#!/bin/sh

# Generate a Terena eScience Server CA compliant CSR.

if [ $# -lt 1 ]; then
    echo "Usage: $0 hostname [ hostname ... ]" >&2
    exit 1
fi

generatedcsrs=

until [ $# -eq 0 ]; do

    # hostname to use in the request
    hostname=$1
    shift
    
    # generate each request in its own subdirectory
    if [ ! -d "$hostname" ]; then
	mkdir "$hostname"
    fi
    
    # be mindful of existing files; reuse the newkey.pem file if it
    # exists, otherwise openssl will generate it.
    key="$hostname/newkey.pem"
    if [ -r "$key" ]; then
	# reuse it
	usekey="-key $key"
    else
	# let openssl generate it
	usekey=""
    fi

    # don't overwrite existing requests
    csr="$hostname/newrequest.csr"
    if [ -f "$csr" ]; then
	echo "ERROR: $csr already exists, not generating a new request" >&2
	continue
    fi

    # at this point, we're definitely going to create a new request
    # we need to generate an openssl cnf file specific to the request.
    
    cat > "$hostname/newrequest.cnf" <<EOF
[ req ]
default_bits            = 2048
default_keyfile         = $hostname/newkey.pem
distinguished_name      = req_distinguished_name
req_extensions          = v3_ext
prompt                  = no

[ req_distinguished_name ]
 0.C = NL
 1.O = Stichting FOM
 2.OU = Nikhef
 CN = $hostname

[ v3_ext ]

 subjectAltName = DNS:$hostname

EOF

    openssl req -nodes -new -out "$csr" -text $usekey -config "$hostname/newrequest.cnf"
    if [ $? -eq 0 ]; then
	generatedcsrs="$generatedcsrs
$csr"
    else
	echo "ERR: openssl req failed." >&2
	echo "Failed command: 'openssl req -nodes -new -out $csr -text $usekey -config $hostname/newrequest.cnf'"
	continue
    fi
	
done


echo "Done. Generated CSRs:$generatedcsrs"