#!/bin/sh

#
# This is a self-documenting shell script.  It is intended that you read
#  this file before executing it.
#
# This script should be run in /etc/httpd/conf/ssl.archive/<DOMAIN>/<YEAR>,
#  so that we can keep an archival copy of all certificates, and related
#  files.
# Once finished, the certificate should be placed in /etc/httpd/conf/ssl.crt,
#  and the private key (unencrypted) should be in /etc/httpd/conf/ssl.key
#
# All of the files in /etc/httpd/conf/ssl.* should be mode 0400, and owned
#  by root.  Apache will read them as root, before it drops root permissions.
# The original keys should also be mode 0400 and owned by root.
#

# Make a locally built OpenSSL (if any) visible after the system tools.
PATH="${PATH}:/usr/local/ssl/bin"

#
# Give the domain name as the first argument to this script.
#
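DOMAIN=$1
if [ -z "$DOMAIN" ]; then
	# Diagnostics go to stderr so they are not mistaken for script output.
	echo "No domain given" >&2
	echo "Use: generate_ssl_cert <domain_name> [<organization>] [<email>] [<savepath>]" >&2
	exit 1
fi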

#
# If you wish to have an organization's name attached to this certificate,
#  then it should be the second argument to this script.
# Because SSL does not require this field, no default is given.  However,
#  Thawte may require an organization's name to be attached to a certificate,
#  so this script SHOULD be called as:
#  ./Generate_SSL_Certificate <domain_name> "<organization>"
#
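ORG=$2
if [ -z "$ORG" ]; then
	# A lone "." is what the openssl(1) req prompts accept to leave a field blank.
	ORG="."
	echo "No organization name given, using \".\""
fi
EMAIL=$3
if [ -z "$EMAIL" ]; then
	# $(...) instead of backticks: nests cleanly and is easier to read.
	EMAIL="$(whoami)@$(hostname)"
	echo "No email address given, using ${EMAIL}"
fi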

#
# Path in which to store the cert-related files.
#
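SAVEPATH=$4
if [ -z "$SAVEPATH" ]; then
	SAVEPATH="."
elif [ ! -d "$SAVEPATH" ]; then
	# Closing bracket was mistyped as "[" in the original, so this branch
	#  always failed with a test(1) error instead of the intended message.
	echo "$SAVEPATH isn't a directory!" >&2
	exit 1
fi
# Set umask here so that these files are readable only by the user that
#  created them (owner rw, nothing for group/other).
umask 077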

#
# Start by generating a private key for the domain
#
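# RSA key size in bits.  1024-bit RSA has been deprecated since 2013 and is
#  rejected by current browsers, so default to 2048; set KEYBITS in the
#  environment (e.g. KEYBITS=4096) to override.
KEYBITS=${KEYBITS:-2048}
# Paths are quoted so a DOMAIN or SAVEPATH containing spaces cannot split the
#  command.  A failed run leaves no partial key file behind.
openssl genrsa "$KEYBITS" > "$SAVEPATH/${DOMAIN}.key" || {
	rm -f -- "$SAVEPATH/${DOMAIN}.key"
	exit 1
}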

#
# The next step in generating a certificate is to generate a CSR, or
#  certificate request.  This can be given to a known certificate
#  authority to sign.
#
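# The here-document answers the interactive prompts positionally (country,
#  state, locality, organization, organizational unit, common name, email,
#  then the two optional "extra" attributes), so the order must match the
#  prompt order of the openssl.cnf in use.  A lone "." leaves a field blank.
# NOTE: only the CN is populated.  Modern clients also require a
#  subjectAltName extension, which needs an extension section supplied via
#  -config/-reqexts; add that if this certificate must be trusted by them.
openssl req -new -key "$SAVEPATH/${DOMAIN}.key" -out "$SAVEPATH/${DOMAIN}.csr" <<EOF || exit 1
US
Washington
Seattle
${ORG}
.
*.$DOMAIN
$EMAIL


EOF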

#
# Finally, use the CSR (certificate request) and our own private key to
#  create a "self signed" certificate.  This certificate can be used
#  until a certificate signed by a known authority (e.g. Thawte) is
#  available.
#
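# Signing the CSR with its own key (-signkey) produces a self-signed
#  certificate, valid for ten years.  A fixed serial is acceptable because
#  this key only ever issues this one certificate.
openssl x509 -req -signkey "$SAVEPATH/${DOMAIN}.key" -days 3650 \
	-set_serial 01 \
	-in "$SAVEPATH/${DOMAIN}.csr" -out "$SAVEPATH/${DOMAIN}.crt" || exit 1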

# Ok, now for good measure we should make a pem file
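# The .pem bundles the private key with the certificate, so it is exactly as
#  sensitive as the .key file and needs the same 0400/root-owned handling.
cat "$SAVEPATH/${DOMAIN}.key" "$SAVEPATH/${DOMAIN}.crt" > "$SAVEPATH/${DOMAIN}.pem" || exit 1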






# Make a file that can be used by OSX to get rid of annoying messages about
#  self-signed certs.
#   http://www.macosxhints.com/article.php?story=20031023144031331
#
#  Grab certificate_name.der from the server, and then execute:
#  
#   % sudo cp /System/Library/Keychains/X509Anchors ~/Library/Keychains/X509Anchors
#   % cd ~/Library/Keychains
#   % certtool i certificate_name.der k=X509Anchors d
#  
#  Replace file names as necessary. The files should add with this message:
#  ...certificate successfully imported. Now, you need to copy the
#  X509Anchors back:
#  
#   % sudo cp ~/Library/Keychains/X509Anchors /System/Library/Keychains/
#
#  also maybe just try sudo certtool i certificate_name.crt v k=/System/Library/Keychains/x509Anchors
#
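# DER copy of the certificate only (no private key), for import into client
#  keychains.
openssl x509 -in "$SAVEPATH/${DOMAIN}.crt" -inform pem \
            -out "$SAVEPATH/${DOMAIN}.der" -outform der || exit 1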

#
# You can also just import the crt directly:
#
#   http://docs.info.apple.com/article.html?artnum=25593
#
#
# We should now have the following files:
#  DOMAIN.key			The unencrypted private key used by apache
#  DOMAIN.csr			The certificate request used by Thawte
#  DOMAIN.crt			The certificate that we signed
#
