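#!/bin/bash
# Script to generate self-signed certificates for Nginx Proxy Manager
#
# Builds a three-level chain under CERTS_DIR:
#   rootCA -> intermediateCA -> wildcard (*.DOMAIN and DOMAIN)
# and exports each key/certificate pair as PKCS#12 (.pfx and .p12).
#
# Requires an openssl that supports `req -addext` (OpenSSL 1.1.1 or newer).

# Stop at the first failing command so a failed openssl step cannot leave a
# half-built chain behind that is still reported as success.
set -euo pipefail

# Prompt for domain. `-r` keeps backslashes literal; `|| true` lets the
# explicit empty check below report EOF instead of `set -e` exiting silently.
read -r -p "Enter the domain for the certificates (e.g., example.com): " DOMAIN || true

if [ -z "$DOMAIN" ]; then
  echo "Error: Domain not provided." >&2
  exit 1
fi

# DOMAIN is interpolated into -subj and subjectAltName below. Characters such
# as '/', ',' or '=' would add unintended subject fields or extra SAN entries,
# so accept plain DNS hostnames only.
readonly DOMAIN_RE='^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
if [[ ! "$DOMAIN" =~ $DOMAIN_RE ]]; then
  echo "Error: '$DOMAIN' is not a valid domain name." >&2
  exit 1
fi

CERTS_DIR="/opt/files/certs/"

# Create certs directory if it doesn't exist
mkdir -p "$CERTS_DIR"

# Everything created from here on (private keys, PKCS#12 bundles) is
# owner-only. Set after mkdir so the directory keeps its usual mode; the
# public .crt files are made readable again at the end of the script.
umask 077

# Generate the root CA: a 4096-bit RSA key and a self-signed certificate
# valid for 3650 days.
# NOTE(review): the CA extensions on this certificate come from the system
# openssl.cnf (`req -x509` uses its x509_extensions section) - confirm the
# result carries basicConstraints CA:TRUE on the target host.
generate_root_ca() {
  echo "Generating Root CA..."
  openssl genrsa -out "$CERTS_DIR/rootCA.key" 4096
  openssl req -x509 -new -nodes -key "$CERTS_DIR/rootCA.key" -sha256 \
    -days 3650 -out "$CERTS_DIR/rootCA.crt" -subj "/CN=$DOMAIN Root CA"
}

# Generate the intermediate CA and sign it with the root CA.
# `openssl x509 -req` adds no extensions by default, which would yield a
# certificate that is not marked as a CA and cannot validate the leaf below
# it. The CA extensions are therefore supplied explicitly via -extfile.
generate_intermediate_ca() {
  echo "Generating Intermediate CA..."
  openssl genrsa -out "$CERTS_DIR/intermediateCA.key" 4096
  openssl req -new -key "$CERTS_DIR/intermediateCA.key" \
    -out "$CERTS_DIR/intermediateCA.csr" -subj "/CN=$DOMAIN Intermediate CA"
  openssl x509 -req -in "$CERTS_DIR/intermediateCA.csr" \
    -CA "$CERTS_DIR/rootCA.crt" -CAkey "$CERTS_DIR/rootCA.key" \
    -CAcreateserial -out "$CERTS_DIR/intermediateCA.crt" -days 3650 -sha256 \
    -extfile <(printf '%s\n' \
      'basicConstraints=critical,CA:TRUE,pathlen:0' \
      'keyUsage=critical,keyCertSign,cRLSign')
}

# Generate the wildcard server certificate and sign it with the intermediate.
# Extensions requested in a CSR are not copied by `openssl x509 -req` unless
# -copy_extensions is given (OpenSSL 3.0+), so the subjectAltName is repeated
# in -extfile; without it the issued certificate has no SAN and clients that
# ignore the CN reject it.
# NOTE(review): 3650 days is kept from the original; some clients cap the
# lifetime they accept for TLS server certificates - lower -days if one
# rejects this certificate.
generate_wildcard_cert() {
  echo "Generating Wildcard Certificate..."
  openssl genrsa -out "$CERTS_DIR/wildcard.key" 4096
  openssl req -new -key "$CERTS_DIR/wildcard.key" \
    -out "$CERTS_DIR/wildcard.csr" -subj "/CN=*.$DOMAIN" \
    -addext "subjectAltName = DNS:$DOMAIN,DNS:*.$DOMAIN"
  openssl x509 -req -in "$CERTS_DIR/wildcard.csr" \
    -CA "$CERTS_DIR/intermediateCA.crt" -CAkey "$CERTS_DIR/intermediateCA.key" \
    -CAcreateserial -out "$CERTS_DIR/wildcard.crt" -days 3650 -sha256 \
    -extfile <(printf '%s\n' \
      "subjectAltName=DNS:$DOMAIN,DNS:*.$DOMAIN" \
      'basicConstraints=CA:FALSE' \
      'keyUsage=critical,digitalSignature,keyEncipherment' \
      'extendedKeyUsage=serverAuth')
}

# Export every key/certificate pair as PKCS#12, once as .pfx (Windows) and
# once as .p12 (cross-platform); both files hold the same format.
#
# NOTE(security): `-passout pass:` writes the bundles with an EMPTY password,
# and each bundle contains the PRIVATE KEY, including the root and
# intermediate CA keys. Anyone who can read rootCA.pfx/.p12 can issue
# certificates that every client trusting this root will accept. Clients only
# need rootCA.crt to trust the chain; never distribute the CA bundles, and
# keep them (and the .key files) offline or owner-only.
export_certs() {
  echo "Exporting certificates for cross-platform compatibility..."
  local ext name
  for ext in pfx p12; do
    for name in rootCA intermediateCA wildcard; do
      openssl pkcs12 -export -out "$CERTS_DIR/$name.$ext" \
        -inkey "$CERTS_DIR/$name.key" -in "$CERTS_DIR/$name.crt" \
        -passout pass:
    done
  done
}

# Main script execution
generate_root_ca
generate_intermediate_ca
generate_wildcard_cert
export_certs

# Certificates are public; restore normal read access after the strict umask.
chmod 644 -- "$CERTS_DIR/rootCA.crt" "$CERTS_DIR/intermediateCA.crt" \
  "$CERTS_DIR/wildcard.crt"

echo "Certificates generated and saved in $CERTS_DIR:"
echo "- Root CA: rootCA.crt, rootCA.key, rootCA.pfx, rootCA.p12"
echo "- Intermediate CA: intermediateCA.crt, intermediateCA.key, intermediateCA.pfx, intermediateCA.p12"
echo "- Wildcard: wildcard.crt, wildcard.key, wildcard.pfx, wildcard.p12"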