#!/bin/bash
#
# Create Debian Edu CA key and certificate as well as
# multi-purpose server (web, mail, cups) key and certificate.
#

# Abort on the first failing command; every openssl/chown step below is
# load-bearing, so a partial run must not look like success.
set -o errexit

# usage
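#######################################
# Print the usage text.
# Arguments: none ($0 is the script name)
# Outputs:   usage text on stdout
#######################################
usage() {
    # The config directory is /usr/share/debian-edu-config (the same
    # path the *_CONF variables below point at).
    cat <<EOF

Usage information:
Call $0 with param '--force-overwrite' to generate new keys
and certificates.
Used configuration files: /usr/share/debian-edu-config/*.cnf

EOF
}

# usage
if [ "$1" = "-h" ] || [ "$1" = "--help" ] ; then
    usage
    exit 0
fi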

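# Scratch directory for the server CSR; mktemp -d creates it 0700.
TMP=$(mktemp -d)
# Remove the scratch directory on every exit path (normal, set -e, signal)
# so the CSR does not linger in /tmp.
trap 'rm -rf -- "$TMP"' EXIT
# openssl request / extension configuration files.
SSL_CA_CONF="/usr/share/debian-edu-config/sslCA.cnf"
V3_CA_CONF="/usr/share/debian-edu-config/v3CA.cnf"
SSL_CONF="/usr/share/debian-edu-config/ssl.cnf"
V3_CONF="/usr/share/debian-edu-config/v3.cnf"
# Public certificates go to CERT_DIR, private keys to KEY_DIR.
CERT_DIR="/etc/ssl/certs"
KEY_DIR="/etc/ssl/private"
CA_CERT="$CERT_DIR/Debian-Edu_rootCA.crt"
CA_KEY="$KEY_DIR/Debian-Edu_rootCA.key"
SERVER_CERT="$CERT_DIR/debian-edu-server.crt"
SERVER_KEY="$KEY_DIR/debian-edu-server.key"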

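#######################################
# Create the Debian Edu root CA (key + self-signed cert) and a server
# key/cert signed by it, fix ownership and permissions, grant the
# service accounts read access and refresh the local trust stores.
# Globals:   CA_KEY, CA_CERT, SERVER_KEY, SERVER_CERT, TMP,
#            SSL_CA_CONF, V3_CONF (all read)
# Arguments: none
# Outputs:   files under /etc/ssl/{certs,private}, one syslog line
# Returns:   0 on success; under 'set -e' the script aborts on the
#            first failing command
#######################################
generate() {
    local saved_umask
    saved_umask=$(umask)
    # Private keys are written by openssl with the current umask, so
    # with a default umask they would be world-readable until the chmod
    # further down. Create everything 0600 and open up the public
    # parts explicitly afterwards.
    umask 077
    # Generate Debian Edu root CA private key.
    openssl genrsa -out "$CA_KEY" 2048
    # Self-signed rootCA certificate.
    openssl req -x509 -new -nodes -key "$CA_KEY" -days 3650 -out "$CA_CERT" -config "$SSL_CA_CONF"
    # Server key and certificate signing request.
    # NOTE(review): the CSR is built from the CA request config while
    # SSL_CONF (ssl.cnf) is defined but unused -- confirm which is intended.
    openssl req -new -nodes -out "$TMP/server.csr" -newkey rsa:2048 -keyout "$SERVER_KEY" -config "$SSL_CA_CONF"
    # Sign the server certificate with the root CA.
    openssl x509 -req -in "$TMP/server.csr" -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial -out "$SERVER_CERT" -days 3650 -extfile "$V3_CONF"
    umask "$saved_umask"
    # The CSR is no longer needed once the certificate is issued.
    rm -f -- "$TMP/server.csr"
    # Adjust owner and rights: certificates are public (0644), private
    # keys readable only by root and the ssl-cert group (0640).
    chown root:ssl-cert "$CA_KEY" "$SERVER_KEY"
    chmod 644 "$CA_CERT" "$SERVER_CERT"
    chmod 640 "$CA_KEY" "$SERVER_KEY"
    logger -t create-debian-edu-certs "rootCA and server certs generated"
    # Enable Debian-exim to read key file.
    usermod -a -G ssl-cert Debian-exim
    # On a plain main server xrdp isn't installed by default.
    if id xrdp 1>/dev/null 2>&1 ; then
        usermod -a -G ssl-cert xrdp
    fi
    # Add local trust for the created certificates.
    /usr/sbin/update-ca-certificates
    # Update dbm and sql certificate and key databases in homedirs.
    /usr/share/debian-edu-config/tools/update-cert-dbs
}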

# Entry point: regenerate on request, otherwise only when the CA
# material is missing; services that hold the certs are reloaded
# after a forced regeneration.
if [ "$1" = "--force-overwrite" ] ; then
    generate
    for svc in apache2 exim4 dovecot; do
        service "$svc" reload
    done
elif [ ! -f "$CA_CERT" ] || [ ! -f "$CA_KEY" ]; then
    generate
else
    echo "Certificates and keys already exist, nothing to do!"
    echo "Call $0 with param '--force-overwrite' if new ones should be generated."
fi
