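#!/bin/sh
#
# Issue the XKMS service certificate and the SSL server certificate, both
# signed by the "level1_ca" section of the CA configuration.
#
# Environment:
#   DEST      Root of the OpenSSL working tree (default /opt/xkms/openssl).
#   KEY_BITS  RSA modulus size for the new keypairs (default 2048).
#
# Changes from the previous revision of this script:
#   * Diagnostics go to stderr; the old "2>&1" left them on stdout.
#   * Every expansion is quoted, so a DEST containing spaces or glob
#     characters can no longer split into several arguments.
#   * A failed openssl step stops the run instead of letting the CA sign a
#     stale or missing request left over from an earlier run.
#   * Private keys are written under umask 077.
#   * The hard-coded rsa:1024 became KEY_BITS with a 2048 default, because
#     1024-bit RSA no longer offers an adequate security margin.

DEST=${DEST-/opt/xkms/openssl}
CONF="${DEST}/xkms.conf"
REQCONF="${DEST}/req.conf"
KEY_BITS=${KEY_BITS-2048}
ME=${0##*/}

# Print a diagnostic on stderr and abort.
die() {
  printf '%s\n' "${ME}: $*" >&2
  exit 1
}

# Print the three-line progress banner used between steps.
banner() {
  printf '\n**\n** %s\n**\n' "$1"
}

## Basic sanity check
[ -d "${DEST}" ] || die "${DEST} not found."
[ -f "${CONF}" ] || die "${CONF} not found."

# KEY_BITS is interpolated into "-newkey rsa:N"; accept digits only.
case "${KEY_BITS}" in
  '' | *[!0-9]*) die "KEY_BITS must be a positive integer." ;;
esac

# The root CA key is not needed for this step. Warn (without aborting) when
# it is still on this host, since it should be kept offline once the
# level-1 CA has been issued.
if [ -f "${DEST}/root-ca/key.pem" ]; then
  printf '%s\n' "${ME}: Warning ${DEST}/root-ca/key.pem still present!" >&2
fi

## Make an XKMS Service keypair and cert request
banner 'CREATING XKMS SERVICE KEYPAIR'
# umask 077 in a subshell: the key file must not be group/world readable,
# and the tighter mask must not leak into the certificate steps below.
(
  umask 077 &&
    openssl req -config "${REQCONF}" -newkey "rsa:${KEY_BITS}" \
      -out "${DEST}/xkms-ca/certreq.pem" -keyout "${DEST}/xkms-ca/key.pem"
) || die "failed to create the XKMS service keypair."

## Have the Level-1 CA sign the XKMS Service cert
banner 'HAVING THE LEVEL1 CA SIGN THE XKMS CERTIFICATE'
openssl ca -config "${CONF}" -name level1_ca \
  -out "${DEST}/xkms-ca/cert.pem" -infiles "${DEST}/xkms-ca/certreq.pem" ||
  die "level1_ca failed to sign the XKMS service certificate."

## Make an SSL keypair and cert request
banner 'CREATING SSL KEYPAIR'
(
  umask 077 &&
    openssl req -config "${REQCONF}" -newkey "rsa:${KEY_BITS}" \
      -out "${DEST}/ssl/certreq.pem" -keyout "${DEST}/ssl/key.pem"
) || die "failed to create the SSL keypair."

banner 'STRIPPING PASSWORD FROM SSL KEY'
# plainkey.pem is an UNENCRYPTED private key. Remove any previous copy first
# so the new file is created with the restrictive mode (truncating an
# existing file would keep its old permissions), and remove the partial
# output if openssl fails so an empty key file is never left behind.
rm -f -- "${DEST}/ssl/plainkey.pem"
if ! (
  umask 077 &&
    openssl rsa -inform pem <"${DEST}/ssl/key.pem" >"${DEST}/ssl/plainkey.pem"
); then
  rm -f -- "${DEST}/ssl/plainkey.pem"
  die "failed to strip the passphrase from ${DEST}/ssl/key.pem."
fi

## Have the Level-1 CA sign the SSL cert
banner 'HAVING THE LEVEL1 CA SIGN THE SSL CERTIFICATE'
openssl ca -config "${CONF}" -name level1_ca -extensions ssl_cert \
  -out "${DEST}/ssl/cert.pem" -infiles "${DEST}/ssl/certreq.pem" ||
  die "level1_ca failed to sign the SSL certificate."

banner 'DONE'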