#!/bin/sh
usage()
{
	printf "Usage: %s [-c curve] [-d days] domain\n" "${0##*/}" >&2
	exit 1
}

tonumber()
{
	printf "%u\n" "$*"
}

curve=secp384r1
days=3650
while getopts c:d: flag; do
	case $flag in
	c)	[ -n "$OPTARG" ] || usage
		curve=$OPTARG
		;;
	d)	days=$(tonumber "$OPTARG") || usage
		;;
	*)	usage
		;;
	esac
done
shift $((OPTIND - 1))
[ $# -eq 1 ] && [ -n "$1" ] || usage
domain=$1

(umask 077 && openssl genpkey -aes256 \
    -algorithm ec -pkeyopt ec_paramgen_curve:"$curve" -out "$domain.key")
if [ $? -ne 0 ] || [ ! -s "$domain.key" ]; then
	# openssl doesn't return an error code if there is a password mismatch
	# or a password too short, and it creates the output file anyways
	rm -f "$domain.key"
	exit 1
fi
openssl req -new -x509 -days "$days" -subj "/CN=$domain" \
    -key "$domain.key" -out "$domain.pem"