#!/bin/bash

[ $# -lt 1 ] && echo	" nombre d arguement invalide  "$'\n'" 0 -> creation du certificat racine  "$'\n'" 1 + nom -> creation du certificat client  " && exit 1 

if [ $1 -eq 0 ]
then

echo "bonjour je vais cous crée les certificats"
mkdir -p certificats/certs certificats/crl certificats/keys certificats/private certificats/req certificats/client
touch certificats/conf.cnf
echo 00 > certificats/crlnumber

echo 'HOME			= .' >  certificats/conf.cnf
echo 'oid_section		= new_oids' >>  certificats/conf.cnf
echo 'openssl_conf = default_conf' >>  certificats/conf.cnf
echo '[ new_oids ]' >>  certificats/conf.cnf
echo 'tsa_policy1 = 1.2.3.4.1' >>  certificats/conf.cnf
echo 'tsa_policy2 = 1.2.3.4.5.6' >>  certificats/conf.cnf
echo 'tsa_policy3 = 1.2.3.4.5.7' >>  certificats/conf.cnf
echo '[ ca ]' >>  certificats/conf.cnf
echo 'default_ca	= CA_default		# The default ca section' >>  certificats/conf.cnf
echo '[ CA_default ]' >>  certificats/conf.cnf
echo 'dir		= ./certificats		# T Where everything is kept' >>  certificats/conf.cnf
echo 'certs		= $dir/certs		# A Where the issued certs are kept' >>  certificats/conf.cnf
echo 'crl_dir		= $dir/crl		# N Where the issued crl are kept' >>  certificats/conf.cnf
echo 'database	= $dir/index.txt	# G database index file.' >>  certificats/conf.cnf
echo 'unique_subject	= no			# U Set to 'no' to allow creation of' >>  certificats/conf.cnf
echo 'new_certs_dir	= $dir/certs		# Y default place for new certs.' >>  certificats/conf.cnf
echo 'certificate	= $dir/certs/CA.crt 	# . The CA certificate' >>  certificats/conf.cnf
echo 'serial		= $dir/serial 		# S The current serial number' >>  certificats/conf.cnf
echo 'crlnumber	= $dir/crlnumber	# C the current crl number' >>  certificats/conf.cnf
echo 'crl		= $dir/crl.pem 		# H The current CRL' >>  certificats/conf.cnf
echo 'private_key	= $dir/private/CA_RSA.key # N The private key' >>  certificats/conf.cnf
echo 'x509_extensions	= usr_cert		# E The extensions to add to the cert' >>  certificats/conf.cnf
echo 'name_opt 	= ca_default		# L Subject Name options' >>  certificats/conf.cnf
echo 'cert_opt 	= ca_default		# L Certificate field options' >>  certificats/conf.cnf
echo 'default_days	= 1461			# B how long to certify for' >>  certificats/conf.cnf
echo 'default_crl_days= 30			# A how long before next CRL' >>  certificats/conf.cnf
echo 'default_md	= default		# C use public key default MD' >>  certificats/conf.cnf
echo 'preserve	= no			# H keep passed DN ordering' >>  certificats/conf.cnf
echo 'policy		= policy_match' >>  certificats/conf.cnf
echo '[ policy_match ]' >>  certificats/conf.cnf
echo 'countryName		= match' >>  certificats/conf.cnf
echo 'stateOrProvinceName	= match' >>  certificats/conf.cnf
echo 'organizationName	= match' >>  certificats/conf.cnf
echo 'organizationalUnitName	= optional' >>  certificats/conf.cnf
echo 'commonName		= supplied' >>  certificats/conf.cnf
echo 'emailAddress		= optional' >>  certificats/conf.cnf
echo '[ policy_anything ]' >>  certificats/conf.cnf
echo 'countryName		= supplied' >>  certificats/conf.cnf
echo 'stateOrProvinceName	= optional' >>  certificats/conf.cnf
echo 'localityName		= supplied' >>  certificats/conf.cnf
echo 'organizationName	= match' >>  certificats/conf.cnf
echo 'organizationalUnitName	= optional' >>  certificats/conf.cnf
echo 'commonName		= supplied' >>  certificats/conf.cnf
echo 'emailAddress		= supplied' >>  certificats/conf.cnf
echo '[ req ]' >>  certificats/conf.cnf
echo 'default_bits		= 2048' >>  certificats/conf.cnf
echo 'default_keyfile 	= privkey.pem' >>  certificats/conf.cnf
echo 'distinguished_name	= req_distinguished_name' >>  certificats/conf.cnf
echo 'attributes		= req_attributes' >>  certificats/conf.cnf
echo 'x509_extensions	= v3_ca	# The extensions to add to the self signed cert' >>  certificats/conf.cnf
echo 'string_mask = utf8only' >>  certificats/conf.cnf
echo '[ req_distinguished_name ]' >>  certificats/conf.cnf
echo 'countryName			= Country Name (2 letter code)' >>  certificats/conf.cnf
echo 'countryName_default		= FR' >>  certificats/conf.cnf
echo 'countryName_min			= 2' >>  certificats/conf.cnf
echo 'countryName_max			= 2' >>  certificats/conf.cnf
echo 'stateOrProvinceName		= State or Province Name (full name)' >>  certificats/conf.cnf
echo 'stateOrProvinceName_default	= Somme' >>  certificats/conf.cnf
echo 'localityName			= Locality Name (eg, city)' >>  certificats/conf.cnf
echo 'localityName_default		= Amiens' >>  certificats/conf.cnf
