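#!/bin/sh
###########################################################################
##  Copyright (C) Wizardry and Steamworks 2018 - License: GNU GPLv3      ##
##  Please see: http://www.gnu.org/licenses/gpl.html for legal details,  ##
##  rights of fair usage, the disclaimer and warranty conditions.        ##
###########################################################################
## Simple script to generate the required certificates for strongSwan in ##
## order to allow Windows 7 clients to connect.                          ##
##                                                                       ##
## Run from the directory where the CA and server material should be     ##
## written. Produces, in the current directory:                          ##
##   CA.key.pem             CA private key (PEM)                         ##
##   CA.crt.der             self-signed CA certificate (DER)             ##
##   <SERVER_FQDN>.key.pem  server private key (PEM)                     ##
##   <SERVER_FQDN>.csr      server public key (see the "--pub" step)     ##
##   <SERVER_FQDN>.crt.pem  server certificate signed by the CA (PEM)    ##
##   <SERVER_FQDN>.key.der  server private key converted to DER          ##
##                                                                       ##
## Requirements:                                                         ##
##   * pki      Simple public key infrastructure (PKI) management tool  ##
##              part of strongSwan (invoked here as "ipsec pki")         ##
##   * openssl  used only to convert the server key from PEM to DER      ##
##                                                                       ##
###########################################################################

# Abort on the first failed command and on any unset variable: a failed
# key generation must not be followed by signing or installing an empty
# file. (pipefail is not used; the script has no pipelines and /bin/sh
# may not support it.)
set -eu

###########################################################################
##                            CONFIGURATION                              ##
###########################################################################
# This is the externally and internally visible fully qualified domain
# name to which the clients will connect. It is imperative that DNS
# properly resolves this name to the strongSwan IP address!
SERVER_FQDN="vpn.example.com"
# An ISO Alpha-2 country code (two letter country code) of the server.
COUNTRY_CODE="US"
# The organization name.
ORGANIZATION="Wizardry and Steamworks"
# A short description of the server for the certificate authority.
COMMON_NAME="Wizardry and Steamworks"
# Digest used for both the CA self-signature and the server certificate
# signature. The original script hard-coded sha1; SHA-1 certificate
# signatures are deprecated and rejected by current verifiers, so prefer
# "sha256" wherever the client population supports it.
DIGEST="sha1"
# RSA key size in bits, used for both the CA key and the server key.
KEY_SIZE="4096"
# (y/n) - whether to install the certificate to /etc/ipsec.d/
PERFORM_INSTALL="n"

###########################################################################
##                              INTERNALS                                ##
###########################################################################
# Print a diagnostic to stderr and exit with failure.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

command -v ipsec >/dev/null 2>&1 || die "ipsec (strongSwan) not found in PATH"
command -v openssl >/dev/null 2>&1 || die "openssl not found in PATH"

# Private keys are written through shell redirection, so their mode is
# whatever the umask allows; restrict new files to the owner only so the
# CA and server keys are never created world-readable.
umask 077

# Regenerating the CA would silently invalidate every certificate it has
# already issued, so refuse to overwrite an existing CA key.
if [ -e CA.key.pem ]; then
  die "CA.key.pem already exists; remove it explicitly to create a new CA"
fi

# 1. Certificate authority: private key and self-signed certificate.
ipsec pki --gen --type rsa --size "$KEY_SIZE" --outform pem > CA.key.pem
ipsec pki --self --flag serverAuth --in CA.key.pem --type rsa \
  --digest "$DIGEST" \
  --dn "C=$COUNTRY_CODE, O=$ORGANIZATION, CN=$COMMON_NAME" \
  --ca > CA.crt.der

# 2. Server: private key, public key and CA-signed certificate.
ipsec pki --gen --type rsa --size "$KEY_SIZE" \
  --outform pem > "$SERVER_FQDN".key.pem
# "--pub" emits the bare public key, not a PKCS#10 request; the .csr file
# name is kept so existing setups relying on it keep working.
ipsec pki --pub --in "$SERVER_FQDN".key.pem \
  --type rsa > "$SERVER_FQDN".csr
# "--issue" reads that public key from stdin and signs it with the CA.
ipsec pki --issue --cacert CA.crt.der --cakey CA.key.pem --digest "$DIGEST" \
  --dn "C=$COUNTRY_CODE, O=$ORGANIZATION, CN=$SERVER_FQDN" \
  --san "$SERVER_FQDN" --flag serverAuth \
  --outform pem < "$SERVER_FQDN".csr > "$SERVER_FQDN".crt.pem

# 3. strongSwan's private/ directory holds the server key in DER form.
openssl rsa -in "$SERVER_FQDN".key.pem -out "$SERVER_FQDN".key.der \
  -outform DER

# Certificates are public material (the CA certificate is handed to
# clients); relax them back to world-readable while keys stay at 0600.
chmod 644 CA.crt.der "$SERVER_FQDN".crt.pem

if [ "$PERFORM_INSTALL" = "y" ]; then
  # Trailing slashes make cp fail if a target directory is missing
  # instead of creating a stray file with the directory's name.
  cp -- CA.crt.der /etc/ipsec.d/cacerts/
  cp -- "$SERVER_FQDN".crt.pem /etc/ipsec.d/certs/
  cp -- "$SERVER_FQDN".key.der /etc/ipsec.d/private/
fi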