sawa-control-panel/certs/create-client.sh


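#!/bin/sh
# certs/create-client.sh — Generate Client Certificate for Sawa Control Panel
#
# Usage: create-client.sh <device-name>
#
# Writes <device-name>.key, <device-name>.crt and <device-name>.p12 next to
# this script, signed by the Root CA (ca.key / ca.crt) in the same directory.

# Exit on error and on use of an unset variable.
set -eu

# Byte-wise pattern matching, so the A-Z / a-z / 0-9 ranges below are ASCII only.
LC_ALL=C
export LC_ALL

# The .key and .p12 outputs both contain the client private key. Create every
# file owner-only instead of relying on openssl's per-command defaults.
# (This also applies to the .crt; relax its mode afterwards if others must read it.)
umask 077

if [ -z "${1:-}" ]; then
  echo "Usage: $0 <device-name>" >&2
  echo "Example: $0 my-phone" >&2
  exit 1
fi

DEVICE_NAME=$1

# The device name is used both as a file name and inside the -subj string.
# A "/" would escape the certs directory and would also be parsed by openssl
# as an extra subject field (e.g. a second CN), so only a conservative
# character set is accepted. A leading "-" or "." is rejected as well.
case "$DEVICE_NAME" in
  -* | .* | *[!A-Za-z0-9._-]*)
    echo "Error: device name may only contain letters, digits, '.', '_' and '-', and must start with a letter or digit." >&2
    exit 1
    ;;
  [Cc][Aa])
    # "<name>.key" would be ca.key: generating the client key would overwrite
    # the Root CA private key (also on case-insensitive filesystems).
    echo "Error: '$DEVICE_NAME' is reserved for the Root CA files." >&2
    exit 1
    ;;
esac

CERT_DIR=$(dirname -- "$0")
CA_KEY="$CERT_DIR/ca.key"
CA_CRT="$CERT_DIR/ca.crt"
CLIENT_KEY="$CERT_DIR/$DEVICE_NAME.key"
CLIENT_CSR="$CERT_DIR/$DEVICE_NAME.csr"
CLIENT_CRT="$CERT_DIR/$DEVICE_NAME.crt"
CLIENT_P12="$CERT_DIR/$DEVICE_NAME.p12"
EXT_FILE=""

# Validation
if [ ! -f "$CA_KEY" ] || [ ! -f "$CA_CRT" ]; then
  echo "Error: Root CA not found. Please run create-ca.sh first." >&2
  exit 1
fi

# Remove the intermediate files on every exit path, including a failed or
# interrupted openssl step (set -e would otherwise leave them behind).
cleanup() {
  if [ -n "$EXT_FILE" ]; then
    rm -f -- "$EXT_FILE"
  fi
  rm -f -- "$CLIENT_CSR"
}
trap cleanup EXIT
# A plain sh EXIT trap is not guaranteed to run on a signal; turn the common
# ones into a normal exit so cleanup still happens (e.g. Ctrl-C at the prompt).
trap 'exit 1' HUP INT TERM

echo "Step 1: Generating 2048-bit RSA private key for $DEVICE_NAME..."
openssl genrsa -out "$CLIENT_KEY" 2048

echo "Step 2: Generating Certificate Signing Request (CSR)..."
openssl req -new -key "$CLIENT_KEY" -out "$CLIENT_CSR" -subj "/CN=$DEVICE_NAME/O=Sawa/C=XX"

echo "Step 3: Signing the client certificate with Root CA (valid for 2 years)..."
# Unique temp file instead of a fixed name inside the certs directory, so two
# concurrent runs cannot overwrite or delete each other's extension file.
EXT_FILE=$(mktemp "${TMPDIR:-/tmp}/client_ext.XXXXXX")
# Restrict the certificate to TLS client authentication.
printf "extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature" > "$EXT_FILE"
openssl x509 -req -in "$CLIENT_CSR" -CA "$CA_CRT" -CAkey "$CA_KEY" \
  -CAcreateserial -out "$CLIENT_CRT" -days 730 -sha256 \
  -extfile "$EXT_FILE"

echo "Step 4: Exporting to PKCS12 (.p12) for mobile/browser installation..."
echo "IMPORTANT: iOS requires a non-empty password. You will be prompted for one now:"
# No password option is passed, so openssl prompts on the terminal and the
# export password never appears in the process arguments.
openssl pkcs12 -export -out "$CLIENT_P12" -inkey "$CLIENT_KEY" -in "$CLIENT_CRT" -certfile "$CA_CRT"

echo ""
echo "--------------------------------------------------------"
echo "CLIENT CERTIFICATE SUCCESSFUL for: $DEVICE_NAME"
echo "--------------------------------------------------------"
echo "PEM Key: $CLIENT_KEY"
echo "PEM Cert: $CLIENT_CRT"
echo "PKCS12: $CLIENT_P12 (Use this for phone/browser)"
echo "--------------------------------------------------------"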