#!/bin/sh
#
# $Id: httpscert 3746 2009-10-26 23:31:12Z gespinasse $
# new : generate new certificate
# read: read issuer in certificate and verify if it is the same as hostname

HOSTNAME=`/bin/hostname -f`

# See how we were called.
case "$1" in
    new)
        # set temporary random file
        export RANDFILE=/root/.rnd
        if [ ! -f /etc/httpd/server.key ]; then
            echo "Generating https server key."
            /usr/bin/openssl genrsa -rand \
            /boot/vmlinuz:/var/ipcop/ethernet/settings -out \
            /etc/httpd/server.key 1024
        fi
        echo "Generating CSR"
        /bin/cat /etc/certparams | sed "s/HOSTNAME/$HOSTNAME/" | /usr/bin/openssl \
            req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr
        echo "Signing certificate"
        /usr/bin/openssl x509 -req -days 999999 -in \
            /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \
            /etc/httpd/server.crt
        # unset and remove random file
        export -n RANDFILE
        rm -f /root/.rnd
        ;;
    read)
        if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]; then
            ISSUER=`openssl x509 -in /etc/httpd/server.crt -text -noout | grep Issuer | /usr/bin/cut -f2 -d '='`
            if [ "$ISSUER" != "$HOSTNAME" ]; then
                echo "Certificate issuer '$ISSUER' is not the same as the hostname'$HOSTNAME'"
                echo "Probably host or domain name has been changed in setup"
                echo "You could remake server certificate with '/usr/local/bin/httpscert new'"
                exit 1
            else
                echo "https certificate issuer match $HOSTNAME"
            fi
        else
            echo "Certificate not found"
            exit 1
        fi
        ;;
    *)
        /bin/echo "Usage: $0 {read|new}"
        exit 1
        ;;
esac
