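#!/usr/bin/env bash
# Self-signed CA + leaf certificate generator for local/dev TLS.
#
# Interactive: prompts for the root domain, two optional third-level labels
# (default "cdn" and "m") and an output base name. On first run it creates
# ca/my_ca.key and ca/my_ca.pem (10-year root); every run then issues
# <cert_name>.key / <cert_name>.crt (720 days) whose SAN covers
# <domain>, *.<domain>, *.<third1>.<domain> and *.<third2>.<domain>.
#
# Env:
#   KEY_BITS - RSA size for both the CA key and the leaf key. Defaults to
#              2048, which is also the `openssl genrsa` default the script
#              previously relied on implicitly.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

readonly ca_dir=ca
readonly ca_key="$ca_dir/my_ca.key"
readonly ca_cert="$ca_dir/my_ca.pem"
readonly key_bits="${KEY_BITS:-2048}"
readonly subj_prefix="/C=CN/ST=GuangDong/L=GuangZhou/O=bytedo/OU=IT"

# Environment check
command -v openssl >/dev/null 2>&1 || die "openssl not found in PATH"
echo "openssl 环境检测中..."
openssl version
echo "请自行确认openssl版本, 如果为libressl的话(MacOS), 签发的CA证书无法在部分手机上安装..."
echo "推荐使用openssl 1.1.1或3.x版"
echo ""

# -r keeps backslashes in the input literal
read -r -p "输入要签证书的根域名: " domain
read -r -p "输入要签证的三级子域1(可选,默认为cdn): " third1
read -r -p "输入要签证的三级子域2(可选,默认为m): " third2
read -r -p "要保存的证书的名字: " cert_name

# No domain means nothing to do; exit quietly like before.
if [[ -z "$domain" ]]; then
  exit 0
fi
third1=${third1:-cdn}
third2=${third2:-m}
cert_name=${cert_name:-$domain}

# These values are spliced into -subj and into the extfile. Restrict them to
# hostname characters so a stray '/' or '=' cannot rewrite the subject or
# add extension lines.
host_re='^[A-Za-z0-9.-]+$'
for label in "$domain" "$third1" "$third2"; do
  if [[ ! "$label" =~ $host_re ]]; then
    die "invalid hostname label: $label"
  fi
done
# cert_name becomes a file name in the current directory.
if [[ "$cert_name" == */* || "$cert_name" == -* ]]; then
  die "invalid certificate name: $cert_name"
fi

# CA key: generated once. mkdir -p so an existing ca/ dir without a key is fine.
if [[ ! -e "$ca_key" ]]; then
  mkdir -p -- "$ca_dir"
  openssl genrsa -out "$ca_key" "$key_bits"
  chmod 600 -- "$ca_key"   # private key: owner-only
fi

# 10-year root certificate, created once.
if [[ ! -e "$ca_cert" ]]; then
  openssl req -x509 -new -subj "$subj_prefix/CN=Self Sign CA" -nodes \
    -key "$ca_key" -sha256 -days 3650 -out "$ca_cert"
fi

# Intermediate files are removed on every exit path, including failures.
ext_file="$cert_name.ext"
csr_file="$cert_name.csr"
cleanup() { rm -f -- "$ext_file" "$csr_file"; }
trap cleanup EXIT

openssl genrsa -out "$cert_name.key" "$key_bits"
chmod 600 -- "$cert_name.key"   # private key: owner-only
openssl req -new \
  -subj "$subj_prefix/CN=$domain/CN=*.$domain/CN=*.$third1.$domain/CN=*.$third2.$domain" \
  -key "$cert_name.key" -out "$csr_file"

# extendedKeyUsage=serverAuth: Apple platforms (iOS 13+ / macOS 10.15+) reject
# TLS server certificates that lack it, even when the issuing CA is trusted.
cat > "$ext_file" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = $domain
DNS.2 = *.$domain
DNS.3 = *.$third1.$domain
DNS.4 = *.$third2.$domain
EOF

# 2-year leaf: newer macOS versions refuse leaf certificates valid for longer.
openssl x509 -req -in "$csr_file" -CA "$ca_cert" -CAkey "$ca_key" -CAcreateserial \
  -out "$cert_name.crt" -days 720 -sha256 -extfile "$ext_file"

echo ""
echo ""
echo ""
# nginx usage example
echo "nginx 使用示例"
echo "server {"
echo " ..."
echo " listen 443 ssl http2;"
echo " ssl_certificate /etc/nginx/ssl/$cert_name.crt;"
echo " ssl_certificate_key /etc/nginx/ssl/$cert_name.key;"
echo "}"
echo "最后浏览器导入根证书 ca/my_ca.pem 即可"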