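#!/bin/sh
# === FIRST DRAFT ===
#
# Create the root (CA) certificate and the server certificate for
# PostgreSQL.  The OpenSSL binaries must be in the PATH.
#
# Required environment:
#   PG_HOME - directory that holds openssl.conf; the DSA parameters, the
#             CA tree, server.key and server.crt are created beneath it.
#
# Every step is idempotent: an artefact that already exists and is
# non-empty is left alone, so the script can be re-run to fill in the
# missing pieces.
#
# Shell options are set here rather than in the shebang: '#!/bin/sh -e'
# is silently dropped when the script is invoked as 'sh script.sh'.
set -eu

# Print a diagnostic to stderr and exit non-zero (the draft exited 0 on
# a missing PG_HOME, which hides the failure from callers).
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# True when the artefact must be (re)generated: the file is missing or
# empty.  The draft tested '-z "$file"', which checks whether the path
# *string* is empty and so never triggered; '-s' is the non-empty-file test.
needs_gen() {
  [ ! -s "$1" ]
}

[ -n "${PG_HOME:-}" ] || die 'You must define $PG_HOME before running this program.'
# Both 'openssl req' and 'openssl ca' below read this file; fail early and
# clearly instead of halfway through key generation.
[ -f "$PG_HOME/openssl.conf" ] || die "Missing $PG_HOME/openssl.conf (required by openssl req/ca)."

ca_dir=$PG_HOME/CA
dsa_params=$PG_HOME/dsa1024.pem
ca_key=$ca_dir/private/cakey.pem
ca_cert=$ca_dir/cacert.pem
server_key=$PG_HOME/server.key
server_cert=$PG_HOME/server.crt
server_self=$PG_HOME/server.self

# server.self is only an intermediate artefact; never leave it behind.
trap 'rm -f -- "$server_self"' EXIT

#
# DSA parameters shared by the CA key and the server key.
# NOTE(review): 1024-bit DSA is far below current recommendations and is
# rejected by many modern TLS stacks; the size is kept only because the
# dsa1024.pem file name used throughout this script is tied to it.
#
if needs_gen "$dsa_params"; then
  openssl dsaparam -out "$dsa_params" 1024
fi

#
# CA directory tree expected by 'openssl ca' (layout must match
# openssl.conf).  Only the private/ directory gets a restrictive mode.
#
for d in "$ca_dir" "$ca_dir/certs" "$ca_dir/crl" "$ca_dir/newcerts"; do
  [ -d "$d" ] || mkdir -- "$d"
done
if [ ! -d "$ca_dir/private" ]; then
  mkdir -- "$ca_dir/private"
  chmod 0700 "$ca_dir/private"
fi
[ -f "$ca_dir/index.txt" ] || : > "$ca_dir/index.txt"
[ -f "$ca_dir/serial" ] || printf '01\n' > "$ca_dir/serial"

#
# CA private key.  Generated under umask 077 so the file is never
# group/world readable, not even between creation and the chmod.
# 0600 rather than the draft's 0700: a key file needs no execute bit.
#
if needs_gen "$ca_key"; then
  (umask 077 && openssl gendsa -out "$ca_key" "$dsa_params")
  chmod 0600 "$ca_key"
fi

#
# Self-signed CA root certificate (interactive: openssl req prompts for
# the subject fields).
#
if needs_gen "$ca_cert"; then
  printf '%s\n' "Creating the CA root certificate...."
  printf '%s\n' "The common name should be something like 'PostgreSQL Root Cert'"
  printf '\n'
  openssl req -new -x509 -out "$ca_cert" \
    -key "$ca_key" \
    -config "$PG_HOME/openssl.conf"
  # The draft ran '/bin/link -s' here.  link(1) takes two operands, so
  # that call always failed and, under -e, aborted the script right after
  # the root certificate was written.  It has been dropped.
fi

#
# Server private key, same handling as the CA key.
#
if needs_gen "$server_key"; then
  (umask 077 && openssl gendsa -out "$server_key" "$dsa_params")
  # The draft chmod'ed cakey.pem a second time here and left server.key at
  # the default (commonly world-readable) mode.  PostgreSQL rejects a
  # server key that has group or other permission bits set, so the chmod
  # must target server.key.
  chmod 0600 "$server_key"
fi

#
# Server certificate: create a self-signed request/cert, then have the
# CA re-sign it (-ss_cert) to produce server.crt.
#
if needs_gen "$server_cert"; then
  printf '%s\n' "Creating the PostgreSQL server certificate...."
  printf '%s\n' "The common name must be the fully qualified domain name of server!"
  printf '\n'
  openssl req -new -x509 -out "$server_self" \
    -key "$server_key" \
    -config "$PG_HOME/openssl.conf"
  if [ -f "$server_self" ]; then
    openssl ca -out "$server_cert" -config "$PG_HOME/openssl.conf" \
      -ss_cert "$server_self"
    rm -f -- "$server_self"
  fi
fi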