#!/bin/sh

# Take the correct binary to create the certificates
CERTTOOL=$(command -v gnutls-certtool 2>/dev/null || command -v certtool 2>/dev/null)
if [ -z "$CERTTOOL" ]
then
  echo "ERROR: No certtool found" >&2
  exit 1
fi

. ./vars

NAME=client
if [ $# -gt 0 ]
then
  NAME=$1
fi

if ! [ -f ${NAME}.key.pem ]
then
  # Create a client key.
  $CERTTOOL \
    --generate-privkey \
    --sec-param $SEC_PARAM \
    --outfile ${NAME}.key.pem
fi

chmod 600 ${NAME}.key.pem

if ! [ -f ${NAME}.template ]
then
  # Sign a client cert with the key.
  cat <<EOF >${NAME}.template
organization = $ORGANIZATION
cn = $CN
expiration_days = $EXPIRATION_DAYS
tls_www_client
encryption_key
signing_key
EOF
fi

if ! [ -f ${NAME}.cert.pem ] || [ ${NAME}.template -nt ${NAME}.cert.pem ]
then
  $CERTTOOL \
    --generate-certificate \
    --load-privkey ${NAME}.key.pem \
    --load-ca-certificate ca.cert.pem \
    --load-ca-privkey ca.key.pem \
    --template ${NAME}.template \
    --outfile ${NAME}.cert.pem
fi

chmod 600 ${NAME}.cert.pem