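#!/bin/bash
#
# all main functions to generate a PKI certificate chain
#
# This file is meant to be sourced: it only defines helper functions and
# prints a reminder when executed directly.
#
# Globals read by the helpers (set them before calling):
#   CA_CNF      - openssl config used for the root CA and the intermediate
#   FQ_CA_CERT  - path to the root CA certificate (intermediate signing)
#   FQ_CA_KEYS  - path to the root CA private key  (intermediate signing)
#   FQ_S_CNF    - openssl config used for server certificates
#   PKCS12_PASS - optional export password for the .p12 bundles; defaults to
#                 "password" (the value previously hard-coded) when unset
# Globals written: UNIQ_ID_CA, UNIQ_ID, SERIAL (copies of the positional args)
#
# NOTE(review): the generate_* helpers take the serial as an argument and
# never increment it. X.509 serials must be unique per issuer, so the caller
# must not reuse a value across certificates signed by the same CA.
# Private keys are written unencrypted; keep the working directory private.

#
# print text wrapped in a block
#   $1 - text printed on the middle line (printf, so leading '-' is safe)
#
echo_block() {
  echo
  echo "***** ***** ***** *****"
  printf '%s\n' "$1"
  echo "***** ***** ***** *****"
}

#
# Grab the latest serial # from the first line of the file 'SERIAL'.
# Sets the global SERIAL; falls back to 11111 (with a warning) when the file
# is missing or empty. Does NOT increment or write the file back.
#
get_serial() {
  SERIAL=
  if [[ -r SERIAL ]]; then
    SERIAL=$(head -n 1 SERIAL)
  fi
  if [[ -z "$SERIAL" ]]; then
    SERIAL=11111
    echo_block "WARN: no file 'SERIAL' found, using default 11111 as the serial # for CA"
  fi
}

# ***** ***** ***** ***** *****
#
# CERTIFICATE AUTHORITY (CA)
#
# ***** ***** ***** ***** *****

#
# This function will generate the root CA (self-signed) key and certificate
# IN:  $1 - UNIQ_ID_CA (suffix for output files and the CN)
#      $2 - SERIAL     (certificate serial number)
# Globals read: CA_CNF
# Writes: ca_<id>.keys.pem, ca_<id>.crt.pem, ca_<id>_cert.info.txt
# Returns non-zero as soon as an openssl step fails.
#
generate_ca() {
  # params (kept global on purpose: callers and sibling helpers read them)
  UNIQ_ID_CA=$1
  SERIAL=$2
  local key="ca_${UNIQ_ID_CA}.keys.pem"
  local cert="ca_${UNIQ_ID_CA}.crt.pem"

  # encrypt the key
  #openssl genrsa -aes256 -out ca.keys.pem 4096
  #openssl genrsa -aes256 -password "pass:password" -out ca.keys.pem 4096

  # key un-protected; the umask keeps the key file readable by the owner only
  (umask 077 && openssl genrsa -out "$key" 4096) || return 1
  #
  # Create Certificate (valid for 10 years, outliving the entire chain of trust)
  openssl req -config "$CA_CNF" -new -x509 -sha256 -days 3650 -extensions v3_ca \
    -subj "/C=OO/O=ACME/CN=root.${UNIQ_ID_CA}" -set_serial "${SERIAL}" \
    -key "$key" -out "$cert" || return 1

  # verify certificate (output to text file for review)
  openssl x509 -noout -text -in "$cert" > "ca_${UNIQ_ID_CA}_cert.info.txt"
}

#
# Create CA Intermediate
#

#
# This function will generate a CA Intermediate signed by the root CA
# IN:  $1 - UNIQ_ID_CA (suffix for output files and the CN)
#      $2 - SERIAL     (certificate serial number)
# Globals read: CA_CNF, FQ_CA_CERT, FQ_CA_KEYS, PKCS12_PASS (optional)
# Writes: ca_i_<id>.keys.pem, .csr.pem, .crt.pem, .p12, .crt.info.txt and
#         ca_cert-chain_<id>.crts.pem (root + intermediate)
# Returns non-zero as soon as an openssl step fails.
#
generate_ca_i() {
  # params must be set before the banner, otherwise it prints a stale id
  UNIQ_ID_CA=$1
  SERIAL=$2
  local key="ca_i_${UNIQ_ID_CA}.keys.pem"
  local csr="ca_i_${UNIQ_ID_CA}.csr.pem"
  local cert="ca_i_${UNIQ_ID_CA}.crt.pem"
  # export password is read by openssl from the environment, not from argv
  local -x PKCS12_PASS=${PKCS12_PASS:-password}

  echo_block "Create CA Intermediate (${UNIQ_ID_CA})"

  (umask 077 && openssl genrsa -out "$key" 4096) || return 1

  # Create Cert Signing Request (CSR)
  openssl req -config "$CA_CNF" -new -sha256 \
    -subj "/C=OO/O=ACME/OU=ACME Intermediate/CN=${UNIQ_ID_CA}" \
    -key "$key" -out "$csr" || return 1

  # Create Certificate (valid for ~2 years, outliving the leaf certificates)
  # CA signs Intermediate
  openssl x509 -req -days 750 -extfile "$CA_CNF" -extensions v3_ca_i \
    -CA "$FQ_CA_CERT" -CAkey "$FQ_CA_KEYS" -set_serial "${SERIAL}" \
    -in "$csr" -out "$cert" || return 1

  # Package the Certificate Authority Certificates for distro (windoze needs this)
  openssl pkcs12 -export -passout env:PKCS12_PASS -inkey "$key" \
    -name "CA Intermediate Mobile Provision" -certfile "$FQ_CA_CERT" \
    -in "$cert" -out "ca_i_${UNIQ_ID_CA}.p12" || return 1

  # verify certificate (output to text file for review)
  openssl x509 -noout -text -in "$cert" > "ca_i_${UNIQ_ID_CA}.crt.info.txt"

  # create certificate chain
  cat "$FQ_CA_CERT" "$cert" > "ca_cert-chain_${UNIQ_ID_CA}.crts.pem"
}

#
# Generate a Server Certificate
# IN:  $1 - UNIQ_ID    (suffix for output files and the CN)
#      $2 - UNIQ_ID_CA (id of the signing intermediate)
#      $3 - SERIAL     (certificate serial number)
# Globals read: FQ_S_CNF, PKCS12_PASS (optional)
# Writes: server_<id>.keys.pem, .csr.pem, .crt.pem, .p12, .crt.info.txt
# Returns non-zero as soon as an openssl step fails.
#
generate_server() {
  # params must be set before the banner, otherwise it prints a stale id
  UNIQ_ID=$1
  UNIQ_ID_CA=$2
  SERIAL=$3
  local key="server_${UNIQ_ID}.keys.pem"
  local csr="server_${UNIQ_ID}.csr.pem"
  local cert="server_${UNIQ_ID}.crt.pem"
  local -x PKCS12_PASS=${PKCS12_PASS:-password}

  echo_block "Generate Server Certificates (${UNIQ_ID})"

  (umask 077 && openssl genrsa -out "$key" 4096) || return 1

  openssl req -new -config "$FQ_S_CNF" -key "$key" \
    -subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \
    -out "$csr" || return 1

  # CA Intermediate signs Server
  openssl x509 -req -days 365 -extfile "$FQ_S_CNF" -extensions v3_server \
    -CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial "${SERIAL}" \
    -in "$csr" -out "$cert" || return 1

  # Package the Certificates
  openssl pkcs12 -export -passout env:PKCS12_PASS -inkey "$key" \
    -name "Server ${UNIQ_ID} VPN Certificate" -certfile "ca_cert-chain_${UNIQ_ID_CA}.crts.pem" -caname "server_${UNIQ_ID}@acme.xyz" \
    -in "$cert" -out "server_${UNIQ_ID}.p12" || return 1

  # verify certificate (output to text file for review)
  openssl x509 -noout -text -in "$cert" > "server_${UNIQ_ID}.crt.info.txt"
}

#
# Generate a Client Certificate
# IN:  $1 - UNIQ_ID    (suffix for output files and the CN)
#      $2 - UNIQ_ID_CA (id of the signing intermediate)
#      $3 - SERIAL     (certificate serial number)
# Globals read: PKCS12_PASS (optional)
# Writes: client_<id>.keys.pem, .csr.pem, .crt.pem, .p12, .info.txt
# Returns non-zero as soon as an openssl step fails.
#
# NOTE(review): unlike generate_server, no -config/-extfile/-extensions is
# passed here, so the client certificate carries no v3 extensions
# (keyUsage / extendedKeyUsage). Confirm this is intended; otherwise add a
# client section to the openssl config and sign with -extensions like the
# server path does.
#
generate_client() {
  # params must be set before the banner, otherwise it prints a stale id
  UNIQ_ID=$1
  UNIQ_ID_CA=$2
  SERIAL=$3
  local key="client_${UNIQ_ID}.keys.pem"
  local csr="client_${UNIQ_ID}.csr.pem"
  local cert="client_${UNIQ_ID}.crt.pem"
  local -x PKCS12_PASS=${PKCS12_PASS:-password}

  echo_block "Generate Client Certificates (${UNIQ_ID})"

  (umask 077 && openssl genrsa -out "$key" 4096) || return 1

  openssl req -new -key "$key" \
    -subj "/C=OO/O=ACME/OU=ACME Standard/CN=client_${UNIQ_ID}" \
    -out "$csr" || return 1

  # CA Intermediate signs Client
  openssl x509 -req -days 365 \
    -CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial "${SERIAL}" \
    -in "$csr" -out "$cert" || return 1

  # Package the Certificates
  openssl pkcs12 -export -passout env:PKCS12_PASS -inkey "$key" \
    -name "Client ${UNIQ_ID} VPN Certificate" -certfile "ca_cert-chain_${UNIQ_ID_CA}.crts.pem" -caname "client_${UNIQ_ID}@acme.xyz" \
    -in "$cert" -out "client_${UNIQ_ID}.p12" || return 1

  # verify certificate (output to text file for review)
  openssl x509 -noout -text -in "$cert" > "client_${UNIQ_ID}.info.txt"
}

#
# give some info if someone tries to execute this
echo_block "this script file has only helper functions"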