# Commands to create Privoxy Root CA certificate

# Clean start
# rm ca.* index.txt* serial*


##################
# CA
##################

# Privoxy Root CA

# mkdir certs && cd certs
# touch index.txt
# echo 1000 > serial

# CA certificate encrypted key passphrase, both -passin and -passout
# sf-pwgen --algorithm memorable --count 2 --length 24 2>/dev/null | paste -s -d -- '-' \
#     1>passphrase.txt || true
# if [ $(head -1 passphrase.txt | wc -c) < 20 ]; then openssl rand -base64 23 1>passphrase.txt 2>/dev/null; fi
# cat passphrase.txt passphrase.txt > passphrase-dbl.txt \
#     && mv passphrase-dbl.txt passphrase.txt \
#     || rm -f passphrase-dbl.txt
# chmod go-rwx passphrase.txt

# CA encrypted key
# EC
# openssl genpkey -out ca.key.pem -algorithm EC \
#     -pkeyopt ec_paramgen_curve:P-384 -aes256 \
#     -pass file:passphrase.txt
#
# RSA
# # openssl genpkey -out ca.key.pem -algorithm RSA \
# #     -pkeyopt rsa_keygen_bits:2048 -aes256 \
# #     -pass file:passphrase.txt

# CA certificate
# openssl req -config openssl.cnf \
#     -new -x509 -days 3650 -sha384 -extensions v3_ca -out certs/ca.cert.pem \
#     -key ca.key.pem -passin file:passphrase.txt -batch

# CA certificate text verification
# openssl x509 -text -noout -in ca.cert.pem

# CA certificate openssl self-verification
# openssl verify -CAfile ca.cert.pem ca.cert.pem

# CA convert to PKCS12
# Note: `man openssl`: "If the same pathname
#     argument is supplied to -passin and -passout arguments then the
#     first line will be used for the input password and the next line
#     for the output password."
# https://developer.apple.com/forums/thread/697030
# openssl pkcs12 -legacy -export -out ca.p12 \
#     -inkey ca.key.pem -in ca.cert.pem \
#     -passin file:passphrase.txt \
#     -passout file:passphrase.txt
# verify .p12 passphrase
# openssl pkcs12 -legacy -noout -in ca.p12 -passin file:passphrase.txt

######################
# Server certificates
######################

# Clean and prepare directory for new certificates
# rm serial* 01.pem index.txt ; echo 01 > serial ; touch index.txt

# Server certificate encrypted key and decrypted key
# openssl genpkey -out adblock2privoxy-nginx.key.pem \
#     -algorithm EC -pkeyopt ec_paramgen_curve:P-384 -aes256 \
#     -pass file:passphrase.txt
# openssl ec -in adblock2privoxy-nginx.key.pem -passin file:passphrase.txt \
#     -out adblock2privoxy-nginx.key.pem.decrypted
# chmod go-rwx adblock2privoxy-nginx.key.pem.decrypted

# Server certificate CSR
# openssl req -config openssl.cnf -new -sha384 \
#     -key adblock2privoxy-nginx.key.pem -passin file:passphrase.txt \
#     -out adblock2privoxy-nginx.csr.pem -batch

# Server certificate (825 days maximum validity)
# https://support.apple.com/en-us/HT210176
# openssl ca -config openssl.cnf -days 825 -notext -md sha384 \
#     -extensions server_cert -in adblock2privoxy-nginx.csr.pem \
#     -out adblock2privoxy-nginx.cert.pem -passin file:passphrase.txt \
#     -subj '/CN=adblock2privoxy-nginx' -batch

# Server certificate chain of trust
# cat adblock2privoxy-nginx.cert.pem ca.cert.pem > adblock2privoxy-nginx.chain.pem

# Server certificate text
# openssl x509 -in adblock2privoxy-nginx.cert.pem -text -noout

# Server certificate and chain validity
# openssl verify -CAfile ca.cert.pem adblock2privoxy-nginx.cert.pem
# openssl verify -CAfile ca.cert.pem adblock2privoxy-nginx.chain.pem

# DH params
# openssl dhparam -out dhparam.pem 2048


[ca]
default_ca        = CA_default

[ CA_default ]
# Directory and file locations.
dir               = .
certs             = $dir
crl_dir           = $dir
new_certs_dir     = $dir
database          = $dir/index.txt
serial            = $dir/serial
RANDFILE          = $dir/.rand

# The root key and root certificate.
private_key       = $dir/ca.key.pem
certificate       = $dir/ca.cert.pem

# For certificate revocation lists.
crlnumber         = $dir/crlnumber
crl               = $dir/ca.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md        = sha256

name_opt          = ca_default
cert_opt          = ca_default
default_days      = 825
preserve          = no
policy            = policy_strict

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName             = optional
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = optional
emailAddress            = optional

[req]
# Options for the `req` tool (`man req`).
# default_bits        = 4096
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.
default_md          = sha256

[req_distinguished_name]
countryName = US
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = Massachusetts
stateOrProvinceName_default = Massachusetts
localityName = Boston
localityName_default = Boston
0.organizationName = MacPorts
0.organizationName_default = MacPorts
organizationalUnitName = adblock2privoxy-nginx
commonName = adblock2privoxy-nginx
commonName_default = adblock2privoxy-nginx
commonName_max = 64
emailAddress = macports-users@lists.macports.org
emailAddress_max = 40

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
#authorityKeyIdentifier = keyid:always, issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
subjectAltName = DNS:localhost, IP:127.0.0.1


[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always

[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning

[ smime ]
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = critical, email:copy
extendedKeyUsage = critical, emailProtection