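#!/bin/bash
#############################################################
# Script name: createCA.sh
# Author: Gilles Mouchet (gilles.mouchet@gmail.com)
# Version: v1beta 2026-04-05
# Description: Script to create your own CA
# License: CC BY-NC 4.0 (https://creativecommons.org/licenses/by-nc/4.0/)
#
# This script is provided "as is", WITHOUT ANY WARRANTY OF ANY KIND.
# Commercial use is strictly prohibited without prior authorization.
#
# Changelog
# [1.0.0] - 2026-04-05
# Project initialization
# - initialization by gilles.mouchet@gmail.com
#
############################################################
#
version=v1beta

############################################################
# FUNCTIONS
############################################################

#-----------------------------------------------------------
# Print a message on stderr and exit with status 1.
# Arguments: $* - message
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#-----------------------------------------------------------
# Display usage
usage() {
  cat << EOF
Usage: ./$(basename "$0") -n
Template script
Options:
-n, --common-name - CA common name [mandatory]
-h, --help - show this help
-v, --version - show script version
Examples:
Show this help
./$(basename "$0") -n "GMOLab CA"
EOF
}

#-----------------------------------------------------------
# Turn a display name into a safe file-name stem: transliterate
# to the closest ASCII (e.g. 'é' -> 'e'), lowercase, replace every
# run of non-alphanumeric characters with a single "_" and strip a
# leading or trailing "_".
# Arguments: $1 - string to clean
# Outputs:   cleaned string on stdout
clean_string() {
  printf '%s\n' "$1" \
    | iconv -f utf-8 -t ascii//TRANSLIT \
    | tr '[:upper:]' '[:lower:]' \
    | sed -E -e 's/[^a-z0-9]+/_/g' -e 's/^_|_$//g'
}

#-----------------------------------------------------------
# Escape a value for the replacement part of a sed "s|...|...|"
# command: a backslash, the "|" delimiter and "&" would otherwise
# be interpreted by sed (e.g. "Smith & Co" would re-insert the
# placeholder instead of "&").
# Arguments: $1 - raw value
# Outputs:   escaped value on stdout (no trailing newline)
sed_escape() {
  local s=$1
  s=${s//\\/\\\\}
  s=${s//|/\\|}
  s=${s//&/\\&}
  printf '%s' "$s"
}

#-----------------------------------------------------------
# Ask a yes/no question on the terminal.
# Arguments: $1 - prompt text
# Returns:   0 when the answer is "y" or "Y", 1 otherwise
ask_yes() {
  local answer
  read -r -p "$1" answer
  [[ "$answer" == "y" || "$answer" == "Y" ]]
}

############################################################
# MAIN
############################################################

# var for config file: script base name without directory and extension
progName=${0##*/}
progName=${progName%%.*}
confDir=/etc/own-pki
cfgFile=${confDir}/own-pki.conf

# check if conf file exists
if [ ! -f "$cfgFile" ]; then
  echo "$progName not installed correctly. Please run install.sh script"
  exit 1
fi

# read config file. It is sourced, i.e. executed as shell code, so it
# must only be writable by the administrator who installed it.
# shellcheck disable=SC1090
. "$cfgFile"

# check if param exist
if [ -z "$1" ]; then
  usage
  exit 1
fi

# read cli parameters (--common-name is the form documented by usage,
# --name is kept for compatibility)
commonName=
while [[ "$#" -gt 0 ]]; do
  case "$1" in
    -n|--name|--common-name)
      # the option needs a non-empty value
      if [ -z "$2" ]; then
        usage
        exit 1
      fi
      commonName="$2"
      shift 2
      ;;
    version|-v|--version)
      cat << EOF
$(basename "$0") $version
(c) 1990 - $(date +%Y) by Gilles Mouchet
This script is provided "as is", WITHOUT ANY WARRANTY OF ANY KIND.
Non-Commercial Use License – See LICENSE for details
EOF
      exit
      ;;
    help|-h|--help)
      usage
      exit
      ;;
    *)
      # unknown option: show help but fail, so callers notice
      usage
      exit 1
      ;;
  esac
done

[ -n "$commonName" ] || die "missing CA common name (option -n)"

# certPath and the subject fields are expected from the config file;
# an empty certPath would make every path below start at "/"
[ -n "$certPath" ] || die "certPath is not set in $cfgFile"

# clean variable commonName; refuse a name that cleans down to nothing
# (it would produce the hidden file "$certPath/.key")
caName=$(clean_string "$commonName")
[ -n "$caName" ] || die "common name '$commonName' does not yield a usable file name"
keyFile=$certPath/$caName.key
crtFile=$certPath/$caName.crt
caConfig=$certPath/ca-config

# summary
cat << EOF
Summary
----------------------------------------------------------------------------
Certificats files destination: $certPath
CA private file name (key): $keyFile
CA public file name (crt): $crtFile
Country name: $countryName
State or province name: $stateOrProvinceName
Locality name: $localityName
Organization name: $organizationName
Organizational unit name: $organizationalUnitName
Common name: $commonName
Email address: $emailAddress

IMPORTANT
You will be asked for a password.
Choose a STRONG PASSWORD and KEEP IT SECURE.
You will be asked for it when creating certificates.
EOF
ask_yes "Are you OK (y/N)? " || exit 1

# create destination path
if [ ! -d "$certPath" ]; then
  echo "create $certPath"
  mkdir -p -- "$certPath" || die "cannot create $certPath"
fi

# check if CA files exist: openssl below would silently overwrite them
if [ -f "$keyFile" ]; then
  printf '\n%s already exists!\n\n' "$keyFile"
  ask_yes "Are you sure you want to delete it? (y/N)? " || exit 1
fi

# config ca-conf file from the template in the current directory.
# The %PLACEHOLDER% names must match ca-config.tmpl byte for byte
# (including their current spelling); values are escaped so that a
# "|", "&" or "\" in a name (or in the command-line common name)
# cannot alter the sed script.
tmplFile=ca-config.tmpl
[ -f "$tmplFile" ] || die "template $tmplFile not found in $PWD"
sed -e "s|%COUNTRY_NAME%|$(sed_escape "$countryName")|" \
    -e "s|%STATE_OF_PROVINCE_NAME%|$(sed_escape "$stateOrProvinceName")|" \
    -e "s|%LOCALITY_NAME%|$(sed_escape "$localityName")|" \
    -e "s|%ORGANIZITION_NAME%|$(sed_escape "$organizationName")|" \
    -e "s|%ORGANiZATION_UNIT_NAME%|$(sed_escape "$organizationalUnitName")|" \
    -e "s|%COMMON_NAME%|$(sed_escape "$commonName")|" \
    -e "s|%EMAIL_ADDRESS%|$(sed_escape "$emailAddress")|" \
    < "$tmplFile" > "$caConfig" || die "cannot write $caConfig"

# create ca: 4096-bit RSA key, valid 1825 days (5 years). The key is
# encrypted with AES-256 under the passphrase openssl prompts for,
# instead of whatever cipher the installed openssl defaults to.
openssl req -new -x509 -extensions v3_ca -days 1825 -newkey rsa:4096 -aes256 \
  -keyout "$keyFile" \
  -out "$crtFile" \
  -config "$caConfig" \
  -batch
rv=$?
if [ "$rv" -ne 0 ]; then
  die "openssl failed to create the CA (exit status $rv)"
fi

# the private key must stay readable by its owner only, whatever
# umask was in effect
chmod 600 -- "$keyFile" || die "cannot restrict permissions on $keyFile"
echo "CA created successfully"
echo "!! Keep your password safe !!"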