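#!/bin/sh
#
# Bootstrap a private OpenSSL CA (if not yet initialised) and build the Java
# keystores for an application server (s1as), an XWS-Security server and an
# XWS-Security client:
#   $KEYSTORE_DIR/server/cacerts.jks, keystore.jks
#   $KEYSTORE_DIR/client/cacerts.jks, keystore.jks
#
# Requirements: openssl, keytool (JDK 6 or newer for the "-storepass:env"
# syntax) and an OpenSSL CA layout under $CA_DIR: openssl.cnf, private/,
# req/, newcerts/, index.txt and a "serial" file that openssl.cnf points at
# (the script reads $CA_DIR/serial.old to find the certificate just issued).
#
# Passwords may be supplied through the environment (CA_PASS, SERVER_PASS,
# CLIENT_PASS). The defaults below are placeholders and must be replaced for
# anything other than a throw-away test setup. Passwords are handed to
# openssl/keytool through the environment rather than on the command line so
# they do not show up in "ps" output or shell history.

# Every step depends on the previous one; stop at the first failure instead of
# producing half-built keystores. Unset variables are treated as errors too.
set -eu

# Private keys and keystores are created below: make them owner-only.
umask 077

# Directory of your certification authority
CA_DIR=${CA_DIR:-$HOME/CA}

# Working directory (wiped on every run, see below)
KEYSTORE_DIR=${KEYSTORE_DIR:-$HOME/keystore}
# Directory where server cacerts.jks and keystore.jks will be created
SERVER_KEYS_DIR=$KEYSTORE_DIR/server
# Directory where client cacerts.jks and keystore.jks will be created
CLIENT_KEYS_DIR=$KEYSTORE_DIR/client

# CA certificate parameters
# RSA key size used for the CA key and for every keytool key pair. 1024-bit
# RSA is no longer acceptable to current TLS stacks; 2048 is the minimum,
# 3072/4096 is preferable for a CA that is valid for 20 years.
NUMBITS=${NUMBITS:-2048}
CA_DNAME=/C=LT/O=Company/OU=IT/CN=my_CA_name
CA_VALID=7300
CA_PASS=${CA_PASS:-changeit_CA}

# Server certificate parameters
SERVER_PASS=${SERVER_PASS:-changeit_WS_server}

S1AS_ALIAS="s1as"
# NOTE(review): modern TLS clients match the host name against a
# subjectAltName extension, not the CN. Adding SANs would require
# "-ext SAN=dns:my.server.com" on the keytool -certreq below AND
# "copy_extensions = copy" in openssl.cnf; confirm before relying on this
# certificate for browser/HTTPS use.
S1AS_DNAME="C=LT, O=Company, OU=IT, CN=my.server.com"
# 7300 days (20 years) is a very long lifetime for an end-entity certificate;
# consider something much shorter for production.
S1AS_VALID=7300

WS_SERVER_ALIAS="xws-security-server"
WS_SERVER_DNAME="C=LT, O=Company, OU=IT, CN=my.server.com"
WS_SERVER_VALID=7300

# Client certificate parameters
CLIENT_PASS=${CLIENT_PASS:-changeit_WS_client}

WS_CLIENT_ALIAS="xws-security-client"
WS_CLIENT_DNAME="C=LT, O=Company, OU=IT, CN=WS_client"
WS_CLIENT_VALID=7300

# The passwords are read by child processes via "env:NAME" (openssl) and
# "-storepass:env NAME" (keytool), so they have to be exported.
export CA_PASS SERVER_PASS CLIENT_PASS

# DER copy of the CA certificate that is imported into every trust store.
# The CA is initialised with serial 01, so the first issued certificate
# (the self-signed CA certificate) is kept as newcerts/01.der.
CA_CERT_DER=$CA_DIR/newcerts/01.der


if [ ! -d "$CA_DIR" ] ; then
    echo "Can not find CA directory at $CA_DIR" >&2
    exit 1
fi

# There may be no directory for keystores yet - creating.
mkdir -p "$KEYSTORE_DIR"

# Clearing all files in keystore directory. ${KEYSTORE_DIR:?} makes the shell
# abort instead of expanding to "/*" if the variable is ever empty.
rm -fr "${KEYSTORE_DIR:?}"/*

#######################################
# Generate a key pair in a JKS keystore, have the CA sign it and import the
# issued certificate back under the same alias (the CA certificate must
# already be present in the keystore so keytool can build the chain without
# prompting). A copy of the request and the DER certificate is kept in the CA
# and in $KEYSTORE_DIR, as the original per-certificate steps did.
# Globals:   CA_DIR, KEYSTORE_DIR, NUMBITS (read); CA_PASS (read via env)
# Arguments: $1 - keystore alias
#            $2 - X.500 distinguished name for the certificate
#            $3 - validity in days
#            $4 - path of the keystore holding the private key
#            $5 - NAME of the exported variable with the keystore/key password
# Returns:   non-zero (and, under set -e, aborts the script) if any step fails
#######################################
issue_cert() {
    ic_alias=$1
    ic_dname=$2
    ic_days=$3
    ic_keystore=$4
    ic_pass_var=$5

    # Generating key pair; -keysize is given explicitly because the keytool
    # default depends on the JDK version.
    keytool -genkeypair -alias "$ic_alias" -keyalg RSA -keysize "$NUMBITS" \
        -dname "$ic_dname" -validity "$ic_days" \
        -keystore "$ic_keystore" \
        -storepass:env "$ic_pass_var" -keypass:env "$ic_pass_var"
    # Generating request to sign the certificate
    keytool -certreq -alias "$ic_alias" -file "$KEYSTORE_DIR/$ic_alias.req" \
        -keystore "$ic_keystore" -storepass:env "$ic_pass_var"
    # Signing the certificate with the CA; openssl ca writes it to
    # $CA_DIR/newcerts/<serial>.pem and rotates serial -> serial.old
    openssl ca -config "$CA_DIR/openssl.cnf" -batch -passin env:CA_PASS \
        -days "$ic_days" -extensions v3_req -infiles "$KEYSTORE_DIR/$ic_alias.req"
    # Getting certificate serial ID of the certificate just issued
    ic_serial=$(tr -d '\n' < "$CA_DIR/serial.old")
    if [ ! -f "$CA_DIR/newcerts/$ic_serial.pem" ] ; then
        echo "Signed certificate $CA_DIR/newcerts/$ic_serial.pem not found" >&2
        return 1
    fi
    # Converting from PEM to DER format
    openssl x509 -inform PEM -outform DER \
        -in "$CA_DIR/newcerts/$ic_serial.pem" -out "$CA_DIR/newcerts/$ic_serial.der"
    # Getting copy of the certificate
    cp "$CA_DIR/newcerts/$ic_serial.der" "$KEYSTORE_DIR/"
    # Saving request copy in CA
    cp "$KEYSTORE_DIR/$ic_alias.req" "$CA_DIR/req/$ic_serial.req"
    # Importing signed certificate (chain is validated against the CA
    # certificate already in the keystore, so no confirmation is asked)
    keytool -importcert -alias "$ic_alias" -file "$KEYSTORE_DIR/$ic_serial.der" \
        -keystore "$ic_keystore" -storepass:env "$ic_pass_var"
}

# Test do we have CA private key - is CA initialized
if [ ! -f "$CA_DIR/private/cakey.pem" ] ; then
    # Creating keys for CA (password-protected key, password from environment)
    openssl req -config "$CA_DIR/openssl.cnf" -newkey "rsa:$NUMBITS" \
        -subj "$CA_DNAME" -multivalue-rdn -days "$CA_VALID" \
        -keyout "$CA_DIR/private/cakey.pem" -out "$CA_DIR/req/careq.pem" \
        -passout env:CA_PASS
    # Saving request copy
    cp "$CA_DIR/req/careq.pem" "$CA_DIR/req/01.pem"
    # Self signing CA certificate
    openssl ca -config "$CA_DIR/openssl.cnf" -batch -passin env:CA_PASS \
        -days "$CA_VALID" -out "$CA_DIR/newcerts/cacert.pem" \
        -keyfile "$CA_DIR/private/cakey.pem" -selfsign -extensions v3_ca \
        -infiles "$CA_DIR/req/careq.pem"
    # Converting from PEM to DER format
    openssl x509 -inform PEM -outform DER \
        -in "$CA_DIR/newcerts/cacert.pem" -out "$CA_DIR/newcerts/cacert.der"
    # Keeping copy of all forms
    cp "$CA_DIR/newcerts/cacert.der" "$CA_CERT_DER"
fi

if [ ! -f "$CA_CERT_DER" ] ; then
    echo "Can not find CA certificate at $CA_CERT_DER" >&2
    exit 1
fi

# Getting copy of CA certificate
cp "$CA_CERT_DER" "$KEYSTORE_DIR/"

# Creating directory for server keystores
mkdir "$SERVER_KEYS_DIR"

# Creating certificate store for server (by importing CA certificate)
keytool -importcert -noprompt -alias ca -file "$KEYSTORE_DIR/01.der" \
    -keystore "$SERVER_KEYS_DIR/cacerts.jks" -storepass:env SERVER_PASS
# Creating key store for server (by importing CA certificate, which lets
# keytool verify the chain when the signed certificates are imported)
keytool -importcert -noprompt -alias ca -file "$KEYSTORE_DIR/01.der" \
    -keystore "$SERVER_KEYS_DIR/keystore.jks" -storepass:env SERVER_PASS

# Application server (s1as) certificate
issue_cert "$S1AS_ALIAS" "$S1AS_DNAME" "$S1AS_VALID" \
    "$SERVER_KEYS_DIR/keystore.jks" SERVER_PASS

# WS server certificate
issue_cert "$WS_SERVER_ALIAS" "$WS_SERVER_DNAME" "$WS_SERVER_VALID" \
    "$SERVER_KEYS_DIR/keystore.jks" SERVER_PASS


# Creating directory for client keystores
mkdir "$CLIENT_KEYS_DIR"

# Creating certificate store for client (by importing CA certificate)
keytool -importcert -noprompt -alias ca -file "$KEYSTORE_DIR/01.der" \
    -keystore "$CLIENT_KEYS_DIR/cacerts.jks" -storepass:env CLIENT_PASS
# Creating key store for client (by importing CA certificate)
keytool -importcert -noprompt -alias ca -file "$KEYSTORE_DIR/01.der" \
    -keystore "$CLIENT_KEYS_DIR/keystore.jks" -storepass:env CLIENT_PASS

# WS client certificate
issue_cert "$WS_CLIENT_ALIAS" "$WS_CLIENT_DNAME" "$WS_CLIENT_VALID" \
    "$CLIENT_KEYS_DIR/keystore.jks" CLIENT_PASS

# Exchanging certificates between server and client.
# The CA certificate is already trusted on both sides; the peer certificates
# are additionally imported under their own alias (presumably because the
# WS-Security runtime looks peers up by alias - confirm against its config).

# Exporting application server certificate (s1as)
keytool -exportcert -alias "$S1AS_ALIAS" -file "$KEYSTORE_DIR/$S1AS_ALIAS.cer" \
    -keystore "$SERVER_KEYS_DIR/keystore.jks" -storepass:env SERVER_PASS
# Exporting WS server certificate
keytool -exportcert -alias "$WS_SERVER_ALIAS" -file "$KEYSTORE_DIR/$WS_SERVER_ALIAS.cer" \
    -keystore "$SERVER_KEYS_DIR/keystore.jks" -storepass:env SERVER_PASS
# Exporting WS client certificate
keytool -exportcert -alias "$WS_CLIENT_ALIAS" -file "$KEYSTORE_DIR/$WS_CLIENT_ALIAS.cer" \
    -keystore "$CLIENT_KEYS_DIR/keystore.jks" -storepass:env CLIENT_PASS

# Importing WS client certificate into the server trust store
keytool -importcert -alias "$WS_CLIENT_ALIAS" -file "$KEYSTORE_DIR/$WS_CLIENT_ALIAS.cer" \
    -keystore "$SERVER_KEYS_DIR/cacerts.jks" -storepass:env SERVER_PASS
# Importing application server certificate (s1as) into the client trust store
keytool -importcert -alias "$S1AS_ALIAS" -file "$KEYSTORE_DIR/$S1AS_ALIAS.cer" \
    -keystore "$CLIENT_KEYS_DIR/cacerts.jks" -storepass:env CLIENT_PASS
# Importing WS server certificate into the client trust store
keytool -importcert -alias "$WS_SERVER_ALIAS" -file "$KEYSTORE_DIR/$WS_SERVER_ALIAS.cer" \
    -keystore "$CLIENT_KEYS_DIR/cacerts.jks" -storepass:env CLIENT_PASS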



