#!/bin/bash
# 
# issuecert - Issue a signed certifcate, given a CSR file. This cert can presented to an MSK cluster which uses mTLS
#
# Usage: issuecert cert.csr
#
# Generates a signed certificate in PEM format. The output file name replaces the .csr suffix in the input file name with .pem
# Note - this assumes that there is only one ACM PCA in this region of this account, and that PCA is associated with the MSK cluster

#
if [ "$#" != 1 ]; then
    echo "Usage: issuecert certfile.csr"
    exit 1
fi

csr_file=$1
if [ ! -f "$csr_file" ]; then
    echo "$csr_file does not exist."
    exit 1
fi

if [ -z "${ACM_PCA_ARN}" ]; then
    pca_arn=`aws acm-pca list-certificate-authorities | grep Arn | head -n 1 | cut -d "\"" -f 4`
else
    pca_arn="${ACM_PCA_ARN}"
fi

if [ -z $pca_arn ]; then
    echo "No Private Certificate Authorities found. Use ACM in your AWS console to create a PCA" 
    exit 1
fi

tmp_output=$(mktemp)
aws acm-pca issue-certificate --certificate-authority-arn $pca_arn  --csr fileb://$csr_file --signing-algorithm "SHA256WITHRSA" --validity Value=300,Type="DAYS" > $tmp_output
if [ ! $? -eq 0 ]; then
    echo "Failed to issue certificate"
    exit 1
fi
cert_arn=`cat $tmp_output | grep Arn | cut -d "\"" -f 4`
rm -f $tmp_output
sleep 5

json_certs_file=`basename $csr_file .csr`.json
aws acm-pca get-certificate --certificate-authority-arn $pca_arn --certificate-arn $cert_arn > $json_certs_file

jsoncerts2pem $json_certs_file
rm -f $json_certs_file