#!/bin/sh -e

servername="myserver.domain.net"
shortname="myserver"
contact="postmaster@maildomain.net"
base=/etc/mail
cnf=$base/CA/openssl.cnf
sign="sha256"
encrypt="-newkey rsa:2048"
days="7300"
pass="pass:1234" # CA private key passphrase
origopensslcnf=/etc/ssl/openssl.cnf
diff=$(dirname $(realpath $(basename $0)))/openssl.cnf.diff

cd /etc/mail
if [ -d CA ]; then
  cd CA
else
  mkdir -p CA certs
  cp $origopensslcnf $cnf
  cd CA
  patch < $diff
fi

mkdir -p certs crl newcerts private
if [ ! -s serial ]; then
  echo "01" > serial
  touch index.txt
fi

answers() {
  cat <<EOF
RU
Unknown region
Unknown city
Private person
Undefined Department
$servername
$contact
EOF
}

answers | openssl req -passout $pass -new -x509 \
    -$sign $encrypt -keyout private/cakey.pem   \
    -out cacert.pem -days $days -config $cnf 2>/dev/null

answers | openssl req -nodes -new -x509 -$sign $encrypt -keyout $shortname.pem \
    -out $shortname.pem -days $days -config $cnf 2>/dev/null

fgrep -q -- '-----END CERTIFICATE-----' $shortname.pem || exit 1

trap "rm -f request-$$.pem" EXIT
openssl x509 -x509toreq -in $shortname.pem -$sign \
    -signkey $shortname.pem -out request-$$.pem
printf "y\ny\n" | openssl ca -passin $pass -config $cnf -days $days -md $sign \
    -policy policy_anything -out $shortname-cert.pem -infiles request-$$.pem

openssl rsa -in $shortname.pem -out $shortname-key.pem 2>/dev/null

cd /etc/mail/certs
ln -f ../CA/cacert.pem .
ln -f ../CA/$shortname-cert.pem .
ln -f ../CA/$shortname-key.pem .
chown root *
chmod 0400 *
ln -sf cacert.pem `openssl x509 -noout -hash < cacert.pem`.0