#!/bin/sh
# vim: set sw=4 ts=4 sts=4 et :

DAYS=90
SUBJ=/CN=localhost
ALG=EC
CURVE=secp384r1

if [ -f /etc/default/gen-nginx-cert ]; then
    . /etc/default/gen-nginx-cert
fi

set -- \
    -out /etc/nginx/ssl/server.key \
    -algorithm "${ALG}"

case "${ALG}" in
EC)
    set -- "$@" \
        -pkeyopt ec_paramgen_curve:${CURVE} \
        -pkeyopt ec_param_enc:named_curve
    ;;
RSA)
    set -- "$@" \
        -pkeyopt rsa_keygen_bits:${BITS:+4096}
    ;;
esac

rm -f /etc/nginx/ssl/server.crt /etc/nginx/ssl/server.key
: > /etc/nginx/ssl/server.key
openssl genpkey "$@"
openssl \
	req -x509 \
	-subj "${SUBJ}" \
	-key /etc/nginx/ssl/server.key \
	-out /etc/nginx/ssl/server.crt \
	-sha256 \
	-days "${DAYS}"