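# Generate a throwaway test PKI in the current directory: a self-signed
# root CA (root.key/root.pem), a server certificate for localhost
# (server.key/server.req/server.pem) and a client certificate for the
# test user 'Fred' (fred.key/fred.req/fred.pem/fred.p12).
#
# Everything produced here is test material only: the private keys are
# unencrypted and the PKCS#12 password is fixed and public.
#
# Note - we force the serial numbers to be different
# each time, to ensure that the browser accepts
# them again and again (it refuses an identical serial
# with a different key). The serial is built from the shell's PID ($$),
# which is good enough for a test fixture but is neither random nor
# guaranteed to be unique across runs.
#

# Stop at the first failing openssl call instead of carrying on with
# missing or stale files and still reporting success at the end.
set -eu

# -nodes writes the private keys unencrypted, so keep every file created
# below readable by the current user only.
umask 077

# Create a 'root' CA
openssl req -new -nodes -batch -x509 -text \
    -days 10 -subj '/CN=Da Root/O=Trac testing/L=Here/C=XX' \
    -set_serial "10$$" \
    -keyout root.key -out root.pem

# Create a certificate request for the server.
# No -days here: a validity period has no meaning on a request and
# openssl ignores it unless -x509 is given.
#
openssl req -new -nodes -batch \
        -subj "/CN=localhost/O=Keepers of Servers/L=Here/C=XX" \
        -keyout server.key -out server.req

# And get it signed by our root authority. The lifetime is set at
# signing time; without -days, 'openssl x509 -req' falls back to its
# default of 30 days, which would outlive the 10-day root.
# NOTE(review): the certificate names the host only in CN and carries
# no subjectAltName; clients that require a SAN will reject it.
#
openssl x509 -text -req -days 9 \
        -CA root.pem -CAkey root.key \
        -set_serial "20$$" -in server.req -out server.pem

# Create a certificate request for 'Fred' the test user. Ensure it
# has a C, O and L - as otherwise firefox may refuse to import it.
#
openssl req -new -nodes -batch \
        -subj "/CN=Fred the Test User/O=The Test Dept/L=Here/C=XX" \
        -keyout fred.key -out fred.req

# And get it signed by our root authority (same 9-day lifetime as the
# server certificate).
#
openssl x509 -text -req -days 9 \
        -CA root.pem -CAkey root.key \
        -set_serial "30$$" -in fred.req -out fred.pem

# And create a p12 for easy browser import. Note that
# it must have a password (macosx/windows will otherwise
# give an obscure error).
# The password is a fixed, well-known test value and is passed on the
# command line, where it is visible in the process list; never reuse
# this pattern or this bundle outside a test environment.
#
openssl pkcs12 -in fred.pem -inkey fred.key \
        -CAfile root.pem -export -password pass:1234 -out fred.p12

exit 0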



