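#!/usr/bin/env sh
# SPDX-License-Identifier: Apache-2.0
#
# Generates a throwaway root CA and a TLS server certificate for local use.
# Everything is written to the current directory:
#   ca_key.pem, ca_cert.pem         root CA key and self-signed certificate
#   server_key.pem, server.csr      server key and signing request
#   server.v3.ext                   X.509v3 extensions applied when signing
#   server_cert.pem                 server certificate signed by the CA
#   server_ca_cert.pem              server certificate followed by the CA cert
#   server_key.der, server_cert.der DER copies of the server key/certificate
# plus the serial file that -CAcreateserial writes next to the CA cert.
#
# The shebang uses an absolute path: a bare "env" is resolved relative to the
# working directory when the script is executed directly.
#
# Both private keys are written unencrypted (-nodes). The server certificate
# is only valid for localhost / 127.0.0.1, but ca_key.pem can sign a
# certificate for any name, so import ca_cert.pem only into test trust stores
# and keep the key files out of version control and shared directories.

# Abort on the first failed step so a partial or mismatched set of
# key/certificate files is never left looking complete.
set -eu

# Make the CA key and self-signed CA certificate.
# Key size and digest are explicit so the CA is not weaker than the 4096-bit
# server key it signs because of a local openssl.cnf default.
openssl req -nodes -new -x509 \
  -newkey rsa:4096 -sha256 \
  -keyout ca_key.pem -out ca_cert.pem -days 800 \
  -subj '/CN=MalwareDB Root CA/C=US/ST=Maryland/L=Baltimore/O=MalwareDB'
# Owner-only, regardless of the OpenSSL build or the caller's umask.
chmod 600 ca_key.pem

# Make the server key and CSR.
openssl req -new -nodes \
  -newkey rsa:4096 \
  -keyout server_key.pem -out server.csr \
  -subj '/CN=MalwareDB Server/C=US/ST=Maryland/L=Baltimore/O=MalwareDB'
chmod 600 server_key.pem

# Extensions for the server certificate. The delimiter is quoted so the
# contents are written literally, with no shell expansion.
# NOTE(review): keyUsage is broader than a TLS server needs (nonRepudiation,
# dataEncipherment); left unchanged here to keep the issued certificate the same.
cat > server.v3.ext << 'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
EOF

# Sign the server certificate with the CA.
openssl x509 -req -in server.csr \
  -CA ca_cert.pem -CAkey ca_key.pem -CAcreateserial \
  -out server_cert.pem -days 800 -sha256 \
  -extfile server.v3.ext

# Chain file: server certificate first, then the CA certificate.
cat server_cert.pem ca_cert.pem > server_ca_cert.pem

# DER-encode the server key and certificate.
openssl rsa -in server_key.pem -out server_key.der -outform DER
chmod 600 server_key.der
openssl x509 -in server_cert.pem -out server_cert.der -outform DER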