#!/bin/bash

set -e

rm -rf --one-file-system ca certs

mkdir -p ca/root-ca/private ca/root-ca/db crl certs
chmod 700 ca/root-ca/private

cp /dev/null ca/root-ca/db/root-ca.db
cp /dev/null ca/root-ca/db/root-ca.db.attr
echo 01 > ca/root-ca/db/root-ca.crt.srl
echo 01 > ca/root-ca/db/root-ca.crl.srl

CA=root-ca openssl req -new \
    -config etc/ca.conf \
    -out ca/root-ca.csr \
    -keyout ca/root-ca/private/root-ca.key

CA=root-ca openssl ca -batch -name root_ca -selfsign \
    -config etc/ca.conf \
    -in ca/root-ca.csr \
    -out ca/root-ca.crt \
    -extensions root_ca_ext

mkdir -p ca/signing-ca/private ca/signing-ca/db crl certs
chmod 700 ca/signing-ca/private

cp /dev/null ca/signing-ca/db/signing-ca.db
cp /dev/null ca/signing-ca/db/signing-ca.db.attr
echo 01 > ca/signing-ca/db/signing-ca.crt.srl
echo 01 > ca/signing-ca/db/signing-ca.crl.srl

CA=signing-ca openssl req -new \
    -config etc/ca.conf \
    -out ca/signing-ca.csr \
    -keyout ca/signing-ca/private/signing-ca.key

CA=root-ca openssl ca -batch -name root_ca \
    -config etc/ca.conf \
    -in ca/signing-ca.csr \
    -out ca/signing-ca.crt \
    -extensions signing_ca_ext

SAN=DNS:test.local \
CN=test.local \
openssl req -new \
    -config etc/server.conf \
    -out /tmp/nginx.csr \
    -keyout /tmp/nginx.key

CA=signing-ca openssl ca -batch -name signing_ca \
    -config etc/ca.conf \
    -in /tmp/nginx.csr \
    -out /tmp/nginx.crt \
    -extensions server_ext

cat /tmp/nginx.crt ca/signing-ca.crt ca/root-ca.crt > /tmp/nginx.chain

sudo systemctl restart nginx

curl -Ss https://test.local --cacert ca/root-ca.crt

exit 0

openssl ca \
    -config etc/ca.conf \
    -revoke ca/signing-ca/01.pem \
    -crl_reason superseded