5 # Generate SSL certificates
7 # Mark Huang <mlhuang@cs.princeton.edu>
8 # Copyright (C) 2006 The Trustees of Princeton University
11 # Source function library and configuration
12 . /etc/plc.d/functions
13 . /etc/planetlab/plc_config
18 # Print the subject CN (common name) of an SSL certificate
# NOTE(review): the function header and the final pipeline stage are not
# visible here. $1 is unquoted, so a path containing whitespace or glob
# characters is word-split before openssl sees it ("$1" is the safe form).
# The sed expression expects the legacy "/CN=host" subject layout; OpenSSL
# 1.1+ prints "subject=CN = host" by default, which would make this print
# nothing unless "-nameopt compat" is passed — confirm on the target OpenSSL.
# (Comments cannot go between the stages: each line ends in a "\" continuation.)
21 openssl x509 -noout -in $1 -subject | \
22 sed -n -e 's@.*/CN=\([^/]*\).*@\1@p' | \
# NOTE(review): the enclosing function's header is not visible here. These
# lines move ${filepath} aside under a timestamped ".bak" name in its own
# directory (the backup taken before a certificate is regenerated).
29 filename=$(basename ${filepath})
30 dir=$(dirname ${filepath})
# NOTE(review): "$(unknown)" looks like an extraction artifact — presumably
# ${filename}, which is assigned above and otherwise unused; verify against
# the original file. The unquoted expansions and the backtick substitution
# would also break on paths containing whitespace ("$(date ...)" is preferred).
31 mv -f ${filepath} ${dir}/$(unknown)-`date +%Y-%m-%d-%H-%M-%S`.bak
34 # Verify a certificate. If invalid, generate a new self-signed
36 verify_or_generate_certificate() {
# Arguments, per the call site at the bottom of this file: $1 = certificate
# path ($crt), $2 = private key path ($key), $3 = CA certificate path ($ca).
# A fourth argument (used as $cname, presumably the hostname) is passed on a
# line that is not visible here; the parameter assignments and the closing
# brace of this function are also outside the visible lines.
42 # If the CA certificate does not exist, assume that the
43 # certificate is self-signed.
# NOTE(review): $ca is unquoted in this and the following tests.
44 if [ ! -f $ca ] ; then
49 # Check if certificate is valid
50 # Backup if invalid or if the subject has changed
# NOTE(review): this keys off the text on openssl's stdout rather than its
# exit status. OpenSSL 1.1+ sends the "error ..." diagnostics to stderr, so
# an invalid certificate could slip through this check — confirm on the
# target OpenSSL; "! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1"
# would test the exit status instead. $ca and $crt are unquoted here.
51 if openssl verify -CAfile $ca $crt | grep -q "error" || \
52 [ "$(ssl_cname $crt)" != "$cname" ] ; then
59 if [ ! -f $crt ] ; then
# The base of $subj (O, OU, ...) is built on lines not visible here; the CN
# is appended only when a name was supplied.
62 if [ -n "$cname" ] ; then
63 subj="$subj/CN=$cname"
66 # Generate new self-signed certificate
67 mkdir -p $(dirname $crt)
