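#!/usr/bin/env bash
#
# Bootstrap a small private CA under ./ca and issue one wildcard certificate
# for ${DOMAIN} (DNS names ${DOMAIN} and *.${DOMAIN}).
#
# Layout created under ./ca (the conventional "openssl ca" tree):
#   certs/     issued certificates (CA cert and wildcard cert)
#   crl/       reserved for revocation lists (not used by this script)
#   newcerts/  where "openssl ca" normally stores a copy of each issued cert
#              (depends on new_certs_dir in openssl.cnf)
#   private/   private keys, owner-only access
#   csr/       certificate signing requests
#   index.txt, serial  CA database and next serial number, used by
#              "openssl ca" through openssl.cnf
#
# Inputs: DOMAIN (set below) and the downloaded openssl.cnf. The CA key is
# passphrase-protected (-aes256), so the CA steps prompt interactively.
set -euo pipefail

# TODO: Replace with your actual domain
export DOMAIN=mydomain.com

# Create the directory structure and make sure we actually entered it
mkdir -p ca/{certs,crl,newcerts,private,csr}
cd ca || exit 1
# Private keys are written here; keep them unreadable by other users
chmod 700 private

# Create the index and serial files
touch index.txt
printf '%s\n' 1000 > serial

# Create the OpenSSL configuration file.
# This file defines the CA policy and the v3_ca / server_cert / san_env
# extension sections used below. It is fetched over plain HTTP with no
# integrity check, so read it before running the CA steps.
# -f makes curl fail on an HTTP error instead of saving the error page as
# openssl.cnf; under set -e that aborts the script.
curl -fsS -o openssl.cnf "http:{{ site.url}}files/tls/config/raw.txt"

# Set the SAN list, presumably read by the config's san_env section via
# ${ENV::SAN} — verify in openssl.cnf. Quoted so the "*" is never
# glob-expanded against the working directory.
export SAN="DNS.1:${DOMAIN},DNS.2:*.${DOMAIN}"

# Create the certificate authority private key (4096-bit, AES-256 encrypted;
# prompts for a passphrase)
openssl genrsa -aes256 -out private/ca.key.pem 4096

# Create the certificate authority public certificate (self-signed,
# 7300 days = roughly 20 years)
openssl req -config openssl.cnf -key private/ca.key.pem -new -x509 \
  -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem

# Create the wildcard domain private key (unencrypted, intended for a server
# that must start without a passphrase prompt)
openssl genrsa -out "private/wildcard.${DOMAIN}.key" 2048

# Create the wildcard certificate signing request
openssl req -config openssl.cnf -new -sha256 -extensions san_env \
  -key "private/wildcard.${DOMAIN}.key" \
  -out "csr/wildcard.${DOMAIN}.csr.pem"

# Sign the wildcard certificate.
# NOTE(review): openssl honours only the last -extensions value, so
# server_cert is effectively dropped here and only san_env is applied.
# Merge the two sections in openssl.cnf (or have san_env include the
# server_cert settings), pass a single -extensions, then confirm the
# issued certificate carries the expected extensions with:
#   openssl x509 -in "certs/wildcard.${DOMAIN}.pem" -noout -text
openssl ca -config openssl.cnf -notext -md sha256 \
  -extensions server_cert -extensions san_env \
  -in "csr/wildcard.${DOMAIN}.csr.pem" \
  -out "certs/wildcard.${DOMAIN}.pem"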