#!/usr/bin/env zsh
set -eu

export TZ=UTC

keyFile=${2%"-cert.pub"}.pub
principalsFile=${keyFile:h}/host-principals
gup -u ${keyFile} ${principalsFile}
gup -u expiration

ssh-keygen -h -Us ../ca/ca.pub -I $(uuidgen) -z $(tai64dec --no-ns) -V "-1d:$(cat expiration)" -n $(cat ${principalsFile}) -f $1 ${keyFile}
sleep 1