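#!/bin/sh
#
# mkcert-lan.sh
#
# Script to generate a self-signed certificate for a LAN server.
#
# Usage: copy this script to an appropriate place on the system like
# /usr/local/sbin. Edit it to your needs and run it as root.
#
# The script creates a 'certs' system group. Certificates and keyfiles are
# owned by root:certs. Make sure you add the relevant system users to the
# 'certs' group, so they can access the files.
#
# Niki Kovacs

# Abort on the first failing command and on any unset variable, so a failed
# openssl step (or a failed groupadd) cannot leave a half-built key/cert pair
# behind. Only the POSIX subset is used: 'pipefail' is missing in many /bin/sh.
set -eu

HCMD=/bin/hostname
HOST=$($HCMD --fqdn)
# Certificate lifetime in days. Many current TLS clients refuse server
# certificates valid for much more than a year; shorten if that bites you.
TIME=3650
SSLDIR="/etc/ssl"
CRTDIR="$SSLDIR/mycerts"
KEYDIR="$SSLDIR/private"
CNFFILE="$CRTDIR/$HOST.cnf"
KEYFILE="$KEYDIR/$HOST.key"
CSRFILE="$CRTDIR/$HOST.csr"
CRTFILE="$CRTDIR/$HOST.crt"

# Refuse to run with an empty hostname: every path above would otherwise
# collapse to "/etc/ssl/mycerts/.cnf", "/etc/ssl/private/.key", ...
: "${HOST:?could not determine the FQDN via $HCMD --fqdn}"

# Testing
# rm -f "$CNFFILE" "$KEYFILE" "$CSRFILE" "$CRTFILE"

# Create certs group (with set -e a clash on GID 240 stops the script here
# instead of silently producing root-only files later on)
if ! grep -q "^certs:" /etc/group ; then
  groupadd -g 240 certs
  echo
  echo ":: Added certs group."
  echo
  sleep 3
fi

for DIRECTORY in "$CRTDIR" "$KEYDIR"; do
  if [ ! -d "$DIRECTORY" ]; then
    echo
    echo ":: Creating directory $DIRECTORY."
    echo
    mkdir -p "$DIRECTORY"
  fi
done

# Never overwrite an existing key or certificate
for FILE in "$CNFFILE" "$KEYFILE" "$CSRFILE" "$CRTFILE"; do
  if [ -f "$FILE" ]; then
    echo
    echo ":: $FILE already exists, won't overwrite."
    echo
    exit 1
  fi
done

cat > "$CNFFILE" << EOF
[req]
distinguished_name = req_distinguished_name
string_mask = nombstr
req_extensions = v3_req

[req_distinguished_name]
organizationName = Organization Name (company)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name
stateOrProvinceName = State or Province Name
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name
commonName_max = 64
organizationName_default = Microlinux
emailAddress_default = info@microlinux.fr
localityName_default = Montpezat
stateOrProvinceName_default = Gard
countryName_default = FR
commonName_default = $HOST

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = $HOST
DNS.2 = subdomain1.$HOST
DNS.3 = subdomain2.$HOST
DNS.4 = subdomain3.$HOST
EOF

# Generate private key. openssl creates the file under the caller's umask
# (usually 0644) and the chmod further down only runs afterwards, so tighten
# the umask for this one step and close that world-readable window. The
# subshell keeps the umask change local.
(
  umask 077
  openssl genrsa \
    -out "$KEYFILE" \
    4096
)

# Generate Certificate Signing Request
openssl req \
  -new \
  -sha256 \
  -out "$CSRFILE" \
  -key "$KEYFILE" \
  -config "$CNFFILE"

# Self-sign and generate Certificate
openssl x509 \
  -req \
  -sha256 \
  -days "$TIME" \
  -in "$CSRFILE" \
  -signkey "$KEYFILE" \
  -out "$CRTFILE" \
  -extensions v3_req \
  -extfile "$CNFFILE"

# Set permissions: key and certificate readable by root and the certs group only
chown root:certs "$KEYFILE" "$CRTFILE"
chmod 0640 "$KEYFILE" "$CRTFILE"

# Create a symlink in /etc/ssl/certs. pushd/popd are bash-only and not
# available under a plain #!/bin/sh, so change directory in a subshell.
(
  cd "$SSLDIR/certs"
  rm -f "$HOST.crt"
  ln -s "../mycerts/$HOST.crt" .
)

echo

exit 0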