#!/bin/bash

set -e

TESTDIR=/opt/test_ca

dnf -y install openssl

###############################################################################
# Setup local openssl CA
###############################################################################
mkdir $TESTDIR
pushd $TESTDIR

cat > ca.cnf <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir              = .
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts

certificate      = \$dir/rootCA.crt
serial           = \$dir/serial
private_key      = \$dir/rootCA.key
RANDFILE         = \$dir/rand

default_days     = 365
default_crl_hours = 1
default_md       = sha256

policy           = policy_any
email_in_dn      = no

name_opt         = ca_default
cert_opt         = ca_default
copy_extensions  = copy

[ usr_cert ]
authorityKeyIdentifier = keyid, issuer

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = CA:true
keyUsage               = critical, digitalSignature, cRLSign, keyCertSign

[ policy_any ]
organizationName       = supplied
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_distinguished_name
prompt             = no

[ req_distinguished_name ]
O  = Example
OU = Example Test
CN = Example Test CA
EOF

for dir in certs crl newcerts; do mkdir $dir; done
touch serial index.txt crlnumber index.txt.attr

#echo 01 > serial
openssl rand -hex 16 > serial

openssl genrsa -out rootCA.key 2048

openssl req -batch -config ca.cnf \
    -x509 -new -nodes -key rootCA.key -sha256 -days 10000 \
    -set_serial 0 -extensions v3_ca -out rootCA.crt

openssl ca -config ca.cnf -gencrl -out crl/root.crl

######################

dnf -y install ipa-server-dns ipa-server-trust-ad
dnf -y install bind-utils net-tools

echo "$(hostname -I|awk '{print $1}') ipa.smartcard.test" >> /etc/hosts
hostnamectl set-hostname ipa.smartcard.test

alias install-ipa="/usr/sbin/ipa-server-install --unattended \
      --realm=SMARTCARD.TEST \
      --domain=smartcard.test \
      --netbios-name=SMARTCARD \
      --ds-password=Secret123 \
      --admin-password=Secret123 \
      --setup-dns \
      --ip-address $(hostname -i) \
      --setup-adtrust \
      --auto-forwarders \
      --auto-reverse \
      --no-dnssec-validation \
      --no-host-dns \
      --no-ntp"

install-ipa --external-ca

openssl ca -config ca.cnf -extensions v3_ca -batch -notext -days 5000 -md sha256 -in /root/ipa.csr -out /root/ipa.crt

install-ipa --external-cert-file=/root/ipa.crt --external-cert=/opt/test_ca/rootCA.crt

echo Secret123|kinit admin
ipa-advise config-server-for-smart-card-auth > /tmp/sc_server.sh
sh -x /tmp/sc_server.sh /opt/test_ca/rootCA.crt /root/ipa.crt