#! /usr/bin/tclsh8.5
### -*-tcl-*-
###
### Initialize a new certificate authority.
###
### (c) 2011 Mark Wooding
###
###----- Licensing notice ---------------------------------------------------
###
### This program is free software; you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or
### (at your option) any later version.
###
### This program is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
### GNU General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

## Pull in the shared helpers (make-directories, make-file, sql,
## sync-profiles, the C configuration array and CERTROOT) and work from the
## CA root directory.
source [file join [file dirname $argv0] "../lib/func.tcl"]
cd $CERTROOT

## A live CA is identified by its database.  Refuse to touch one.
if {[file exists "state/ca.db"]} {
  puts stderr "$argv0: It looks like there's already a certificate authority\
    here. If you want to clobber it, delete state/ca.db and run this program\
    again."
  exit 1
}

## No database: either an earlier setup died half way through, or the
## operator deleted the database on purpose to force a rebuild.  Either way,
## everything below is rebuilt from scratch -- including `private', so any
## leftover CA key in there is destroyed here.
file delete -force \
    "archive" "cert" "req" "state" "private" "crl" "tmp" "ca.cert"

## Bookkeeping state: serial and CRL number counters start at 1.
make-directories 0775 "state" "archive"
make-file "state/serial" "01\n"
make-file "state/crlnumber" "01\n"
make-file "state/db" ""

## Build the database under a temporary name so that a half-built database is
## never mistaken for a live CA; the rename at the very end commits it.
## Schema and indices come from [sql create]; profiles come from the config.
sqlite db "state/ca.db.new"
db eval [sql create]
sync-profiles
db close
file attributes "state/ca.db.new" \
    -owner $C(ca-owner) -group $C(ca-group) -permissions 0664

## Assemble the OpenSSL `-subj' distinguished name from the configured
## attribute/value pairs, e.g. `/C=GB/O=Example/CN=Example CA'.
set dn-parts {}
foreach {attr value} $C(ca-name) { lappend dn-parts "/$attr=$value" }
set dn [join ${dn-parts} ""]

## Generate the CA key and self-signed certificate.  The key lands in
## `private', created mode 0750; its owner, group and final mode are applied
## only after openssl has written it, so the key's interim mode depends on
## openssl's own create mode and the process umask -- worth confirming when
## this is run under a permissive umask.
make-directories 0750 "private"
set req-args [list req -config "etc/openssl.conf" \
                  -text -out "ca.cert" -keyout "private/ca.key" \
                  -new -x509 -days $C(ca-period) \
                  -subj $dn]
exec >@stdout 2>@stderr openssl {*}${req-args}
foreach {path mode} {"private/ca.key" 0640 "ca.cert" 0644} {
  file attributes $path \
      -owner $C(ca-owner) -group $C(ca-group) -permissions $mode
}

## Certificate and request trees (published by the web server), plus scratch
## space.
foreach dirs {
  {"cert" "cert/by-seq" "cert/active"}
  {"req" "req/by-id" "req/active"}
  {"tmp"}
} {
  make-directories 0775 {*}$dirs
}

## Commit: only now does the CA count as initialized.
file rename "state/ca.db.new" "state/ca.db"