#!/bin/sh
# $Id$
# helper script for creating ssl certificates

if [ $# -lt 3 ]; then
    echo "usage: $0 <pkg name> <num installed> <service> <bundle> <group>" 1>&2
    exit 1
fi

pkg=$1		# name of the package
num=$2		# number of packages installed
srv=$3		# name of the service
bundle=$4	# bundle mode
group=$5	# group with read access on key

if [ $num = 1 ]; then
    # default values
    host=$(hostname)
    KEY_LENGTH=1024
    CERT_DAYS=365
    EMAIL_ADDRESS=root@$host
    COMMON_NAME=$host
    ORGANISATIONAL_UNIT_NAME="default $srv cert for $host"

    # source configuration
    if [ -f /etc/sysconfig/ssl ]; then
	. /etc/sysconfig/ssl
    fi

    conffile=/tmp/$$
    keyfile=/etc/pki/tls/private/$pkg.pem
    if [ "$bundle" == true ]; then
	certfile=$keyfile
    else
	certfile=/etc/pki/tls/certs/$pkg.pem
    fi

    # create a temporary configuration file
    cat > $conffile <<EOF
default_bits            = $KEY_LENGTH
encrypt_key             = no
prompt                  = no
distinguished_name      = req_dn
req_extensions          = req_ext

[ req_dn ] 
commonName              = $COMMON_NAME
organizationalUnitName  = $ORGANISATIONAL_UNIT_NAME
emailAddress            = $EMAIL_ADDRESS

[ req_ext ]
basicConstraints        = CA:FALSE
EOF
    
    # generate certificates
    openssl req -new -x509 -days $CERT_DAYS \
        -config $conffile \
        -keyout $keyfile \
        -out $certfile >/dev/null 2>&1

    # enforce strict perms on key
    if [ -n "$group" ]; then
	chmod 640 $keyfile
	chgrp $group $keyfile
    else
	chmod 600 $keyfile
    fi
fi
