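#! /bin/sh
#
# Bootstrap a two-level CA hierarchy for the XKMS OpenSSL setup:
#   1. generate a root keypair + self-signed root certificate
#   2. generate a level-1 CA keypair and have the root sign it
#
# Environment:
#   DEST  - base directory holding xkms.conf, req.conf and the
#           root-ca/ and level1-ca/ subdirectories (default /opt/xkms/openssl)
#
# Exits non-zero if either configuration file is missing or any
# openssl step fails. `openssl req` prompts interactively for the
# subject DN and key passphrase, so this is meant to be run by hand.

# Abort on the first failing command and on any unset variable so a
# failed key generation cannot be silently followed by a signing step
# that operates on stale or missing files.
set -eu

DEST=${DEST-/opt/xkms/openssl}
CONF=${DEST}/xkms.conf
REQCONF=${DEST}/req.conf
ME=$(basename -- "$0")

# Print a diagnostic to stderr and exit (the original sent these
# messages to stdout via a mistaken "2>&1").
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Print a banner for the next phase.
banner() {
  printf '\n**\n** %s\n**\n' "$1"
}

[ -f "${CONF}" ]    || die "${ME}: ${CONF} not found."
[ -f "${REQCONF}" ] || die "${ME}: ${REQCONF} not found."

## Make a root keypair and a cert request
banner 'GENERATING ROOT KEYPAIR'
openssl req -config "${REQCONF}" -newkey rsa:2048 \
  -out "${DEST}/root-ca/certreq.pem" -keyout "${DEST}/root-ca/key.pem"

## Self-sign the request, make text version of public key.
# The self-signed certificate is piped straight into the second x509
# invocation (x509 reads stdin when -in is absent), so no predictable
# temp.pem is ever written to the current directory.
# SHA-256 replaces the original -sha1: SHA-1 certificate signatures are
# rejected by current TLS stacks and by OpenSSL's default security level.
# NOTE(review): "-extensions ca_cert" is passed without "-extfile"; some
# OpenSSL releases only read x509 extensions from -extfile, so confirm
# the resulting root certificate actually carries basicConstraints
# CA:TRUE (openssl x509 -text -noout -in root-ca/cert.pem).
banner 'SELF-SIGNING THE ROOT KEY'
openssl x509 -req -signkey "${DEST}/root-ca/key.pem" \
  -extensions ca_cert -sha256 -days 1500 \
  -in "${DEST}/root-ca/certreq.pem" \
  | openssl x509 -text -out "${DEST}/root-ca/cert.pem"

## Make a Level-1 CA keypair and a cert request
# The original used rsa:1024 for the subordinate CA; 1024-bit RSA is
# below the minimum accepted by current clients, so the CA key is now
# the same size as the root key.
banner 'GENERATING A LEVEL-1 CA KEYPAIR'
openssl req -config "${REQCONF}" -newkey rsa:2048 \
  -out "${DEST}/level1-ca/certreq.pem" -keyout "${DEST}/level1-ca/key.pem"

## Have the ROOT CA sign the Level1 CA
banner 'HAVING THE ROOT SIGN the LEVEL-1 CA'
openssl ca -config "${CONF}" -name root_ca \
  -noemailDN -out "${DEST}/level1-ca/cert.pem" \
  -infiles "${DEST}/level1-ca/certreq.pem"

printf '\n**\n** DONE WITH THE ROOT, PLEASE TAKE THE KEY OFF-LINE...\n'
printf '** ... NOW!\n**\n'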