#! /bin/sh

set -e
certroot=$(cd ${0%/*}/..; pwd)
cd "$certroot"
umask 022

## Archive any existing CA.
if [ -f ca.cert ]; then
  mkdir -p archive
  if [ -f archive/state/serial ]; then
    next=$(cat archive/state/serial)
  else
    mkdir -p archive/state
    next=1
  fi
  mkdir archive/"$next"
  mv ca.cert certs crls index private state archive/"$next"/
  expr "$next" + 1 >archive/state/serial.new
  mv archive/state/serial.new archive/state/serial
fi

## Clear out the old CA completely.
rm -rf certs index private tmp state
rm -f ca.cert distorted.crl

## Build a new one.
mkdir -m750 private
mkdir -m775 certs crls index index/byhash index/byserial state tmp
chown root:ca certs crls index index/byhash index/byserial private state tmp
touch state/db
echo 01 >state/serial
echo 01 >state/crlnumber

## Set the CA subject name.  It won't fit on one line, and there's no
## good way of continuing it.  Have fun parsing the sed.
subject=$(sed -n 's:^:/:;1h;2,$H;${x;s/\n//g;p;}' <<EOF
C=GB
ST=Cambridgeshire
O=distorted.org.uk
OU=Certificate Authority
CN=distorted.org.uk top-level CA
emailAddress=ca@distorted.org.uk
EOF
)

## Build the new CA key and certificate.
umask 027
openssl req -new -config openssl.conf -x509 -days 3650 \
	-out ca.cert -keyout private/ca.key \
	-subj "$subject"
chown root:ca private/ca.key
chmod 644 ca.cert