#!/bin/bash
# Generiert selbstsignierte Zertifikate für die lokale Entwicklung

mkdir -p ssl

# Generiere Root-CA
openssl req -x509 -nodes -new -sha256 -days 1024 -newkey rsa:2048 \
  -keyout ssl/rootCA.key -out ssl/rootCA.pem \
  -subj "/C=DE/ST=Berlin/L=Berlin/O=Development/CN=Local Development CA"

# Generiere localhost-Zertifikat
openssl req -new -nodes -newkey rsa:2048 \
  -keyout ssl/localhost+2-key.pem -out ssl/localhost.csr \
  -subj "/C=DE/ST=Berlin/L=Berlin/O=Development/CN=localhost"

# Konfigurationsdatei für Alternativen Namen
cat > ssl/localhost.ext << EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
DNS.2 = *.localhost
IP.1 = 127.0.0.1
EOF

# Signiere das Zertifikat
openssl x509 -req -in ssl/localhost.csr \
  -CA ssl/rootCA.pem -CAkey ssl/rootCA.key -CAcreateserial \
  -out ssl/localhost+2.pem -days 500 \
  -sha256 -extfile ssl/localhost.ext

echo "SSL certificates generated:"
ls -la ssl/