#!/usr/bin/env bash

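# Rotate the self-signed SAML2 server certificate/key pair under CERT_DIR.
#
# Fixes over the previous version:
#   - strict mode: an openssl failure no longer leaves the script moving the
#     live cert/key out of the way and then failing to install replacements;
#   - key material is generated in a private mktemp directory (umask 077) that
#     is removed on every exit path, instead of in whatever cwd the script was
#     run from with predictable-ish names;
#   - the encrypt-with-throwaway-passphrase-then-strip round trip is gone (it
#     put a plaintext secret in the environment for no gain, and the
#     urandom|tr pipeline often produced fewer than the intended 128 chars);
#   - backups of the old pair are written next to the originals in CERT_DIR,
#     not into the caller's cwd (the old private key used to land there);
#   - the new cert and key are checked against each other before the swap.

set -euo pipefail

# Every file this script creates (private key included) is owner-only.
umask 077

CERT_DIR='/docs/sde/saml2'
KEY_BITS=2048
CERT_DAYS=3650   # ~10 years

# Certificate subject; edit these values for your own organisation.
# No CN or subjectAltName is set, same as before.
# NOTE(review): confirm the IdP/SP tooling consuming this cert does not require a CN.
subj="
C=CA
ST=ON
O=SD Elements
localityName=Toronto
organizationalUnitName=SD Elements
emailAddress=support@sdelements.com
"

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

command -v openssl >/dev/null || die "openssl not found in PATH"
[[ -d "$CERT_DIR" ]] || die "certificate directory ${CERT_DIR} does not exist"

# Private 0700 scratch directory, removed on any exit (success, error, signal).
work_dir=$(mktemp -d) || die "mktemp failed"
cleanup() { rm -rf -- "${work_dir:?}"; }
trap cleanup EXIT

new_key="${work_dir}/server.key"
new_csr="${work_dir}/server.csr"
new_crt="${work_dir}/server.crt"

# Generate the (unencrypted) server private key. The installed key was always
# unencrypted; the previous -des3 step was undone two commands later.
openssl genrsa -out "$new_key" "$KEY_BITS"

# Generate the CSR. The leading/trailing newlines in $subj become '/', giving
# the "/C=CA/ST=ON/.../emailAddress=.../" form openssl expects.
openssl req -new -batch -subj "$(printf '%s' "$subj" | tr '\n' '/')" \
  -key "$new_key" -out "$new_csr"

# Self-sign the cert. -sha256 pins the signature digest rather than relying on
# the OpenSSL build's default (older releases defaulted to SHA-1).
openssl x509 -req -sha256 -days "$CERT_DAYS" -in "$new_csr" \
  -signkey "$new_key" -out "$new_crt"

# Sanity check before touching the live files: the cert must carry the public
# half of the key we are about to install.
[[ "$(openssl rsa -in "$new_key" -pubout 2>/dev/null)" == \
   "$(openssl x509 -in "$new_crt" -pubkey -noout)" ]] \
  || die "generated certificate does not match generated key"

# Final modes: key readable by owner only; cert is public and the service
# must be able to read it.
# NOTE(review): ownership is left as the user running this script; if the
# service runs under a different account, chown the installed files afterwards.
chmod 600 -- "$new_key"
chmod 644 -- "$new_crt"

# Back up the current pair alongside the originals (kept as *.old so a failed
# install can be reverted by hand).
for f in server.crt server.key; do
  if [[ -f "${CERT_DIR}/${f}" ]]; then
    mv -- "${CERT_DIR}/${f}" "${CERT_DIR}/${f}.old"
  fi
done

# Remove leftovers from older versions of this script.
for f in server.key.org server.key.csr; do
  if [[ -f "${CERT_DIR}/${f}" ]]; then
    rm -- "${CERT_DIR}/${f}"
  fi
done

# Install. mv preserves the modes set above; if the second mv fails the
# *.old copies above are the recovery path.
mv -- "$new_crt" "${CERT_DIR}/server.crt"
mv -- "$new_key" "${CERT_DIR}/server.key"

# NOTE(review): after rotation the new certificate presumably has to be
# re-published to the SAML IdP (SP metadata); this script does not do that.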
