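#!/bin/sh
#
# Generate a throw-away CA plus one client and one server certificate
# (PEM, DER and PKCS#12) for use with TLS.
#
# NOTE: each run must vary the certificate subject fields
#       (e.g. the e-mail address), otherwise the new certificate
#       collides with the previously issued one and the script fails.
#
# Environment (all optional; the defaults reproduce the passwords this
# script has always used):
#   CA_PASS       password for the CA private key       (default: pw4ca)
#   CLIENT_PASS   password for the client private key   (default: pw4client)
#   SERVER_PASS   password for the server private key   (default: pw4server)
#
# Passwords are handed to openssl as env:NAME rather than pass:VALUE so
# that they do not show up in the process argument list (ps, shell
# history of a traced run).
#

# Abort on the first failing command and on unset variables: a half-built
# CA directory or a CSR signed by a missing key must not go unnoticed.
set -eu

CA="CA_nlab"

PREFIX=/usr/local/etc/openssl

CONFIG=${PREFIX}/openssl.conf
CA_DIR=${PREFIX}/${CA}

# Key passwords; exported so openssl can read them via env:NAME.
CA_PASS=${CA_PASS:-pw4ca}
CLIENT_PASS=${CLIENT_PASS:-pw4client}
SERVER_PASS=${SERVER_PASS:-pw4server}
export CA_PASS CLIENT_PASS SERVER_PASS

#######################################
# Issue one end-entity certificate: create a private key and CSR, sign
# the CSR with the CA, export a PKCS#12 bundle, re-extract the PEM from
# that bundle and convert the certificate to DER.
# Globals:   CONFIG (read), CA_PASS (read by openssl)
# Arguments: $1 - file-name stem, e.g. "client" -> clientkey.pem,
#                 clientcert.pem, clientcert.p12, clientcert.der
#            $2 - name of the exported variable holding the key password
# Outputs:   ${1}key.pem ${1}cert.pem ${1}cert.p12 ${1}cert.der in the cwd
# Returns:   non-zero (and, under set -e, exits) if any openssl step fails
#######################################
issue_cert() {
  stem=$1
  pass_var=$2

  # Create a certificate request and private key.
  # -days only affects self-signed (-x509) output; kept for compatibility.
  openssl req -config "${CONFIG}" \
    -new \
    -keyout "${stem}key.pem" \
    -out newreq.pem \
    -days 730 \
    -passout "env:${pass_var}"

  # Sign the request with the CA's private key. -passin here is the CA
  # key password (the earlier form passed it on the command line with
  # -key; the peer password that was also given to -passin appears to have
  # been ignored in favour of -key). -infiles must stay the last option.
  openssl ca -config "${CONFIG}" \
    -policy policy_anything \
    -passin env:CA_PASS \
    -out "${stem}cert.pem" \
    -infiles newreq.pem

  rm -f newreq.pem

  # Export PKCS#12 version of the certificate (certificate + key)
  openssl pkcs12 \
    -export \
    -in "${stem}cert.pem" \
    -inkey "${stem}key.pem" \
    -out "${stem}cert.p12" \
    -clcerts \
    -passin "env:${pass_var}" \
    -passout "env:${pass_var}"

  rm -f "${stem}cert.pem"

  # Re-create the PEM file from the PKCS#12 bundle
  openssl pkcs12 \
    -in "${stem}cert.p12" \
    -out "${stem}cert.pem" \
    -passin "env:${pass_var}" \
    -passout "env:${pass_var}"

  # DER copy of the certificate
  openssl x509 \
    -inform PEM \
    -outform DER \
    -in "${stem}cert.pem" \
    -out "${stem}cert.der"
}

##
## Initialize
##

# Start from scratch: drop any previous CA state and earlier output files
# in the current directory. ${CA_DIR:?} aborts instead of expanding to a
# bare "rm -rf" should the variable ever be empty.
rm -rf "${CA_DIR:?}" ./root* ./cert* ./*.pem ./*.der

# Create directories; the CA private key lives under private/, so keep
# that directory readable by the owner only.
mkdir -p "${CA_DIR}/certs" "${CA_DIR}/crl" "${CA_DIR}/newcerts" "${CA_DIR}/private"
chmod 700 "${CA_DIR}/private"
touch "${CA_DIR}/index.txt"

##
## CA
##

# Create a new self-signed CA certificate and private key
openssl req -config "${CONFIG}" \
  -new \
  -x509 \
  -keyout "${CA_DIR}/private/cakey.pem" \
  -out "${CA_DIR}/cacert.pem" \
  -days 730 \
  -passout env:CA_PASS

# Create CA certificate serial number
openssl x509 \
  -in "${CA_DIR}/cacert.pem" \
  -noout \
  -next_serial \
  -out "${CA_DIR}/serial"

##
## CLIENT
##

issue_cert client CLIENT_PASS

##
## SERVER
##

issue_cert server SERVER_PASS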
