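#!/usr/bin/bash
#
# Generate per-host client keys/CSRs and per-service server keys/CSRs for
# $DOMAIN, sign every CSR with the local CA found in $CADIR, then print the
# SHA-256 fingerprint of the public key for each Jabber host.
#
# Inputs:  prompts on the terminal for the root CA password (not echoed);
#          `openssl req` may additionally prompt for a key passphrase because
#          the keys are generated without -nodes (unchanged from before).
# Globals: HOME (read) — all config, key, CSR and cert directories live under it.
# Outputs: keys/CSRs/certs written to $CERTDIR; fingerprints on stdout;
#          diagnostics on stderr.
# Exit:    1 if a key file for this serial already exists, if the CA directory
#          is not reachable, or (via set -e) on the first failing openssl step.
#
# The CA password is only ever placed in the environment of the individual
# `openssl ca` invocations (per-command assignment), never exported script-wide,
# so the `openssl req` / `openssl pkey` children do not inherit it.

set -eu -o pipefail

DOMAIN="casperlefantom.net"
SERIAL="50" # crtversion
SERVERHOST=""
# Whitespace-separated lists; the for-loops below rely on word-splitting.
CLIENTHOST="$SERVERHOST sd-126263.dbjabber sd-128718.nfs sd-128718.bosh sd-128718.ws sd-128718.matrix sd-128718.dbcirrus sd-128718.dblinks sd-128718.redis"
SERVICELIST="manchester.nfs blackbird.ejabberd blackbird.dbjabber blackbird.dbcirrus blackbird.dblinks blackbird.postfix blackbird.dovecot blackbird.murmur blackbird.ws blackbird.bosh blackbird.matrix blackbird.redis sd-94125.postfix sd-94125.dovecot sd-126263.ejabberd sd-126263.nfs sd-126263.murmur sd-126263.ws sd-126263.bosh sd-126263.redis blackbird.nfs"
JABBERHOST="blackbird.ejabberd sd-126263.ejabberd"

SERVERCONFDIR="$HOME/park-admin/playbooks-ansible/openssl/config-server/"
CLIENTCONFDIR="$HOME/park-admin/playbooks-ansible/openssl/config-client/"
CERTDIR="$HOME/park-admin/playbooks-ansible/roles/imserver/files/certs/"
KEYDIR=$CERTDIR
CSRDIR=$CERTDIR
CADIR="$HOME/park-admin/playbooks-ansible/roles/imserver/files/certs/../.CA-2"

#######################################
# Print an error message on stderr and exit 1.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Generate a new RSA-4096 key and CSR, refusing to overwrite an existing key.
# Arguments: $1 - openssl config file
#            $2 - key file to create
#            $3 - CSR file to create
# Returns:   0 on success; exits 1 (via die) if $2 already exists
#######################################
gen_key_and_csr() {
  local cnf=$1 key=$2 csr=$3
  # Never silently overwrite a private key from an earlier run with this serial.
  if [[ -f "$key" ]]; then
    die "Error: existing file ${key##*/}"
  fi
  openssl req -new -config "$cnf" -newkey rsa:4096 -keyout "$key" -out "$csr"
}

#######################################
# Sign one CSR with the local CA.  Must be run from inside $CADIR, since the
# CA config files are referenced by relative name.
# Globals:   rootcapasswd (read) — passed to openssl only via a per-command
#            environment variable, so it is not visible to other children.
# Arguments: $1 - CA config file (relative to $CADIR)
#            $2 - CSR to sign
#            $3 - certificate file to create
#######################################
sign_csr() {
  local cnf=$1 csr=$2 crt=$3
  MONCAPASSWD="$rootcapasswd" openssl ca -batch -passin env:MONCAPASSWD \
    -config "$cnf" -in "$csr" -out "$crt"
}

# -r: do not mangle backslashes; -s: do not echo.  The silent read leaves the
# cursor on the prompt line, so emit the newline ourselves (on stderr, like the prompt).
read -r -s -p "Password Root CA: " rootcapasswd
printf '\n' >&2

# Client certificates: one key/CSR per client host.
# shellcheck disable=SC2086 # intentional word-splitting of the host list
for i in $CLIENTHOST; do
  gen_key_and_csr "$CLIENTCONFDIR/$i.cnf" \
    "$KEYDIR/$i.$SERIAL.key" "$CSRDIR/$i.$SERIAL.csr"
done

# Server certificates, one per host (currently disabled; kept for reference):
##for i in $SERVERHOST
##do
##  openssl req -new -config $SERVERCONFDIR/$DOMAIN-openssl.cnf -newkey rsa:4096 -keyout $KEYDIR/$DOMAIN.$i.$SERIAL.key -out $CSRDIR/$DOMAIN.$i.$SERIAL.csr
##done

# Server certificates: one key/CSR per service.
# shellcheck disable=SC2086 # intentional word-splitting of the service list
for i in $SERVICELIST; do
  gen_key_and_csr "$SERVERCONFDIR/$DOMAIN.$i-openssl.cnf" \
    "$KEYDIR/$DOMAIN.$i.$SERIAL.key" "$CSRDIR/$DOMAIN.$i.$SERIAL.csr"
done

# Sign all CSRs.  The CA config files are relative to $CADIR, hence the pushd;
# an unreachable CA directory is fatal rather than something to print and move past.
if ! pushd "$CADIR" >/dev/null; then
  die "CA inaccessible !"
fi
# shellcheck disable=SC2086 # intentional word-splitting
for i in $SERVERHOST; do
  sign_csr openssl-server.cnf "$CSRDIR/$DOMAIN.$i.$SERIAL.csr" "$CERTDIR/$DOMAIN.$i.$SERIAL.crt"
done
# shellcheck disable=SC2086 # intentional word-splitting
for i in $CLIENTHOST; do
  sign_csr openssl-client.cnf "$CSRDIR/$i.$SERIAL.csr" "$CERTDIR/$i.$SERIAL.crt"
done
# shellcheck disable=SC2086 # intentional word-splitting
for i in $SERVICELIST; do
  sign_csr openssl-server.cnf "$CSRDIR/$DOMAIN.$i.$SERIAL.csr" "$CERTDIR/$DOMAIN.$i.$SERIAL.crt"
done
popd >/dev/null

# The CA password is no longer needed; drop it from the shell.
unset rootcapasswd

# Print the SHA-256 fingerprint of the public key for each Jabber service.
# `openssl dgst -c` prints "(stdin)= ab:cd:..."; field 2 is the colon-separated hash.
# shellcheck disable=SC2086 # intentional word-splitting
for j in $JABBERHOST; do
  echo "$j:"
  openssl pkey -in "$CERTDIR/$DOMAIN.$j.$SERIAL.key" -pubout -outform DER \
    | openssl dgst -sha256 -hex -c \
    | awk '{ print toupper ($2) }'
done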