local-cert

#!/bin/bash

source $(dirname "${BASH_SOURCE[0]}")/.abash/abash.sh

NAME=$(arg name local)
ORG=$(arg org $NAME)
CERT_NAME=$(arg cert-name $NAME)

if [ -e $CERT_NAME.key -a -e $CERT_NAME.cer ]; then
  warn "Key and certificate already exist ($CERT_NAME)"
  exit 1
fi

if [ -e $NAME-ca.key -a -e $NAME-ca.cer ]; then
  warn 'Reusing existing CA key and certificate'
else
  inform 'Creating CA key and certificate'

  CA_CONFIG_FILE="
    [req]
    prompt = no
    distinguished_name = dn
    x509_extensions = v3_ca

    [dn]
    O = $ORG
    CN = $ORG CA

    [v3_ca]
    basicConstraints = critical,CA:TRUE
  "

  openssl req -new -x509 \
    -days 3650 \
    -newkey ec -nodes \
    -pkeyopt ec_paramgen_curve:secp384r1 \
    -keyout $NAME-ca.key \
    -out $NAME-ca.cer \
    -config <( echo -e "$CA_CONFIG_FILE" )
fi

inform "Creating key and certificate ($CERT_NAME)"

CERT_CONFIG_FILE="
  [req]
  prompt = no
  req_extensions = san
  x509_extensions = san
  distinguished_name = dn

  [dn]
  O = $ORG
  CN = $ORG

  [san]
  subjectAltName = @alt_names

  [alt_names]
"

DNS=1

IFS=,

add_dns_to_cert_config() {
  echo "$1"
  CERT_CONFIG_FILE+="  DNS.$DNS = $1"$'\n'
  let DNS+=1
}

for ALT_NAME in $(arg fqdn:D); do
  add_dns_to_cert_config $ALT_NAME
done

for ALT_NAME in $(arg domains); do
  [[ "$ALT_NAME" != *.* ]] && ALT_NAME+=".$NAME"
  add_dns_to_cert_config $ALT_NAME
done

openssl req \
  -newkey ec -nodes \
  -pkeyopt ec_paramgen_curve:secp384r1 \
  -keyout $CERT_NAME.key \
  -out $CERT_NAME.csr \
  -config <( echo -e "$CERT_CONFIG_FILE" )

openssl x509 -req \
  -days 3650 \
  -CA $NAME-ca.cer \
  -CAkey $NAME-ca.key \
  -CAcreateserial \
  -in $CERT_NAME.csr \
  -out $CERT_NAME.cer \
  -extensions san \
  -extfile <( echo -e "$CERT_CONFIG_FILE" )

inform 'Creating bundle'

cat $CERT_NAME.cer > $CERT_NAME-bundle.cer
cat $NAME-ca.cer >> $CERT_NAME-bundle.cer