#!/bin/bash

HOST="${1}"
CONF="${2:-danet_client.conf}"
CA="${3:-ca}"
CACERT="${CA}.cert"
CAKEY="${CA}.key"

TMPDIR="$(mktemp -d)"

CLIENT_CERT=$(awk '/^cert /{print $2}' "$CONF");
CLIENT_KEY=$(awk '/^key /{print $2}' "$CONF");
SERVER_CACERT=$(awk '/^ca /{print $2}' "$CONF");

umask 0077;
    #  #>/dev/null 2>&1
cat -<<EOF |openssl req -nodes -new -keyout "${TMPDIR}/${HOST}".pem -out "${TMPDIR}/${HOST}".req -days 9000
.
.
.
.
.
$1
.

    
EOF

ORIGDIR=$(pwd);

(cd $TMPDIR;
    if [ ! -e database ]; then
	touch database database.attr
	cp /usr/lib/ssl/openssl.cnf config
	perl -pi -e 's/(database|serial)\s*=.+/$1=$1/' config
    # Use the epoch and the pid to make a unique serial (for this CA,
    # anyway)
    # We use perl's pack and unpack here because it can be hex, and
    # for some cockamamie reason, it needs to be an even number of
    # characters.
	perl -e 'print unpack(q(H*),pack(q(NN),time,$$)),qq(\n)' > serial
    fi;
    openssl ca -config "$TMPDIR"/config -policy policy_anything -keyfile "${ORIGDIR}"/"${CAKEY}" -cert "${ORIGDIR}"/"${CACERT}" \
	-out "$TMPDIR"/"${HOST}".cert -outdir "$TMPDIR" -notext -days $(( ( $(date -d 'Tuesday, 18 January 2038' +%s) - $(date +%s) ) / 60 / 60 /24 )) -batch -infiles "${HOST}".req; #> /dev/null 2>&1
    chmod a+r "${HOST}".cert
    rm -f "${HOST}".req
    mv "${HOST}".cert "${CLIENT_CERT}"
    mv "${HOST}".pem "${CLIENT_KEY}"
)

cp "${CONF}" "${TMPDIR}"/;
cp "${SERVER_CACERT}" "${TMPDIR}"/;

tar -zcf "${HOST}".tar.gz -C "${TMPDIR}" \
    "${CLIENT_CERT}" "${CONF}" \
    "${CLIENT_KEY}" "${SERVER_CACERT}"
rm -rf "${TMPDIR}"

cp ../ccd/__template__ ../ccd/"${HOST}";
chmod 0644 ../ccd/"${HOST}";
HOST="${HOST}" perl -pi -e 's/HOSTNAME/$ENV{HOST}/g' ../ccd/"${HOST}";