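#! /bin/sh
#
# Bootstrap a fresh test CA under ./myCA: generate the CA key, sign a
# temporary bootstrap certificate with "openssl req", initialise the CA
# database from it, then issue the final self-signed CA certificate through
# "openssl ca" (which also bumps the serial number).
#
# Usage: rsa|dsa|ecdsa bits
# Needs ./openssl.cnf and ./newkey.sh in the current directory.
# Everything under ./myCA is destroyed and recreated on every run.

# Prefer the openssl binaries from this snapshot tree over the system ones.
export PATH=/var/tmp/openssl-SNAP-20070223/apps:$PATH
umask 022

# Print a diagnostic to stderr and abort the script.
die() {
    printf '%s\n' "$*" >&2
    exit 1
}

# Certificate lifetime in days: ten years plus three (presumably leap) days.
days=$(( 365 * 10 + 3 ))

if [ $# -ne 2 ]; then
    # Diagnostics belong on stderr; "2>&1" left the message on stdout.
    echo "Usage: rsa|dsa|ecdsa bits" >&2; exit 1
fi

# Clean the slate! Generate new CA keys, new CA database, ...
#
rm -rf myCA
mkdir myCA || die "cannot create myCA"
cp openssl.cnf myCA/ca.cnf || die "cannot copy openssl.cnf into myCA"

# New key and initial CA cert.  newkey.sh is sourced in a subshell; its
# stdout is taken as the digest name used below for -<digest> and default_md.
#
DGST=$(. ./newkey.sh myCA/cakey.pem "$@") || exit 1
[ -n "$DGST" ] || die "newkey.sh produced no digest name"
cd myCA || die "cannot cd into myCA"
# With umask 022 the CA private key would be world-readable unless newkey.sh
# tightened it itself; make sure only the owner can read it.
if [ -f cakey.pem ]; then
    chmod 600 cakey.pem || die "cannot restrict permissions on cakey.pem"
fi
echo "distinguished_name = ca_distinguished_name" >> ca.cnf
echo "default_md = $DGST" >> ca.cnf
openssl req -x509 -new -"$DGST" \
	-config ca.cnf \
	-key cakey.pem \
	-days "$days" \
	-extensions ca_cert \
	-out caboot.pem || die "bootstrap CA certificate generation failed"

# Initialize CA state: empty index, and the bootstrap cert's serial so the
# final CA cert is issued with the next one.
#
mkdir newcerts || die "cannot create newcerts"
cp /dev/null index.txt || die "cannot create index.txt"
openssl x509 -in caboot.pem -noout -serial | sed -e 's/serial *= *//' > serial
[ -s serial ] || die "cannot read the serial number of caboot.pem"

# Final self-signed CA, and an incremented serial number
#
openssl ca -batch \
	-md "$DGST" \
	-config ca.cnf \
	-keyfile cakey.pem \
	-cert caboot.pem \
	-ss_cert caboot.pem \
	-extensions ca_cert \
	-days "$days" \
	-out cacert.pem || die "final CA certificate generation failed"

# The bootstrap certificate has served its purpose.
rm caboot.pem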
