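#!/bin/bash
#
# Issue a client certificate signed by the local CA and bundle it, together
# with the CA certificate, into a password-protected PKCS#12 file.
#
# Arguments: $1 - client name (used as directory name, file stem and CN)
#            $2 - password protecting the PKCS#12 bundle
# Requires:  certificates/ca/ca.crt and certificates/ca/ca.key
# Outputs:   certificates/clients/<name>/<name>.{key,csr,crt,p12}
#
# NOTE(review): taking the password as $2 leaves it in this script's own
# argument list and in shell history. Reading it from a prompt or a file
# would be safer but changes the calling convention, so it is not done here.
set -euo pipefail

if [[ $# -lt 2 ]]; then
  echo "Usage: $0 <client_name> <p12_password>" >&2
  echo "Example: $0 john.doe mySecurePassword123" >&2
  exit 1
fi

CLIENT_NAME="$1"
P12_PASSWORD="$2"

# The client name is spliced into file paths and into the -subj string, so it
# must not contain '/', '..' prefixes, whitespace or a leading '-'. Reject
# anything outside a conservative allowlist instead of trying to escape it.
readonly NAME_PATTERN='^[A-Za-z0-9][A-Za-z0-9._@-]*$'
if [[ ! "$CLIENT_NAME" =~ $NAME_PATTERN ]]; then
  echo "Error: invalid client name. Allowed: letters, digits, '.', '_', '@', '-' (must start with a letter or digit)." >&2
  exit 1
fi

# An empty password would produce a bundle whose private key is effectively
# unprotected.
if [[ -z "$P12_PASSWORD" ]]; then
  echo "Error: PKCS#12 password must not be empty." >&2
  exit 1
fi

# Check if CA exists
if [[ ! -f "certificates/ca/ca.crt" || ! -f "certificates/ca/ca.key" ]]; then
  echo "Error: CA not found. Please run setup-ca.sh first." >&2
  exit 1
fi

readonly CA_CERT="certificates/ca/ca.crt"
readonly CA_KEY="certificates/ca/ca.key"
readonly CLIENT_DIR="certificates/clients/$CLIENT_NAME"
readonly KEY_FILE="$CLIENT_DIR/$CLIENT_NAME.key"
readonly CSR_FILE="$CLIENT_DIR/$CLIENT_NAME.csr"
readonly CRT_FILE="$CLIENT_DIR/$CLIENT_NAME.crt"
readonly P12_FILE="$CLIENT_DIR/$CLIENT_NAME.p12"

echo "=== Creating Client Certificate ==="
echo "Client Name: $CLIENT_NAME"

# Create client directory
mkdir -p -- "$CLIENT_DIR"

# From here on every new file is created owner-only, so the private key and
# the PKCS#12 bundle are never readable by other users, not even briefly
# before the chmod calls below.
umask 077

# Generate client private key
echo "Generating client private key..."
openssl genrsa -out "$KEY_FILE" 2048

# Generate client certificate signing request
echo "Generating client certificate signing request..."
openssl req -new -key "$KEY_FILE" \
  -out "$CSR_FILE" \
  -subj "/DC=de/DC=hottis/DC=homea2/CN=$CLIENT_NAME"

# Sign the client certificate
# NOTE(review): no -extfile/-extensions is given, so the issued certificate
# carries no keyUsage/extendedKeyUsage restriction. Consider limiting it to
# client authentication if the relying server supports that.
echo "Signing client certificate..."
openssl x509 -req -in "$CSR_FILE" \
  -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
  -out "$CRT_FILE" \
  -days 365 -sha256

# Create PKCS#12 bundle
# The password is handed to openssl through the environment rather than as
# "pass:..." on the command line, where any local user could read it from the
# process list.
echo "Creating PKCS#12 bundle..."
export P12_PASSWORD
openssl pkcs12 -export \
  -out "$P12_FILE" \
  -inkey "$KEY_FILE" \
  -in "$CRT_FILE" \
  -certfile "$CA_CERT" \
  -name "$CLIENT_NAME Home Automation Client" \
  -passout env:P12_PASSWORD

# Set appropriate permissions. The bundle contains the private key, so it gets
# the same owner-only mode as the key itself; only the certificate is public.
chmod 400 -- "$KEY_FILE"
chmod 644 -- "$CRT_FILE"
chmod 400 -- "$P12_FILE"

# Verify client certificate
echo "Verifying client certificate..."
openssl x509 -noout -text -in "$CRT_FILE"

echo ""
echo "=== Client Certificate Created ==="
echo "Client Certificate: $CRT_FILE"
echo "Client Private Key: $KEY_FILE"
echo "PKCS#12 Bundle: $P12_FILE"
echo ""
echo "Installation Instructions:"
echo "1. Import the PKCS#12 file into your browser/application"
echo "2. The bundle contains both the client certificate and CA certificate"
# The password is deliberately not echoed: stdout often ends up in terminal
# scrollback, CI logs or redirected files.
echo "3. Password for PKCS#12 file: the one given as the second argument (not shown)"
echo ""
echo "For testing with curl:"
echo "curl --cert $CRT_FILE --key $KEY_FILE https://homea2.hottis.de/"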