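#!/usr/bin/env bash
# Initialise a simple local root CA in /etc/ssl/myca
#
# Usage: <this-script> [SUBJECT]
#   SUBJECT    X.509 subject passed to `openssl req -subj`
#              (default: "/CN=Local Development Root CA")
# Environment:
#   MYCA_DIR   directory that holds the CA (default: /etc/ssl/myca)
#   DAYS       validity of the root certificate in days (default: 3650)
#
# Files written:
#   $MYCA_DIR/myCA.key   4096-bit RSA private key, mode 600
#   $MYCA_DIR/myCA.pem   self-signed root certificate, mode 644
#
# Security notes:
#   - The private key is stored unencrypted: genrsa is called without a
#     cipher option, and -nodes on `openssl req` only affects keys that req
#     itself creates. Anyone who can read myCA.key can issue certificates
#     that every client trusting myCA.pem will accept, so file permissions
#     are the only protection.
#   - NOTE(review): private/ is created with mode 700 but the key is written
#     directly into MYCA_DIR (mode 755). The path is kept as-is because other
#     tooling may depend on it; confirm before moving the key.
set -euo pipefail

MYCA_DIR="${MYCA_DIR:-/etc/ssl/myca}"
CN="${1:-/CN=Local Development Root CA}"
DAYS="${DAYS:-3650}"

key_file="$MYCA_DIR/myCA.key"
cert_file="$MYCA_DIR/myCA.pem"

# Reject a malformed validity period before any key material is created.
if [[ ! "$DAYS" =~ ^[1-9][0-9]*$ ]]; then
  echo "DAYS must be a positive integer, got: $DAYS" >&2
  exit 2
fi

install -d -m 755 "$MYCA_DIR" "$MYCA_DIR/certs" "$MYCA_DIR/csrs" "$MYCA_DIR/exts"
install -d -m 700 "$MYCA_DIR/private"

# Never overwrite an existing CA: replacing the key would silently invalidate
# every certificate that was issued from it.
if [[ -e "$key_file" || -e "$cert_file" ]]; then
  echo "CA already exists in $MYCA_DIR" >&2
  exit 1
fi

# From here on the files belong to this run. If a later step fails, remove
# them so that no orphaned key is left behind and a re-run is not blocked by
# the "already exists" check above.
trap 'rm -f -- "$key_file" "$cert_file"' EXIT

# Generate the key under a restrictive umask so that it is never readable by
# other users, not even in the window between creation and the chmod below.
# The subshell keeps the umask change local to this one command.
(
  umask 077
  openssl genrsa -out "$key_file" 4096
)
chmod 600 "$key_file"

openssl req -x509 -new -nodes -key "$key_file" -sha256 -days "$DAYS" \
  -out "$cert_file" -subj "$CN"
chmod 644 "$cert_file"

# Both files are complete; disarm the failure cleanup.
trap - EXIT

echo "Root CA created: $cert_file"
echo "Private key:     $key_file"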