5 # Generate SSL certificates
7 # Mark Huang <mlhuang@cs.princeton.edu>
8 # Copyright (C) 2006 The Trustees of Princeton University
13 # Source function library and configuration
14 . /etc/plc.d/functions
15 . /etc/planetlab/plc_config
20 # Print the Common Name (CN) from an SSL certificate's subject.
# Argument: $1 - path to a PEM certificate.
# Output:   the CN on stdout; empty when no "/CN=" component matches
#           (or when openssl fails, since only stdout is piped on).
# NOTE(review): the function header and closing brace are not in this
# excerpt; only the pipeline body is visible. "$1" is unquoted, so a
# path containing whitespace or glob characters would be split.
# The sed pattern expects the legacy slash-separated subject form
# ("/C=US/.../CN=host"). Newer OpenSSL releases print a comma-separated
# subject by default; then nothing matches and the output is empty
# ("-nameopt compat" restores the old form -- confirm on the target
# OpenSSL version). A CN that itself contains "/" is truncated at that
# slash because of the [^/]* class.
23 openssl x509 -noout -in $1 -subject | \
24 sed -n -e 's@.*/CN=\([^/]*\).*@\1@p' | \
28 # Verify a certificate. If invalid, generate a new self-signed
# one in its place.
#
# Arguments, as the names are used below (the positional assignments
# are not in this excerpt -- presumably crt=$1 key=$2 ca=$3 cname=$4,
# matching the call site further down; verify against the full file):
#   crt   - path to the certificate
#   key   - path to the private key
#   ca    - path to the CA certificate used to verify crt
#   cname - Common Name the certificate subject must carry
# Side effects: may remove and rewrite crt and key on disk.
# NOTE(review): the closing brace of this function and several lines
# between the visible ones are elided from this excerpt.
30 verify_or_generate_certificate() {
36 # If the CA certificate does not exist, assume that the
37 # certificate is self-signed.
38 if [ ! -f $ca ] ; then
43 # Check if certificate is valid
# Only stdout is captured; the "error" grep below is what decides
# validity (presumably because the exit status of "openssl verify" was
# not reliable on the OpenSSL releases this targeted -- confirm). The
# grep matches anywhere in the output, which also contains the
# certificate path, so a path containing "error" would be treated as
# invalid and regenerated on every run.
44 verify=$(openssl verify -CAfile $ca $crt)
45 # Delete if invalid or if the subject has changed
46 if grep -q "error" <<<$verify || \
47 [ "$(ssl_cname $crt)" != "$cname" ] ; then
# Reached with no certificate on disk: either it never existed or it
# was presumably removed just above (the rm is not in this excerpt).
52 if [ ! -f $crt ] ; then
# The base subject (set just above, not shown here) gets the CN
# appended only when one was supplied.
55 if [ -n "$cname" ] ; then
56 subj="$subj/CN=$cname"
59 # Generate new self-signed certificate
# $crt is unquoted in both the dirname substitution and mkdir.
60 mkdir -p $(dirname $crt)
