7 # Generate SSL certificates
9 # Mark Huang <mlhuang@cs.princeton.edu>
10 # Copyright (C) 2006 The Trustees of Princeton University
13 # Source function library and configuration
14 . /etc/plc.d/functions
15 . /etc/planetlab/plc_config
20 # Print the CN (common name) from the subject of an SSL certificate
23 openssl x509 -noout -in $1 -subject | \
24 sed -n -e 's@.*/CN=\([^/]*\).*@\1@p' | \
31 filename=$(basename ${filepath})
32 dir=$(dirname ${filepath})
33 mv -f ${filepath} ${dir}/$(unknown)-`date +%Y-%m-%d-%H-%M-%S`.bak
36 # Verify a certificate. If invalid, generate a new self-signed
38 verify_or_generate_certificate() {
44 # If the CA certificate does not exist, assume that the
45 # certificate is self-signed.
46 if [ ! -f $ca ] ; then
51 # Check if the certificate is valid (the test below greps openssl's
52 # output for the word "error" rather than checking its exit status).
53 # Back it up if invalid or if the subject has changed
53 if openssl verify -CAfile $ca $crt | grep -q "error" || \
54 [ "$(ssl_cname $crt)" != "$cname" ] ; then
61 if [ ! -f $crt ] ; then
64 if [ -n "$cname" ] ; then
65 subj="$subj/CN=$cname"
68 # Generate a new self-signed certificate (the serial is taken from $RANDOM, a 15-bit value, so it is not guaranteed unique across regenerations)
69 mkdir -p $(dirname $crt)
70 openssl req -new -x509 -days 3650 -set_serial $RANDOM \
71 -batch -subj "$subj" \
72 -nodes -keyout $key -out $crt
75 # The certificate is self-signed, so it is its own CA
86 # Generate HTTPS certificates if necessary. We generate a
87 # certificate for each enabled server with a different
88 # hostname. These self-signed certificates may be overridden
90 MESSAGE=$"Generating SSL certificates for"
93 for server in WWW API BOOT MONITOR; do
94 eval "a=\$PLC_${server}_ENABLED"
96 if [ "$a" -ne 1 ] ; then
101 ssl_key=PLC_${server}_SSL_KEY
102 ssl_crt=PLC_${server}_SSL_CRT
103 ca_ssl_crt=PLC_${server}_CA_SSL_CRT
104 hostname=PLC_${server}_HOST
106 # Check if we have already generated a certificate for
108 for previous_server in WWW API BOOT MONITOR; do
109 if [ "$server" = "$previous_server" ] ; then
112 previous_ssl_key=PLC_${previous_server}_SSL_KEY
113 previous_ssl_crt=PLC_${previous_server}_SSL_CRT
114 previous_ca_ssl_crt=PLC_${previous_server}_CA_SSL_CRT
115 previous_hostname=PLC_${previous_server}_HOST
117 if [ -f ${!previous_ssl_crt} ] && \
118 [ "$(ssl_cname ${!previous_ssl_crt})" = "${!hostname}" ] ; then
119 cp -a ${!previous_ssl_key} ${!ssl_key}
120 cp -a ${!previous_ssl_crt} ${!ssl_crt}
121 cp -a ${!previous_ca_ssl_crt} ${!ca_ssl_crt}
126 verify_or_generate_certificate \
127 ${!ssl_crt} ${!ssl_key} ${!ca_ssl_crt} \
131 # Install HTTPS certificates into both /etc/pki (Fedora Core
132 # 4) and /etc/httpd/conf (Fedora Core 2). If the API, boot,
133 # and web servers are all running on the same machine, the web
134 # server certificate takes precedence.
135 for server in API BOOT MONITOR WWW; do
136 enabled=PLC_${server}_ENABLED
137 if [ "${!enabled}" != "1" ] ; then
140 ssl_key=PLC_${server}_SSL_KEY
141 ssl_crt=PLC_${server}_SSL_CRT
142 ssl_ca_crt=PLC_${server}_CA_SSL_CRT
144 symlink ${!ssl_crt} /etc/pki/tls/certs/localhost.crt
145 symlink ${!ssl_key} /etc/pki/tls/private/localhost.key
146 symlink ${!ssl_ca_crt} /etc/pki/tls/certs/server-chain.crt
147 symlink ${!ssl_crt} /etc/httpd/conf/ssl.crt/server.crt
148 symlink ${!ssl_key} /etc/httpd/conf/ssl.key/server.key
151 # Ensure that the server-chain gets used, as it is off by
153 sed -i -e 's/^#SSLCertificateChainFile /SSLCertificateChainFile /' \
154 /etc/httpd/conf.d/ssl.conf