#! /bin/sh

CLIENT=$1
if [ -z "${CLIENT}" ] ; then
	echo "Usage: $0 FQDN"
	exit 1
fi

set -e

CACERT=ca/ca.crt
CAKEY=private/ca.key
CLIENTKEY=clients/${CLIENT}/${CLIENT}.key
CLIENTPUB=clients/${CLIENT}/${CLIENT}.pub
CLIENTCSR=clients/${CLIENT}/${CLIENT}.csr
CLIENTCRT=certs/${CLIENT}.crt
PASSFILE=

if [ -e ca.pass ] ; then
	PASSFILE="-passin file:ca.pass"
fi

mkdir -p clients/${CLIENT}
mkdir -p certs

cat x509v3.cnf > x509v3_ca.cnf
cat >> x509v3_ca.cnf <<!

[ x509v3_FQDN ]
keyUsage		= \$ENV::CERTUSAGE
subjectAltName		= DNS:${CLIENT}
extendedKeyUsage	= \$ENV::EXTCERTUSAGE
nsCertType		= \$ENV::NSCERTTYPE
!

sed 's/^commonName.*/commonName='${CLIENT}'/' openssl.cnf > "sign-${CLIENT}.cnf"

# Create the clients key if not already available
if [ \! -f "${CLIENTKEY}" ] ; then
	openssl genrsa -out "${CLIENTKEY}" 2048
fi
if [ \! -f "${CLIENTPUB}" ] ; then
	openssl rsa -in "${CLIENTKEY}" -pubout -out "${CLIENTPUB}"
fi

# Create a signing requrest
openssl req -new -key "${CLIENTKEY}" \
    -config "sign-${CLIENT}.cnf" -out "${CLIENTCSR}"

# And sign the certificate
openssl x509 -req -sha256 -days 3650 \
    -in "${CLIENTCSR}" \
    -CA "${CACERT}" -CAkey "${CAKEY}" \
    -CAcreateserial \
    -extfile x509v3_ca.cnf -extensions x509v3_FQDN \
    -out "${CLIENTCRT}" \
    ${PASSFILE}
openssl verify -CAfile "${CACERT}" "${CLIENTCRT}"

rm -f x509v3_ca.cnf "sign-${CLIENT}.cnf"