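#!/bin/sh
#
# Create a key and an isakmpd-usable certificate for one IKE peer.
#
# Usage: $0 ID
#
# Run once per peer, and once for every ID a peer should have. ID is the
# identity isakmpd will use for the peer; encode it in the common name as
# well so every certificate is unique. `openssl req` prompts for a DN and
# `openssl pkcs12` prompts for an export password on every run.
#
# Expected layout, relative to the current directory (not created here):
#   tmp/                scratch: key, CSR and unpatched cert for ${ID}
#   isakmpd/ca/ca.crt   CA certificate
#   ssl/private/ca.key  CA private key
#   isakmpd/certs/      patched peer certificates (for the VPN server)
#   client/             PKCS#12 bundles handed to the IKE peers
#
# Environment overrides: KEYBITS (RSA key size, default 2048),
# DAYS (certificate lifetime in days, default 365).

# Stop at the first failing step and on unset variables: a failed
# genrsa/req/x509 must not let the later steps run on missing input.
set -eu

ID=${1:?usage: $0 ID}
KEYBITS=${KEYBITS:-2048}
DAYS=${DAYS:-365}

# Private key material lands in tmp/ and client/; openssl honours the
# umask, so make sure those files are not created world-readable.
umask 077

# 1. Generate the peer's RSA key and a certificate signing request.
#    1024-bit RSA is no longer considered adequate, hence the 2048 default.
openssl genrsa -out "tmp/${ID}.key" "$KEYBITS"
openssl req -new -key "tmp/${ID}.key" \
  -out "tmp/${ID}.csr"

# 2. Have the CA sign the request. isakmpd needs additional extensions in
#    the certificate, which is why certpatch(8) is run in the next step.
echo "Presenting the Certificate to the CA for signing..."
openssl x509 -req -days "$DAYS" -in "tmp/${ID}.csr" -CA isakmpd/ca/ca.crt \
  -CAkey ssl/private/ca.key -CAcreateserial \
  -out "tmp/${ID}.crt"

# 3. Patch in the identity extension isakmpd matches against.
#    NOTE(review): the original guidance says ID is the IP address isakmpd
#    identifies with, yet the certificate is patched with '-t fqdn' —
#    confirm which ID type the peers actually present before relying on it.
echo "Patching certificate to work with isakmpd..."
certpatch -t fqdn -i "$ID" -k ssl/private/ca.key \
  "tmp/${ID}.crt" "isakmpd/certs/${ID}.crt"

# 4. Bundle the patched certificate, its private key and the CA
#    certificate into a PKCS#12 file for the peer.
openssl pkcs12 -export -in "isakmpd/certs/${ID}.crt" -inkey "tmp/${ID}.key" \
  -certfile isakmpd/ca/ca.crt -name "$ID" -out "client/${ID}.p12"

echo 'Put the certificate (the file ending in .crt) in isakmpd/certs/'
echo ' on the VPN server, and the client certs, found in certs on the IKE peers.'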