#!/bin/sh
# $Id$
# helper script for creating ssl certificates

while [ $# -gt 0 ]; do
    case $1 in
	   -g) group=$2; shift 2;;
	   -b) bundle="true"; shift;;
	    *) args=( ${args[@]:-} $1 ); shift;;
      esac
done

pkg=${args[0]}	# name of the package
num=${args[1]}	# number of packages installed
srv=${args[2]}	# name of the service

if [ -z "$pkg" ] || [ -z "$num" ] || [ -z "$srv" ]; then
    echo "usage: $0 [-g <group>] [-b] <pkg name> <num installed> <service>" 1>&2
    exit 1
fi

if [ ! -f "/etc/pki/tls/private/$srv.pem" ]; then 
    # default values
    host=$(hostname)
    KEY_LENGTH=4096
    CERT_DAYS=365
    EMAIL_ADDRESS=root@$host
    COMMON_NAME=$host
    ORGANISATIONAL_UNIT_NAME="default $srv cert for $host"

    # source configuration
    if [ -f /etc/sysconfig/ssl ]; then
	. /etc/sysconfig/ssl
    fi

    conffile=/tmp/$$
    keyfile=/etc/pki/tls/private/$srv.pem
    if [ "$bundle" = "true" ]; then
	certfile=$keyfile
    else
	certfile=/etc/pki/tls/certs/$srv.pem
    fi

    # create a temporary configuration file
    cat > $conffile <<EOF
default_bits            = $KEY_LENGTH
encrypt_key             = no
prompt                  = no
distinguished_name      = req_dn
req_extensions          = req_ext

[ req_dn ] 
commonName              = $COMMON_NAME
organizationalUnitName  = $ORGANISATIONAL_UNIT_NAME
emailAddress            = $EMAIL_ADDRESS

[ req_ext ]
basicConstraints        = CA:FALSE
EOF
    
    # generate certificates
    openssl req -new -x509 -days "$CERT_DAYS" \
        -config "$conffile" \
        -keyout "$keyfile" \
        -out "$certfile" >/dev/null

    # enforce strict perms on key
    if [ -n "$group" ]; then
	chmod 640 "$keyfile"
	chgrp "$group" "$keyfile"
    else
	chmod 600 "$keyfile"
    fi
fi