#!/bin/sh

# Take the correct binary to create the certificates
CERTTOOL=$(command -v gnutls-certtool 2>/dev/null || command -v certtool 2>/dev/null)
if [ -z "$CERTTOOL" ]
then
  echo "ERROR: No certtool found" >&2
  exit 1
fi

. ./vars

NAME=client
if [ $# -gt 0 ]
then
  NAME=$1
fi

if ! [ -f "$NAME".key.pem ]
then
  # Create a client key.
  $CERTTOOL \
    --generate-privkey \
    --sec-param $SEC_PARAM \
    --outfile "$NAME".key.pem
fi

chmod 600 "$NAME".key.pem

if ! [ -f "$NAME".template ]
then
  # Sign a client cert with the key.
  cat <<EOF >"$NAME".template
organization = $ORGANIZATION
cn = $CN
expiration_days = $EXPIRATION_DAYS
tls_www_client
encryption_key
signing_key
EOF
fi

if ! [ -f "$NAME".cert.pem ]
then
  $CERTTOOL \
    --generate-certificate \
    --load-privkey "$NAME".key.pem \
    --load-ca-certificate ca.cert.pem \
    --load-ca-privkey ca.key.pem \
    --template "$NAME".template \
    --outfile "$NAME".cert.pem
fi

chmod 600 "$NAME".cert.pem