#! /bin/sh
#*******************************************************************************
# Copyright 1991-2004 by ADIC, Inc.  All rights reserved.
# No part of this work may be reproduced or transmitted in any
# form or by any means, electronic or mechanical, including
# photocopying and recording, or by any information storage
# or retrieval system, except as may be expressly permitted by
# the 17 U.S.C. section 101, et. seq., or in writing by
# ADIC, Inc.
#*******************************************************************************
#
# Create an SSL key and certificate in PEM format. Works with Apache 1.3.29 +
# Apache-SSL patch 1.55. Allows the certificate and key to contain the below
# descriptive information. Places the certificate and key in $OPENSSL_HOME/certs
# and $OPENSSL_HOME/private respectively. Increments the CA serial number when
# creating a new key. Customized for busybox linux 'ash'.
#*******************************************************************************
#  $Log: src/bin/mkkey  $
#  Revision 1.5 2005/01/05 10:05:21MST astoner 
#  add capability to pass in serial number
#  Revision 1.4 2004/11/11 09:07:26MST astoner 
#  add LD_LIBRARY_PATH for shared openssl
#  Revision 1.3 2004/11/10 12:12:21MST astoner 
#  misc
#  Revision 1.2 2004/11/10 12:07:50MST astoner 
#  misc changes
#  Revision 1.1 2004/11/08 13:57:59MST astoner 
#  Initial revision
#  Member added to project e:/mks/projects/predatorssl/predatorssl.pj
#
#*******************************************************************************

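if [ ${#} -ne 9 ] ; then
  echo "${0} <SSL HOME> <country> <city> <state> <host name> <email> <company> <org. unit> <serial number>" >&2
  exit 1
fi
OPENSSL_HOME="${1}"
export OPENSSL_CONF="${OPENSSL_HOME}/openssl.cnf"
# Append the bundled lib dir to the loader path, preserving anything already
# set. The ${VAR:+...} form avoids a leading ':' when LD_LIBRARY_PATH is
# empty: an empty list element means "current directory" to the dynamic
# loader, which would let a stray libssl in the cwd be picked up.
export LD_LIBRARY_PATH="${LD_LIBRARY_PATH:+${LD_LIBRARY_PATH}:}${OPENSSL_HOME}/lib"
COUNTRY="${2}"
CITY="${3}"
STATE="${4}"
HOST="${5}"
EMAIL="${6}"
COMPANY="${7}"
ORG_UNIT="${8}"
SERIAL_NUMBER="${9}"

# openssl binary shipped under the SSL home.
OPENSSL="${OPENSSL_HOME}/bin/openssl"

# RSA modulus size in bits. 1024 is the historical default of this script and
# is weak by current standards; callers may override via MKKEY_BITS
# (e.g. 2048) when the consuming Apache/openssl build accepts it.
KEY_BITS="${MKKEY_BITS:-1024}"

#
# SSLCertificateKeyFile
#

SERVER_RSA_SECRET="library_private.pem"

#
# ADIC CA file names
#

ADIC_CA_CERT="ADIC_CA.pem"
ADIC_CA_KEY="ADIC_KEY.pem"

#
# SSLCertificateFile
#

SERVER_SIGNED_CERT="library_signed_cert.pem"
SERVER_CERT="library_unsigned_cert.pem"


KEY_HOME="${OPENSSL_HOME}/private"
CERT_HOME="${OPENSSL_HOME}/certs"
SERIAL_HOME="${OPENSSL_HOME}/serial"
SERIAL_FILE="${OPENSSL_HOME}/serial/certSerial"

# Print an error to stderr and abort. Every openssl step below is checked so a
# failed step never leaves a half-built key/cert pair behind unnoticed.
die() {
  echo "Error: ${1}" >&2
  exit 1
}

[ -x "${OPENSSL}" ] || die "${OPENSSL} not found or not executable"

for dir in "${KEY_HOME}" "${CERT_HOME}" "${SERIAL_HOME}" ; do
  if [ ! -d "${dir}" ] ; then
    mkdir -p "${dir}" || die "cannot create ${dir}"
  fi
done

# Check the CA material before touching the serial file so an early abort
# leaves the serial state untouched.
if [ ! -f "${CERT_HOME}/${ADIC_CA_CERT}" ] || [ ! -f "${KEY_HOME}/${ADIC_CA_KEY}" ] ; then
  die "must create certs/private using mkca"
fi

# The caller-supplied serial seeds the CA serial file; 'x509 -CAserial' below
# reads it for this certificate and writes back the incremented value.
echo "${SERIAL_NUMBER}" > "${SERIAL_FILE}" || die "cannot create ${SERIAL_FILE}"

#
# Create a private server key. The subshell umask guarantees the key file is
# never created world-readable, even for the instant before the chmod below,
# and does not leak to the certificate files created afterwards. '-rand ${0}'
# (seeding from this script file) is kept for the old openssl this targets;
# it contributes little entropy.
#
(
  umask 077
  "${OPENSSL}" genrsa -rand "${0}" -out "${KEY_HOME}/${SERVER_RSA_SECRET}" "${KEY_BITS}"
) || die "key generation failed"

chmod 400 "${KEY_HOME}/${SERVER_RSA_SECRET}" \
  || die "cannot set permissions on ${KEY_HOME}/${SERVER_RSA_SECRET}"

#
# Build the certificate request. The here-document answers the interactive
# prompts in the order configured by openssl.cnf (C, ST, L, O, OU, CN, email);
# the two trailing blank lines accept the defaults for the extra request
# attributes — NOTE(review): depends on the prompt order in that openssl.cnf.
#
if ! "${OPENSSL}" req -new -key "${KEY_HOME}/${SERVER_RSA_SECRET}"  \
           -out "${CERT_HOME}/${SERVER_CERT}" <<EOF
${COUNTRY}
${STATE}
${CITY}
${COMPANY}
${ORG_UNIT}
${HOST}
${EMAIL}


EOF
then
  die "certificate request failed"
fi

#
# Sign certificate with our CA key/cert (7300 days, about 20 years).
# NOTE(review): the CA key passphrase is a fixed literal on the command line
# and is visible to any local user through the process list; openssl also
# accepts -passin file:<path> or env:<var>. Left unchanged here because the
# CA key written by mkca is presumably encrypted with it — change both in step.
#
"${OPENSSL}" x509 -req -passin pass:password -days 7300 -in "${CERT_HOME}/${SERVER_CERT}" \
    -CA "${CERT_HOME}/${ADIC_CA_CERT}" -CAkey "${KEY_HOME}/${ADIC_CA_KEY}" \
    -CAserial "${SERIAL_FILE}" -out "${CERT_HOME}/${SERVER_SIGNED_CERT}" \
  || die "signing ${SERVER_CERT} with ${ADIC_CA_CERT} failed"


#
# Don't need the unsigned library cert (the request), so remove
#

rm -f -- "${CERT_HOME}/${SERVER_CERT}"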

#
# Apache httpsd.conf entries:
#
#SSLCertificateFile: <path>/library_signed_cert.pem
#SSLCertificateKeyFile: <path>/library_private.pem

