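#!/bin/csh -f
#
# CERTIFY
#
# Creates or revalidates the self-signed SSL certificate for the Web-based UI.
#
# Usage: /usr/local/prox/CERTIFY
#   Run interactively for a first installation. The crontab entry added
#   below runs it again as root, and that run only re-signs the existing
#   request with the existing key.
#
# Files, relative to /usr/local/prox unless absolute:
#   openssl_local.cnf  copy of /etc/ssl/openssl.cnf with a per-host commonName
#   privkey.pem        passphrase-protected private key, read back in step two
#                      (presumably written by openssl req through the config
#                      default key file setting - confirm)
#   cert.csr           certificate request
#   /www/key.pem       private key with the passphrase removed
#   /www/cert.pem      self-signed certificate, valid for 365 days
#
# NOTE(review): the passphrase reaches openssl as a pass: argument, so it is
# visible in the process list while openssl runs. openssl also accepts file:
# and env: sources for -passout and -passin.
# NOTE(review): steps one and two call generatecookie separately, so it has
# to return the same value both times for step two to unlock the key - confirm.
# NOTE(review): if /www is a directory served to clients, the key belongs
# outside it. This script does not show how /www is used.
#

cd /usr/local/prox

if (! -e /www/cert.pem) then
    #
    # New installation
    #
    echo ' '
    echo -n 'Would you like to install secure HTTP for the Web-based UI? [y] '
    set confirm = $<
    if (x"$confirm" =~ x[nN]*) then
        echo ' '
        echo 'Ok, password-protected HTTP only on port 8080'
        echo ' '
        exit 0
    endif
    echo ' '

    #
    # Step one - create the new local name, the key and certificate request
    #
    # awk rewrites the commonName_default line so the name ends in a number
    # from rand, seeded by srand with no argument. The number only makes the
    # name distinct per installation. It is not a secret.
    #
    awk 'BEGIN {srand()} /^commonName_default/ {$0 = $1 " " $2 " " "iMimic Networking, Inc. " rand()} {print $0}' /etc/ssl/openssl.cnf > openssl_local.cnf
    openssl req -config /usr/local/prox/openssl_local.cnf -new -passout "pass:`/usr/local/prox/generatecookie`" > cert.csr

    #
    # Step two - remove the passphrase from the key
    #
    openssl rsa -in privkey.pem -out /www/key.pem -passin "pass:`/usr/local/prox/generatecookie`"
    chmod 600 privkey.pem
    # The copy in /www carries no passphrase, so it needs owner-only
    # permissions at least as much as privkey.pem does.
    # NOTE(review): assumes the HTTPS server opens /www/key.pem as the user
    # that runs this script - confirm before deploying.
    chmod 600 /www/key.pem

    #
    # Give user a chance to confirm
    #
    echo -n 'Would you like to re-do the secure HTTP installation? [n] '
    set confirm = $<
    if (x"$confirm" =~ x[yY]*) then
        # Discard everything generated so far and start over from the top.
        rm -f *.csr *.pem /www/*.csr /www/*.pem openssl_local.cnf
        exec $0 $*
    endif
    echo ' '
    echo 'Ok, installing certificate...'
    echo ' '

    #
    # Have the certificate re-validate itself every 3 months
    #
    # The entry runs at 00:10 on day 1 of every third month. It is appended
    # only when /etc/crontab does not mention CERTIFY yet, so that a repeated
    # installation does not stack duplicate cron jobs.
    #
    grep /usr/local/prox/CERTIFY /etc/crontab >& /dev/null
    if ($status != 0) then
        echo '# Revalidate SSL certificate periodically' >> /etc/crontab
        echo '10 0 1 */3 * root /usr/local/prox/CERTIFY' >> /etc/crontab
    endif
endif

#
# Final step - convert the certificate request into a signed certificate
#
# Runs on every invocation. The request is signed with its own key, which
# makes the certificate self-signed, and the 365 day lifetime is renewed by
# the quarterly cron run. The output of openssl is discarded, so the exit
# status is the only sign of failure. It is checked here so that an
# unattended run does not leave an expiring certificate unnoticed.
#
openssl x509 -in cert.csr -out /www/cert.pem -req -signkey /www/key.pem -days 365 -extfile openssl_local.cnf >& /dev/null
if ($status != 0) then
    echo 'CERTIFY: openssl x509 could not sign cert.csr'
    exit 1
endif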