#!/bin/bash
#
#  sign.sh -- Sign a SSL Certificate Request (CSR)
#  Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved. 
#
#  Very slightly modified by John Masinter <john@totalb.com> 2003
#

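# NOTE: This is the basename for CA files. The script reads $CANAME.crt and
# $CANAME.key from the current directory.
CANAME=ca-rsa

# print usage if needed
if [ $# -ne 1 ]; then
    echo "Usage: sign.sh <whatever>.csr"; exit 1
fi
CSR=$1

# check for input file (quoted so that paths containing spaces or glob
# characters are tested as one word)
if [ ! -f "$CSR" ]; then
    echo "CSR not found: $CSR"; exit 1
fi

# format output file name: swap a trailing ".csr" for ".crt", otherwise
# append ".crt". Suffix stripping only touches the end of the name; the old
# sed expression rewrote the first ".csr" anywhere in the path.
case "$CSR" in
    *.csr ) CERT="${CSR%.csr}.crt" ;;
        * ) CERT="$CSR.crt" ;;
esac

# create temp dirs and files (the throw-away CA database used by "openssl ca")
if [ ! -d ca.db.certs ]; then
    mkdir ca.db.certs || exit 1
fi

if [ ! -f ca.db.serial ]; then
    echo '01' >ca.db.serial
fi

if [ ! -f ca.db.index ]; then
    : >ca.db.index
fi

#   create an own SSLeay config
#   "\$dir" is escaped so that openssl expands it; $CANAME is expanded here.
#   default_md is sha256: MD5 is collision-broken as a certificate signature
#   digest and current TLS stacks refuse MD5-signed certificates.
#   NOTE(review): policy_anything only requires a commonName and copies the
#   other subject fields from the CSR as supplied -- inspect the request
#   before signing it.
cat >ca.config <<EOT
[ ca ]
default_ca              = CA_own
[ CA_own ]
dir                     = .
certs                   = \$dir
new_certs_dir           = \$dir/ca.db.certs
database                = \$dir/ca.db.index
serial                  = \$dir/ca.db.serial
RANDFILE                = \$dir/ca.db.rand
certificate             = \$dir/$CANAME.crt
private_key             = \$dir/$CANAME.key
default_days            = 1095
default_crl_days        = 30
default_md              = sha256
preserve                = no
policy                  = policy_anything
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
EOT
# NOTE: Do NOT rename any of the above directives. They are SSLeay directives!

#  sign the certificate
echo "CA signing: $CSR -> $CERT:"
echo "openssl ca -config ca.config -out $CERT -infiles $CSR"
openssl ca -config ca.config -out "$CERT" -infiles "$CSR"
# Capture the status at once: inside the else branch below, $? would hold the
# result of the [ ] test rather than the status of openssl.
RC=$?

# did it work?
if [ "$RC" -eq 0 ]; then
    echo "CA verifying: $CERT <-> CA cert"
    echo "openssl verify -CAfile $CANAME.crt $CERT"
    openssl verify -CAfile "$CANAME.crt" "$CERT"
    RC=$?
else
    echo "Error: Something went wrong. RC = $RC"
fi

#  cleanup after SSLeay
#  NOTE(review): removing ca.db.* discards the serial counter and the index,
#  so every run starts again at serial 01 and the CA keeps no record of what
#  it issued. Certificates from one CA are expected to carry unique serial
#  numbers, and revocation needs the index. Kept as-is because keeping the
#  database changes what a re-run on the same subject does; anyone using this
#  beyond one-off test certificates should preserve ca.db.serial and
#  ca.db.index instead.
rm -f ca.config
rm -rf -- ca.db.*

#  report the outcome to the caller: 0 only if signing and verification
#  both succeeded
exit "$RC"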