echo '0.organizationName		= Organization Name (eg, company)' >>  certificats/conf.cnf
echo '0.organizationName_default	= ISRI' >>  certificats/conf.cnf
echo 'organizationalUnitName		= Organizational Unit Name (eg, section)' >>  certificats/conf.cnf
echo 'organizationalUnitName_default	= M1' >>  certificats/conf.cnf
echo 'commonName			= Common Name (e.g. server FQDN or YOUR name)' >>  certificats/conf.cnf
echo 'commonName_default		= 127.0.0.1 ' >>  certificats/conf.cnf
echo 'commonName_max			= 64' >>  certificats/conf.cnf
echo 'emailAddress			= Email Address' >>  certificats/conf.cnf
echo 'emailAddress_default		= tanguy.schnellbach@domotrix.fr' >>  certificats/conf.cnf
echo 'emailAddress_max		= 64' >>  certificats/conf.cnf
echo '[ req_attributes ]' >>  certificats/conf.cnf
echo 'challengePassword		= A challenge password' >>  certificats/conf.cnf
echo 'challengePassword_min		= 4' >>  certificats/conf.cnf
echo 'challengePassword_max		= 20' >>  certificats/conf.cnf
echo 'unstructuredName		= An optional company name' >>  certificats/conf.cnf
echo '[ usr_cert ]' >>  certificats/conf.cnf
echo 'basicConstraints=CA:FALSE' >>  certificats/conf.cnf
echo 'nsComment			= "OpenSSL Generated Certificate"' >>  certificats/conf.cnf
echo 'subjectKeyIdentifier=hash' >>  certificats/conf.cnf
echo 'authorityKeyIdentifier=keyid,issuer' >>  certificats/conf.cnf
echo '[ v3_req ]' >>  certificats/conf.cnf
echo 'basicConstraints = CA:FALSE' >>  certificats/conf.cnf
echo 'keyUsage = nonRepudiation, digitalSignature, keyEncipherment' >>  certificats/conf.cnf
echo '[ v3_ca ]' >>  certificats/conf.cnf
echo 'subjectKeyIdentifier=hash' >>  certificats/conf.cnf
echo 'authorityKeyIdentifier=keyid:always,issuer' >>  certificats/conf.cnf
echo 'basicConstraints = critical,CA:true' >>  certificats/conf.cnf
echo '[ crl_ext ]' >>  certificats/conf.cnf
echo 'authorityKeyIdentifier=keyid:always' >>  certificats/conf.cnf
echo '[ proxy_cert_ext ]' >>  certificats/conf.cnf
echo 'basicConstraints=CA:FALSE' >>  certificats/conf.cnf
echo 'nsComment			= "OpenSSL Generated Certificate"' >>  certificats/conf.cnf
echo 'subjectKeyIdentifier=hash' >>  certificats/conf.cnf
echo 'authorityKeyIdentifier=keyid,issuer' >>  certificats/conf.cnf
echo 'proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo' >>  certificats/conf.cnf
echo '[ tsa ]' >>  certificats/conf.cnf
echo 'default_tsa = tsa_config1	# the default TSA section' >>  certificats/conf.cnf
echo '[ tsa_config1 ]' >>  certificats/conf.cnf
echo 'dir		= ./demoCA		# TSA root directory' >>  certificats/conf.cnf
echo 'serial		= $dir/tsaserial	# The current serial number (mandatory)' >>  certificats/conf.cnf
echo 'crypto_device	= builtin		# OpenSSL engine to use for signing' >>  certificats/conf.cnf
echo 'signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate' >>  certificats/conf.cnf
echo 'certs		= $dir/cacert.pem	# Certificate chain to include in reply' >>  certificats/conf.cnf
echo 'signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)' >>  certificats/conf.cnf
echo 'signer_digest  = sha256			# Signing digest to use. (Optional)' >>  certificats/conf.cnf
echo 'default_policy	= tsa_policy1		# Policy if request did not specify it' >>  certificats/conf.cnf
echo 'other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)' >>  certificats/conf.cnf
echo 'digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)' >>  certificats/conf.cnf
echo 'accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)' >>  certificats/conf.cnf
echo 'clock_precision_digits  = 0	# number of digits after dot. (optional)' >>  certificats/conf.cnf
echo 'ordering		= yes	# Is ordering defined for timestamps?' >>  certificats/conf.cnf
echo 'tsa_name		= yes	# Must the TSA name be included in the reply?' >>  certificats/conf.cnf
echo 'ess_cert_id_chain	= no	# Must the ESS cert id chain be included?' >>  certificats/conf.cnf
echo 'ess_cert_id_alg		= sha1	# algorithm to compute certificate' >>  certificats/conf.cnf
echo '[default_conf]' >>  certificats/conf.cnf
echo 'ssl_conf = ssl_sect' >>  certificats/conf.cnf
echo '[ssl_sect]' >>  certificats/conf.cnf
echo 'system_default = system_default_sect' >>  certificats/conf.cnf
echo '[system_default_sect]' >>  certificats/conf.cnf
echo 'MinProtocol = TLSv1.2' >>  certificats/conf.cnf
echo 'CipherString = DEFAULT@SECLEVEL=2' >>  certificats/conf.cnf
echo '[ server_cert ]' >>  certificats/conf.cnf
echo 'crlDistributionPoints = URI:http://path/certificats/crl/list_revok.crl' >>  certificats/conf.cnf

