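#!/usr/bin/env bash
#
# cert_server_selfsigned_create.sh - create a self-signed X.509 certificate
# for NAME.  With a passphrase-protected key it also leaves a CSR, DH
# parameters, a PEM bundle (cert + key) and a PKCS#12 bundle next to it.
#
# licence : gpl v2
# copyright : 8d technologies, xavier renaut
#
# Usage: cert_server_selfsigned_create.sh [-p] [-n] [-s] [-e SECTION] [-y YEARS] [-b BITS] NAME
#   -p          no password: unencrypted key, key + cert in a single NAME.pem
#   -n          no extensions (drops -extensions and -extfile)
#   -s          use "-extensions server" (this is also the default)
#   -e SECTION  use "-extensions SECTION"; use -e v3_ca for a CA certificate
#   -y YEARS    validity in years (default 20)
#   -b BITS     RSA key size in bits, 2048 minimum (default 4096)
#
# Example: cert_server_selfsigned_create.sh -e v3_ca YOUR-COMPANY-cacert

# Tracing used to sit on the shebang line; it is lost there when the script is
# run as "bash script.sh", so enable it here instead.
set -x
# -u is deliberately not used: "${arr[@]}" on an empty array (the -n case)
# trips it on bash < 4.4.
set -eo pipefail

# Print a diagnostic to stderr and exit with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Print a message in red (same escape sequences the original echo -e used).
warn_red() {
  printf '\033[0;31m %s \033[0m\n' "$*"
}

usage() {
  printf 'Usage: %s [-p] [-n] [-s] [-e SECTION] [-y YEARS] [-b BITS] NAME\n' "${0##*/}" >&2
  exit 2
}

pass=1                      # 1 = passphrase-protected key (openssl prompts)
years=20
days=$(( years * 365 ))     # 7300 days
size=4096                   # RSA key size in bits
dh_bits=2048                # DH parameter size; 512 bits (the old value) is breakable
remove_extensions=0
# openssl argument fragments are kept as arrays so they can be passed quoted
# and still vanish cleanly when emptied by -n.
extensions=(-extensions server)
extfile=(-extfile /etc/ssl/openssl.cnf)

while getopts 'npse:y:b:' opt; do
  case "$opt" in
    p)
      echo no password
      pass=0
      ;;
    s)
      echo using -extensions server
      extensions=(-extensions server)
      ;;
    e)
      [[ -n "$OPTARG" ]] || die '-e requires a non-empty section name'
      extensions=(-extensions "$OPTARG")
      echo using "${extensions[@]}"
      ;;
    y)
      # the value feeds an arithmetic expansion, so accept digits only
      [[ "$OPTARG" =~ ^[1-9][0-9]*$ ]] || die "-y expects a positive integer, got '$OPTARG'"
      years=$OPTARG
      days=$(( years * 365 ))
      echo using "$years" years of validity = "$days" days
      ;;
    b)
      [[ "$OPTARG" =~ ^[0-9]+$ ]] || die "-b expects an integer key size, got '$OPTARG'"
      if (( OPTARG < 2048 )); then
        die "-b: RSA keys shorter than 2048 bits are not accepted"
      fi
      size=$OPTARG
      ;;
    n)
      warn_red 'will remove extensions'
      remove_extensions=1
      ;;
    *)
      usage
      ;;
  esac
done
shift $(( OPTIND - 1 ))

if (( remove_extensions == 1 )); then
  extensions=()
  extfile=()
else
  warn_red "Will use ${extensions[*]}"
fi

name=${1:-}
[[ -n "$name" ]] || die 'server name?'
# the name is used as a file prefix on the openssl command line; a leading
# dash would be read as an option
[[ "$name" != -* ]] || die "server name must not start with '-': $name"

if (( pass == 0 )); then
  # Unencrypted key.  -out and -keyout name the same file on purpose: openssl
  # req writes the key and then the certificate into it, giving one PEM with
  # both (unchanged from the original invocation).
  openssl req -new "${extensions[@]}" -x509 -sha256 -days "$days" -nodes \
    -out "$name.pem" -newkey "rsa:$size" -keyout "$name.pem"
else
  # Under set -e each step must succeed before the next runs; previously the
  # pkcs12 export ran even when an earlier step had failed.
  openssl genrsa -aes256 -out "$name.key" "$size"
  # -extfile is not accepted by "req"; extensions are applied when signing
  openssl req -new -sha256 -key "$name.key" -out "$name.csr"
  # dhparam replaces the legacy gendh command; 2048-bit generation is slow
  openssl dhparam -out "$name.dh" "$dh_bits"
  openssl x509 -req "${extfile[@]}" "${extensions[@]}" -sha256 -days "$days" \
    -in "$name.csr" -signkey "$name.key" -out "$name.crt"
  cat -- "$name.crt" "$name.key" > "$name.pem"
  openssl pkcs12 -export -clcerts -in "$name.crt" -inkey "$name.key" -out "$name.p12"
fi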

# p12 : 
#openssl pkcs12 -export -clcerts -in $i.crt -inkey $i.key -out $i.p12

#req
# 
# -extensions .. specify certificate extension section (override value in config file)
# -reqexts ..    specify request extension section (override value in config file)

#x509
# -extfile        - configuration file with X509V3 extensions to add
# -extensions     - section from config file with X509V3 extensions to add


# CA.pl :  -newca
# openssl req  -sha1 -new -x509 -keyout cacert.key -out cacert.pem -days 2190 -set_serial 1 
# openssl x509 -in cacert.pem -noout -next_serial -out serial
# display openssl x509 -text -noout -in cacert.pem

# add to x509 / req  : -set_serial 1

