#!/bin/bash
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0

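# Help text. Written with printf-style escapes throughout (\n, \t) so every
# line is produced the same way; the original mixed escapes with literal
# newlines. $0 is quoted so a script path containing spaces still renders.
USAGE="Usage: $(basename "$0") [-acj] cert_arn [pca_arn]\n\
  Get a certificate issued by a Private CA, i.e., Certificate ARN starting with arn:aws:acm-pca:\n\
  Note 1: Certificates issued by a Private CA are not listed on ACM Console.\n\
  Note 2: If pca_arn is not specified, it will be derived from the cert_arn.\n\
\t-a  Include Arn in the output\n\
\t-c  Get the chain instead\n\
\t-j  Get the full JSON with Chain\n\
If multiple options are specified, only the last one will be effective."

#######################################
# Print the usage text to stderr and exit.
# Globals:   USAGE (read)
# Outputs:   usage text on stderr
# Returns:   exits with status 2 (never returns)
#######################################
usage() {
  # %b expands the \n/\t escapes in USAGE, like `echo -e`, without echo's
  # portability quirks.
  printf '%b\n' "$USAGE" >&2
  exit 2
}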

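# Output selector: empty (certificate body, the default) or arn|chain|json.
# A later option overrides an earlier one, as the usage text states.
outputType=
while getopts "acj" arg; do
  case "$arg" in
    a)  outputType=arn;;
    c)  outputType=chain;;
    j)  outputType=json;;
    # getopts has already reported the bad option on stderr; stop here
    # instead of silently continuing with the default output.
    *)  usage;;
  esac
done
shift $((OPTIND-1))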

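# Positional arguments: the certificate ARN (required) and the issuing
# CA's ARN (optional, derived from the certificate ARN when omitted).
cert=$1
pca=$2
if [ -z "$cert" ]; then
  usage
fi
if [ -z "$pca" ]; then
  # A private-CA certificate ARN has the form <pca_arn>/certificate/<id>;
  # dropping the trailing component yields the CA's ARN.
  pca=${cert%/certificate/*}
  if [ "$pca" = "$cert" ]; then
    # Nothing was stripped, so the derivation cannot have worked; fail now
    # instead of sending the certificate ARN as the CA ARN.
    printf 'Cannot derive pca_arn from %s (expected .../certificate/<id>); pass it explicitly\n' "$cert" >&2
    exit 2
  fi
  # Diagnostics go to stderr so the certificate written to stdout can be
  # redirected or piped without this text prepended to it.
  printf 'PCA Derived\n%s\n' "$pca" >&2
fi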

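# Fetch the certificate once and check the call succeeded before formatting.
# In a plain `aws | case` pipeline the aws exit status is lost and jq would
# emit empty or partial output with status 0. ARNs are quoted so they are
# passed as single arguments.
response=$(aws acm-pca get-certificate --certificate-authority-arn "$pca" --certificate-arn "$cert") || exit
case "$outputType" in
  # Build the Arn object with --arg so jq JSON-escapes the value; string
  # interpolation would produce malformed JSON if the ARN held a quote.
  # Arn is placed first, as the original `jq -s add` ordering did.
  arn)    jq --arg arn "$cert" '{Arn: $arn} + .' <<<"$response";;
  chain)  jq -r '(.CertificateChain)' <<<"$response";;
  json)   jq . <<<"$response";;
  *)      jq -r '(.Certificate)' <<<"$response";;
esac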