param(
  [Parameter(Mandatory = $true)]
  [string]$InputPath,

  [Parameter(Mandatory = $false)]
  [string]$OutputDir = (Get-Location).Path
)

if (-not (Test-Path -Path $InputPath -PathType Leaf)) {
  throw "Input file not found: $InputPath"
}

if (-not (Test-Path -Path $OutputDir -PathType Container)) {
  throw "Output directory not found: $OutputDir"
}

$template = @'
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=$Placeholder.printer.MBIE.govt.nz;OU=ICT;O=Ministry of Business, Innovation and Employment;L=Wellington;S=Wellington;C=NZ"
X500NameFlags = 0x40000000
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
HashAlgorithm = sha256
RequestType = PKCS10
FriendlyName = "$Placeholder.printer.MBIE.govt.nz - 2026"
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication
[Extensions]
; If your client operating system is Windows Server 2008, Windows Server 2008 R2, Windows Vista, or Windows 7
; SANs can be included in the Extensions section by using the following text format. Note 2.5.29.17 is the OID for a SAN extension.
 
2.5.29.17 = "{text}"
 
_continue_ = "dns=$Placeholder.printer.MBIE.govt.nz&"
_continue_ = "dns=$Placeholder.wd.govt.nz&"
_continue_ = "dns=$Placeholder.ciga.ldap.govt.nz&"
_continue_ = "dns=$Placeholder.printer.MBIE.govt.nz&"
_continue_ = "dns=$Placeholder.wd.govt.nz&"
_continue_ = "dns=$Placeholder.ciga.ldap.govt.nz&"
'@

$invalidChars = [IO.Path]::GetInvalidFileNameChars()

Get-Content -Path $InputPath | ForEach-Object {
  $name = $_.Trim()
  if ([string]::IsNullOrWhiteSpace($name)) { return }

  $safeName = -join ($name.ToCharArray() | ForEach-Object {
    if ($invalidChars -contains $_) { '_' } else { $_ }
  })

  $content = $template.Replace('$Placeholder', $name)
  $outPath = Join-Path -Path $OutputDir -ChildPath ($safeName + '.inf')
  Set-Content -Path $outPath -Value $content -Encoding ascii
}