+#!/bin/sh
+
+HOST="${1}"
+CONF="${2:-danet_client.conf}"
+CA="${3:-ca}"
+CACERT="${CA}.cert"
+CAKEY="${CA}.key"
+
+TMPDIR="$(mktemp -d)"
+
+CLIENT_CERT=$(awk '/^cert /{print $2}' "$CONF");
+CLIENT_KEY=$(awk '/^key /{print $2}' "$CONF");
+SERVER_CACERT=$(awk '/^ca /{print $2}' "$CONF");
+
+umask 0077;
+ # #>/dev/null 2>&1
+cat -<<EOF |openssl req -nodes -new -keyout "${TMPDIR}/${HOST}".pem -out "${TMPDIR}/${HOST}".req -days 9000
+.
+.
+.
+.
+.
+$1
+.
+
+
+EOF
+
+(cd $TMPDIR;
+ if [ ! -e database ]; then
+ touch database database.attr
+ cp /usr/lib/ssl/openssl.cnf config
+ perl -pi -e 's/(database|serial)\s*=.+/$1=$1/' config
+ # Use the epoch and the pid to make a unique serial (for this CA,
+ # anyway)
+ # We use perl's pack and unpack here because it can be hex, and
+ # for some cockamamie reason, it needs to be an even number of
+ # characters.
+ perl -e 'print unpack(q(H*),pack(q(NN),time,$$)),qq(\n)' > serial
+ fi;
+)
+openssl ca -config "$TMPDIR"/config -policy policy_anything -keyfile "${CAKEY}" -cert "${CACERT}" \
+ -out "$TMPDIR"/"${HOST}".cert -outdir "$TMPDIR" -notext -days 9000 -batch -infiles "${HOST}".req; #> /dev/null 2>&1
+(
+ cd "${TMPDIR}"
+ chmod a+r "${HOST}".cert
+ rm -f "${HOST}".req
+ ln -sf "${HOST}".cert "${CLIENT_CERT}"
+ ln -sf "${HOST}".pem "${CLIENT_KEY}"
+)
+cp "${CLIENT_CONF}" "${TMPDIR}"/;
+
+tar -zcf "${HOST}".tar.gz -C "${TMPDIR}" \
+ "${HOST}".cert "${HOST}".pem "${CLIENT_CERT}" "${CLIENT_CONF}" \
+ "${CLIENT_KEY}" "${SERVER_CACERT}"
+rm -rf "${TMPDIR}"