# NOTE(review): $RANDOM gives only a 15-bit serial, so regenerating on the
# same host can reuse a serial number; a wider random value (for example
# "-set_serial 0x$(openssl rand -hex 8)") avoids that. The key is written
# unencrypted (-nodes) under the current umask — confirm that $key ends up
# readable by root only. $key and $crt are unquoted.
68 openssl req -new -x509 -days 3650 -set_serial $RANDOM \
69 -batch -subj "$subj" \
70 -nodes -keyout $key -out $crt
73 # The certificate is self-signed, so it is its own CA
84 # Generate HTTPS certificates if necessary. We generate a
85 # certificate for each enabled server with a different
86 # hostname. These self-signed certificates may be overridden
# $"..." is bash locale-translation quoting; the message itself is plain text.
88 MESSAGE=$"Generating SSL certificates for"
91 for server in WWW API BOOT MONITOR; do
# NOTE(review): eval is used for variable indirection here, while the
# install loop further down uses the ${!name} form for the same purpose;
# ${!name} does the job without eval. $server comes from the fixed list
# above, so no untrusted text reaches eval in this loop.
92 eval "a=\$PLC_${server}_ENABLED"
# NOTE(review): "-ne" is an integer test and errors out when the variable is
# empty or non-numeric; the install loop below compares against the string
# "1" instead, which is the more forgiving form.
94 if [ "$a" -ne 1 ] ; then
# Names of the per-server config variables; dereferenced below with ${!var}.
99 ssl_key=PLC_${server}_SSL_KEY
100 ssl_crt=PLC_${server}_SSL_CRT
101 ca_ssl_crt=PLC_${server}_CA_SSL_CRT
102 hostname=PLC_${server}_HOST
104 # Check if we have already generated a certificate for
# Reuse loop: if an earlier server already has a certificate whose CN matches
# this server's hostname, copy its key/cert/CA instead of generating new ones.
106 for previous_server in WWW API BOOT MONITOR; do
107 if [ "$server" = "$previous_server" ] ; then
110 previous_ssl_key=PLC_${previous_server}_SSL_KEY
111 previous_ssl_crt=PLC_${previous_server}_SSL_CRT
112 previous_ca_ssl_crt=PLC_${previous_server}_CA_SSL_CRT
113 previous_hostname=PLC_${previous_server}_HOST
# NOTE(review): the ${!...} expansions in this test and the cp lines are
# unquoted. "cp -a" preserves mode and ownership, which is what you want
# when copying the private key.
115 if [ -f ${!previous_ssl_crt} ] && \
116 [ "$(ssl_cname ${!previous_ssl_crt})" = "${!hostname}" ] ; then
117 cp -a ${!previous_ssl_key} ${!ssl_key}
118 cp -a ${!previous_ssl_crt} ${!ssl_crt}
119 cp -a ${!previous_ca_ssl_crt} ${!ca_ssl_crt}
# The fourth argument (the CN to enforce) is on a line not visible here; the
# "done" lines closing both loops are also outside the visible lines.
124 verify_or_generate_certificate \
125 ${!ssl_crt} ${!ssl_key} ${!ca_ssl_crt} \
129 # Install HTTPS certificates into both /etc/pki (Fedora Core
130 # 4) and /etc/httpd/conf (Fedora Core 2). If the API, boot,
131 # and web servers are all running on the same machine, the web
132 # server certificate takes precedence.
# Iteration order is deliberate: each enabled server re-points the same
# symlinks, so the last one in the list (WWW) wins.
133 for server in API BOOT MONITOR WWW; do
134 enabled=PLC_${server}_ENABLED
135 if [ "${!enabled}" != "1" ] ; then
138 ssl_key=PLC_${server}_SSL_KEY
139 ssl_crt=PLC_${server}_SSL_CRT
140 ssl_ca_crt=PLC_${server}_CA_SSL_CRT
# NOTE(review): "symlink" is provided by /etc/plc.d/functions (sourced at the
# top of this file); what it does when the destination already exists as a
# regular file is not visible here. Access to the private key is governed by
# the permissions of the link target, not the link. The ${!...} expansions
# are unquoted.
142 symlink ${!ssl_crt} /etc/pki/tls/certs/localhost.crt
143 symlink ${!ssl_key} /etc/pki/tls/private/localhost.key
144 symlink ${!ssl_ca_crt} /etc/pki/tls/certs/server-chain.crt
145 symlink ${!ssl_crt} /etc/httpd/conf/ssl.crt/server.crt
146 symlink ${!ssl_key} /etc/httpd/conf/ssl.key/server.key
# NOTE(review): the "done" closing the loop above is not visible here. The
# sed below edits ssl.conf in place and only strips the leading "#" from the
# SSLCertificateChainFile directive; it does not change its value.
149 # Ensure that the server-chain gets used, as it is off by
151 sed -i -e 's/^#SSLCertificateChainFile /SSLCertificateChainFile /' \
152 /etc/httpd/conf.d/ssl.conf