# X509v3 certificate extension, cf. x509v3_config(5ssl)

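#######################################
# Compare a certificate's subject and a fixed set of X509v3 extensions
# against the expected text read from stdin.
# Arguments: $1 - path to a PEM certificate
# Inputs:    stdin - expected `openssl x509 -subject -ext ...` output
# Outputs:   a unified diff on stdout when the certificate does not match
# Returns:   0 on match; diff's status on mismatch; openssl's (or the
#            redirection's) status when the certificate cannot be read
#######################################
x509_check() {
    local cert="$1" ext out rv=0
    out="$(mktemp --tmpdir)" || return
    # `-ext` (OpenSSL >= 1.1.1) prints only the listed extensions, so the
    # expected text does not have to cover extensions outside this list
    ext="basicConstraints,subjectAltName,keyUsage,extendedKeyUsage,tlsfeature"
    # `-nameopt compat` prints the subject in the legacy /CN=... form
    openssl x509 -noout -subject -ext "$ext" -nameopt compat <"$cert" >"$out" || rv=$?
    if [ "$rv" -eq 0 ]; then
        # -b ignores differences in the amount of whitespace; the labels give
        # readable a/ and b/ names instead of '-' and the random temp name
        diff --unified --color=auto -b --label="a/${cert#/}" --label="b/${cert#/}" -- - "$out" || rv=$?
    fi
    # remove the scratch file on every path, then propagate the saved status
    rm -f -- "$out"
    return "$rv"
}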

# default settings: no subjectAltName requested, the ACME server adds one
# carrying the Common Name
openssl genpkey -algorithm RSA -out /etc/lacme/test1.key
# random lower-case label under $DOMAINNAME (10 random bytes -> 16 base32 chars)
commonName="$(head -c10 /dev/urandom | base32 -w0 | tr '[:upper:]' '[:lower:]').$DOMAINNAME"
printf '%s\n' \
    '[test1]' \
    'certificate-key = /etc/lacme/test1.key' \
    'certificate-chain = /etc/lacme/test1.crt' \
    "subject = /CN=$commonName" \
    >/etc/lacme/lacme-certs.conf.d/test1.conf

lacme newOrder test1
# the certificate must be newer than its key, i.e. freshly issued
[ /etc/lacme/test1.crt -nt /etc/lacme/test1.key ]
x509_check /etc/lacme/test1.crt <<EOF
subject=/CN=$commonName
X509v3 Key Usage: critical
    Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
    TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
    CA:FALSE
X509v3 Subject Alternative Name:
    DNS:$commonName
EOF

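# subjectAltName: eight extra random names requested explicitly; the issued
# SAN list is expected to be the CN plus those names, sorted and deduplicated
openssl genpkey -algorithm RSA -out /etc/lacme/test2.key
# random lower-case label under $DOMAINNAME (10 random bytes -> 16 base32 chars)
commonName="$(head -c10 /dev/urandom | base32 -w0 | tr '[:upper:]' '[:lower:]').$DOMAINNAME"
# build a space-separated list of 8 random names with a plain counter
# (no seq(1) fork, no unused loop variable)
subjectAltName=
n=0
while [ "$n" -lt 8 ]; do
    n=$((n + 1))
    label="$(head -c10 /dev/urandom | base32 -w0 | tr '[:upper:]' '[:lower:]')"
    subjectAltName="${subjectAltName}${subjectAltName:+ }$label.$DOMAINNAME"
done
printf '%s\n' \
    '[test2]' \
    'certificate-key = /etc/lacme/test2.key' \
    'certificate-chain = /etc/lacme/test2.crt' \
    "subject = /CN=$commonName" \
    "subjectAltName = DNS:$(printf '%s' "$subjectAltName" | sed 's/ /, DNS:/g')" \
    >/etc/lacme/lacme-certs.conf.d/test2.conf

lacme newOrder test2
# the certificate must be newer than its key, i.e. freshly issued
[ /etc/lacme/test2.crt -nt /etc/lacme/test2.key ]
x509_check /etc/lacme/test2.crt <<EOF
subject=/CN=$commonName
X509v3 Key Usage: critical
    Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
    TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
    CA:FALSE
X509v3 Subject Alternative Name:
    DNS:$({ printf '%s\n' "$commonName"; printf '%s\n' "$subjectAltName" | tr ' ' '\n'; } | sort -u | paste -sd' ' | sed 's/ /, DNS:/g')
EOF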

# tlsfeature: request the status_request (OCSP must-staple) TLS feature
openssl genpkey -algorithm RSA -out /etc/lacme/test3.key
# random lower-case label under $DOMAINNAME (10 random bytes -> 16 base32 chars)
commonName="$(head -c10 /dev/urandom | base32 -w0 | tr '[:upper:]' '[:lower:]').$DOMAINNAME"
printf '%s\n' \
    '[test3]' \
    'certificate-key = /etc/lacme/test3.key' \
    'certificate-chain = /etc/lacme/test3.crt' \
    "subject = /CN=$commonName" \
    'tlsfeature = status_request' \
    >/etc/lacme/lacme-certs.conf.d/test3.conf

lacme newOrder test3
# the certificate must be newer than its key, i.e. freshly issued
[ /etc/lacme/test3.crt -nt /etc/lacme/test3.key ]
x509_check /etc/lacme/test3.crt <<EOF
subject=/CN=$commonName
X509v3 Key Usage: critical
    Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
    TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
    CA:FALSE
X509v3 Subject Alternative Name:
    DNS:$commonName
TLS Feature:
    status_request
EOF

# vim: set filetype=sh :