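#!/bin/bash
#
# Enrol a TLS server certificate from EJBCA through its REST API
# (certificate/pkcs10enroll), authenticating with an administrator P12.
#
# Generates an RSA-2048 key and CSR for PEER_SERVER_DNS (PEER_INTERNAL_SERVICE
# is added as a second DNS SAN), submits the CSR and writes
#   <PEER_SERVER_DNS>.key   private key (owner-readable only)
#   <PEER_SERVER_DNS>.pem   issued certificate, PEM
# into the current directory. enroll.csr and enrolled.json (the raw API
# response) are left in place for inspection.
#
# usage
# ./enroll_server_certificate.sh 192.168.122.59 ejbcara.testdomain.se ejbca-ra.ranamespace SuperAdmin.p12 foo123
#
# Optional environment variables:
#   EJBCA_CA_CERT    PEM file used to verify the EJBCA TLS endpoint. When unset,
#                    TLS verification is disabled (curl -k), as this script
#                    always did.
#   EJBCA_ENROLL_PW  end-entity enrolment password sent in the request body
#                    (default: foo123, the value that used to be hard-coded).

set -euo pipefail

readonly USAGE='usage: ./enroll_server_certificate.sh 192.168.122.59 ejbcara.testdomain.se ejbca-ra.ranamespace SuperAdmin.p12 foo123'

#######################################
# Print a message to stderr and exit 1.
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Abort unless the name is a plain host name (letters, digits, '.', '-', '_'
# and '*' for wildcards). The value ends up in file names, in the openssl
# -subj/-addext arguments and in a hand-built JSON document, so anything
# else (quotes, slashes, whitespace) is rejected rather than interpolated.
# Arguments: $1 - name to check
#######################################
check_dns_name() {
  local name=$1
  local re='^[A-Za-z0-9*._-]+$'
  [[ "$name" =~ $re ]] || die "invalid DNS name: '$name'"
}

#######################################
# Print the base64 body of a PEM CSR as a single line (armour lines and line
# breaks removed), the form the script submits in "certificate_request".
# Arguments: $1 - path to the PEM CSR
#######################################
csr_base64() {
  local body
  body=$(tr -d '\r\n' < "$1")
  body=${body#-----BEGIN CERTIFICATE REQUEST-----}
  body=${body%-----END CERTIFICATE REQUEST-----}
  printf '%s' "$body"
}

#######################################
# Print the pkcs10enroll JSON body. Values are not JSON-escaped; the CSR is
# base64 and the username has passed check_dns_name, so neither can contain
# a quote or backslash.
# Arguments: $1 - single-line base64 CSR
#            $2 - end-entity username
#            $3 - end-entity password (pass a dummy to get a log-safe copy)
#######################################
request_body() {
  printf '{\n  "certificate_request": "%s",\n  "certificate_profile_name": "SERVER",\n  "end_entity_profile_name": "EMPTY",\n  "certificate_authority_name": "ManagementCA",\n  "username": "%s",\n  "password": "%s",\n  "account_binding_id": "",\n  "include_chain": false\n}\n' \
    "$1" "$2" "$3"
}

#######################################
# Extract the "certificate" value from the JSON response file.
# Arguments: $1 - path to the response file
# Outputs:   the base64 string on stdout
# Returns:   1 when the response has no "certificate" field
#######################################
response_certificate() {
  local json
  local re='"certificate" *: *"([^"]*)"'
  json=$(< "$1")
  [[ "$json" =~ $re ]] || return 1
  printf '%s' "${BASH_REMATCH[1]}"
}

main() {
  if [[ $# -ne 5 ]]; then
    printf '%s\n' "$USAGE" >&2
    exit 1
  fi

  local ejbca_host=$1 peer_server_dns=$2 peer_internal_service=$3
  local adminp12=$4 adminp12pass=$5
  local enroll_pw=${EJBCA_ENROLL_PW:-foo123}

  local tool
  for tool in openssl curl tr fold; do
    command -v "$tool" >/dev/null 2>&1 || die "required tool not found: $tool"
  done
  check_dns_name "$peer_server_dns"
  check_dns_name "$peer_internal_service"
  [[ -r "$adminp12" ]] || die "cannot read admin P12: $adminp12"

  local key_file="$peer_server_dns.key" cert_file="$peer_server_dns.pem"
  local csr_file=enroll.csr response_file=enrolled.json

  # Key and CSR; the umask keeps the private key (and the CSR) owner-readable only.
  (umask 077 && openssl req -nodes -newkey rsa:2048 -keyout "$key_file" \
      -out "$csr_file" -subj "/CN=$peer_server_dns" \
      -addext "subjectAltName = DNS:$peer_server_dns, DNS:$peer_internal_service") \
    || die "openssl req failed"

  local csr
  csr=$(csr_base64 "$csr_file")
  [[ -n "$csr" ]] || die "empty CSR in $csr_file"

  # Show what is being sent, with the enrolment password redacted.
  request_body "$csr" "$peer_server_dns" '***'

  # The body is sent from a file so the password does not appear in curl's argv.
  # tmpdir is deliberately global: the EXIT trap runs after main has returned.
  tmpdir=$(mktemp -d) || die "mktemp failed"
  trap 'rm -rf -- "$tmpdir"' EXIT
  request_body "$csr" "$peer_server_dns" "$enroll_pw" > "$tmpdir/body.json"

  # Server verification is opt-in via EJBCA_CA_CERT; -k is the historical default.
  local tls_opts=(-k)
  if [[ -n "${EJBCA_CA_CERT:-}" ]]; then
    tls_opts=(--cacert "$EJBCA_CA_CERT")
  fi

  # NOTE: the P12 password is still visible in this process's and curl's argv.
  local http_code
  http_code=$(curl -sS -X POST -L "${tls_opts[@]}" \
    "https://$ejbca_host/ejbca/ejbca-rest-api/v1/certificate/pkcs10enroll" \
    --cert-type P12 --cert "$adminp12:$adminp12pass" \
    -H 'accept: application/json' \
    -H 'Content-Type: application/json' \
    -o "$response_file" -w '%{http_code}' \
    -d @"$tmpdir/body.json") || die "curl failed"
  [[ "$http_code" == 2* ]] \
    || die "enrolment failed: HTTP $http_code (see $response_file)"

  local cert_b64
  cert_b64=$(response_certificate "$response_file") \
    || die "no certificate in $response_file"

  # The response carries the certificate as one base64 line; re-wrap as PEM
  # at 64 columns so openssl and other consumers accept it.
  {
    printf '%s\n' '-----BEGIN CERTIFICATE-----'
    printf '%s\n' "$cert_b64" | fold -w64
    printf '%s\n' '-----END CERTIFICATE-----'
  } > "$cert_file"

  # sanity
  openssl x509 -in "$cert_file" -noout -text
}

main "$@"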

