, --help            Print this helpful message!
  -c, --encrypt         Encrypt CA private key with Triple-DES
  -f, --config FILE     Use config file instead of $CONFFILE
  -i, --template FILE   Use alternative index.html template
  -o, --output FILE     Generate CA index.html in FILE
  -s, --crt-only        Only generate CA cert/key, use pre-created config
  -x, --cnf-only        Only generate CA config file, don't create CA cert/key

HELP
}

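# Command-line parsing via util-linux getopt (needed for the long options).
readonly short='hcf:i:o:sx'
readonly long='help,encrypt,config:,template:,output:,crt-only,cnf-only'
# Assign and test in one step so getopt's own exit status is what we check,
# not the status of a separate assignment.
if ! opts=$( getopt -o "$short" -l "$long" -n "$PROGNAME" -- "$@" ); then
    # getopt has already reported the bad option on stderr; add the usage text.
    echo >&2
    usage >&2
    exit 1
fi
# getopt emits shell-quoted words; eval is the documented way to re-read them.
eval set -- "$opts"

while :; do
    case "$1" in
        -h|--help) usage; exit 0;;
        # Clearing CRYPTKEY drops whatever flag the library/config put there
        # (presumably the option that disables key encryption), so openssl
        # will protect the CA key with a passphrase instead — confirm in
        # ca-functions.
        -c|--encrypt) CRYPTKEY=""; shift;;
        -f|--config) shift; CONFFILE="$1"; shift;;
        -i|--template) shift; INDEXTPL="$1"; shift;;
        -o|--output) shift; INDEXOUT="$1"; shift;;
        -s|--crt-only) CRT_ONLY=1; shift;;
        -x|--cnf-only) CNF_ONLY=1; shift;;
        --) shift; break;;
        # Diagnostics belong on stderr, not in the script's normal output.
        *) printf "Unknown value '%s'\n" "$1" >&2; exit 1;;
    esac
done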

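# load up the configuration file; CA_CRT_TYPE tells the library which
# certificate profile this run is about (read by ca_load_conf, presumably)
CA_CRT_TYPE="ca"
ca_load_conf

# Everything below builds paths from these two; an empty CA_HOME would turn
# "$CA_HOME/key" into "/key" and scatter the CA over the filesystem root.
: "${CA_HOME:?CA_HOME is not set after loading the configuration}"
: "${CA_NAME:?CA_NAME is not set after loading the configuration}"

# Default both flags to 0 so the comparisons are well-formed even when the
# configuration leaves them unset (an empty operand makes [ fail noisily).
if [[ 1 -eq "${CRT_ONLY:-0}" && 1 -eq "${CNF_ONLY:-0}" ]]; then
    error "The --crt-only and --cnf-only options are mutually exclusive."
fi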

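if [ 1 -ne "${CRT_ONLY:-0}" ]; then
    # create the directory structure that'll be populated by the scripts
    # (brace expansion happens before the quoted variable expansion, so the
    # quoting is safe and still yields eight separate paths)
    mkdir -p "$CA_HOME"/{cnf,crl,crt,csr,db,idx,key,p12} \
        || error "Cannot create the CA directory tree under $CA_HOME"
    # private keys live here; nobody but the CA operator should list or read it
    chmod 700 "$CA_HOME/key"
    # seed the CRL number only once: re-running the script against an existing
    # CA must not reset the counter and reissue already-used CRL numbers
    if [ ! -s "$CA_HOME/db/crlnumber" ]; then
        echo "01" > "$CA_HOME/db/crlnumber"
    fi
    touch "$CA_HOME/db/index.txt" "$CA_HOME/db/.rand"

    # generate an openssl configuration for this CA from the library template
    ca_template ca-config "$CA_HOME/cnf/$CA_NAME.ca.cnf"
fi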
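if [ 1 -ne "${CNF_ONLY:-0}" ]; then
    # Never silently replace an existing CA key: everything it has signed
    # would stop verifying and the old key would still need revoking.
    if [ -e "$CA_HOME/key/$CA_NAME.ca.key" ]; then
        error "CA key $CA_HOME/key/$CA_NAME.ca.key already exists; remove it explicitly before re-initialising"
    fi

    # generate a self-signed cert that is valid for 10 years, with
    #  ... the private key in $CA_HOME/key/$CA_NAME.ca.key
    #  ... the certificate in $CA_HOME/crt/$CA_NAME.ca.crt
    #  ... using the config in $CA_HOME/cnf/$CA_NAME.ca.cnf
    #
    # The key is created inside a subshell with umask 077 so it is never
    # readable by other users, not even for the instant before chmod runs.
    # CRYPTKEY is deliberately unquoted: when --encrypt clears it, an empty
    # quoted "" would be passed to openssl as a bogus argument.
    # shellcheck disable=SC2086
    ( umask 077 && openssl req -new $CRYPTKEY \
        -config "$CA_HOME/cnf/$CA_NAME.ca.cnf" \
        -keyout "$CA_HOME/key/$CA_NAME.ca.key" \
        -out    "$CA_HOME/csr/$CA_NAME.ca.csr" ) \
        || error "Generating the CA key and request failed"
    chmod 600 "$CA_HOME/key/$CA_NAME.ca.key"

    # -name / -extensions select sections of the generated config (presumably
    # written by the ca-config template); -batch suppresses the y/n prompts.
    openssl ca -create_serial -selfsign -days 3652 -batch \
      -name ca_scripts -extensions ca_x509_extensions \
      -config  "$CA_HOME/cnf/$CA_NAME.ca.cnf" \
      -in      "$CA_HOME/csr/$CA_NAME.ca.csr" \
      -keyfile "$CA_HOME/key/$CA_NAME.ca.key" \
      -out     "$CA_HOME/crt/$CA_NAME.ca.crt" \
      || error "Self-signing the CA certificate failed"

    # generate an initial CRL too (yes it will be empty, but we should serve it)
    ca_gen_crl
    # optional: render the CA's index.html (template and output come from
    # --template/--output or the configuration)
    if [ -n "$INDEXOUT" ]; then
        ca_checksum
        ca_template "$INDEXTPL" "$INDEXOUT"
    fi
fi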