#! /bin/sh -e

unset email unit key ext extra
config=/etc/ca/openssl.conf
good=t
while getopts e:u:k:x: opt; do
  case $opt in
    e) email=$OPTARG ;;
    u) unit=$OPTARG ;;
    k) key=$OPTARG ;;
    x) ext=$OPTARG ;;
    *) good=nil ;;
  esac
done
shift $(( $OPTIND - 1 ))

case $#,$good in
  2,t) ;;
  *) echo >&2 "usage: $0 [-e EMAIL] [-k KEY] [-u UNIT] [-x EXT] LABEL CN"; exit 1 ;;
esac
label=$1 cn=$2

if [ ! -d private ]; then
  mkdir -m700 private
fi

case ${ext+t} in
  t)
    { cat "$config"
      echo
      echo "[genx509-custom]"
      cat "$ext"; } >"tmp.$label.conf"
    config=tmp.$label.conf
    extra="$extra -reqexts genx509-custom"
    ;;
esac

name="/C=GB/ST=Cambridgeshire/L=Cambridge/O=distorted.org.uk"
name="$name/${unit+OU=$unit/}CN=$cn${email+/emailAddress=$email}"
case ${key+t} in
  t)
    openssl req -batch -config "$config" \
	-new -subj "$name" -text -out "$label.req.new" \
	-key "$key" $extra
    ;;
  *)
    openssl req -batch -config "$config" \
	-new -subj "$name" -text -out "$label.req.new" \
	-nodes -keyout "private/$label.key.new" $extra
    chmod 600 "private/$label.key.new"
    mv "private/$label.key.new" "private/$label.key"
    ;;
esac
rm -f "tmp.$label.conf"
mv "$label.req.new" "$label.req"
sha256sum "$label.req"