# Serial number: $RANDOM is a 15-bit value (0..32767), so serials
# repeat across regenerations and can even be 0, which RFC 5280 does
# not allow; some clients remember issuer+serial pairs and reject a
# regenerated certificate that reuses one. Prefer
# "-set_serial 0x$(openssl rand -hex 16)" (or drop -set_serial on
# OpenSSL versions that choose a random serial themselves -- confirm).
# Validity is ten years (-days 3650); -batch suppresses prompts.
# -nodes writes the private key unencrypted to $key; its file mode is
# whatever openssl and the umask produce here -- confirm it ends up
# 0600 and chmod it if not, since the key is later symlinked into the
# web server's private-key directory.
61 openssl req -new -x509 -days 3650 -set_serial $RANDOM \
62 -batch -subj "$subj" \
63 -nodes -keyout $key -out $crt
66 # The certificate is self-signed, so it is its own CA
# Status text for the surrounding plc.d framework ($"..." is bash's
# locale-translatable quoting); presumably consumed by helpers from
# /etc/plc.d/functions.
76 MESSAGE=$"Generating SSL certificates"
79 # Generate HTTPS certificates if necessary. We generate a
80 # certificate for each enabled server with a different
81 # hostname. These self-signed certificates may be overridden
# (the rest of this comment is not in the excerpt).
# Each PLC_<SERVER>_* assignment below stores a *variable name*; the
# configured value is read through bash indirect expansion (${!name})
# at the point of use.
83 for server in WWW API BOOT ; do
84 ssl_key=PLC_${server}_SSL_KEY
85 ssl_crt=PLC_${server}_SSL_CRT
86 ca_ssl_crt=PLC_${server}_CA_SSL_CRT
87 hostname=PLC_${server}_HOST
89 # Check if we have already generated a certificate for
# this hostname (comment continues outside the excerpt): servers that
# share a hostname share one key/certificate pair.
91 for previous_server in WWW API BOOT ; do
# Skip comparing a server with itself (presumably a continue; the body
# of this if is not shown).
92 if [ "$server" = "$previous_server" ] ; then
95 previous_ssl_key=PLC_${previous_server}_SSL_KEY
96 previous_ssl_crt=PLC_${previous_server}_SSL_CRT
97 previous_ca_ssl_crt=PLC_${previous_server}_CA_SSL_CRT
# previous_hostname is assigned but not used in the visible lines.
98 previous_hostname=PLC_${previous_server}_HOST
# Reuse is keyed solely on the earlier certificate's CN equalling this
# server's host. "cp -a" preserves the source files' mode/ownership,
# so a correctly protected private key stays protected on the copy.
# The copied files appear to still go through
# verify_or_generate_certificate below, so an invalid source
# certificate should not be silently propagated -- confirm the control
# flow in the elided lines.
100 if [ -f ${!previous_ssl_crt} ] && \
101 [ "$(ssl_cname ${!previous_ssl_crt})" = "${!hostname}" ] ; then
102 cp -a ${!previous_ssl_key} ${!ssl_key}
103 cp -a ${!previous_ssl_crt} ${!ssl_crt}
104 cp -a ${!previous_ca_ssl_crt} ${!ca_ssl_crt}
# Arguments: crt key ca; the fourth (presumably ${!hostname}) is on a
# continuation line that is not in this excerpt. All paths are
# unquoted indirect expansions.
109 verify_or_generate_certificate \
110 ${!ssl_crt} ${!ssl_key} ${!ca_ssl_crt} \
114 # Install HTTPS certificates into both /etc/pki (Fedora Core
115 # 4) and /etc/httpd/conf (Fedora Core 2). If the API, boot,
116 # and web servers are all running on the same machine, the web
117 # server certificate takes precedence.
# Precedence comes purely from loop order: WWW is processed last, so
# its links replace the ones made for API and BOOT.
118 for server in API BOOT WWW ; do
119 enabled=PLC_${server}_ENABLED
# Disabled servers are skipped (the continue is not in this excerpt).
120 if [ "${!enabled}" != "1" ] ; then
123 ssl_key=PLC_${server}_SSL_KEY
124 ssl_crt=PLC_${server}_SSL_CRT
# "symlink" is a helper, presumably from /etc/plc.d/functions. These
# are links rather than copies, so who can read the private key is
# governed by the mode of the target file named by ${!ssl_key}, not
# by the link or by the private/ or ssl.key/ directory -- confirm the
# generated key file is 0600 (see -nodes/-keyout above).
126 symlink ${!ssl_crt} /etc/pki/tls/certs/localhost.crt
127 symlink ${!ssl_key} /etc/pki/tls/private/localhost.key
128 symlink ${!ssl_crt} /etc/httpd/conf/ssl.crt/server.crt
129 symlink ${!ssl_key} /etc/httpd/conf/ssl.key/server.key