#!/bin/bash
# Script to generate modern self-signed certificates for Nginx Proxy Manager with OpenSSL v3 extensions

# Prompt for domain
read -p "Enter the domain for the certificates (e.g., example.com): " DOMAIN
if [ -z "$DOMAIN" ]; then
    echo "Error: Domain not provided."
    exit 1
fi

# Define CERTS_DIR without trailing slash
CERTS_DIR="/opt/files/certs"
mkdir -p "$CERTS_DIR"

# Create OpenSSL configuration files
cat > "${CERTS_DIR}/openssl_root_ca.cnf" <<EOF
[ req ]
default_bits        = 4096
distinguished_name  = req_distinguished_name
prompt              = no
string_mask         = utf8only
x509_extensions     = v3_ca

[ req_distinguished_name ]
CN = $DOMAIN Root CA

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
EOF

cat > "${CERTS_DIR}/openssl_intermediate_ca.cnf" <<EOF
[ req ]
default_bits        = 4096
distinguished_name  = req_distinguished_name
prompt              = no
string_mask         = utf8only
x509_extensions     = v3_ca

[ req_distinguished_name ]
CN = $DOMAIN Intermediate CA

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
EOF

cat > "${CERTS_DIR}/openssl_wildcard.cnf" <<EOF
[ req ]
default_bits        = 4096
distinguished_name  = req_distinguished_name
prompt              = no
string_mask         = utf8only
req_extensions      = v3_req

[ req_distinguished_name ]
CN = *.$DOMAIN

[ v3_req ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = $DOMAIN
DNS.2 = *.$DOMAIN
EOF

# Function to generate root CA
generate_root_ca() {
    echo "Generating Root CA..."
    openssl genrsa -out "${CERTS_DIR}/rootCA.key" 4096
    openssl req -x509 -new -nodes -key "${CERTS_DIR}/rootCA.key" \
        -sha256 -days 3650 -out "${CERTS_DIR}/rootCA.crt" \
        -config "${CERTS_DIR}/openssl_root_ca.cnf" -extensions v3_ca
}

# Function to generate intermediate CA
generate_intermediate_ca() {
    echo "Generating Intermediate CA..."
    openssl genrsa -out "${CERTS_DIR}/intermediateCA.key" 4096
    openssl req -new -key "${CERTS_DIR}/intermediateCA.key" \
        -out "${CERTS_DIR}/intermediateCA.csr" \
        -config "${CERTS_DIR}/openssl_intermediate_ca.cnf"
    openssl x509 -req -in "${CERTS_DIR}/intermediateCA.csr" \
        -CA "${CERTS_DIR}/rootCA.crt" -CAkey "${CERTS_DIR}/rootCA.key" \
        -CAcreateserial -out "${CERTS_DIR}/intermediateCA.crt" \
        -days 3650 -sha256 -extfile "${CERTS_DIR}/openssl_intermediate_ca.cnf" \
        -extensions v3_ca
}

# Function to generate wildcard certificate
generate_wildcard_cert() {
    echo "Generating Wildcard Certificate..."
    openssl genrsa -out "${CERTS_DIR}/wildcard.key" 4096
    openssl req -new -key "${CERTS_DIR}/wildcard.key" \
        -out "${CERTS_DIR}/wildcard.csr" \
        -config "${CERTS_DIR}/openssl_wildcard.cnf"
    openssl x509 -req -in "${CERTS_DIR}/wildcard.csr" \
        -CA "${CERTS_DIR}/intermediateCA.crt" -CAkey "${CERTS_DIR}/intermediateCA.key" \
        -CAcreateserial -out "${CERTS_DIR}/wildcard.crt" \
        -days 3650 -sha256 -extfile "${CERTS_DIR}/openssl_wildcard.cnf" \
        -extensions v3_req
}

# Function to export certificates for cross-platform compatibility
export_certs() {
    echo "Exporting certificates for cross-platform compatibility..."
    # Export root CA to .pfx (Windows)
    openssl pkcs12 -export -out "${CERTS_DIR}/rootCA.pfx" \
        -inkey "${CERTS_DIR}/rootCA.key" -in "${CERTS_DIR}/rootCA.crt" -passout pass:
    # Export intermediate CA to .pfx (Windows)
    openssl pkcs12 -export -out "${CERTS_DIR}/intermediateCA.pfx" \
        -inkey "${CERTS_DIR}/intermediateCA.key" -in "${CERTS_DIR}/intermediateCA.crt" -passout pass:
    # Export wildcard cert to .pfx (Windows)
    openssl pkcs12 -export -out "${CERTS_DIR}/wildcard.pfx" \
        -inkey "${CERTS_DIR}/wildcard.key" -in "${CERTS_DIR}/wildcard.crt" -passout pass:
    # Export root CA to .p12 (Cross-platform)
    openssl pkcs12 -export -out "${CERTS_DIR}/rootCA.p12" \
        -inkey "${CERTS_DIR}/rootCA.key" -in "${CERTS_DIR}/rootCA.crt" -passout pass:
    # Export intermediate CA to .p12 (Cross-platform)
    openssl pkcs12 -export -out "${CERTS_DIR}/intermediateCA.p12" \
        -inkey "${CERTS_DIR}/intermediateCA.key" -in "${CERTS_DIR}/intermediateCA.crt" -passout pass:
    # Export wildcard cert to .p12 (Cross-platform)
    openssl pkcs12 -export -out "${CERTS_DIR}/wildcard.p12" \
        -inkey "${CERTS_DIR}/wildcard.key" -in "${CERTS_DIR}/wildcard.crt" -passout pass:
}

# Main script execution
generate_root_ca
generate_intermediate_ca
generate_wildcard_cert
export_certs

echo "Certificates generated and saved in ${CERTS_DIR}:"
echo "- Root CA: rootCA.crt, rootCA.key, rootCA.pfx, rootCA.p12"
echo "- Intermediate CA: intermediateCA.crt, intermediateCA.key, intermediateCA.pfx, intermediateCA.p12"
echo "- Wildcard: wildcard.crt, wildcard.key, wildcard.pfx, wildcard.p12"