# #!/bin/sh

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./cert/identity-svc-server.key -out ./cert/identity-svc-server.cert \
    -addext "subjectAltName = DNS:identity-svc"
# ^^ GENERATE CERT FOR BACKEND SERVICE (on client side - in traefik - we dont need DNS domain... for now...)


# if [ -z "$SERVICE" ]; then echo "set SERVICE var"; exit 1; fi
# if [ -z "$CA_ROOT" ]; then echo "set CA_ROOT var"; exit 1; fi
# if [ -z "$DOMAIN" ]; then echo "set DOMAIN var"; exit 1; fi

# PASSWORD=V3ryS3cr3tP4ssw0rd

# # sample for registry server (with api-gateway-svc as a client) but using FDN...
# # keytool -genkey -alias api-registry-svc -dname cn=$DOMAIN -validity 365 -keystore tmp/api-registry-svc.p12 -keyalg RSA -keysize 2048 -storepass $PASSWORD -ext "SAN:c=DNS:registry.egommerce.local,IP:127.0.0.1"
# # keytool -genkey -alias myClientCertificate -dname cn=$DOMAIN -validity 365 -keystore tmp/myClientCertificate.p12 -keyalg RSA -keysize 2048 -storepass $PASSWORD -ext "SAN:c=DNS:registry.egommerce.local,IP:127.0.0.1"

# # keytool -export -alias myClientCertificate -file tmp/myClientCertificate.crt -keystore tmp/myClientCertificate.p12 -storepass $PASSWORD
# # keytool -export -alias api-registry-svc -file tmp/api-registry-svc.crt -keystore tmp/api-registry-svc.p12 -storepass $PASSWORD

# # keytool -import -alias myClientCertificate -file tmp/myClientCertificate.crt -keystore tmp/api-registry-svc.p12 -storepass $PASSWORD # aka myCertificate.p12

# # echo "Done."
# # exit 0

# if [ -d "$SERVICE" ]; then
#     echo "$SERVICE directory exists... Quitting."
#     exit 1;
# fi

# if [ ! -f "$SERVICE" ]; then
#     mkdir -p $SERVICE
# fi

# echo  "===================================================================="
# echo  "Fake third-party chain generated. Now generating keystore.p12 ..."
# echo  "===================================================================="

# # generate private keys (for server)
# keytool -genkeypair -alias $SERVICE -dname cn=$DOMAIN -validity 365 -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore "$SERVICE/keystore.p12" -keypass $PASSWORD -storepass $PASSWORD

# # generate a certificate for server signed by ca (root -> ca -> server)
# keytool -storetype PKCS12 -keystore "$SERVICE/keystore.p12" -storepass $PASSWORD -certreq -alias $SERVICE \
# | keytool -storetype PKCS12 -keystore "$CA_ROOT/ca.p12" -storepass $PASSWORD -gencert -alias ca -ext ku:c=dig,keyEnc -ext "SAN:c=DNS:$DOMAIN,IP:127.0.0.1" -ext eku=sa,ca -rfc > "$SERVICE/$SERVICE.pem"

# # import server cert chain into ${SERVICE}.p12
# keytool -storetype PKCS12 -keystore "$SERVICE/keystore.p12" -storepass $PASSWORD -importcert -trustcacerts -noprompt -alias root -file "$CA_ROOT/root.pem"
# keytool -storetype PKCS12 -keystore "$SERVICE/keystore.p12" -storepass $PASSWORD -importcert -alias ca -file "$CA_ROOT/ca.pem"
# keytool -storetype PKCS12 -keystore "$SERVICE/keystore.p12" -storepass $PASSWORD -importcert -alias $SERVICE -file "$SERVICE/$SERVICE.pem"


# # DEPRECATED - duplicated above section...
# # echo "================================================="
# # echo "Keystore generated. Now generating truststore ..."
# # echo "================================================="

# # import server cert chain into my-truststore.p12
# # keytool -storetype PKCS12 -keystore "$SERVICE/keystore.p12" -storepass $PASSWORD -importcert -trustcacerts -noprompt -alias root -file "$CA_ROOT/root.pem"
# # keytool -storetype PKCS12 -keystore "$SERVICE/keystore.p12" -storepass $PASSWORD -importcert -alias ca -file "$CA_ROOT/ca.pem"
# # keytool -storetype PKCS12 -keystore "$SERVICE/keystore.p12" -storepass $PASSWORD -importcert -alias $SERVICE -file "$SERVICE/$SERVICE.pem"