5 # Generate SSL certificates
7 # Mark Huang <mlhuang@cs.princeton.edu>
8 # Copyright (C) 2006 The Trustees of Princeton University
10 # $Id: ssl,v 1.9 2006/07/17 21:28:55 mlhuang Exp $
13 # Source function library and configuration
14 . /etc/plc.d/functions
15 . /etc/planetlab/plc_config
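#######################################
# Print the CN (common name) of an SSL certificate.
# Arguments: $1 - path to a PEM certificate
# Outputs:   the CN on stdout; nothing if the subject has no CN
# Returns:   status of the sed stage (openssl errors go to stderr)
#######################################
ssl_cname() {
  # -nameopt compat keeps the legacy "/CN=.../emailAddress=..." subject
  # line that the sed pattern below expects; newer OpenSSL otherwise
  # prints "CN = ..., emailAddress = ..." and the pattern would not match.
  # The path is quoted so whitespace or glob characters in it do not split.
  openssl x509 -noout -nameopt compat -in "$1" -subject | \
    sed -n -e 's@.*/CN=\([^/]*\).*@\1@p'
}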
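#######################################
# Print the emailAddress of an SSL certificate.
# Arguments: $1 - path to a PEM certificate
# Outputs:   the emailAddress on stdout; nothing if the subject has none
# Returns:   status of the sed stage (openssl errors go to stderr)
#######################################
ssl_email() {
  # -nameopt compat keeps the legacy "/CN=.../emailAddress=..." subject
  # line that the sed pattern below expects; newer OpenSSL otherwise
  # prints "CN = ..., emailAddress = ..." and the pattern would not match.
  # The path is quoted so whitespace or glob characters in it do not split.
  openssl x509 -noout -nameopt compat -in "$1" -subject | \
    sed -n -e 's@.*/emailAddress=\([^/]*\).*@\1@p'
}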
34 # Verify a certificate. If invalid, generate a new self-signed
# one in its place (the rest of the original comment is not shown).
#
# Arguments are positional; their assignments are not visible in this
# fragment and are inferred from the variables used below and from the
# call sites further down -- confirm against the full file:
#   $1 - certificate path ($crt)
#   $2 - private key path ($key)
#   $3 - CA certificate path ($ca)
#   $4 - expected subject CN ($cname)
#   $5 - expected subject emailAddress ($email)
# NOTE(review): this fragment is incomplete -- several 'fi' lines and the
# closing '}' are not shown.
36 verify_or_generate_certificate() {
43 # If the CA certificate does not exist, assume that the
44 # certificate is self-signed.
# NOTE(review): $ca, $crt and $key are unquoted here and throughout; a
# path containing whitespace or glob characters would be word-split.
# Quote every expansion ("$ca", "$crt", "$key").
# (The then-branch of this test is not shown.)
45 if [ ! -f $ca ] ; then
50 # Check if certificate is valid
# Only stdout is captured. This presumably dates from an OpenSSL whose
# 'verify' printed its "error N at M depth lookup" lines on stdout; if
# the installed OpenSSL writes them to stderr instead (newer releases
# do -- TODO confirm), $verify never contains "error" and an invalid
# certificate would NOT be regenerated. Capturing 2>&1 and/or checking
# the command's exit status would be more robust.
51 verify=$(openssl verify -CAfile $ca $crt)
52 # Delete if invalid or if the subject has changed
# NOTE(review): matching the literal word "error" is also fragile -- a
# path or subject containing that word would force regeneration.
53 if grep -q "error" <<<$verify || \
54 [ "$(ssl_cname $crt)" != "$cname" ] || \
55 [ "$(ssl_email $crt)" != "$email" ] ; then
# (The deletion itself and the matching 'fi' are not shown.)
# Build the subject one component at a time; an empty CN or email is
# simply left out. The initial value of $subj is not shown here.
60 if [ ! -f $crt ] ; then
63 if [ -n "$cname" ] ; then
64 subj="$subj/CN=$cname"
66 if [ -n "$email" ] ; then
67 subj="$subj/emailAddress=$email"
70 # Generate new self-signed certificate
71 mkdir -p $(dirname $crt)
# NOTE(review): $RANDOM is only 15 bits, so a regenerated certificate
# for the same (self-signed) subject can easily repeat an earlier serial
# number; a longer random serial (e.g. from 'openssl rand -hex 16')
# would avoid that.
# NOTE(review): -nodes writes the private key unencrypted. Its file mode
# depends on the umask unless this OpenSSL tightens it itself (TODO
# confirm), so either 'umask 077' before this command or 'chmod 600'
# the key afterwards. In this fragment only the MA/SA key is chmod'ed
# by the caller; the per-server keys generated in the loop below are not.
72 openssl req -new -x509 -days 3650 -set_serial $RANDOM \
73 -batch -subj "$subj" \
74 -nodes -keyout $key -out $crt
78 # The certificate is self-signed, so it is its own CA
# (What is done with $ca here, the remaining 'fi' lines and the closing
# '}' are not shown.)
# $"..." is bash's locale-translated string form; MESSAGE is presumably
# consumed by a helper from /etc/plc.d/functions (not shown here).
85 MESSAGE=$"Generating SSL certificates"
88 # Verify or generate MA/SA certificate if necessary. This
89 # self-signed certificate may be overridden later.
# The PLC_* values come from the sourced /etc/planetlab/plc_config.
# NOTE(review): the path arguments and the e-mail address are unquoted;
# an empty or space-containing value would shift or split the positional
# parameters of verify_or_generate_certificate. Quote all five arguments.
90 verify_or_generate_certificate \
91 $PLC_MA_SA_SSL_CRT $PLC_MA_SA_SSL_KEY $PLC_MA_SA_CA_SSL_CRT \
92 "$PLC_NAME Management and Slice Authority" \
93 $PLC_MAIL_SUPPORT_ADDRESS
95 # Make MA/SA key readable by apache so that the API can sign
# (continuation of the original comment is not shown). After these two
# commands the key is owned by apache with mode 0600, i.e. readable only
# by apache and root.
97 chown apache $PLC_MA_SA_SSL_KEY
98 chmod 600 $PLC_MA_SA_SSL_KEY
100 # Extract the public key of the root CA (if any) that signed
101 # the MA/SA certificate.
# NOTE(review): the redirection truncates the output file before openssl
# runs, so if the CA certificate is missing or unreadable an empty
# world-readable file is left behind; check the exit status (the lines
# between these commands are not shown and may already do so).
102 openssl x509 -in $PLC_MA_SA_CA_SSL_CRT -noout -pubkey >$PLC_MA_SA_CA_SSL_KEY_PUB
# Public material only, so world-readable is intended.
104 chmod 644 $PLC_MA_SA_CA_SSL_KEY_PUB
106 # Generate HTTPS certificates if necessary. We generate a
107 # certificate for each enabled server with a different
108 # hostname. These self-signed certificates may be overridden
# later (the rest of the original comment is not shown).
# NOTE(review): the loop body and the closing 'done' are only partly
# shown in this fragment.
110 for server in WWW API BOOT ; do
# These hold variable *names* (e.g. PLC_WWW_SSL_KEY); the values are read
# through bash indirect expansion, ${!ssl_key} and friends, below.
111 ssl_key=PLC_${server}_SSL_KEY
112 ssl_crt=PLC_${server}_SSL_CRT
113 ca_ssl_crt=PLC_${server}_CA_SSL_CRT
114 hostname=PLC_${server}_HOST
116 # Check if we have already generated a certificate for
# this hostname for an earlier server in the list, and reuse it if so
# (the rest of the original comment is not shown).
118 for previous_server in WWW API BOOT ; do
# Reached the current server: nothing earlier matched. The then-branch
# (presumably a break) is not shown.
119 if [ "$server" = "$previous_server" ] ; then
122 previous_ssl_key=PLC_${previous_server}_SSL_KEY
123 previous_ssl_crt=PLC_${previous_server}_SSL_CRT
124 previous_ca_ssl_crt=PLC_${previous_server}_CA_SSL_CRT
125 previous_hostname=PLC_${previous_server}_HOST
# Reuse is keyed on the certificate's CN matching this server's host;
# the key and CA certificate are copied along with it.
# NOTE(review): the indirect expansions are unquoted -- quote them
# ("${!previous_ssl_crt}" etc.) so odd paths cannot split or glob.
127 if [ -f ${!previous_ssl_crt} ] && \
128 [ "$(ssl_cname ${!previous_ssl_crt})" = "${!hostname}" ] ; then
# cp -a preserves the source's ownership and mode, so the copied private
# key keeps whatever permissions the original had.
129 cp -a ${!previous_ssl_key} ${!ssl_key}
130 cp -a ${!previous_ssl_crt} ${!ssl_crt}
131 cp -a ${!previous_ca_ssl_crt} ${!ca_ssl_crt}
# No reusable certificate: verify the existing one or generate a fresh
# self-signed one. The remaining arguments (expected CN and e-mail) and
# the closing 'done' are not shown in this fragment.
136 verify_or_generate_certificate \
137 ${!ssl_crt} ${!ssl_key} ${!ca_ssl_crt} \
141 # Install HTTPS certificates into both /etc/pki (Fedora Core
142 # 4) and /etc/httpd/conf (Fedora Core 2). If the API, boot,
143 # and web servers are all running on the same machine, the web
144 # server certificate takes precedence.
# Precedence comes from the order: each iteration re-points the same
# four links, so the last enabled server (WWW) wins.
# 'symlink' is not defined here; presumably it comes from the sourced
# /etc/plc.d/functions -- confirm.
145 for server in API BOOT WWW ; do
146 enabled=PLC_${server}_ENABLED
# Skip servers that are not enabled (the 'continue' and 'fi' are not shown).
147 if [ "${!enabled}" != "1" ] ; then
150 ssl_key=PLC_${server}_SSL_KEY
151 ssl_crt=PLC_${server}_SSL_CRT
# NOTE(review): a symlink does not change who can read the key -- the
# target file's own mode governs that, so the per-server key files
# themselves must be 0600 (see the chmod done for the MA/SA key above).
# The indirect expansions are unquoted; quote them.
153 symlink ${!ssl_crt} /etc/pki/tls/certs/localhost.crt
154 symlink ${!ssl_key} /etc/pki/tls/private/localhost.key
155 symlink ${!ssl_crt} /etc/httpd/conf/ssl.crt/server.crt
156 symlink ${!ssl_key} /etc/httpd/conf/ssl.key/server.key
# (The closing 'done' is not shown in this fragment.)