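#!/bin/sh
# Build a small test PKI: a self-signed root CA plus LEVELS chained
# intermediate CAs, each signed by the level above it. All key pairs,
# CSRs and certificates land in CERTS_PATH; the certificates are also
# concatenated (root first, then ca1..caN) into CERTS_PATH/chain.crt.
#
# Environment overrides (optional, defaults match the original script):
#   OPENSSL_PATH  directory containing the openssl binary
#   OPENSSL_CNF   openssl config file that supplies the v3_ca extensions
#   LEVELS        number of intermediate CAs to create below the root
#   CERTS_PATH    output directory
#
# Any failing openssl step aborts the run instead of silently producing a
# broken chain from the remaining steps.
set -eu

OPENSSL_PATH="${OPENSSL_PATH:-/usr/bin}"   # default install path
#OPENSSL_PATH="/usr/local/ssl/bin"         # workaround for dual openssl install
DAYS=$((10*365))
LEVELS="${LEVELS:-1}"
DN="/C=US/ST=Illinois/L=Chicago/O=Safemobile/OU=PKI"
CERTS_PATH="${CERTS_PATH:-certs}"
CHAIN="$CERTS_PATH/chain.crt"
# OPENSSL_CNF="/etc/pki/tls/openssl.cnf"
OPENSSL_CNF="${OPENSSL_CNF:-/etc/ssl/openssl.cnf}"
OPENSSL="$OPENSSL_PATH/openssl"

# die MSG... — print MSG to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# gen_key FILE — write a fresh 4096-bit RSA private key to FILE.
# The subshell umask makes the key file owner-only (0600) regardless of
# the caller's umask, without relying on openssl's own file-mode handling.
gen_key() {
  ( umask 077 && "$OPENSSL" genrsa -out "$1" 4096 )
}

# Fail early on a missing binary or config rather than part-way through.
[ -x "$OPENSSL" ] || die "openssl not found at $OPENSSL"
[ -r "$OPENSSL_CNF" ] || die "openssl config not readable: $OPENSSL_CNF"
case "$LEVELS" in
  ''|*[!0-9]*) die "LEVELS must be a non-negative integer, got '$LEVELS'" ;;
esac

mkdir -p -- "$CERTS_PATH"

# Root key pair and self-signed root certificate; the chain file is
# truncated here so a re-run does not append to a stale chain.
gen_key "$CERTS_PATH/root-key.pem"
"$OPENSSL" req -new -x509 -days "$DAYS" -key "$CERTS_PATH/root-key.pem" \
  -subj "$DN/CN=Root" -out "$CERTS_PATH/root-cert.pem"
cat -- "$CERTS_PATH/root-cert.pem" > "$CHAIN"

i=1
while [ "$i" -le "$LEVELS" ]; do
  printf 'Level %s\n' "$i"
  # Level 1 is signed by the root, every later level by the one before it.
  if [ "$i" -eq 1 ]; then
    SIGNER_CERT="$CERTS_PATH/root-cert.pem"
    SIGNER_KEY="$CERTS_PATH/root-key.pem"
  else
    SIGNER_CERT="$CERTS_PATH/ca$((i-1))-cert.pem"
    SIGNER_KEY="$CERTS_PATH/ca$((i-1))-key.pem"
  fi

  # Key pair and signing request for this level.
  gen_key "$CERTS_PATH/ca$i-key.pem"
  "$OPENSSL" req -new -key "$CERTS_PATH/ca$i-key.pem" \
    -subj "$DN/CN=Level$i" -out "$CERTS_PATH/ca$i-csr.pem"

  printf '%s\n' '-------------'
  printf '>>>>>>>>>>>>>>>>>%s\n' "$SIGNER_CERT"
  printf '>>>>>>>>>>>>>>>>>%s\n' "$SIGNER_KEY"

  # Sign the CSR with the previous level's key, applying the v3_ca
  # extensions so the result is itself a CA certificate. The serial is
  # the level number and therefore identical on every run; that is only
  # acceptable because the whole tree is regenerated together — do not
  # reuse these files as a long-lived CA.
  "$OPENSSL" x509 -req -days "$DAYS" -in "$CERTS_PATH/ca$i-csr.pem" \
    -CA "$SIGNER_CERT" -CAkey "$SIGNER_KEY" -set_serial "$i" \
    -out "$CERTS_PATH/ca$i-cert.pem" -extfile "$OPENSSL_CNF" -extensions v3_ca
  cat -- "$CERTS_PATH/ca$i-cert.pem" >> "$CHAIN"
  printf '%s\n' '-------------'
  i=$((i+1))
done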