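#!/bin/bash
#
# Create the Root Certification Authority's Root Certificate
#
# Outputs (in the current directory):
#   $CERTNAME.key  - RSA private key of the root CA, written UNENCRYPTED
#   $CERTNAME.crt  - self-signed root certificate, valid for 3650 days
# A temporary OpenSSL config ($CERTNAME.cfg) is written and removed again.
#
# NOTE: re-running this script overwrites an existing key/certificate pair
# of the same name.

set -euo pipefail

# Everything created below, including the CA private key, is readable by the
# owner only, regardless of the caller's umask. The certificate itself is
# public; chmod it afterwards if other users need to read it.
umask 077

CERTNAME="HOME_INTERNAL_ROOT"
COMMON_NAME="HOME.INTERNAL ROOT"

## --

openssl=/usr/local/opt/openssl/bin/openssl   # homebrew on macOS

if [[ ! -x "$openssl" ]]; then
  printf 'error: openssl not found or not executable at %s\n' "$openssl" >&2
  exit 1
fi

# openssl reads its configuration from $OPENSSL_CONF and the subject name
# from $COMMON_NAME (via ${ENV::COMMON_NAME} in the config), so both must be
# exported.
OPENSSL_CONF="$CERTNAME.cfg"
export COMMON_NAME OPENSSL_CONF

# Remove the temporary config on every exit path, including openssl failure.
trap 'rm -f -- "$OPENSSL_CONF"' EXIT

## --

# Notes on the configuration below:
#  - default_bits is 4096; the previous value 4095 looked like a typo and
#    yields an unusual RSA modulus size.
#  - encrypt_key = no stores the root key without a passphrase so the script
#    runs unattended. Anyone who can read the .key file can issue
#    certificates that every client trusting this root will accept: keep the
#    file on offline or encrypted storage, or set encrypt_key = yes (openssl
#    then asks for a passphrase).
#  - pathlen:0 means this CA can sign end-entity certificates only, not
#    subordinate CAs.
#  - authorityKeyIdentifier is listed once, after subjectKeyIdentifier. The
#    original listed it twice; presumably only the later entry took effect --
#    verify the extensions with "openssl x509 -noout -text".
# The heredoc delimiter is quoted so ${ENV::COMMON_NAME} reaches openssl
# unexpanded.
cat >"$OPENSSL_CONF" <<'EOF'

[ req ]
default_bits           = 4096
default_md             = sha256
prompt                 = no
encrypt_key            = no
utf8                   = yes
string_mask            = utf8only
distinguished_name     = req_distinguished_name
req_extensions         = v3_req
x509_extensions        = v3_req

[ req_distinguished_name ]
commonName             = ${ENV::COMMON_NAME}

[ v3_req ]
basicConstraints       = critical, CA:true, pathlen:0
keyUsage               = digitalSignature, cRLSign, keyCertSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer

EOF

"$openssl" req -new -x509 -days 3650 -keyout "$CERTNAME.key" -out "$CERTNAME.crt"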

