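#!/usr/bin/env bash
# cert.command
# By Chris Pepper, 2006-2008
#
# Usage:   cert.command name | cert.command
# Example: cert.command www.reppep.com.20071108
#
# Generates an RSA key and CSR under $CERTDIR, named after the argument (or
# the name read from the terminal when no argument is given), signs the CSR
# with the local CA, and appends the CA certificate to the signed cert so the
# CA cert can be installed alongside it.
#
# The script uses [[ ]] and other bash features, so it runs under bash rather
# than /bin/sh; strict mode is set here instead of on the shebang line so it
# survives being invoked as "bash cert.command".
set -euo pipefail

# CA host (if network accessible -- not necessarily a good idea)
CAHOST=ca.reppep.com
# CA path
CAPATH=/Volumes/ca.reppep.com
# CA certificate
CACERT=$CAPATH/ca.reppep.com.20070616.crt
# Cert repository:
CERTDIR=$CAPATH/certs
# RSA modulus size. genrsa's default depends on the OpenSSL version, so pin
# it rather than inherit whatever the installed release picks.
KEYBITS=2048

#######################################
# Print an error to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf '%s: ERROR: %s\n' "$0" "$*" >&2
  exit 1
}

#######################################
# Reject a certificate name that would produce files outside $CERTDIR or
# hidden files inside it. The name is joined onto $CERTDIR with a slash,
# so "../x" or "a/b" would otherwise escape the repository.
# Arguments: $1 - candidate certificate name
# Returns:   0 if acceptable; exits via die otherwise
#######################################
validate_name() {
  local name=$1
  [[ -n "$name" ]] || die "certificate name must not be empty"
  [[ "$name" != */* ]] || die "certificate name must not contain '/'"
  [[ "$name" != .* ]] || die "certificate name must not start with '.'"
}

#######################################
# Create key + CSR, sign with the CA, and bundle the CA cert onto the result.
# Globals:   CACERT, CERTDIR, KEYBITS (read)
# Arguments: $1 - certificate name (optional; prompted for when absent)
# Outputs:   progress and the resulting file listing on stdout
#######################################
main() {
  local name
  if (( $# == 0 )); then
    # printf instead of "echo -n": -n is not portable across sh/bash builds.
    printf 'Please enter the new certificate name (e.g., www.rockefeller.edu.20071108): '
    IFS= read -r name
  else
    name=$1
  fi
  validate_name "$name"

  local cert=$CERTDIR/$name

  [[ -r "$CACERT" ]] || die "root cert ($CACERT) not readable"
  [[ -d "$CERTDIR" ]] || die "cert repository ($CERTDIR) is not a directory"
  # Never silently replace an existing private key.
  if [[ -e "$cert.key" ]]; then
    die "$cert.key already exists; refusing to overwrite"
  fi

  # Create the key with restrictive permissions from the start. Creating it
  # with the default umask and chmod'ing afterwards leaves a window in which
  # the key is readable by others; the umask applies only inside the subshell.
  (umask 077 && openssl genrsa -out "$cert.key" "$KEYBITS")
  openssl req -new -key "$cert.key" -out "$cert.csr"
  # Keep any pre-existing keys in the repository protected as well.
  chmod go-rwx -- "$CERTDIR"/*.key

  # Sign it!
  openssl ca -in "$cert.csr" -out "$cert.crt"

  # Append CA cert to the new signed cert, to facilitate installation of the
  # CA cert. Two blank lines separate the PEM blocks, as before.
  { printf '\n\n'; cat -- "$CACERT"; } >> "$cert.crt"

  printf 'Your files are in %s:\n' "$CERTDIR"
  # List exactly the files just produced rather than the three newest
  # entries of a parsed "ls -lt", which could pick up unrelated files.
  ls -l -- "$cert.key" "$cert.csr" "$cert.crt"

  # Think carefully before enabling the section below. For a medium to high
  # security CA, the files should not be on a network accessible computer.
  # If you are running a low-security CA, however, the lines below can make
  # usage more convenient. It is conditional on CAHOST being non-blank, and
  # uses $cert, which already includes $CERTDIR.
  #
  # if [[ -n "$CAHOST" ]]; then
  #   printf '\nTo download the cert, first cd to a safe place on your workstation. Then fetch the cert, key, & CSR from %s:\n' "$CAHOST"
  #   printf 'scp root@%s:%s.crt root@%s:%s.key root@%s:%s.csr ./\n' \
  #     "$CAHOST" "$cert" "$CAHOST" "$cert" "$CAHOST" "$cert"
  # fi
}

main "$@"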