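#! /bin/bash
#
# Generate an RSA private key, a CSR and (optionally) a self-signed
# certificate plus a "CA" certificate for one name, all written next to this
# script. Needs an openssl.conf in the same directory; its commonName_default
# line is rewritten in place to the chosen name.
#
# Usage: ./<script> [NAME]
#   NAME defaults to the name of the directory that contains this script.
#
# Outputs (in the script directory):
#   NAME.key      private key without passphrase
#   NAME.key.org  passphrase-protected copy of the key
#   NAME.csr      certificate signing request
#   NAME.crt      self-signed certificate (when self-signing is enabled)
#   NAME.ca.crt   the CSR re-signed with NAME.crt / NAME.key (same condition)

set -euo pipefail

##########
# Config #
##########
TMP_SSL_CERTIFICATE_NAME=$(basename "$(dirname "$(realpath "$0")")")
TMP_SSL_CERTIFICAT_RSA_BITS=3072
TMP_SSL_CERTIFICAT_GENERATE_SELFSIGNED=1
TMP_SSL_CERTIFICAT_SELFSIGNED_VALID_DAYS=1095
#########

# A first argument overrides the default name.
if [ -n "${1:-}" ]; then
  TMP_SSL_CERTIFICATE_NAME=$1
fi

TMP_SSL_CERTIFICATE_ROOTPATH=$(dirname "$0")
TMP_SSL_CERTIFICATE_FULLNAME=${TMP_SSL_CERTIFICATE_NAME}
TMP_SSL_CERTIFICATE_PREFIX_COMMAND=

# Windows / MinGW workaround: interactive openssl prompts need a console
# wrapper there, so openssl is run through winpty.
if [[ "$(uname)" == *MINGW* ]]; then
  TMP_SSL_CERTIFICATE_PREFIX_COMMAND=winpty
fi

# Paths reused throughout.
TMP_SSL_CERTIFICATE_CONF="${TMP_SSL_CERTIFICATE_ROOTPATH}/openssl.conf"
TMP_SSL_CERTIFICATE_BASE="${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}"

#######################################
# Run openssl, prefixed with the platform wrapper when one is configured.
# Globals:   TMP_SSL_CERTIFICATE_PREFIX_COMMAND (read)
# Arguments: openssl sub-command and its options
# Returns:   exit status of openssl
#######################################
run_openssl() {
  if [ -n "${TMP_SSL_CERTIFICATE_PREFIX_COMMAND}" ]; then
    "${TMP_SSL_CERTIFICATE_PREFIX_COMMAND}" openssl "$@"
  else
    openssl "$@"
  fi
}

if [ ! -f "${TMP_SSL_CERTIFICATE_CONF}" ]; then
  printf 'missing config file: %s\n' "${TMP_SSL_CERTIFICATE_CONF}" >&2
  exit 1
fi

# Private key files are created below: keep them unreadable to other users.
umask 077

# Change the default commonName from openssl.conf to the one from
# $TMP_SSL_CERTIFICATE_NAME. The name comes from argv, so escape the
# characters that are special in a sed replacement (/ & \) before
# interpolating it. GNU sed syntax (-i, \s), as in the original.
TMP_SSL_CERTIFICATE_SED_NAME=$(printf '%s' "${TMP_SSL_CERTIFICATE_NAME}" | sed -e 's/[\/&\\]/\\&/g')
sed -i -e "s/^\(commonName_default\s*=\).*$/\1 ${TMP_SSL_CERTIFICATE_SED_NAME}/gmi" "${TMP_SSL_CERTIFICATE_CONF}"

# Generate a passphrase-protected key (openssl prompts for the passphrase),
# create the CSR from it, then strip the passphrase into NAME.key while
# keeping the protected copy as NAME.key.org. AES-256 replaces the legacy
# DES3 wrapping; the rest of the flow is unchanged.
run_openssl genrsa -aes256 -out "${TMP_SSL_CERTIFICATE_BASE}.key" "${TMP_SSL_CERTIFICAT_RSA_BITS}"
run_openssl req -new -key "${TMP_SSL_CERTIFICATE_BASE}.key" -out "${TMP_SSL_CERTIFICATE_BASE}.csr" -config "${TMP_SSL_CERTIFICATE_CONF}"
cp -- "${TMP_SSL_CERTIFICATE_BASE}.key" "${TMP_SSL_CERTIFICATE_BASE}.key.org"
run_openssl rsa -in "${TMP_SSL_CERTIFICATE_BASE}.key.org" -out "${TMP_SSL_CERTIFICATE_BASE}.key"

# Self-signing
if [ "${TMP_SSL_CERTIFICAT_GENERATE_SELFSIGNED}" -eq "1" ]; then
  run_openssl x509 -req -extensions v3_req -days "${TMP_SSL_CERTIFICAT_SELFSIGNED_VALID_DAYS}" \
    -in "${TMP_SSL_CERTIFICATE_BASE}.csr" -signkey "${TMP_SSL_CERTIFICATE_BASE}.key" \
    -out "${TMP_SSL_CERTIFICATE_BASE}.crt" -extfile "${TMP_SSL_CERTIFICATE_CONF}"

  # CA Cert: the same CSR signed by the self-signed certificate above.
  run_openssl x509 -req -days "${TMP_SSL_CERTIFICAT_SELFSIGNED_VALID_DAYS}" \
    -in "${TMP_SSL_CERTIFICATE_BASE}.csr" -CA "${TMP_SSL_CERTIFICATE_BASE}.crt" \
    -CAkey "${TMP_SSL_CERTIFICATE_BASE}.key" -set_serial 01 -out "${TMP_SSL_CERTIFICATE_BASE}.ca.crt"

  # (Optional) Install CA cert into the system trust store. Afterwards every
  # TLS client on this host trusts anything signed with NAME.key, and the
  # copy needs root anyway, so it is only attempted as root. The installed
  # copy must stay world-readable (0644) despite the umask above, because
  # non-root clients read it through the trust store.
  if [ "${EUID}" -ne 0 ]; then
    printf 'not running as root: skipping installation of %s into the system trust store\n' \
      "${TMP_SSL_CERTIFICATE_BASE}.ca.crt" >&2
  elif [ -f "/etc/redhat-release" ]; then
    update-ca-trust force-enable
    install -m 0644 -- "${TMP_SSL_CERTIFICATE_BASE}.ca.crt" "/etc/pki/ca-trust/source/anchors/"
    update-ca-trust extract
  elif [ -f "/etc/debian_version" ]; then
    # Debian-based systems ship /etc/debian_version (there is no debian-release).
    install -m 0644 -- "${TMP_SSL_CERTIFICATE_BASE}.ca.crt" "/usr/local/share/ca-certificates/"
    update-ca-certificates
  fi

  # View CSR
  openssl req -text -noout -in "${TMP_SSL_CERTIFICATE_BASE}.csr"

  # Validate with .key and .csr
  echo
  echo "\"${TMP_SSL_CERTIFICATE_BASE}.crt\" Hash:"
  openssl x509 -noout -modulus -in "${TMP_SSL_CERTIFICATE_BASE}.crt" | openssl md5
  echo
fi

# Detect if the key and csr are compatible: the modulus hashes printed here
# (and the .crt one above) must all be identical. md5 is only used as a
# short fingerprint for eyeballing equality, not for any security decision.
echo "\"${TMP_SSL_CERTIFICATE_BASE}.key\" Hash:"
openssl rsa -noout -modulus -in "${TMP_SSL_CERTIFICATE_BASE}.key" | openssl md5
echo
echo "\"${TMP_SSL_CERTIFICATE_BASE}.csr\" Hash:"
openssl req -noout -modulus -in "${TMP_SSL_CERTIFICATE_BASE}.csr" | openssl md5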