MTLS Client Cert generator

{ pkgs ?  import <nixpkgs> {} }:
let
  openSSLScriptClientCA = pkgs.writeShellScriptBin "create-ca" ''
    echo "create CA"
    echo
    mkdir ca
    ${pkgs.openssl}/bin/openssl genrsa -aes256 -out ca/ca.key 4096
    chmod 400 ca/ca.key
    ${pkgs.openssl}/bin/openssl req -new -x509 -sha256 -days 730 -key ca/ca.key -out ca/ca.crt
    chmod 444 ca/ca.crt
  '';

  openSSLScriptClientCert = pkgs.writeShellScriptBin "create-cert" ''
    echo "create client cert"
    echo
    if [[ ! -f ca/ca.crt ]]
    then
      echo "create ca first"
      exit 1
    fi
    CERT_NAME=''${1:-heiko}
    mkdir client
    ${pkgs.openssl}/bin/openssl genrsa -out client/''${CERT_NAME}.key 2048
    ${pkgs.openssl}/bin/openssl req -new -key client/''${CERT_NAME}.key -out client/''${CERT_NAME}.csr
    ${pkgs.openssl}/bin/openssl x509 -req -days 365 -sha256 -in client/''${CERT_NAME}.csr -CA ca/ca.crt \
      -CAkey ca/ca.key -set_serial 2 -out client/''${CERT_NAME}.crt
  '';
in
pkgs.mkShell {

  buildInputs = with pkgs; [
    openSSLScriptClientCA
    openSSLScriptClientCert
    openssl
  ];

  shellHook = ''
    HISTFILE=${toString ./.}/.history
  '';
}