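#!/bin/bash
#
# Build a small test PKI: one root CA, two sub-CAs, and three user
# certificates per sub-CA (one per entry in emailAddress[]), each exported
# as a PKCS#12 bundle. Keys, certificates and .p12 files are written to
# ${outDir}; CSRs are scratch files in ${tmpDir}; the X.509 extension
# sections (v3_ca, v3_usr) are read from ${confDir}1.conf.
#
# Usage: run with no arguments; adjust the settings block below.
# Env:   P12_PASS - password for the exported .p12 files (default: 5678)

set -euo pipefail

# Select either ECC or RSA. Unfortunately ECC is not fully supported by Thunderbird
#type="ECC"
type="RSA"

# Key parameters. The original script used RSA 1024 for user keys and the
# 192-bit curve prime192v1; both are below today's accepted minimums
# (2048-bit RSA / P-256), so the defaults were raised. Adjust if needed.
caRsaBits=2048
userRsaBits=2048
ecCurve="prime256v1"

# Adjust your email addresses here
emailAddress[1]="whatever@gmx.net"
emailAddress[2]="whatever@gmail.com"
emailAddress[3]="whatever@whatever.info"

# Password for the exported PKCS#12 files. Handed to openssl via "env:" so it
# does not appear in the process list the way "-passout pass:..." does.
export P12_PASS="${P12_PASS:-5678}"

#######################################################################
confDir="conf/"
outDir="out/"
tmpDir="tmp/"
confFile="${confDir}1.conf"
certDays=3650

# Print a message to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Generate a private key of the selected type.
# Globals:   type, ecCurve (read)
# Arguments: $1 - output key file
#            $2 - RSA modulus size in bits (ignored for ECC)
#######################################
gen_key() {
  local keyFile=$1 bits=$2
  if [[ "$type" == "ECC" ]]; then
    openssl ecparam -outform PEM -out "$keyFile" -genkey -name "$ecCurve"
  else
    openssl genrsa -out "$keyFile" "$bits"
  fi
}

#######################################
# Write a CSR for the given subject and key to ${tmpDir}csr.pem.
# Globals:   tmpDir (read)
# Arguments: $1 - subject in openssl -subj format
#            $2 - private key file
#######################################
make_csr() {
  local subject=$1 keyFile=$2
  openssl req -new -subj "$subject" -key "$keyFile" -out "${tmpDir}csr.pem"
}

main() {
  local subca user keyFile certFile subject

  command -v openssl >/dev/null || die "openssl not found in PATH"
  # The original only printed a warning here and then carried on; a missing
  # config file would have failed much later inside openssl x509.
  [[ -d "$confDir" ]] || die "$confDir must be existent and must contain the config file"
  [[ -f "$confFile" ]] || die "$confFile is missing"
  [[ "$type" == "ECC" || "$type" == "RSA" ]] || die "type must be ECC or RSA, got '$type'"

  if [[ ! -d "$tmpDir" ]]; then
    echo "Creating $tmpDir"
    mkdir -- "$tmpDir"
  fi
  if [[ ! -d "$outDir" ]]; then
    echo "Creating $outDir"
    mkdir -- "$outDir"
  fi
  # ":?" aborts instead of expanding to a bare "*" should outDir ever be empty.
  rm -f -- "${outDir:?}"*

  # Private keys are written below; keep every generated file owner-only.
  umask 077

  # Create Root CA
  echo "=== Creating Root CA ==="
  gen_key "${outDir}keys_root.pem" "$caRsaBits"
  # The original subject expanded ${subca} before the loop defined it,
  # producing "Whatever Root-CA " with a trailing space.
  make_csr "/CN=Whatever Root-CA/emailAddress=whatever@gmail.com" "${outDir}keys_root.pem"
  openssl x509 -days "$certDays" -extfile "$confFile" -extensions v3_ca -req \
    -in "${tmpDir}csr.pem" -signkey "${outDir}keys_root.pem" \
    -out "${outDir}cert_root.crt"

  # Create Sub CA
  for subca in 1 2; do
    echo " === Generating Sub CA ==="
    keyFile="${outDir}keys_subca${subca}.pem"
    certFile="${outDir}cert_subca${subca}.crt"
    gen_key "$keyFile" "$caRsaBits"
    make_csr "/CN=Whatever Sub-CA ${subca}/emailAddress=whatever@gmail.com" "$keyFile"
    openssl x509 -days "$certDays" -extfile "$confFile" -extensions v3_ca -req \
      -in "${tmpDir}csr.pem" -CA "${outDir}cert_root.crt" \
      -CAkey "${outDir}keys_root.pem" -out "$certFile" -CAcreateserial

    for user in 1 2 3; do
      echo " === Generating user cert ${user} for sub-CA ${subca}==="
      [[ -n "${emailAddress[$user]:-}" ]] || die "no emailAddress[$user] configured"
      # Create User Certs
      keyFile="${outDir}keys_subca${subca}_user${user}.pem"
      certFile="${outDir}cert_subca${subca}_user${user}.crt"
      gen_key "$keyFile" "$userRsaBits"
      # The original CN carried a trailing space before "/emailAddress".
      subject="/CN=User Certificate ${subca}.${user} for ${emailAddress[$user]}/emailAddress=${emailAddress[$user]}"
      make_csr "$subject" "$keyFile"
      openssl x509 -days "$certDays" -req -in "${tmpDir}csr.pem" \
        -extfile "$confFile" -extensions v3_usr \
        -CA "${outDir}cert_subca${subca}.crt" -CAkey "${outDir}keys_subca${subca}.pem" \
        -out "$certFile" -CAcreateserial
      openssl pkcs12 -export -in "$certFile" \
        -out "${outDir}subca${subca}_user${user}.p12" -nodes -inkey "$keyFile" \
        -name "User Certificate ${subca}.${user} for ${emailAddress[$user]}" \
        -certfile "${outDir}cert_subca${subca}.crt" -passout env:P12_PASS
    done
  done
}

main "$@"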