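#! /bin/bash
# @(#)(CAcert) $Id$
# make-webdb-csr - create new csr for webdb server, and optionally a new key
#
# Writes a throw-away openssl request config, then either
#   - creates a CSR from the existing private key in ${KEY}, or
#   - creates a fresh 4096-bit RSA key in ${KEY} plus a CSR for it.
# The key is written unencrypted (-nodes) so Apache/Postfix can start
# without a passphrase; umask 077 keeps it readable by the owner only.
# Any failing step aborts the script (set -e) so the user is never told to
# mail a CSR that was not actually produced.

set -eu

DIR=/home/cacert/etc/ssl
KEY=${DIR}/private/cacert.key
CSR=${DIR}/private/cacert.csr
CRT=${DIR}/certs/cacert.crt
OPENSSL=/usr/bin/openssl

# Everything created below (key, csr, config) must be owner-only.
umask 077

# mktemp gives an unpredictable name and creates the file atomically with
# mode 0600; a fixed /tmp/openssl.cnf.$$ could be pre-created or symlinked
# by another local user before we write to it.
CNF=$(mktemp /tmp/openssl.cnf.XXXXXX) || { printf 'mktemp failed\n' >&2; exit 1; }
trap 'rm -f -- "${CNF}"' 0 1 2 3 15

mkdir -p -- "${DIR}" "${DIR}/private" "${DIR}/certs"

printf '#1. Creating openssl config file in %s\n\n' "${CNF}"
# Quoted delimiter: the config is literal, nothing inside needs expansion.
cat >"${CNF}" <<'EOF'
[ req ]
distinguished_name	= req_distinguished_name
prompt			= no
req_extensions		= v3_req

[ req_distinguished_name ]
countryName		= AU
stateOrProvinceName	= NSW
localityName		= Sydney
0.organizationName	= CAcert Inc.
commonName		= www.cacert.org
emailAddress		= support@cacert.org

[ v3_req ]
basicConstraints	= critical, CA:FALSE
keyUsage		= digitalSignature, keyEncipherment
extendedKeyUsage	= clientAuth, serverAuth
subjectAltName		= DNS:www.cacert.org, DNS:secure.cacert.org, DNS:wwwmail.cacert.org, DNS:cacert.org, DNS:www.cacert.net, DNS:cacert.net, DNS:www.cacert.com, DNS:cacert.com
EOF

if [ -f "${KEY}" ]; then
  # Reuse the existing key: only the request is (re)generated.
  printf '#2. Creating csr in %s,\n        from key in %s\n\n' "${CSR}" "${KEY}"
  "${OPENSSL}" req -config "${CNF}" -new -key "${KEY}" -out "${CSR}"
else
  # No key yet: generate key and request together. -nodes leaves the key
  # unencrypted on purpose (server daemons must read it unattended).
  printf '#2. Creating csr in %s,\n         and key in %s\n\n' "${CSR}" "${KEY}"
  "${OPENSSL}" req -config "${CNF}" -nodes -newkey rsa:4096 \
    -keyout "${KEY}" -out "${CSR}"
fi

printf '#3. Displaying content of csr in %s\n\n' "${CSR}"
# -verify checks the request's self-signature, so a CSR that does not match
# the key is caught here rather than by the certificate manager.
"${OPENSSL}" req -in "${CSR}" -noout -verify -text

printf '\n#4. Please mail %s to the CAcert Certificate Manager, see\n' "${CSR}"
printf '    https://wiki.cacert.org/SystemAdministration/Procedures/CertificateIssuing\n\n'

printf '\n#5. After receiving the certificate back, please store it in\n'
printf '    %s,\n' "${CRT}"
printf '    then restart the Apache2 server with /etc/init.d/apache2 restart\n'
printf '    and restart the Postfix server with /etc/init.d/postfix restart\n'

exit 0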