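#!/bin/sh
#
# /usr/local/sbin/localmksslcerts
# Copyright 2001-2002 Jonas Smedegaard
#
# $Id: localmksslcerts,v 1.8 2003-01-04 02:24:43 jonas Exp $
#
# Generate self-signed certificates for mail (and other) servers.
# Based on uw-imapd-ssl post-install script.
#
# For every daemon named on the command line a fresh key and a
# self-signed X.509 certificate are written, together, to
# /etc/ssl/certs/<daemon>.pem (owner root, mode 0640), and that file is
# linked as <subjecthash>.<n> so OpenSSL-based clients can look it up.
#
# Security notes:
#   * The private key is stored UNENCRYPTED (-nodes) in the same file as
#     the certificate, inside the world-readable /etc/ssl/certs directory.
#     The file mode is all that protects it: do not relax 0640, and do
#     not copy <daemon>.pem anywhere a certificate-only file is expected.
#   * umask is set to 077 before openssl runs, so the key is never
#     world-readable, not even between creation and the final chmod.
#   * Every daemon is given the same subject (same fqdn/org/ou), so the
#     subject-hash links collide.  They are numbered .0, .1, ... in the
#     c_rehash convention instead of silently replacing each other.
#   * An existing <daemon>.pem is only replaced with --force.
#
# TODO: Check if /etc/ssl/{certs,private}/cacert.pem exists and instead
# create /etc/ssl/{certs,private}/<fqdn>.pem and symlink to hash of
# certificate and each of /etc/ssl/{certs,private}/<daemon>.pem using
# commands similar to these:
#
# openssl genrsa -out new.key
# openssl req -new -key new.key -out new.csr
# openssl x509 -req -days 365 -in new.csr -CA /etc/ssl/certs/cacert.pem -CAkey /etc/ssl/private/cacert.pem -CAcreateserial -out new.crt
# ln -s new.crt `openssl x509 -hash -noout -in new.crt`.0
# rm new.csr
#
# TODO: Use getopts

prg=$(basename "$0")
copyright="(C) 2001-2002 Jonas Smedegaard"

# Print the help text to stdout and exit non-zero (also used for usage errors).
usage() {
	echo "$prg, $copyright
Usage: $prg [--fqdn <fqdn>] [...] --daemon <daemon> [...] [--force]
  or: $prg <daemon> [...] [-f]

Options:
  --fqdn <fqdn>      Fully Qualified Domain Name for this host.
  --cn <country>     Country Name (2 letter code)
  --state <state>    State or Province Name (full name)
  --loc <locality>   Locality Name (eg, city)
  --org <org>        Organisation/company
  --ou <unit>        Organisational unit/department
  --daemon <daemon>  Daemon(s) in need for a certificate
                     (separate certificate is generated for each daemon)
  --issuer <email>   Email address of the person responsible for the certificate
  -f, --force        Force overwriting existing certificate
  -h, --help         This help text

If issuer is not given, \"postmaster@<domainname>\" is used."
	exit 1
}

# Print a message on stderr and abort.
die() {
	echo "$prg: $*" >&2
	exit 1
}

# Print the "<subjecthash>.<n>" link name under which the certificate in
# file $1 should be published: the lowest n whose link is either free or
# already resolves to $1 (the c_rehash convention).  Fails when $1 holds
# no parseable certificate.  Must be run inside the certificate directory.
hashlink_for() {
	h=$(openssl x509 -noout -hash < "$1") || return 1
	[ -n "$h" ] || return 1
	n=0
	# -ef follows symlinks, so "already points at $1" is detected too.
	while [ -e "$h.$n" ] && [ ! "$h.$n" -ef "$1" ]; do
		n=$((n + 1))
	done
	echo "$h.$n"
}

# Remove every subject-hash link in the current directory that resolves
# to the certificate file $1.  Used before an existing file is replaced;
# an unparseable file simply has no links to remove.
remove_hashlinks() {
	h=$(openssl x509 -noout -hash < "$1" 2>/dev/null) || return 0
	[ -n "$h" ] || return 0
	for l in "$h".*; do
		[ -L "$l" ] && [ "$l" -ef "$1" ] && rm -f "$l"
	done
	return 0
}

# Set some defaults
CWD=$(pwd)
PATH=$PATH:/usr/bin/ssl
# Certificate lifetime in days; may be overridden from the environment.
DAYS2EXPIRE=${DAYS2EXPIRE:-365}
fqdn=''
cn=''
state=''
loc=''
org=''
ou=''
daemons=''
issuer=''
force=''
args=''

while [ $# -gt 0 ]; do
	doubleshift=''
	case $1 in
		--fqdn) fqdn="$2"; doubleshift=1;;
		# NB: "--cn" is the *country* code, not the X.509 CommonName
		# (the CommonName is always the fqdn).
		--cn) cn="$2"; doubleshift=1;;
		--state) state="$2"; doubleshift=1;;
		--loc) loc="$2"; doubleshift=1;;
		--org) org="$2"; doubleshift=1;;
		--ou) ou="$2"; doubleshift=1;;
		--daemon) daemons="$daemons$2 "; doubleshift=1;;
		--issuer) issuer="$2"; doubleshift=1;;
		--force|-f) force=1;;
		-*) usage;;
		*) args="$args$1 ";;
	esac
	if [ -n "$doubleshift" ]; then
		if [ $# -gt 1 ]; then
			shift
		else
			echo "Missing parameter for option \"$1\"!" >&2
			usage
		fi
	fi
	shift
done
# Positional arguments are daemon names; word-splitting is intended.
set -- $args

# Default the responsible address to postmaster@<domainname>.  (This used
# to be assigned to ISSUER, upper case, while the lower-case $issuer -
# i.e. an empty line - was what reached openssl.)
if [ -z "$issuer" ]; then
	issuer="postmaster@$(hostname -d)"
fi

# At least one daemon must be named, via --daemon or positionally.  The
# host name defaults to this machine's FQDN either way.
if [ -z "$daemons" ] && [ $# -eq 0 ]; then
	echo "Too few parameters!" >&2
	usage
fi
if [ -z "$fqdn" ]; then
	fqdn=$(hostname -f)
fi

# Organisation fields default to the host name; the remaining subject
# fields default to ".", which the openssl prompts take as "leave blank".
: "${org:=$fqdn}"
: "${ou:=$fqdn}"
: "${cn:=.}"
: "${state:=.}"
: "${loc:=.}"

cd /etc/ssl/certs || die "cannot change to /etc/ssl/certs"

# The key file must never come into existence with loose permissions;
# the explicit chmod below then widens it to exactly 0640 as before.
umask 077

for daemon in $daemons "$@"; do
	# A daemon name is a bare file name: anything containing a slash
	# (or starting with a dot) would land outside the directory, or be
	# hidden in it.
	case $daemon in
		''|*/*|.*) die "invalid daemon name \"$daemon\"";;
	esac
	if [ -f "$daemon.pem" ]; then
		# The quotes matter: an unquoted [ -n $force ] is always true,
		# which made the script overwrite existing keys without --force.
		if [ -n "$force" ]; then
			remove_hashlinks "$daemon.pem"
			rm -f "$daemon.pem"
		else
			echo "You already have /etc/ssl/certs/$daemon.pem - exiting...!" >&2
			exit 1
		fi
	fi
	printf 'Generating %s certificate...' "$daemon"
	# Answers to the interactive prompts, in the order the stock
	# openssl.cnf asks them: C, ST, L, O, OU, CN, emailAddress.  A "."
	# leaves the field blank.  Key and certificate share one file
	# (openssl appends the certificate when -out and -keyout agree) and
	# the key is unencrypted (-nodes) so the daemon can start unattended.
	if ! openssl req -new -x509 -nodes -out "$daemon.pem" -keyout "$daemon.pem" \
		-days "$DAYS2EXPIRE" >/dev/null 2>&1 <<+
$cn
$state
$loc
$org
$ou
$fqdn
$issuer
+
	then
		rm -f "$daemon.pem"
		die "openssl req failed for $daemon"
	fi
	# Publish under the subject hash without clobbering the link of a
	# daemon that shares the same subject.
	link=$(hashlink_for "$daemon.pem") || die "cannot compute subject hash of $daemon.pem"
	ln -sf "$daemon.pem" "$link" || die "cannot link $link to $daemon.pem"
	echo "Done!"
	chown root:root "/etc/ssl/certs/$daemon.pem" || die "cannot chown $daemon.pem"
	chmod 0640 "/etc/ssl/certs/$daemon.pem" || die "cannot chmod $daemon.pem"
done
cd "$CWD"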