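#!/bin/sh
# This script makes a certificate authority cert and a host certificate and
# signs it with the created CA cert. Then splits out host key and cert for
# STARTTLS in sendmail. Copies and customizes openssl.cnf if needed.
#
# Files produced in the current directory:
#   openssl.cnf           copied from /etc/ssl and pointed at "." (only if absent)
#   ca/ca.key, ca/ca.pem  CA private key (passphrase prompted by openssl) and cert
#   newreq.pem            host key + self-signed cert, as written by "openssl req"
#   host.key, host.cert   host private key split out of newreq.pem, CA-signed cert
#
# Stop at the first failing command: a failed "openssl req" (mistyped
# passphrase, missing config) must not be followed by signing/splitting steps
# that quietly produce empty or wrong files.
set -eu

if [ ! -e openssl.cnf ]; then
  echo "openssl.cnf file not found -- creating..."
  cp /etc/ssl/openssl.cnf .
  # Point the CA paths at the working directory. "\$dir" keeps a literal
  # "$dir" in the config so openssl expands it itself.
  sed -i 's/^dir[ \t]*=.*/dir = .\//' openssl.cnf
  sed -i 's/^database[ \t]*=.*/database = \$dir\/index.txt/' openssl.cnf
  sed -i 's/^new_certs_dir[ \t]*=.*/new_certs_dir = \$dir/' openssl.cnf
  sed -i 's/^certificate[ \t]*=.*/certificate = \$dir\/ca\/ca.pem/' openssl.cnf
  sed -i 's/^serial[ \t]*=.*/serial = \$dir\/serial/' openssl.cnf
  sed -i 's/^private_key[ \t]*=.*/private_key = \$dir\/ca\/ca.key/' openssl.cnf
  echo "done."
fi

# CA database files expected by "openssl ca" (paths set in openssl.cnf above).
mkdir -p ca
echo "01" > serial
touch index.txt

# Self-signed CA certificate; openssl prompts for the CA key passphrase.
# The CA key is then locked down like the host key is at the end.
openssl req -new -x509 -keyout ca/ca.key -out ca/ca.pem -days 400 -config openssl.cnf
chmod 400 ca/ca.key

# Host key plus a throw-away self-signed cert in one file (-nodes: no
# passphrase, so sendmail can load the key unattended), then turn that cert
# back into a request and have the CA sign it.
openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem -days 400 -config openssl.cnf
openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
openssl ca -config openssl.cnf -policy policy_anything -out newcert.pem -infiles tmp.pem
# -f: the CA's own copy of the signed cert (01.pem) may not exist, and an
# unmatched glob must not abort the script under set -e.
rm -f serial* index.txt* tmp.pem 01.pem

# Copy the private key block out of newreq.pem into host.key. Accept both the
# legacy PKCS#1 marker (RSA PRIVATE KEY) and the PKCS#8 one (PRIVATE KEY) that
# newer openssl writes by default. host.key is created under umask 077 so it is
# never world-readable, even briefly, before the final chmod.
(
  umask 077
  in_key=0
  while IFS= read -r line; do
    case $line in
      "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN PRIVATE KEY-----") in_key=1 ;;
    esac
    # Compare against 1 explicitly: a bare "[ $in_key ]" is true for "0" as
    # well, since that form only checks that the string is non-empty.
    if [ "$in_key" -eq 1 ]; then
      printf '%s\n' "$line"
    fi
    case $line in
      "-----END RSA PRIVATE KEY-----"|"-----END PRIVATE KEY-----") break ;;
    esac
  done < newreq.pem > host.key
)
# An unrecognised key type (no matching BEGIN marker) leaves host.key empty;
# fail loudly instead of handing sendmail an unusable key file.
if [ ! -s host.key ]; then
  echo "no private key block found in newreq.pem" >&2
  exit 1
fi

mv newcert.pem host.cert
chmod 400 host.key newreq.pem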