#!/bin/bash

#
# Initialize the EasyRSA PKI
#

if [ "$DEBUG" == "1" ]; then
  set -x
else
  exec 2> /dev/null
fi

set -e

# Provides a sufficient warning before erasing pre-existing files
easyrsa init-pki

# we rely on external KMS
echo "BastionOpenVPNRootCA" | easyrsa build-ca nopass

easyrsa gen-dh
openvpn --genkey secret $EASYRSA_PKI/ta.key

easyrsa gen-crl

echo "Successfully bootstrapped PKI"