#!/bin/sh

HOST="${1}"
CONF="${2:-danet_client.conf}"
CA="${3:-ca}"
CACERT="${CA}.cert"
CAKEY="${CA}.key"

TMPDIR="$(mktemp -d)"

CLIENT_CERT=$(awk '/^cert /{print $2}' "$CONF");
CLIENT_KEY=$(awk '/^key /{print $2}' "$CONF");
SERVER_CACERT=$(awk '/^ca /{print $2}' "$CONF");

umask 0077;
    #  #>/dev/null 2>&1
cat -<<EOF |openssl req -nodes -new -keyout "${TMPDIR}/${HOST}".pem -out "${TMPDIR}/${HOST}".req -days 9000
.
.
.
.
.
$1
.

    
EOF

(cd $TMPDIR;
    if [ ! -e database ]; then
	touch database database.attr
	cp /usr/lib/ssl/openssl.cnf config
	perl -pi -e 's/(database|serial)\s*=.+/$1=$1/' config
    # Use the epoch and the pid to make a unique serial (for this CA,
    # anyway)
    # We use perl's pack and unpack here because it can be hex, and
    # for some cockamamie reason, it needs to be an even number of
    # characters.
	perl -e 'print unpack(q(H*),pack(q(NN),time,$$)),qq(\n)' > serial
    fi;
)
openssl ca -config "$TMPDIR"/config -policy policy_anything -keyfile "${CAKEY}" -cert "${CACERT}" \
    -out "$TMPDIR"/"${HOST}".cert -outdir "$TMPDIR" -notext -days 9000 -batch -infiles "${HOST}".req; #> /dev/null 2>&1
(
    cd "${TMPDIR}"
    chmod a+r "${HOST}".cert
    rm -f "${HOST}".req
    ln -sf "${HOST}".cert "${CLIENT_CERT}"
    ln -sf "${HOST}".pem "${CLIENT_KEY}"
)
cp "${CLIENT_CONF}" "${TMPDIR}"/;

tar -zcf "${HOST}".tar.gz -C "${TMPDIR}" \
    "${HOST}".cert "${HOST}".pem "${CLIENT_CERT}" "${CLIENT_CONF}" \
    "${CLIENT_KEY}" "${SERVER_CACERT}"
rm -rf "${TMPDIR}"