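#! /bin/sh
##
## Sign a certificate request with the CA and file the result.
##
## Usage: $0 TAG PROFILE FILE
##   TAG      label for the new certificate; it ends up as certs/TAG.cert
##   PROFILE  selects the `PROFILE-extensions' section of openssl.conf
##   FILE     the certificate request to sign
##
## Needs lib/func.sh (runas_ca, linkserial, linkhash) one directory above
## this script.  Exits 1 on a usage error or if TAG is already taken; any
## other failure aborts through `set -e'.  The signed certificate is
## written to stdout at the end.

set -e
certroot=$(cd "${0%/*}"/..; pwd)
. "$certroot"/lib/func.sh
runas_ca "$@"

## Parse the command line.
case "$#" in
  3) ;;
  *) echo >&2 "Usage: $0 TAG PROFILE FILE"; exit 1 ;;
esac
tag=$1
profile=$2
file=$3

## TAG and PROFILE are spliced into file names under certs/ and tmp/ and
## into an `openssl' argument, so refuse values that could name a path
## outside those directories or be mistaken for an option.
for label in "$tag" "$profile"; do
  case "$label" in
    '' | */* | -*)
      echo >&2 "$0: bad label \`$label': must be non-empty, contain no \`/', and not begin with \`-'"
      exit 1 ;;
  esac
done

## Make sure we're not overwriting anything.  Put sequence numbers
## into labels to prevent bad things from happening.
if [ -f "$certroot"/certs/"$tag".cert ]; then
  echo >&2 "$0: certificate $tag already exists"
  exit 1
fi

## Make a temporary copy of the certificate.  This prevents a race, and
## more importantly lets us change directory.  If anything below fails,
## don't leave the half-processed copies behind in tmp/ (after the
## successful `mv' they are gone already, hence `rm -f').
trap 'rm -f "$certroot"/tmp/"$tag".req "$certroot"/tmp/"$tag".cert' EXIT
cp "$file" "$certroot"/tmp/"$tag".req
cd "$certroot"

## Make the certificate.  PROFILE only chooses which extensions section
## of openssl.conf is applied to the new certificate.
openssl ca -config openssl.conf -extensions "$profile-extensions" \
  -in tmp/"$tag".req -out tmp/"$tag".cert

## Install a hash link for the benefit of OpenSSL's `verify' command and
## similar, and install the completed request and certificate in the
## archive.
mv tmp/"$tag".req tmp/"$tag".cert certs/
linkserial certs/"$tag".cert
linkhash certs/"$tag".cert
## NOTE(review): presumably `openssl ca' leaves a SERIAL.pem copy of the
## new certificate in tmp/ (new_certs_dir in openssl.conf) -- confirm.  If
## no .pem is present this line fails under `set -e' after the
## certificate has already been installed.
rm tmp/*.pem

## Output the certificate.
openssl x509 -in certs/"$tag".cert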