touch certificats/index.txt
touch certificats/index.txt.attr
echo -n 00 > certificats/serial 

openssl genrsa -out certificats/private/CA_RSA.key 4096

openssl pkey -in certificats/private/CA_RSA.key -pubout -out certificats/keys/CA_RSA-pub.key

openssl req -x509 -sha256 -days 1460 -key certificats/private/CA_RSA.key  -config certificats/conf.cnf -out certificats/certs/CA.crt

else
[ $# -lt 2 ] && echo "$DATE nombre d arguement invalide  "$'\n'\
                "0 -> creation du certificat racine "$'\n'\ 
                "1 + nom -> creation du certificat client " && exit 1

	openssl genrsa -out certificats/client/CA_RSA-$2.key 2048 
	openssl pkey -in certificats/client/CA_RSA-$2.key -pubout -out certificats/client/CA_RSA-$2-pub.key
	openssl req -new -key certificats/client/CA_RSA-$2.key -out certificats/req/$2.csr -config certificats/conf.cnf
	openssl ca -in certificats/req/$2.csr -out certificats/certs/$2.crt -config certificats/conf.cnf

	#creation du certificat client
	sudo openssl pkcs12 -export -in certificats/certs/$2.crt -inkey certificats/client/CA_RSA-$2.key -out $2.pfx
fi