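#!/bin/sh
# Generate a self-signed TLS key and certificate for CN=localhost, plus the
# client trust list (trusted.pem) and a PKCS#12 bundle (server.p12).
# As explained in
# https://gist.github.com/darrenjs/4645f115d10aa4b5cebf57483ec82eca
#
# Outputs, written to the current directory:
#   server.key   unencrypted RSA-2048 private key
#   server.crt   self-signed certificate for server.key
#   trusted.pem  certificates the client trusts
#   server.p12   key + certificate bundle for Security.framework
#
# The certificate is self-signed with a 99999-day lifetime and the private
# key is stored without a pass phrase, so these files are test fixtures for
# localhost only.

# Stop at the first failing step so a broken openssl call cannot leave a
# half-built, mismatched set of files that looks complete.
set -eu

# Remove the intermediate files on every exit path, including failures.
trap 'rm -f server.pass.key server.csr' EXIT

# Key material is created under a restrictive umask so it is never readable
# by other local users, not even briefly. The chmod covers the case where
# server.key already existed with looser permissions, since openssl reuses
# the existing file mode when it overwrites.
# "xxxx" is a throwaway pass phrase: it protects only the intermediate
# server.pass.key, which is stripped and deleted straight away.
(
  umask 077
  openssl genrsa -des3 -passout pass:xxxx -out server.pass.key 2048
  openssl rsa -passin pass:xxxx -in server.pass.key -out server.key
)
chmod 600 server.key
rm -f server.pass.key

openssl req \
  -subj "/C=US/ST=California/L=Santa Clara/O=Beyond Aggravated/CN=localhost" \
  -new -key server.key -out server.csr
openssl x509 -req -sha256 -days 99999 -in server.csr -signkey server.key \
  -out server.crt
rm -f server.csr

# Now create the list of certificates we trust as a client.
# -f: the file does not exist on a first run, which must not be an error.
rm -f trusted.pem
# For now we just trust our own server.
openssl x509 -in server.crt -text >> trusted.pem
# Also add the system standard CA cert chain.
# cat /opt/local/etc/openssl/cert.pem >> trusted.pem

# Convert .pem to .der
# openssl x509 -outform der -in trusted.pem -out trusted.der

# Convert .crt and .key to .p12 for use by Security.framework.
# openssl prompts for the export password; enter "foo".
# NOTE(review): presumably the consumers of server.p12 are written against
# that password - confirm before changing it. Because the password is a
# known value, file permissions are the only real protection of the bundled
# private key, so the bundle is created owner-only as well.
(
  umask 077
  openssl pkcs12 -export -inkey server.key -in server.crt -name localhost \
    -out server.p12
)
chmod 600 server.p12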