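#! /usr/bin/env sh
#
# Generate a TLS client private key and a certificate for it, signed by the
# local CA (ca.key.pem / ca.cert.pem in the current directory).
#
# Usage:  <script> [NAME]
#   NAME   becomes the certificate's dns_name and the prefix of the output
#          files NAME.key.pem, NAME.cert.pem and NAME.template. Default: client.
#
# Required environment:
#   SEC_PARAM        value for certtool --sec-param
#   KEY_TYPE         value for certtool --key-type
#   EXPIRATION_DAYS  certificate lifetime in days (template expiration_days)
#   ORGANIZATION     template organization field
# Optional environment:
#   SAN              an additional dns_name to include in the certificate
#
# Exits non-zero on the first failure so a missing key or an empty template
# value never silently yields a broken or unsigned certificate.

# Portable strict subset: abort on a failing command and on an unset variable.
set -eu

# The [A-Za-z] ranges in check_dns_name below are locale dependent; pin the
# locale so the character class is deterministic.
LC_ALL=C
export LC_ALL

# Everything this script creates - the private key first of all - is created
# owner-only from the start, so there is no window between certtool writing
# the key and the chmod below during which other users could read it.
umask 077

# Print an error to stderr and exit.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

# NAME and SAN are written verbatim into a double-quoted template line, and
# NAME is also a filename prefix, so restrict both to plain DNS-name
# characters: no quotes or newlines (template injection), no '/' (writing
# outside the current directory), no leading '-' (option parsing).
#   $1 - label for the error message, $2 - value to check
check_dns_name() {
  case "$2" in
    ''|-*|*[!A-Za-z0-9._-]*) die "$1 must be a plain DNS name, got '$2'" ;;
  esac
}

# Take the correct binary to create the certificates (gnutls-certtool on
# systems that rename it, plain certtool elsewhere).
CERTTOOL=$(command -v gnutls-certtool 2>/dev/null || command -v certtool 2>/dev/null) \
  || die "No certtool found"

NAME=client
if [ $# -gt 0 ]; then
  NAME=$1
fi
check_dns_name NAME "$NAME"

# Fail early and loudly if the template inputs are missing instead of
# writing an empty field into the template.
: "${SEC_PARAM:?SEC_PARAM must be set (certtool --sec-param)}"
: "${KEY_TYPE:?KEY_TYPE must be set (certtool --key-type)}"
: "${EXPIRATION_DAYS:?EXPIRATION_DAYS must be set}"
: "${ORGANIZATION:?ORGANIZATION must be set}"
SAN=${SAN:-}
if [ -n "$SAN" ]; then
  check_dns_name SAN "$SAN"
fi

# The CA material must be present before we spend time generating a key.
for ca_file in ca.key.pem ca.cert.pem; do
  [ -r "$ca_file" ] || die "CA file '$ca_file' is missing or not readable"
done

# Create a client key.
"$CERTTOOL" \
  --generate-privkey \
  --sec-param "$SEC_PARAM" \
  --key-type "$KEY_TYPE" \
  --outfile "$NAME.key.pem"
chmod 600 -- "$NAME.key.pem"

# Write the certtool template. The second dns_name line is only emitted when
# SAN is set, so an unset SAN no longer produces an empty dns_name = "".
# NOTE(review): ORGANIZATION is written unquoted as in the original; confirm
# against certtool's template syntax if the value may contain spaces.
{
  printf 'dns_name = "%s"\n' "$NAME"
  if [ -n "$SAN" ]; then
    printf 'dns_name = "%s"\n' "$SAN"
  fi
  printf 'expiration_days = %s\n' "$EXPIRATION_DAYS"
  printf 'organization = %s\n' "$ORGANIZATION"
  printf 'encryption_key\n'
  printf 'signing_key\n'
} >"$NAME.template"

# Sign a client cert with the key.
"$CERTTOOL" \
  --generate-certificate \
  --load-privkey "$NAME.key.pem" \
  --load-ca-certificate ca.cert.pem \
  --load-ca-privkey ca.key.pem \
  --template "$NAME.template" \
  --outfile "$NAME.cert.pem"
chmod 600 -- "$NAME.cert.pem"

# vim: ft=sh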