#!/bin/sh

# Sudoers
#--------

/usr/sbin/addsudo /usr/bin/openssl app-certificate-manager-core

# Generate temporary system certificates
#---------------------------------------
#
# We need to generate certificates for daemons.  An administrator may
# later create their own CA and system certificates, but this process
# will do in the interim.

KEY=/etc/pki/CA/bootstrap.key
CRT=/etc/pki/CA/bootstrap.crt
SSLCONF=/etc/pki/CA/openssl.cnf

if ( [ ! -s "$KEY" ] || [ ! -s $CRT ] ); then
    # Determine our hostname
    if [ -f /etc/hostname ]; then
        HOSTNAME=`cat /etc/hostname`
    elif [ -f /etc/sysconfig/network ]; then
        HOSTNAME=`grep "HOSTNAME=" /etc/sysconfig/network | sed 's/HOSTNAME=//g' | sed 's/"//g'`
    fi

    if [ -z "$HOSTNAME" ]; then
        HOSTNAME="server.lan"
    fi

    umask 77

    sed -e "s/^CN .*/CN = $HOSTNAME/" $SSLCONF > /var/tmp/openssl.cnf.$$

    # Generate keys
    logger -p local6.notice -t installer "app-certificate-manager-core - creating bootstrap key"
    /usr/bin/openssl genrsa -out $KEY 2048 2>/dev/null

    logger -p local6.notice -t installer "app-certificate-manager-core - creating bootstrap certificate"
    /usr/bin/openssl req -new -key $KEY -x509 -out $CRT -config /var/tmp/openssl.cnf.$$ \
            -days 3000 -set_serial `date "+%s"` 2>/dev/null

    # Fix file permissions and ownership
    chown root.root $KEY $CRT /var/tmp/openssl.cnf.$$
    chmod 640 $KEY $CRT
    rm -f /var/tmp/openssl.cnf.$$
fi

# Update master slave config
#---------------------------

/usr/clearos/apps/certificate_manager/deploy/master-slave

# Remove experimental default certificate
#----------------------------------------

if [ -e /etc/clearos/certificate_manager.d/_default_.crt ]; then
    rm -f /etc/clearos/certificate_manager.d/_default_.crt
fi

if [ -e /etc/clearos/certificate_manager.d/_default_.key ]; then
    rm -f /etc/clearos/certificate_manager.d/_default_.key
fi
