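#!/bin/bash
# Build a throwaway private CA under ./CA and issue one server certificate
# per host listed in main(). Any existing ./CA directory is destroyed first.
#
# Requires: openssl (1.1.1+ for `req -addext`) in PATH.
#
# Layout created under CA/ (relative to the working directory):
#   openssl.cnf            CA + request configuration written by this script
#   private/               0700; CA key and per-host keys (encrypted and plain)
#   certs/ csr/ newcerts/  issued certs, requests, `openssl ca` output copies
#   index.txt serial       `openssl ca` database and next serial number
#   ca-pass, <host>-pass   0600 passphrase files consumed via `-passin file:`
set -euo pipefail

#######################################
# Write a passphrase into a file that is never readable by others.
# The file is created under umask 077, so there is no window between
# creation and chmod where it could be read (the original did
# touch + chmod + echo).
# Arguments: $1 - path to write, $2 - passphrase
#######################################
write_pass_file() {
  local path=$1 pass=$2
  ( umask 077; printf '%s\n' "$pass" >"$path" )
}

#######################################
# Generate a key, CSR and CA-signed certificate for one hostname.
# Globals:   reads openssl.cnf in the current directory (must be CA/)
# Arguments: $1 - hostname (used as CN and DNS SAN)
#            $2 - passphrase for the host's private key
#            $3 - path to the file holding the CA key passphrase
# Outputs:   private/<host>.key.pem (encrypted), private/<host>.key.nopass.pem,
#            csr/<host>.csr.pem, certs/<host>.crt.pem, ./<host>-pass
# Returns:   aborts the script (set -e) if any openssl step fails
#######################################
gen_cert() {
  local item=$1 privkey_pass=$2 ca_pass_file=$3
  local pass_file="./$item-pass"
  local key_file="private/$item.key.pem"
  local key_nopass_file="private/$item.key.nopass.pem"
  local subj="/C=ES/ST=Madrid/L=Madrid/CN=$item"
  local addext="subjectAltName=DNS:$item"
  local csr="csr/$item.csr.pem"
  local cert_file="certs/$item.crt.pem"

  write_pass_file "$pass_file" "$privkey_pass"
  openssl genrsa -aes256 -out "$key_file" -passout file:"$pass_file" 2048
  # Unencrypted copy for services that cannot prompt for a passphrase.
  # It lives in private/ (0700); note that the passphrase file sits next
  # to the encrypted key anyway, so the encryption adds little on this host.
  openssl rsa -in "$key_file" -passin file:"$pass_file" \
    -out "$key_nopass_file" >/dev/null
  # The SAN is requested here and reaches the certificate because
  # openssl.cnf sets `copy_extensions = copy` (acceptable only because
  # every CSR signed by this CA is generated by this same script).
  openssl req -config openssl.cnf -key "$key_file" -passin file:"$pass_file" \
    -new -sha256 -subj "$subj" -addext "$addext" -out "$csr"
  # stderr is no longer discarded: a failed signing used to leave a missing
  # certificate behind silently; now it is visible and aborts the run.
  openssl ca -config openssl.cnf -batch -passin file:"$ca_pass_file" \
    -days 375 -notext -md sha256 -in "$csr" -out "$cert_file" >/dev/null
}

#######################################
# Create the CA directory, write openssl.cnf, generate the CA key/cert and
# issue the per-host certificates.
# Arguments: none
#######################################
main() {
  rm -rf -- CA
  mkdir CA
  cd CA

  # NOTE(review): the heredoc that originally opened openssl.cnf was lost in
  # extraction (only `cat >openssl.cnf <` and the appended literal block
  # survived). The surviving block references $dir, so the lost part must
  # have declared the CA section and `dir = …`; the reconstruction below uses
  # the stock openssl section names — confirm against the original before
  # relying on it.
  cat >openssl.cnf <<EOF
[ca]
default_ca = CA_default

[CA_default]
dir = $PWD
EOF
  # Literal block (no expansion): $dir is resolved by openssl, not the shell.
  cat >>openssl.cnf <<'EOF'
certs = $dir/certs
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
default_md = sha256
policy = policy_loose
copy_extensions = copy
private_key = $dir/private/ca.key.pem
certificate = $dir/certs/ca.crt.pem
[policy_loose]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
default_md = sha256
[req_distinguished_name]
countryName = Country Name (2 letter code)
EOF

  mkdir certs csr newcerts private
  chmod 0700 private
  touch index.txt
  printf '%s\n' 1000 >serial

  ## gen CA
  local ca_pass=CorrectHorseBatteryStapleCA
  local ca_pass_file=./ca-pass
  write_pass_file "$ca_pass_file" "$ca_pass"
  openssl genrsa -aes256 -out private/ca.key.pem -passout file:"$ca_pass_file" 4096
  # Deliberately left disabled: the CA key should not exist unencrypted.
  #openssl rsa -in private/ca.key.pem -passin file:"$ca_pass_file" -out private/ca.key.nopass.pem >/dev/null 2>&1
  openssl req -config openssl.cnf -key private/ca.key.pem -passin file:"$ca_pass_file" \
    -new -x509 -days 7300 -sha256 -subj '/C=ES/ST=Madrid/L=Madrid/CN=ca.mytld' \
    -out certs/ca.crt.pem

  ## all of these run on oglog
  gen_cert oglog-os.mytld CorrectHorseBatteryStapleOglogOS "$ca_pass_file"
  gen_cert oglog-osdb.mytld CorrectHorseBatteryStapleOglogOS "$ca_pass_file"
  gen_cert oglog-jrem.mytld CorrectHorseBatteryStapleOglogJRem "$ca_pass_file"
  gen_cert oglog-jb.mytld CorrectHorseBatteryStapleOglogJB "$ca_pass_file"
  gen_cert oglog-prom.mytld CorrectHorseBatteryStapleOglogProm "$ca_pass_file"
  gen_cert oglog-graf.mytld CorrectHorseBatteryStapleOglogGraf "$ca_pass_file"
  ## this could be ogcore, ogboot...
  gen_cert ogserver.mytld CorrectHorseBatteryStapleOgserver "$ca_pass_file"
  ## the agent's filebeat
  gen_cert ogagent-fb.mytld CorrectHorseBatteryStapleOgagentFB "$ca_pass_file"

  cd ..
}

main "$@"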