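#!/usr/bin/env bash
#
# self-signed-ssl.sh - create a local root CA and a CA-signed wildcard server
# certificate for a development domain.
#
# How to use
#   1. Make this script executable:
#        chmod +x ./self-signed-ssl.sh
#   2. Run the script and provide a domain name:
#        ./self-signed-ssl.sh mydomain.com
#
# Files written to the current directory (existing files are overwritten):
#   ca.key, ca.crt   root CA private key (unencrypted) and certificate
#   ca.srl           serial-number file created by -CAcreateserial
#   <domain>.key     server private key (unencrypted)
#   <domain>.csr     server certificate signing request
#   <domain>.crt     wildcard server certificate signed by the root CA
#
# The client-certificate helper at the end is defined but not run by default.

set -euo pipefail

# Print a message to stderr and exit with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Print usage and exit with a non-zero status so callers can tell misuse
# apart from a successful run (the original exited 0 here).
usage() {
  echo "USAGE: $0 domain.lan"
  echo ""
  echo "This will generate a non-secure self-signed wildcard certificate for a given domain."
  echo "This should only be used in a Non-Production and Development environment."
  exit 2
}

#######################################
# Convert a newline-separated "name=value" list into the "/name=value/..."
# string that openssl -subj expects. Blank lines are dropped, so the leading
# and trailing newlines of the SUBJ_* blocks below are harmless.
# Arguments: $1 - the multi-line attribute list
# Outputs:   the -subj string on stdout (no trailing slash)
#######################################
subj_from_lines() {
  local line subj=""
  while IFS= read -r line; do
    [[ -n "$line" ]] || continue
    subj+="/$line"
  done <<<"$1"
  printf '%s' "$subj"
}

[[ -n "${1:-}" ]] || usage
DOMAIN=$1

# The argument becomes both an output file name and the certificate CN, so
# accept hostname characters only (no path separators, spaces or leading '-').
[[ "$DOMAIN" =~ ^[A-Za-z0-9][A-Za-z0-9.-]*$ ]] \
  || die "ERROR: '$DOMAIN' is not a valid domain name"

# Private keys are written unencrypted (-nodes); restrict every file this
# script creates to the owner. Certificates are made world-readable again
# below, since they contain nothing secret.
umask 077

#
# Generate self signed certs
#

# Add wildcard
WILDCARD="*.$DOMAIN"

# Limit the validity period, it should be as short as you can handle from the
# maintenance standpoint. Best Practice is 12 months Max.
# Also applied to the root CA: without an explicit -days openssl defaults the
# CA certificate to 30 days, so it would expire before the server cert it signed.
readonly VALIDITY="365"

# This can be used for OCSP Responder for testing purposes which requires a
# Root certificate with a certificate(s) generated from it.
# First we will create a self-signed Root certificate using openssl then
# Create the derived Wildcard certificate

# Edit your own Certificate Attributes:
# C: CountryName
# ST: StateOrProvinceName
# L (localityName): Locality
# O: Organization
# CN (commonName): CommonName
# OU (organizationalUnitName): OrganizationalUnit
# emailAddress: Email Name

# Set our RootCA Certificate Attributes
SUBJ_ROOTCA="
C=US
ST=CO
O=Local Development
localityName=Local Development
commonName=RootCA
organizationalUnitName=Local Development
emailAddress=RootCA@t3st.org
"

# Set our Server Certificate Attributes
SUBJ_SERVER="
C=US
ST=CO
O=Local Development
localityName=Local Development
commonName=$WILDCARD
organizationalUnitName=Local Development
emailAddress=admin@t3st.org
"

# Generate self signed root CA cert
openssl req -nodes -x509 -newkey rsa:2048 -days "$VALIDITY" \
  -keyout ca.key -out ca.crt \
  -subj "$(subj_from_lines "$SUBJ_ROOTCA")"

# Generate server key and CSR to be signed
openssl req -nodes -newkey rsa:2048 \
  -keyout "$DOMAIN.key" -out "$DOMAIN.csr" \
  -subj "$(subj_from_lines "$SUBJ_SERVER")"

# Create a CA-signed certificate for your non-production apps, valid for
# VALIDITY days. Modern clients ignore the CN for hostname matching and only
# honour subjectAltName, so the wildcard and the bare domain are added as SAN
# entries through -extfile; without this the cert fails hostname verification.
openssl x509 -req -days "$VALIDITY" -in "$DOMAIN.csr" \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -extfile <(printf 'subjectAltName=DNS:%s,DNS:%s\n' "$WILDCARD" "$DOMAIN") \
  -out "$DOMAIN.crt"

# Certificates and the CSR are public; undo the restrictive umask for them.
chmod 644 ca.crt "$DOMAIN.crt" "$DOMAIN.csr"

#######################################
# Optional: generate a client certificate signed by the root CA above.
# Not run by default; uncomment the call at the bottom of the file when needed.
# Globals:   VALIDITY, WILDCARD (read)
# Outputs:   client.key, client.csr, client.crt, client.pem, client.pfx in cwd
# Returns:   non-zero (and aborts under set -e) if any openssl step fails
#######################################
generate_client_cert() {
  # NOTE(review): the original used commonName=$WILDCARD for the client cert
  # as well; a client certificate normally carries its own identity, so adjust
  # these attributes before relying on it.
  local subj_client="
C=US
ST=CO
O=Local Development
localityName=Local Development
commonName=$WILDCARD
organizationalUnitName=Local Development
emailAddress=admin@t3st.org
"
  # Generate a client key and CSR to be signed
  openssl req -nodes -newkey rsa:2048 -keyout client.key -out client.csr \
    -subj "$(subj_from_lines "$subj_client")"

  # Sign the client cert; -CAserial reuses the serial file created above.
  openssl x509 -req -days "$VALIDITY" -in client.csr \
    -CA ca.crt -CAkey ca.key -CAserial ca.srl -out client.crt

  # Create client PEM file
  cat client.key client.crt > client.pem

  # Create client PFX file (for Java, C#, etc). openssl prompts for an export
  # password here unless -passout is supplied.
  # NOTE(review): in the original this line was split so that "-in" had no
  # value; the intended form is reproduced here.
  openssl pkcs12 -inkey client.key -in client.crt -export -out client.pfx
}

# generate_client_cert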