#!/bin/sh


#
#  Organisation-specific settings: edit these before running the script.
#
#  PASSWORD is the pass phrase for every key this script creates (root CA
#  and server key), so it sits in clear text in this file and in any
#  "$CATOP-<timestamp>.bak" copy of the CA directory that -newca makes.
#  DOMAIN is the realm from the AAI system (per the placeholder value);
#  it is embedded in every common name below.
#
COUNTRY="HR"
PROVINCE="grad"
CITY="grad"
ORGANIZATION="skraceni_naziv_institucije"
ORG_UNIT=""
DOMAIN="realm_iz_AAI_sustava"
PASSWORD="neki_password"
#####################################################

# Derived names: one common name and one pass phrase per key type.
# All three pass phrases are the same PASSWORD; give them distinct values
# here if the keys must not share a secret.  The *_CLIENT pair is defined
# but not used by any command arm in this file.
COMMON_NAME_ROOT="CA Root certificate ${DOMAIN}"
COMMON_NAME_SERVER="freeradius.${DOMAIN}"
COMMON_NAME_CLIENT="CA Root key ${DOMAIN}"

PASSWORD_ROOT=${PASSWORD}
PASSWORD_SERVER=${PASSWORD}
PASSWORD_CLIENT=${PASSWORD}

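#
# System settings
#

# Timestamp used to name the backup of a previous CA directory (-newca).
ts=$(date +'%s')

# SSL and OPENSSL may be preset in the caller's environment; otherwise
# fall back to the system OpenSSL.  SSL is exported for child processes
# only - nothing in this file reads it.
: "${SSL:=/usr}"
export SSL

: "${OPENSSL:=openssl}"

# Sub-commands of the openssl binary.  These are expanded unquoted at the
# call sites on purpose so that they word-split into "openssl req" etc.
REQ="$OPENSSL req"
CA="$OPENSSL ca"
VERIFY="$OPENSSL verify"       # defined, but no -verify arm exists below
X509="$OPENSSL x509"
LIFETIME=3650                  # days, passed as -days when self-signing the root

# CA directory layout (relative to the current directory).
CATOP=./fRcerts
CAKEY=cakey.pem                # root key, kept under $CATOP/private
CAREQ=careq.pem                # root certificate request
CACERT=cacert                  # basename; .pem and .der copies are produced

# Server key / request / certificate file names in the same layout.
SKEY=server-key.pem
SREQ=server-req.pem
SCERT=server-cert              # basename; .pem is produced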

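#
# Command handling.
#
# Each command arm stores its exit status in RET so the final "exit $RET"
# reports the first failed step of the last command, not merely the status
# of the very last openssl invocation.
#
# The usage text advertises -verify, but no arm implements it; such an
# argument falls into the "*)" arm and exits 1.
#

# Print the usage line to stderr and exit 0 (same text and status as before).
usage() {
    echo "usage: cert-admin -newca|-newserver|-verify" >&2
    exit 0
}

# Answers for the interactive "openssl req" prompts, one per line, in the
# order the original script fed them: C, ST, L, O, OU, CN, an empty line,
# the challenge password, an empty line.  An empty answer leaves that
# prompt to the openssl config's default, which is how ORG_UNIT="" behaved
# originally - so the order must stay in step with the config in use
# (NOTE(review): that config is not visible here; confirm against openssl.cnf).
#   $1 - common name to put in the request
#   $2 - challenge password for the request
subject_answers() {
    printf '%s\n' "$COUNTRY" "$PROVINCE" "$CITY" "$ORGANIZATION" \
        "$ORG_UNIT" "$1" "" "$2" ""
}

# -newca: move any previous CA directory aside, then build a fresh CA:
# directory layout, root key + request, self-signed root certificate (PEM)
# and a DER copy of it.
# Returns: 0 on success, otherwise the status of the first step that failed.
new_ca() {
    NEW="1"
    # The .bak copy still holds the previous private key; it keeps the
    # permissions of the old directory, so clean it up deliberately.
    if [ -e "$CATOP" ]; then
        mv -f "$CATOP" "$CATOP-$ts.bak" || return $?
    fi

    mkdir -p "$CATOP/certs" "$CATOP/crl" "$CATOP/newcerts" "$CATOP/private" \
        || return $?
    # Only the CA operator should be able to read the private key directory.
    chmod 700 "$CATOP/private" || return $?
    echo "00" > "$CATOP/serial"
    touch "$CATOP/index.txt"

    echo ""
    echo ">>> Creating CA root key and request"
    echo ""

    # Pass phrases are handed to openssl through the environment (env:VAR)
    # instead of pass:VALUE on the command line, so they do not appear in
    # "ps" output or shell traces.
    export PASSWORD_ROOT
    # $REQ is deliberately unquoted: it is "$OPENSSL req" and must word-split.
    # NOTE(review): this step does not pass -config openssl.cnf while the
    # "ca" step below does; it therefore uses whatever config openssl
    # finds on its own.  Kept as in the original.
    subject_answers "$COMMON_NAME_ROOT" "$PASSWORD_ROOT" \
        | $REQ -passout env:PASSWORD_ROOT \
               -new \
               -keyout "$CATOP/private/$CAKEY" \
               -out "$CATOP/$CAREQ" \
        || return $?

    echo ""
    echo ""
    echo ">>> Self sign request and include certificate"
    echo ""

    # -passin env: replaces both "-key <password>" and "-passin pass:<password>"
    # from the original argv (with both given, openssl used -key; the value
    # was identical).  With -batch and -passin there should be nothing left
    # to prompt for, so stdin is /dev/null: an unexpected prompt fails fast
    # instead of hanging when run unattended.
    $CA -config openssl.cnf \
        -out "$CATOP/$CACERT.pem" \
        -passin env:PASSWORD_ROOT \
        -days "$LIFETIME" \
        -batch \
        -keyfile "$CATOP/private/$CAKEY" \
        -selfsign \
        -extensions v3_ca \
        -policy policy_anything \
        -infiles "$CATOP/$CAREQ" </dev/null \
        || return $?

    echo ""
    echo ""
    echo ">>> Self sign CA root certificate DER format create"
    echo ""

    $X509 -in "$CATOP/$CACERT.pem" -out "$CATOP/$CACERT.der" -outform DER
}

# -newserver: create the server key and request, then sign the request
# with the CA.  Requires the CA key produced by -newca.
# Returns: 1 (with a message on stderr) when the CA key is missing,
#          otherwise the status of the first step that failed, 0 on success.
new_server() {
    if [ ! -f "$CATOP/private/$CAKEY" ]; then
        echo "No CA key at $CATOP/private/$CAKEY - run: cert-admin -newca" >&2
        return 1
    fi

    echo ""
    echo ">>> Create server key and request for certificate"
    echo ""

    export PASSWORD_SERVER PASSWORD_ROOT
    # -days is only meaningful together with -x509, so it does not affect
    # the request produced here; kept from the original.  The server
    # certificate's lifetime comes from the "ca" step / openssl.cnf.
    subject_answers "$COMMON_NAME_SERVER" "$PASSWORD_SERVER" \
        | $REQ -passout env:PASSWORD_SERVER \
               -new \
               -keyout "$CATOP/private/$SKEY" \
               -out "$CATOP/$SREQ" \
               -days "$LIFETIME" \
        || return $?

    echo ""
    echo ">>> Sign server certificate"
    echo ""

    $CA -config openssl.cnf \
        -out "$CATOP/$SCERT.pem" \
        -passin env:PASSWORD_ROOT \
        -batch \
        -extensions xpserver_ext \
        -extfile xpextensions \
        -policy policy_anything \
        -infiles "$CATOP/$SREQ" </dev/null
}

# Exit status of the last command arm; 0 when no command ran.
RET=0
for i
do
    case $i in
    -\?|-h|-help)
        usage
        ;;
    -newca)
        new_ca
        RET=$?
        ;;
    -newserver)
        new_server
        RET=$?
        ;;
    *)
        echo "Unknown arg $i" >&2
        echo "use: cert-admin -h" >&2
        exit 1
        ;;
    esac
done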
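# RET is only assigned inside the -newca / -newserver arms.  With no
# arguments it is unset and a bare "exit" would report the status of
# whatever command ran last; make the default status explicit instead.
exit "${RET:-0}"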
