+# Generate Gigi certificates manually
+cabasename=assured
+caname=${cabasename}_$(date +%Y)_1
+ca=../signer/ca/$caname/ca
+if [[ -f "$ca.key" ]] && ! [[ -f keystore.pkcs12 ]]; then
+ if [[ -f serial_base ]]; then
+ serial_base=$(< serial_base)
+ else
+ serial_base=100000
+ fi
+ serial_base=$((serial_base + 1))
+ printf '%d\n' "$serial_base" >| serial_base
+ # when the domain is provided externally as environment variable, use it and do not prompt for it.
+ [[ -z $DOMAIN ]] && read -rp "I need to generate gigi-certificates. I need your base domain: " DOMAIN
+ # Assuming we have access to the CA-keys we generate two certificates and present them to gigi
+ # One to be used for all 4 https domains and one as email certificate.
+
+ # Generate two keys and certs requests. The CN of the SSL-server cert doesn't really matter, as we use subject alt names anyways.
+ openssl req -newkey rsa:2048 -keyout www.key -out www.csr -nodes -subj "/CN=gigi server certificate"
+ openssl req -newkey rsa:2048 -keyout mail.key -out mail.csr -nodes -subj "/CN=gigi system"
+
+ # Sign the two requests with the keys in the config of the simple signer. Use the serial_base with extensions 1 and 2. These serials are long enough to probably not collide with the "simple signer"
+ openssl x509 -req -days 356 -in www.csr -out www.crt -CA $ca.crt -CAkey $ca.key -set_serial ${serial_base}1 -extfile <(printf '[ext]\nsubjectAltName=DNS:www.%s,DNS:secure.%s,DNS:static.%s,DNS:api.%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' "$DOMAIN" "$DOMAIN" "$DOMAIN" "$DOMAIN") -extensions ext
+ openssl x509 -req -days 356 -in mail.csr -out mail.crt -CA $ca.crt -CAkey $ca.key -set_serial ${serial_base}2 -extfile <(printf '[ext]\nsubjectAltName=email:support@%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=emailProtection\nkeyUsage=digitalSignature,keyEncipherment\n' "$DOMAIN") -extensions ext