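#!/usr/bin/env bash
#
# Generate a self-signed root CA certificate and private key with
# `openssl req -x509`.
#
# Options:
#   -t rsa:<bits> | ec:<256|384|512>  key algorithm and size
#   -d <days>                         certificate validity in days
#   -n <name>                         write <name>.key and <name>.crt
#   -s <org>                          subject is /C=CN/CN=Root CA/O=<org>
#   -h                                print usage and exit
#
# The interpreter must be bash: the script relies on [[ =~ ]], BASH_REMATCH
# and arrays, none of which a plain POSIX /bin/sh provides.

# Every option group is an array so values are passed to openssl as whole
# words and can never be split into extra command-line options.
NEWKEY_OPT=()
DAYS_OPT=()
NAME_OPT=()
SUBJECT_OPT=()

while getopts ":ht:d:n:s:" opt; do
  case "$opt" in
    h)
      printf 'Usage: %s [-t rsa:<bits>|ec:<256|384|512>] [-n <name>] [-d <days>] [-s <org>]\n' "${0##*/}"
      exit 0
      ;;
    t)
      # Both patterns are anchored at the end so trailing text after the
      # bit count (e.g. "rsa:2048x") is rejected instead of ignored.
      if [[ $OPTARG =~ ^rsa:([0-9]+)$ ]]; then
        RSA_BITS=${BASH_REMATCH[1]}
        # 10# forces base 10 so a leading zero is not read as octal.
        if ((10#$RSA_BITS < 2048)); then
          echo "Warning: rsa:$RSA_BITS is weak for a root CA key" >&2
        fi
        NEWKEY_OPT=(-newkey "rsa:$RSA_BITS" -sha256)
      elif [[ $OPTARG =~ ^ec:([0-9]+)$ ]]; then
        BITS=${BASH_REMATCH[1]}
        # String match, not arithmetic, so odd digit strings cannot be
        # reinterpreted. Note that "512" selects the 521-bit curve secp521r1.
        case "$BITS" in
          256)
            CURVE=prime256v1
            SHA=sha256
            ;;
          384)
            CURVE=secp384r1
            SHA=sha384
            ;;
          512)
            CURVE=secp521r1
            SHA=sha512
            ;;
          *)
            echo "Invalid ec bits: ec:$BITS" >&2
            exit 1
            ;;
        esac
        NEWKEY_OPT=(-newkey ec -pkeyopt "ec_paramgen_curve:${CURVE}" "-${SHA}")
      else
        echo "Invalid option: -t $OPTARG" >&2
        exit 1
      fi
      ;;
    d)
      # Accept digits only; anything else would otherwise reach openssl
      # as additional arguments.
      if [[ ! $OPTARG =~ ^[0-9]+$ ]]; then
        echo "Invalid option: -d $OPTARG" >&2
        exit 1
      fi
      DAYS_OPT=(-days "$OPTARG")
      ;;
    n)
      NAME_OPT=(-keyout "$OPTARG.key" -out "$OPTARG.crt")
      ;;
    s)
      # NOTE(review): a "/" inside the value is read by openssl as the
      # start of another subject component - confirm callers pass a
      # plain organization name.
      SUBJECT_OPT=(-subj "/C=CN/CN=Root CA/O=$OPTARG")
      ;;
    :)
      # The leading ":" in the optstring makes getopts report a missing
      # argument here instead of printing its own message.
      echo "Option -$OPTARG requires an argument" >&2
      exit 1
      ;;
    \?)
      echo "Invalid option: -$OPTARG" >&2
      exit 1
      ;;
  esac
done

# <name>.key holds the root CA private key: after generation, confirm it is
# not group- or world-readable and store it accordingly.
#
# NOTE(review): only keyUsage is set explicitly. The extensions below stay
# commented out, presumably because the OpenSSL configuration's
# x509_extensions section already supplies them - confirm the issued
# certificate shows CA:TRUE (openssl x509 -in <name>.crt -noout -text).
#   -addext "subjectKeyIdentifier=hash"
#   -addext "authorityKeyIdentifier=keyid:always,issuer"
#   -addext "basicConstraints=critical,CA:true"
openssl req -x509 -batch \
  "${NEWKEY_OPT[@]}" \
  "${DAYS_OPT[@]}" \
  "${NAME_OPT[@]}" \
  "${SUBJECT_OPT[@]}" \
  -addext "keyUsage=critical,keyCertSign,cRLSign"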