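# cfssl-based certificate issuance helpers.
#
# Arguments:
#   pkgs   - nixpkgs; provides writeText, runCommand and the cfssl package.
#   ca     - passed straight through to ./initca.nix; its meaning is defined there.
#   algo   - key algorithm for every issued leaf key: "rsa" (2048-bit modulus) or
#            "ecdsa" (256-bit curve, i.e. P-256 in cfssl).
#   expiry - validity period written into the cfssl signing config for both the
#            default and the "default" profile (cfssl duration syntax; the
#            default 8760h is one year).
#
# Returns an attribute set with:
#   initca  - the derivation that builds the CA (from ./initca.nix).
#   ca      - { key, cert } paths of that CA inside the Nix store.
#   gencert - issues a leaf certificate; see its comment below.
#
# NOTE(security): every key produced here, including ca-key.pem and each
# cert-key.pem, is a derivation output and therefore lives in /nix/store, which
# is world-readable on the build host and is copied to any binary cache that
# receives these derivations.  Suitable for test fixtures and development
# environments, not for production key material.
{ pkgs, ca ? "", algo ? "rsa", expiry ? "8760h" }:
let
  initca = import ./initca.nix { inherit pkgs ca; };

  # Paths of the CA key pair as produced by initca.nix.
  moduleCa = {
    key = "${initca}/ca-key.pem";
    cert = "${initca}/ca.pem";
  };

  # cfssl signing configuration.  There is a single profile, so every
  # certificate issued through gencert carries both "server auth" and
  # "client auth" usages and the same validity period; add further profiles
  # here (and a profile argument to gencert) if roles ever need separating.
  caConfig = pkgs.writeText "ca-config.json" ''
    {
      "signing": {
        "default": { "expiry": "${expiry}" },
        "profiles": {
          "default": {
            "usages": [ "signing", "key encipherment", "server auth", "client auth" ],
            "expiry": "${expiry}"
          }
        }
      }
    }
  '';

  # Write a cfssl CSR description for one subject.
  #   args.cn    - common name; also used in the output file name.
  #   args.o     - organisation.
  #   args.hosts - list of SANs (host names / IPs) to request.
  # The OU is derived from cn and o so that subjects stay distinguishable.
  gencsr = args:
    let
      csr = {
        CN = "${args.cn}";
        key = {
          inherit algo;
          # cfssl reads size as modulus bits for rsa and curve bits for ecdsa.
          size = if algo == "ecdsa" then 256 else 2048;
        };
        names = [
          {
            CN = "${args.cn}";
            O = "${args.o}";
            OU = "${args.cn}.${args.o}.pki.caSpec";
            L = "generated";
          }
        ];
        hosts = args.hosts;
      };
    in
    pkgs.writeText "${args.cn}-csr.json" (builtins.toJSON csr);
in
# Example usage:
#
#   gencert { cn = "test"; ca = ca; o = "test"; hosts = [ "test.example" ]; }
#
{
  inherit initca;
  ca = moduleCa;

  # Issue a leaf certificate signed by a CA.
  #   attrs.cn    - common name (required); also names the derivation.
  #   attrs.o     - organisation (required).
  #   attrs.hosts - SAN list; defaults to [] (cfssl then only warns).
  #   attrs.ca    - { key, cert } of the signing CA; defaults to this module's CA.
  # Returns { key, cert } paths of the new key pair in the Nix store.
  # The derivation is addressed by its inputs, so the same (cn, o, hosts, ca)
  # reuses an already-built key pair rather than generating a fresh one.
  gencert = attrs:
    let
      # attrs.ca used to be accepted but ignored, so every certificate was
      # signed by the module CA regardless of what the caller passed.  Honour
      # it now, falling back to the module CA when it is absent.
      signer = attrs.ca or moduleCa;
      csr = gencsr {
        cn = attrs.cn;
        o = attrs.o;
        hosts = attrs.hosts or [ ];
      };
      signScript = ''
        cfssl gencert -ca ${signer.cert} -ca-key ${signer.key} \
          -config=${caConfig} -profile=default ${csr} | \
          cfssljson -bare cert; \
        mkdir -p $out; cp *.pem $out
      '';
      crt = pkgs.runCommand "${attrs.cn}" { buildInputs = [ pkgs.cfssl ]; } signScript;
    in
    {
      key = "${crt}/cert-key.pem";
      cert = "${crt}/cert.pem";
    };
}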