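#!/bin/bash
#
# Generates a throwaway CA plus one broker key pair for a local Kafka TLS setup.
# Output, written to ./ssl (which is deleted and recreated on every run):
#   kafka.ca.keystore.jks       CA key pair (self-signed, BasicConstraints ca:true)
#   kafka.broker.keystore.jks   broker key pair + CA-signed certificate chain
#   kafka.broker.truststore.jks CA certificate only
#   password                    the keystore/key password, in clear text
#
# Environment:
#   KAFKA_SSL_PASSWORD  optional; overrides the built-in development password.

# Stop at the first failing step: without this a failed mkdir/cd would let the
# keytool and rm commands below run in the caller's working directory.
set -euo pipefail

# The default is a well-known development value kept for backward
# compatibility; supply KAFKA_SSL_PASSWORD for anything that is not a local
# test setup.
# Exported so keytool can read it through "-storepass:env" / "-keypass:env"
# instead of receiving it on the command line, where it would be visible in
# the process list.
export PASSWORD="${KAFKA_SSL_PASSWORD:-abcd1234}"
readonly VALIDITY_DAYS=365
readonly KEYS_DIR="ssl"
readonly DNAME="CN=localhost, OU=Dev, O=MyCompany, L=Seoul, C=KR"
readonly CA_DNAME="CN=My Kafka CA, OU=Dev, O=MyCompany, L=Seoul, C=KR"

# ${KEYS_DIR:?} aborts if the variable is ever empty, so this can never
# expand to "rm -rf ./".
rm -rf -- "./${KEYS_DIR:?}"
mkdir -- "${KEYS_DIR}"
cd -- "${KEYS_DIR}"

# 1. Self-signed CA key pair.
# NOTE(review): this keystore holds the CA private key and stays in the same
# directory as the broker files; brokers only need the truststore, so keep it
# out of anything that is mounted into or copied to the brokers.
keytool -genkeypair -alias ca -keyalg RSA -keysize 2048 \
  -validity "${VALIDITY_DAYS}" \
  -keystore kafka.ca.keystore.jks \
  -storepass:env PASSWORD -keypass:env PASSWORD \
  -dname "${CA_DNAME}" \
  -ext "BasicConstraints:critical=ca:true"

# 2. Export the CA certificate (public part only).
keytool -exportcert -alias ca -file ca.crt \
  -keystore kafka.ca.keystore.jks -storepass:env PASSWORD

# 3. Broker key pair.
keytool -genkeypair -alias broker -keyalg RSA -keysize 2048 \
  -validity "${VALIDITY_DAYS}" \
  -keystore kafka.broker.keystore.jks \
  -storepass:env PASSWORD -keypass:env PASSWORD \
  -dname "${DNAME}"

# 4. Certificate signing request for the broker key.
keytool -certreq -alias broker -file broker.csr \
  -keystore kafka.broker.keystore.jks -storepass:env PASSWORD

# 5. Sign the request with the CA. The SAN list must contain every host name
# clients and peer brokers use to reach a broker, otherwise host name
# verification fails. clientAuth is included alongside serverAuth, so the same
# certificate can also be presented as a TLS client certificate.
keytool -gencert -alias ca -infile broker.csr -outfile broker.crt \
  -keystore kafka.ca.keystore.jks -storepass:env PASSWORD \
  -validity "${VALIDITY_DAYS}" \
  -ext "SAN=dns:broker-1,dns:broker-2,dns:broker-3,dns:localhost" \
  -ext "ExtendedKeyUsage=serverAuth,clientAuth"

# 6. Import the CA certificate first, then the signed broker certificate, so
# keytool can build the chain for the "broker" entry.
keytool -importcert -alias ca -file ca.crt \
  -keystore kafka.broker.keystore.jks -storepass:env PASSWORD -noprompt
keytool -importcert -alias broker -file broker.crt \
  -keystore kafka.broker.keystore.jks -storepass:env PASSWORD -noprompt

# 7. Truststore containing only the CA certificate.
keytool -importcert -alias ca -file ca.crt \
  -keystore kafka.broker.truststore.jks -storepass:env PASSWORD -noprompt

# Clear-text password file next to the keystores. It and the keystores are
# created with the caller's umask; restrict their permissions if the directory
# is readable by other users.
printf '%s\n' "${PASSWORD}" > password

# Intermediate files are no longer needed once imported.
rm -- ca.crt broker.csr broker.crt

echo ""
echo "🎉 SSL/TLS 키 파일 생성 완료"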