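#!/usr/bin/php
<?php
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 3
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software Foundation:
#   Free Software Foundation
#   51 Franklin Street, Fifth Floor
#   Boston, MA 02110-1301
#   USA

# Creates (once) a self-signed CA "<master>_cert.pem"/"<master>_key.pem"
# plus the working files `openssl ca` needs, then issues the next free
# "cert<N>" client certificate signed by that CA and exports it as
# PEM/DER/PKCS#12/PKCS#7.  All values are driven by the CHANGE variables
# below and by the default openssl.cnf prompt order.

error_reporting (E_ALL|E_NOTICE);

// PKCS12 is available only from PHP 5.2.2 onwards.
// each password >= 4 chars
// each common name NOT empty - it's the user name or server address

// Every value below is handed to openssl either as its own escaped argument
// or as a line on its standard input -- never spliced into a shell command
// line -- so spaces, quotes and shell metacharacters in them are safe and
// the passwords do not appear in the process list.
$master_cert_name = "maincert";     # CHANGE
$password_main    = "main";         # CHANGE
$main_country     = "US";           # CHANGE
$main_state       = "D.C.";         # CHANGE
$main_city        = "Washington";   # CHANGE
$main_company     = ".";            # CHANGE
$main_unit        = ".";            # CHANGE
$main_common_name = "aaa";          # CHANGE: user name or server address
$main_email       = "a@a";          # CHANGE

$challenge        = "bbb";          # CHANGE
$password         = "cert0";        # CHANGE
$country          = "US";           # CHANGE
$state            = "D.C.";         # CHANGE
$city             = "Washington";   # CHANGE
$company          = ".";            # CHANGE
$unit             = ".";            # CHANGE
$common_name      = "bbb";          # CHANGE: user name or server address
$email            = "b@b";          # CHANGE
$export_password  = "cert0";        # CHANGE

// NOTE(review): the private key files ("<master>_key.pem", "cert<N>.key")
// are created subject to the process umask; run the script under a
// restrictive umask if other local users must not be able to read them.

/**
 * Run `openssl` with the given argument list, answering its prompts from
 * $stdin_lines (one answer per line, in prompt order).
 *
 * Each argument is escaped with escapeshellarg() and the answers travel
 * through a pipe rather than an `echo -e "..." |` command line.  This
 * avoids two defects of the echo pipeline: shell interpretation of the
 * configured values, and the non-portable `echo -e` (a POSIX sh whose echo
 * takes no options would have sent "-e <password>" as the password).
 *
 * @param array $args        sub-command followed by its options, unescaped
 * @param array $stdin_lines answers to openssl's prompts
 * @return void  Dies on a non-zero exit status, because every later step
 *               depends on the files written by the previous one.
 */
function run_openssl (array $args, array $stdin_lines = array ())
{
    $cmd = 'openssl';
    foreach ($args as $arg) {
        $cmd .= ' ' . escapeshellarg ($arg);
    }
    // Merge stderr into the one pipe we read, so openssl can never block
    // on an unread pipe while we wait on the other.
    $cmd .= ' 2>&1';
    $spec = array (0 => array ('pipe', 'r'),
                   1 => array ('pipe', 'w'));
    $proc = proc_open ($cmd, $spec, $pipes);
    if ( ! is_resource ($proc) ) {
        die ("Can't run openssl");
    }
    foreach ($stdin_lines as $line) {
        fwrite ($pipes[0], $line . "\n");
    }
    // The original echo pipeline ended with one extra empty line; keep it so
    // an unexpected additional prompt gets an empty (default) answer rather
    // than end-of-file.
    fwrite ($pipes[0], "\n");
    fclose ($pipes[0]);
    $output = stream_get_contents ($pipes[1]);
    fclose ($pipes[1]);
    $status = proc_close ($proc);
    if ( $status !== 0 ) {
        $sub = isset ($args[0]) ? $args[0] : '';
        die ("openssl $sub failed with status $status:\n$output");
    }
}

if ( ! file_exists ($master_cert_name . "_cert.pem") ) {
    // Self-signed CA (30 years).  Answers: pass-phrase twice, then the DN
    // prompts of the default openssl.cnf.
    run_openssl (array ('req', '-passout', 'stdin', '-x509', '-days', '10950',
                        '-newkey', 'rsa:2048',
                        '-keyout', "{$master_cert_name}_key.pem",
                        '-out', "{$master_cert_name}_cert.pem"),
                 array ($password_main, $password_main, $main_country,
                        $main_state, $main_city, $main_company, $main_unit,
                        $main_common_name, $main_email));
    run_openssl (array ('x509', '-in', "{$master_cert_name}_cert.pem",
                        '-outform', 'DER',
                        '-out', "{$master_cert_name}_cert.der"));

    // Directories and database files that `openssl ca` expects.
    foreach (array ('certs', 'newcerts', 'crl') as $dir) {
        if ( ! is_dir ($dir) && ! mkdir ($dir) ) {
            die ("Can't create directory $dir");
        }
    }
    if ( ! touch ('index.txt') ) {
        die ("Can't create index.txt");
    }
    $serial = fopen ("serial", "w");
    if ( $serial !== false ) {
        fwrite ($serial, "01");
        fclose ($serial);
    }
    else {
        die ("Can't create serial file");
    }
}

// Next free certificate number: the first "cert<N>.pem" that does not exist.
$i = 0;
while ( $i < 4000000000 && file_exists ("cert$i.pem") ) {
    $i++;
}
$name = "cert$i";

// Request: pass-phrase twice, DN prompts, then the two extra attributes
// (challenge password, optional company name).
run_openssl (array ('req', '-passout', 'stdin', '-days', '10950',
                    '-newkey', 'rsa:2048',
                    '-keyout', "$name.key", '-out', "$name.req"),
             array ($password, $password, $country, $state, $city, $company,
                    $unit, $common_name, $email, $challenge, $company));

// Sign with the CA: CA pass-phrase, then "y" to sign and "y" to commit.
run_openssl (array ('ca', '-passin', 'stdin', '-days', '10000',
                    '-cert', "{$master_cert_name}_cert.pem",
                    '-keyfile', "{$master_cert_name}_key.pem",
                    '-in', "$name.req", '-out', "$name.pem"),
             array ($password_main, 'y', 'y'));

// PKCS#12 bundle: key pass-phrase, then the export password twice.
run_openssl (array ('pkcs12', '-passin', 'stdin', '-passout', 'stdin',
                    '-export', '-in', "$name.pem", '-inkey', "$name.key",
                    '-out', "$name.p12", '-name', "Certificate for $name"),
             array ($password, $export_password, $export_password));

// Public certificate only, back out of the bundle, in PEM, DER and PKCS#7.
run_openssl (array ('pkcs12', '-passin', 'stdin', '-in', "$name.p12",
                    '-out', "$name-pub.pem", '-nokeys', '-clcerts'),
             array ($export_password));
run_openssl (array ('x509', '-in', "$name-pub.pem", '-outform', 'DER',
                    '-out', "$name-pub.cer"));
run_openssl (array ('crl2pkcs7', '-nocrl', '-certfile', "$name-pub.pem",
                    '-outform', 'DER', '-out', "$name-pub.p7b"));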