#!/bin/bash

set -e

# === 0. Preguntar por el hostname real ===
read -rp "🖥️  Introduce el nombre DNS real del servidor (ej: opengnsys-server.local.es): " REAL_HOSTNAME

if [[ -z "$REAL_HOSTNAME" ]]; then
    echo "❌ El nombre del host no puede estar vacío"
    exit 1
fi

BASE_DIR="mtls-certs"
mkdir -p "$BASE_DIR/ca"

# === 1. Crear CA si no existe ===
if [ ! -f "$BASE_DIR/ca/ca.crt" ]; then 
    openssl genrsa -out "$BASE_DIR/ca/ca.key" 4096
    openssl req -x509 -new -nodes -key "$BASE_DIR/ca/ca.key" -sha256 -days 3650 \
        -out "$BASE_DIR/ca/ca.crt" \
        -subj "/C=ES/ST=Madrid/L=Madrid/O=Opengnsys/OU=CA/CN=opengnsys-ca"
fi 

# === 2. Servicios y puertos ===
declare -A services=(
    ["ogcore"]=8443
    ["ogrepo"]=8006
    ["ogboot"]=8081
    ["ogdhcp"]=8082
    ["ogagent"]=8000
)

# === 3. Crear certificados por servicio ===
for service in "${!services[@]}"; do
    port="${services[$service]}"
    echo "🔧 Generando certificado para $service (puerto $port)..."

    read -rp "🌐 Introduce la IP del servicio $service: " SERVICE_IP
    if [[ -z "$SERVICE_IP" ]]; then
        echo "❌ La IP no puede estar vacía"
        exit 1
    fi

    DIR="$BASE_DIR/$service"
    mkdir -p "$DIR"

    openssl genrsa -out "$DIR/$service.key" 2048

    openssl req -new -key "$DIR/$service.key" -out "$DIR/$service.csr" \
        -subj "/C=ES/ST=Madrid/L=Madrid/O=Opengnsys/OU=$service/CN=$service.local"

    # Archivo de extensión para SAN
    cat > "$DIR/$service.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = $service.local
DNS.2 = $REAL_HOSTNAME
IP.1 = $SERVICE_IP
EOF

    openssl x509 -req -in "$DIR/$service.csr" -CA "$BASE_DIR/ca/ca.crt" \
        -CAkey "$BASE_DIR/ca/ca.key" -CAcreateserial \
        -out "$DIR/$service.crt" -days 825 -sha256 -extfile "$DIR/$service.ext"

    rm "$DIR/$service.csr"
done

echo "✅ Certificados generados en ./$BASE_DIR con hostname real: $REAL_HOSTNAME"

# === 4. Crear certificado de cliente para navegador ===
CLIENT_DIR="$BASE_DIR/cliente"
mkdir -p "$CLIENT_DIR"

echo "🔐 Generando certificado de cliente para navegador..."

openssl genrsa -out "$CLIENT_DIR/cliente.key" 2048

openssl req -new -key "$CLIENT_DIR/cliente.key" \
    -subj "/C=ES/ST=Madrid/L=Madrid/O=Opengnsys/OU=clientes/CN=cliente-navegador" \
    -out "$CLIENT_DIR/cliente.csr"

cat > "$CLIENT_DIR/cliente.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF

openssl x509 -req -in "$CLIENT_DIR/cliente.csr" -CA "$BASE_DIR/ca/ca.crt" \
    -CAkey "$BASE_DIR/ca/ca.key" -CAcreateserial \
    -out "$CLIENT_DIR/cliente.crt" -days 825 -sha256 -extfile "$CLIENT_DIR/cliente.ext"

# Crear archivo .p12 para navegador
openssl pkcs12 -export \
    -inkey "$CLIENT_DIR/cliente.key" \
    -in "$CLIENT_DIR/cliente.crt" \
    -certfile "$BASE_DIR/ca/ca.crt" \
    -out "$CLIENT_DIR/cliente-navegador.p12" \
    -name "Certificado Cliente Navegador"

rm "$CLIENT_DIR/cliente.csr" "$CLIENT_DIR/cliente.ext"

echo "✅ Certificado de cliente para navegador creado en:"
echo "   $CLIENT_DIR/cliente-navegador.p12"