#!/bin/bash
# 
# makersa.sh - make a RSA key and self-signed certificate for apache
#
# Author: John Masinter, john@totalb.com, 22-Dec-2003, 09-Jan-2005
#
# For additional docs, see: http://www.modssl.org/docs/2.8/ssl_faq.html#ToC28 
# Disclaimer: This software is released "As is", without any warranty 
#             expressed or implied, under the GPL-2 license.
#

# all new files should be owned by root and "rw----", r/w root only!
# umask 077 strips the group/other bits from every file the openssl, mv and
# ln calls below create, so private keys never start out world-readable.
umask 077

# separator line printed at the top of every step, plus the running step counter
SEP="======================================================================"
STEP=1

#----------------------------------------------------------------------
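# wipe all files?
# Every step below skips itself when its output file already exists, so a
# re-run with stale key material would silently change nothing; offer to
# remove the old keys first.  Only an explicit y/Y answer wipes anything.
printf "Wipe all existing RSA keys and make new ones? [y/n]: "
read -r ans   # -r: keep backslashes literal; quoting below keeps an empty answer safe
if [ "$ans" = "y" ] || [ "$ans" = "Y" ] ; then
   printf "\nRemoving all existing RSA keys.\n"
   echo "rm -f -- server-rsa* ca-rsa*"
   # -f: an unmatched glob is not an error; --: a file name can never be read as an option
   rm -f -- server-rsa* ca-rsa*
fi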

#----------------------------------------------------------------------
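KEY=server-rsa.key
# Step 1: pass-phrase protected RSA private key for the server.
# $SEP is passed as an argument, never as the printf format string.
printf '%s\nStep %d: create a private RSA server key.\n' "$SEP" "$STEP" ; STEP=$((STEP+1))
if [ -f "$KEY" ] ; then
   printf "RSA private server key '%s' already exists. Skipping.\n" "$KEY"
else
   printf "Creating an RSA private server key '%s'...\n" "$KEY"
   # NOTE(review): -des3 is legacy key wrapping; -aes256 is the modern choice
   # in openssl genrsa.  Left unchanged so existing pass-phrases keep working.
   CMD=(openssl genrsa -des3 -out "$KEY" 2048)
   echo "${CMD[*]}"
   "${CMD[@]}"
   rc=$?   # capture now: inside "if [ $? ... ]" $? would already be the test's status
   if [ "$rc" -ne 0 ] ; then printf 'Failure: %s \n' "$rc" ; exit 1 ; fi
   # show details
   CMD=(openssl rsa -noout -text -in "$KEY")
   printf 'To see the details server key, do this: %s\n' "${CMD[*]}"
fi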

#----------------------------------------------------------------------
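CSR=server-rsa.csr
# Step 2: certificate signing request for the server key created in step 1.
printf '%s\nStep %d: create a signing request for RSA server key.\n' "$SEP" "$STEP" ; STEP=$((STEP+1))
printf "\n***NOTE: COMMON NAME is the FQDN of server, e.g. www.totalb.com\n"
if [ -f "$CSR" ] ; then
   printf "Certificate Signing Request '%s' already exists. Skipping.\n" "$CSR"
else
   printf "Creating an Certificate Signing Req '%s'...\n" "$CSR"
   # openssl prompts for the key's pass-phrase and the subject fields here
   CMD=(openssl req -new -key "$KEY" -out "$CSR")
   echo "${CMD[*]}"
   "${CMD[@]}"
   rc=$?   # capture before any test clobbers $?
   if [ "$rc" -ne 0 ] ; then printf 'Failure: %s \n' "$rc" ; exit 1 ; fi
   # show details (the hint must print the command, not the CSR file name)
   CMD=(openssl req -noout -text -in "$CSR")
   printf 'To see the details of csr, do this: %s\n' "${CMD[*]}"
fi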

#----------------------------------------------------------------------
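CAKEY=ca-rsa.key
# Step 3: pass-phrase protected private key for the local CA that will sign
# the server certificate.  It is separate key material from the server key.
printf '%s\nStep %d: create a private key for our CA.\n' "$SEP" "$STEP" ; STEP=$((STEP+1))
printf "\n***NOTE: This key info must be different from the server key info!\n"
if [ -f "$CAKEY" ] ; then
   printf "RSA private key '%s' for our CA already exists. Skipping.\n" "$CAKEY"
else
   printf "Creating an RSA private key '%s' for our CA...\n" "$CAKEY"
   # NOTE(review): -des3 is legacy key wrapping; -aes256 is the modern choice.
   CMD=(openssl genrsa -des3 -out "$CAKEY" 2048)
   echo "${CMD[*]}"
   "${CMD[@]}"
   rc=$?   # capture before any test clobbers $?
   if [ "$rc" -ne 0 ] ; then printf 'Failure: %s \n' "$rc" ; exit 1 ; fi
   # show details
   CMD=(openssl rsa -noout -text -in "$CAKEY")
   printf 'To see the details of your new key, do this: %s\n' "${CMD[*]}"
fi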

#----------------------------------------------------------------------
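CACRT=ca-rsa.crt
# Step 4: self-signed CA certificate (valid 1095 days = 3 years).  This is the
# trust anchor clients must install to accept the server certificate.
printf '%s\nStep %d: create a self-signed certificate for our CA.\n' "$SEP" "$STEP" ; STEP=$((STEP+1))
if [ -f "$CACRT" ] ; then
   printf "Self signed CA cert '%s' already exists. Skipping.\n" "$CACRT"
else
   printf "Creating an 3 year self signed CA cert '%s'...\n" "$CACRT"
   CMD=(openssl req -new -x509 -days 1095 -key "$CAKEY" -out "$CACRT")
   echo "${CMD[*]}"
   "${CMD[@]}"
   rc=$?   # capture before any test clobbers $?
   if [ "$rc" -ne 0 ] ; then printf 'Failure: %s \n' "$rc" ; exit 1 ; fi
   # show details
   printf "To see the details of your new key, do this:\n"
   CMD=(openssl x509 -noout -text -in "$CACRT")
   echo "${CMD[*]}"
fi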

#----------------------------------------------------------------------
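# input CSR output CRT
# Step 5: sign the server CSR with the CA from steps 3-4.  The actual signing
# is delegated to ./sign.sh, which must sit in the current directory; it is
# expected to write $CRT (the script does not verify that itself).
CRT=server-rsa.crt
printf '%s\nStep %d: create a self-signed certificate for our server.\n' "$SEP" "$STEP" ; STEP=$((STEP+1))
if [ -f "$CRT" ] ; then
   printf "Self signed server cert '%s' already exists. Skipping.\n" "$CRT"
else
   printf "Creating an self signed server cert '%s'...\n" "$CRT"
   # fail with a clear message instead of the shell's "command not found"
   if [ ! -x ./sign.sh ] ; then printf 'Failure: ./sign.sh not found or not executable\n' ; exit 1 ; fi
   CMD=(./sign.sh "$CSR")
   echo "${CMD[*]}"
   "${CMD[@]}"
   rc=$?   # capture before any test clobbers $?
   if [ "$rc" -ne 0 ] ; then printf 'Failure: %s \n' "$rc" ; exit 1 ; fi
fi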

#----------------------------------------------------------------------
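# this is needed so apache will start-up without typing in pass phrase
# Step 6: strip the pass-phrase from the server key.  End state:
#   $ORG  - the original, pass-phrase protected key (kept as a backup)
#   $CLR  - the unencrypted key, readable only by root thanks to umask 077
#   $KEY  - a symlink to $CLR so apache's config keeps pointing at $KEY
# The unencrypted key is the most sensitive file this script produces; it
# must stay owned by root with mode 600.
CLR=server-rsa.key.clr
ORG=server-rsa.key.org
printf '%s\nStep %d: create unencrypted server key.\n' "$SEP" "$STEP" ; STEP=$((STEP+1))
if [ -f "$CLR" ] ; then
   printf "Unencrypted server key '%s' already exists. Skipping.\n" "$CLR"
else
   printf "Creating an unencrypted server key '%s'...\n" "$CLR"
   # unencrypt into .clr FIRST, reading the still-named original: if the
   # pass-phrase is wrong nothing has been moved yet and the step can simply
   # be re-run (the old order moved the key away before decrypting it).
   CMD=(openssl rsa -in "$KEY" -out "$CLR")
   echo "${CMD[*]}"
   "${CMD[@]}"
   rc=$?   # capture before any test clobbers $?
   if [ "$rc" -ne 0 ] ; then printf 'Failure: %s \n' "$rc" ; exit 1 ; fi
   # make copy of original key as .org
   CMD=(mv "$KEY" "$ORG")
   echo "${CMD[*]}"
   "${CMD[@]}"
   rc=$?
   if [ "$rc" -ne 0 ] ; then printf 'Failure: %s \n' "$rc" ; exit 1 ; fi
   # no explicit chmod: umask 077 at the top of the script already creates
   # $CLR as rw-------; tighten by hand only if the umask was changed.
   # link to key name
   CMD=(ln -s "$CLR" "$KEY")
   echo "${CMD[*]}"
   "${CMD[@]}"
   rc=$?
   if [ "$rc" -ne 0 ] ; then printf 'Failure: %s \n' "$rc" ; exit 1 ; fi
fi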

#----------------------------------------------------------------------
# final reminder: every key file written above must stay readable by root only
printf '\n\n*** NOTE: Make sure all files are rw---- (e.g. ug-rwx)\n\n'
exit 0


