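#! /usr/bin/env sh
#
# Create a self-signed CA in the current directory:
#   ca.key.pem   - CA private key
#   ca.template  - certtool template describing the CA certificate
#   ca.cert.pem  - self-signed CA certificate
#
# Environment read by this script:
#   SEC_PARAM, KEY_TYPE                          - passed to certtool
#   COUNTRY, SAN, EXPIRATION_DAYS, ORGANIZATION  - written into ca.template

# Take the correct binary to create the certificates
CERTTOOL=$(command -v gnutls-certtool 2>/dev/null || command -v certtool 2>/dev/null)
if [ -z "$CERTTOOL" ]; then
  echo "ERROR: No certtool found" >&2
  exit 1
fi

# From here on, stop at the first failing step so that a failed key
# generation is never followed by signing with a missing or stale key file.
set -e

# The key parameters go straight onto the certtool command line; refuse to
# run with them unset or empty instead of handing the tool a blank argument.
: "${SEC_PARAM:?SEC_PARAM must be set}"
: "${KEY_TYPE:?KEY_TYPE must be set}"

# Create a CA key.
# A restrictive umask covers the interval between file creation and the
# chmod below, in case the tool creates the key with default permissions.
# The previous umask is restored afterwards so the other outputs are created
# exactly as before.
old_umask=$(umask)
umask 077
"$CERTTOOL" \
  --generate-privkey \
  --sec-param "$SEC_PARAM" \
  --key-type "$KEY_TYPE" \
  --outfile ca.key.pem
umask "$old_umask"
chmod 600 ca.key.pem

# Sign a CA cert.
# The here-document delimiter is unquoted on purpose: the shell expands the
# variables into the template. The bare "ca" line marks the certificate as a
# CA certificate.
cat <<EOF >ca.template
country = $COUNTRY
dns_name = "$SAN"
expiration_days = $EXPIRATION_DAYS
organization = $ORGANIZATION
ca
EOF
#state = $STATE
#locality = $LOCALITY

"$CERTTOOL" \
  --generate-self-signed \
  --load-privkey ca.key.pem \
  --template ca.template \
  --outfile ca.cert.pem
chmod 600 ca.cert.pem

# vim: ft=sh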