#!/bin/sh

set -e -x

# Install certstrap
go get -v github.com/square/certstrap

# Place keys and certificates here
depot_path="cf-networking-certs"
mkdir -p ${depot_path}

# CA to distribute to cf-networking policy server and client
certstrap --depot-path ${depot_path} init --passphrase '' --common-name cf-networking-ca

# Server certificate for the policy server
certstrap --depot-path ${depot_path} request-cert --passphrase '' --common-name policy-server.service.cf.internal --domain '*.policy-server.service.cf.internal,policy-server.service.cf.internal'
certstrap --depot-path ${depot_path} sign policy-server.service.cf.internal --CA cf-networking-ca
mv -f ${depot_path}/policy-server.service.cf.internal.key ${depot_path}/policy-server.key
mv -f ${depot_path}/policy-server.service.cf.internal.csr ${depot_path}/policy-server.csr
mv -f ${depot_path}/policy-server.service.cf.internal.crt ${depot_path}/policy-server.crt

# Client certificate for the policy agent
certstrap --depot-path ${depot_path} request-cert --passphrase '' --common-name 'policy-agent'
certstrap --depot-path ${depot_path} sign policy-agent --CA cf-networking-ca

# Server certificate for the silk controller
certstrap --depot-path ${depot_path} request-cert --passphrase '' --common-name silk-controller.service.cf.internal --domain '*.silk-controller.service.cf.internal,silk-controller.service.cf.internal'
certstrap --depot-path ${depot_path} sign silk-controller.service.cf.internal --CA cf-networking-ca
mv -f ${depot_path}/silk-controller.service.cf.internal.key ${depot_path}/silk-controller.key
mv -f ${depot_path}/silk-controller.service.cf.internal.csr ${depot_path}/silk-controller.csr
mv -f ${depot_path}/silk-controller.service.cf.internal.crt ${depot_path}/silk-controller.crt

# Client certificate for the silk daemon
certstrap --depot-path ${depot_path} request-cert --passphrase '' --common-name 'silk-daemon'
certstrap --depot-path ${depot_path} sign silk-daemon --CA cf-networking-ca
