all: chain.pem

%.private.pem:
	openssl ecparam -name secp384r1 -genkey -noout -out $@

%.public.pem: %.private.pem
	openssl ec -in $< -pubout -out $@

root.cert.pem: root.private.pem
	openssl req -new -key $< -out $@.tmp.csr -subj "/CN=Test Root CA (DO NOT TRUST)" -addext 'basicConstraints=critical,CA:TRUE' -addext 'keyUsage=digitalSignature,keyCertSign' 
	openssl x509 -req -days 365 -in $@.tmp.csr -signkey $< -out $@ -CAcreateserial -extfile cert.extensions.cfg
	rm -rf $@.tmp.csr

intermediate.cert.pem: intermediate.private.pem | root.private.pem
	openssl req -new -key $< -out $@.tmp.csr -subj "/CN=Test Intermediate CA (DO NOT TRUST)" -addext 'basicConstraints=critical,CA:TRUE' -addext 'keyUsage=digitalSignature,keyCertSign' 
	openssl x509 -req -days 365 -in $@.tmp.csr -CA ${subst private,cert,$|} -CAkey $| -out $@ -CAcreateserial -extfile cert.extensions.cfg
	rm $@.tmp.csr

leaf.cert.pem: leaf.private.pem | intermediate.private.pem
	openssl req -new -key $< -out $@.tmp.csr -subj "/CN=Test Leaf (DO NOT TRUST)"
	openssl x509 -req -days 365 -in $@.tmp.csr -CA ${subst private,cert,$|} -CAkey $| -out $@ -CAcreateserial
	rm -rf $@.tmp.csr

chain.pem: root.cert.pem intermediate.cert.pem leaf.cert.pem | root.public.pem intermediate.public.pem leaf.public.pem
	rm -rf $@
	cat `(for d in $^; do echo $$d; done) | tac` >> $@

clean:
	rm -f chain.pem root.*.pem intermediate.*.pem leaf.*.pem *.tmp.csr *.cert.srl