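# Site CA and host certificate generation with OpenSSL.
#
# 'make' builds the host private key, the CA-signed host certificate and a
# merged key+certificate file for ${CN}, creating the site CA for ${CA}
# on the way if it does not exist yet.

# Using 'cc -E' causes some problems.
CPP = cpp

CA = com.example
CN = com.example.SSL

# 2048 bits are currently (2003) recommended for CAs.
# NOTE(review): this is 2003 guidance; check ABITS and ADAYS against
# current policy before creating a new CA.
ABITS = 2048
ADAYS = 750

# 1024 bits because most browsers only support 512 or 1024.
# NOTE(review): 1024-bit RSA is below the 2048-bit minimum expected today.
# The value is left as the author set it; override it on the command line
# ('make NBITS=2048') for any key that will actually be deployed.
NBITS = 1024
NDAYS = 750
RDAYS = 3

# File-name suffixes. NBOTH is deliberately empty, so the merged host file
# is simply '${CN}.pem'.
ASERI = _CASerial
APKEY = _CAPrivate_key
ACERT = _CACertificate
ABOTH = _CA
NPKEY = _Private_key
NCREQ = _CertRequest
NCERT = _Certificate
NBOTH =

# 'all' names no file, so keep a stray file called 'all' from masking it.
.PHONY: all

# We want the private key, certificate, and merged
# version for our CN.
all: ${CN}${NPKEY}.pem ${CN}${NCERT}.pem ${CN}${NBOTH}.pem

# We never want to lose the CA private key, certificate,
# and merged version.
.PRECIOUS: ${CA}${APKEY}.pem ${CA}${ACERT}.pem ${CA}${ABOTH}.pem
#.PRECIOUS: ${CN}${NCREQ}.pem
#.PRECIOUS: ${CA}${ACERT}.cnf
#.PRECIOUS: ${CN}${NCREQ}.cnf
#.PRECIOUS: ${CN}${NCERT}.cnf

# A '.cnf' file (for CA or CN) is the concatenation of
# 'default.ini' and the specific '.init', processed.
# The preprocessor is taken from ${CPP} so the setting at the top of this
# file is the one actually used.
# NOTE(review): only sed's exit status is checked, so a failing
# preprocessor still leaves a (possibly empty) '.cnf' behind.
%.cnf: default.ini %.ini
	${CPP} -I. '$*.ini' | sed 's/ *%% *//g' > '$@'

# Generate site CA private key using RSA and encrypted using DES3.
# openssl prompts for the passphrase. 'umask 077' makes the file private
# from the moment it is created instead of only after the chmod below.
# NOTE(review): -des3 is legacy; genrsa also accepts -aes256.
%${APKEY}.pem:
	umask 077 && openssl genrsa -out '$@' \
		-des3 '${ABITS}'
	chmod og= '$@'

# Generate site CA certificate via self-signing.
# Use 'openssl req' instead of 'openssl ca' because the CA has not
# yet been set up.
%${ACERT}.pem: %${ACERT}.cnf %${APKEY}.pem
	openssl req -out '$@' \
		-config '$*${ACERT}.cnf' \
		-new -x509 \
		-key '$*${APKEY}.pem' \
		-days '${ADAYS}'
	chmod a+r '$@'

# Merged CA key + certificate. It contains the CA private key, so it is
# created under 'umask 077' rather than tightened after the fact.
%${ABOTH}.pem: %${APKEY}.pem %${ACERT}.pem
	umask 077 && cat '$*${APKEY}.pem' '$*${ACERT}.pem' > '$@'
	chmod og= '$@'

# Generate the host private key and a signing request for it.
# NOTE(review): the original comment called the key "unencrypted", but
# -des3 makes genrsa encrypt it under a passphrase it prompts for, so
# whatever loads this key must be given that passphrase. Dropping -des3
# would store the key in the clear; make that choice deliberately.
%${NPKEY}.pem:
	umask 077 && openssl genrsa -out '$@' \
		-des3 '${NBITS}'
	chmod og= '$@'

# NOTE(review): per the openssl-req documentation, -nodes only affects a
# key that 'req' creates itself (here the key comes from -key), and -days
# is only honoured together with -x509, so RDAYS does not limit the
# request's lifetime.
%${NCREQ}.pem: %${NCREQ}.cnf %${NPKEY}.pem
	openssl req -out '$@' \
		-config '$*${NCREQ}.cnf' \
		-new -nodes \
		-days '${RDAYS}' \
		-key '$*${NPKEY}.pem'
	chmod og= '$@'

# Generate signed site certificate from the request.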
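# Sign the host's request with the site CA key and certificate.
# Certificate extensions are read from the per-host '.cnf' via -extfile.
# -CAcreateserial creates the serial file '${CA}${ASERI}.txt' when it does
# not exist yet; that file is a side effect of this recipe, not a target.
%${NCERT}.pem: ${CA}${APKEY}.pem ${CA}${ACERT}.pem \
               %${NCERT}.cnf %${NCREQ}.pem
	openssl x509 -out '$@' \
		-CAcreateserial \
		-CAserial '${CA}${ASERI}.txt' \
		-CA '${CA}${ACERT}.pem' \
		-CAkey '${CA}${APKEY}.pem' \
		-req \
		-extfile '$*${NCERT}.cnf' \
		-in '$*${NCREQ}.pem' \
		-days '${NDAYS}'
	chmod a+r '$@'

# Merged host key + certificate. When NBOTH is empty this pattern is
# '%.pem'. The output contains the host private key, so it is created
# under 'umask 077': a plain '>' redirection would leave it readable
# under the caller's umask until the chmod runs.
%${NBOTH}.pem: %${NPKEY}.pem %${NCERT}.pem
	umask 077 && cat '$*${NPKEY}.pem' '$*${NCERT}.pem' > '$@'
	chmod og= '$@'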