#!/bin/bash -e

# Print the command-line synopsis and a description of each argument to stdout.
usage() {
  printf '%s\n' \
    "usage: $0 COMMON_NAME [OUT]" \
    "" \
    "  COMMON_NAME   the domain name the certificate is valid for, eg. example.com" \
    "  OUT           path to output directory generated files will be placed in" \
    ""
}

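# Abort on the first failing command. The -e in the shebang is dropped when
# the script is started as `bash <script>`, so the option is set here as well;
# otherwise a failed `source` or easyrsa call would not stop the run.
set -e

# COMMON_NAME is mandatory: print the synopsis and fail when it is missing.
if [[ -z "${1:-}" ]]; then
  usage
  exit 1
fi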

# Resolve this script's own location so the shared helper is found regardless
# of the caller's working directory.
CMD=$(realpath "$0")
DIR=$(dirname "$CMD")

# Positional arguments: the certificate's domain and the optional output
# directory, which defaults to the current directory.
CN=$1
OUT=$(realpath "${2:-.}")

# shellcheck source=scripts/ssl-common.sh
. "${DIR}/ssl-common.sh"

# Paths of the wildcard certificate and key for CN inside the PKI directory.
# Each value contains a literal '*' (the entry is named "*.<CN>"); it is only
# expanded as a glob if the variable is later used unquoted.
# ROOT_PKI is not assigned in this file -- presumably set by ssl-common.sh.
ROOT_CRT="${ROOT_PKI}/issued/*.${CN}.crt"
ROOT_KEY="${ROOT_PKI}/private/*.${CN}.key"

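# Refuse to continue with an empty PKI path: the certificate/key paths and
# --pki-dir below would otherwise not point into the intended PKI directory.
: "${ROOT_PKI:?ROOT_PKI is not set}"

# (Re)issue the wildcard certificate when either the certificate or its key is
# missing. The paths are quoted so the '*' in "*.<CN>" stays literal: unquoted,
# the shell expands it as a glob, so the -f tests can see other files ending in
# ".<CN>.crt"/".<CN>.key" and the rm below would delete those certificates and
# private keys as well.
if [[ ! -f "$ROOT_CRT" || ! -f "$ROOT_KEY" ]]; then
  # Remove a half-present pair so certificate and key are regenerated together.
  rm -f -- "$ROOT_CRT" "$ROOT_KEY"

  # Generate the CSR and sign it for the wildcard name.
  # NOTE(review): the SAN lists only "*.<CN>"; the bare domain is not covered
  #   by this certificate unless it is added to --subject-alt-name.
  # NOTE(review): CN is taken verbatim from argv and interpolated into the SAN
  #   value and the file names; validate it as a hostname upstream if it can
  #   come from anything other than a trusted operator.
  # nopass: the private key is written unencrypted, so access to
  #   ${ROOT_PKI}/private has to be restricted by file permissions.
  # stderr is discarded here; on failure the script stops (set -e) without
  #   showing easyrsa's diagnostics.
  "$easyrsa_bin" --pki-dir="${ROOT_PKI}" --days="${CRT_EXPIRY_DAYS}" --subject-alt-name="DNS:*.${CN}" build-server-full "*.${CN}" nopass 2>/dev/null

  # Update indexes and generate CRLs.
  "$easyrsa_bin" --pki-dir="${ROOT_PKI}" update-db 2>/dev/null
  "$easyrsa_bin" --pki-dir="${ROOT_PKI}" gen-crl 2>/dev/null
fi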