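#!/bin/bash
#
# Bootstrap a private CA under SSL_DIR and issue one web-server and one
# web-client certificate signed by it. Files written to SSL_DIR:
#   servercakey.pem       CA private key (passphrase-protected)
#   caroot.crt            self-signed CA certificate
#   webserver.key / .crt  server private key and CA-signed certificate
#   webclient.key / .crt  client private key and CA-signed certificate
#   webclient.p12         client key + certificate bundle (browser import)
#
# Must run as root (it writes under /usr/local). The openssl steps prompt
# interactively for subject fields and passphrases.
#
# Tunables (environment, all optional):
#   SSL_DIR    output directory                 (default /usr/local/ssl)
#   KEY_BITS   RSA modulus size in bits         (default 2048)
#   CERT_DAYS  validity of the issued certs     (default 3650)
#   DIGEST     signature digest for openssl x509 (default sha256)
# The old hard-coded 1024-bit keys and SHA-1 signatures are rejected by
# current TLS stacks, hence the new defaults.

set -euo pipefail

readonly ssl_dir=${SSL_DIR:-/usr/local/ssl}
readonly key_bits=${KEY_BITS:-2048}
readonly cert_days=${CERT_DAYS:-3650}
readonly digest=${DIGEST:-sha256}

#######################################
# Print an error to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf 'Error: %s\n' "$*" >&2
  exit 1
}

# Under set -e a failing openssl step aborts here; say which one.
trap 'printf "Error: step failed at line %s: %s\n" "$LINENO" "$BASH_COMMAND" >&2' ERR

(( EUID == 0 )) || die "this script must be run with sudo!"

if [[ ! -e "$ssl_dir" ]]; then
  printf 'Creating %s\n' "$ssl_dir"
  mkdir -- "$ssl_dir"
fi

[[ -d "$ssl_dir" ]] || die "$ssl_dir exists but is not a directory!!!"

# Refuse to silently overwrite an existing CA.
if [[ -n "$(find "$ssl_dir" -mindepth 1 -print -quit)" ]]; then
  printf 'Warning: directory %s is not empty!\n' "$ssl_dir"
  printf '%s' "Empty directory and start all over with new certificates? [n]/y?"
  read -r answer || answer=
  case "$answer" in
    y|Y) rm -rf -- "${ssl_dir:?}"/* ;;
    *)   exit 0 ;;
  esac
fi

# Private keys and the PKCS#12 bundle must not be world-readable; every
# file created from here on inherits 0600. Public certificates are
# re-opened at the end. If the web server runs unprivileged, chown
# webserver.key to its user afterwards.
umask 077

printf 'Generating CA root private key\n'
openssl genrsa -aes256 -out "$ssl_dir/servercakey.pem" "$key_bits"

printf 'Create CA public certificate\n'
openssl req -new -x509 -key "$ssl_dir/servercakey.pem" -out "$ssl_dir/caroot.crt"

printf 'Creating web server private key:\n'
openssl genrsa -out "$ssl_dir/webserver.key" "$key_bits"

printf 'Create web server certificate request\n'
openssl req -new -out "$ssl_dir/webserverrequest.txt" -key "$ssl_dir/webserver.key"

printf 'Sign web server certificate\n'
# -CAcreateserial writes caroot.srl on first use and reuses it afterwards,
# so the two issued certificates get distinct serial numbers.
openssl x509 -req -in "$ssl_dir/webserverrequest.txt" -days "$cert_days" \
  -"$digest" -CAcreateserial -CA "$ssl_dir/caroot.crt" \
  -CAkey "$ssl_dir/servercakey.pem" -out "$ssl_dir/webserver.crt"

printf 'Creating web client private key\n'
openssl genrsa -out "$ssl_dir/webclient.key" "$key_bits"

printf 'Creating web client certificate request\n'
openssl req -new -out "$ssl_dir/webclientrequest.txt" -key "$ssl_dir/webclient.key"

printf 'Sign web client certificate\n'
openssl x509 -req -in "$ssl_dir/webclientrequest.txt" -days "$cert_days" \
  -"$digest" -CAcreateserial -CA "$ssl_dir/caroot.crt" \
  -CAkey "$ssl_dir/servercakey.pem" -out "$ssl_dir/webclient.crt"

printf 'Creating web client PKCS12 file\n'
openssl pkcs12 -export -in "$ssl_dir/webclient.crt" \
  -inkey "$ssl_dir/webclient.key" -out "$ssl_dir/webclient.p12"

# Certificates carry no secrets; make them readable by the services that
# need to verify against the CA or present the server certificate.
chmod 0644 -- "$ssl_dir"/*.crt

printf 'Files on %s:\n' "$ssl_dir"
find "$ssl_dir" -type f -exec file {} +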