5 # Generate SSL certificates
7 # Mark Huang <mlhuang@cs.princeton.edu>
8 # Copyright (C) 2006 The Trustees of Princeton University
13 # Source function library and configuration
# Both files are executed as shell code by `.`. The PLC_* variables
# dereferenced below (PLC_<SERVER>_ENABLED, _SSL_KEY, _SSL_CRT,
# _CA_SSL_CRT, _HOST) presumably come from plc_config, and `symlink`
# (used at the bottom) presumably from the functions library.
# NOTE(review): whoever can write either file runs as this script —
# confirm both are root-owned and not group/world writable.
14 . /etc/plc.d/functions
15 . /etc/planetlab/plc_config
20 # Print the subject CN (common name) of the SSL certificate whose path
# is $1 (the function header and the end of the pipeline are on lines not
# shown in this excerpt). $1 is unquoted, so a path containing whitespace
# or glob characters breaks the openssl call.
# NOTE(review): the sed pattern expects the legacy "/C=../CN=host"
# subject layout; newer OpenSSL releases (1.1.0+) print the subject as
# "C = .., CN = host" by default, in which case nothing is printed and
# every CN comparison in this file fails, regenerating certificates on
# each run — `-nameopt compat` (or RFC2253 with a matching pattern)
# would pin the format. Confirm against the installed version.
23 openssl x509 -noout -in $1 -subject | \
24 sed -n -e 's@.*/CN=\([^/]*\).*@\1@p' | \
28 # Verify a certificate. If invalid, generate a new self-signed
# one in its place. Called from the loop at the bottom of the file with
# the certificate, key and CA certificate paths (and, presumably on the
# continuation line not shown there, the hostname used as the CN).
# The variables crt/key/ca/cname/subj used below are assigned on lines
# not shown in this excerpt; the closing brace is not shown either.
30 verify_or_generate_certificate() {
36 # If the CA certificate does not exist, assume that the
37 # certificate is self-signed.
# NOTE(review): $ca, $crt and $key are unquoted throughout; a path with
# whitespace or glob characters changes the tests and the commands.
38 if [ ! -f $ca ] ; then
43 # Check if certificate is valid
# Only stdout is captured; the exit status is not checked.
# NOTE(review): which stream verify failures are printed on, and whether
# the exit status reflects them, depends on the OpenSSL release. Testing
# the exit status (`openssl verify ... >/dev/null 2>&1 || invalid`) is
# more robust than grepping captured stdout — confirm against the
# installed version.
44 verify=$(openssl verify -CAfile $ca $crt)
45 # Delete if invalid or if the subject CN has changed (the removal
# itself is on lines not shown). The grep matches the literal word
# "error" anywhere in the captured output, including the certificate
# path that openssl echoes back before ": OK", so a path containing
# "error" would regenerate the certificate on every run.
46 if grep -q "error" <<<$verify || \
47 [ "$(ssl_cname $crt)" != "$cname" ] ; then
# (Re)generate when no certificate file is present — including the case
# where an invalid one was presumably just removed above.
52 if [ ! -f $crt ] ; then
# The CN is appended to a subject prefix built on lines not shown.
55 if [ -n "$cname" ] ; then
56 subj="$subj/CN=$cname"
59 # Generate new self-signed certificate (valid 3650 days, unencrypted
# key). Only the certificate's directory is created; if $key lives in a
# different directory, -keyout fails.
# NOTE(review): $RANDOM is a 15-bit, non-cryptographic value, so a
# regenerated certificate with the same subject can reuse a serial
# number; clients that cache the previous certificate reject that
# (Firefox reports SEC_ERROR_REUSED_ISSUER_AND_SERIAL). A wide random
# serial, e.g. `-set_serial 0x$(openssl rand -hex 16)`, avoids it.
# NOTE(review): -nodes writes the private key unencrypted; its file mode
# follows the umask unless this openssl release restricts it — confirm
# the key ends up owner-only (0600), since it is later symlinked into
# the web server's directories.
60 mkdir -p $(dirname $crt)
61 openssl req -new -x509 -days 3650 -set_serial $RANDOM \
62 -batch -subj "$subj" \
63 -nodes -keyout $key -out $crt
66 # The certificate is self-signed, so it is its own CA
# (the line that records this is not shown in this excerpt).
77 # Generate HTTPS certificates if necessary. We generate a
78 # certificate for each enabled server with a different
79 # hostname. These self-signed certificates may be overridden
# (the rest of this sentence is on a line not shown in this excerpt).
# $"..." is bash's locale-translatable string; MESSAGE is presumably
# consumed by the sourced functions library.
81 MESSAGE=$"Generating SSL certificates for"
# The server list is a literal, so the eval below only ever expands a
# fixed PLC_<SERVER>_ENABLED name; no untrusted text reaches it.
84 for server in WWW API BOOT ; do
# NOTE(review): the install loop further down reads the same kind of
# variable with ${!name} indirection — preferable here too, for
# consistency and so eval disappears from the file entirely.
85 eval "a=\$PLC_${server}_ENABLED"
# Numeric comparison: if the variable is unset or not an integer, [
# reports an error and returns a non-zero status rather than matching,
# so the body (not shown; presumably a continue) is skipped and the
# server is treated as enabled. The install loop's string test != "1"
# does not have this problem.
87 if [ "$a" -ne 1 ] ; then
# Names of the per-server config variables; dereferenced with ${!name}.
92 ssl_key=PLC_${server}_SSL_KEY
93 ssl_crt=PLC_${server}_SSL_CRT
94 ca_ssl_crt=PLC_${server}_CA_SSL_CRT
95 hostname=PLC_${server}_HOST
97 # Check if we have already generated a certificate for
# this hostname on behalf of another server and, if so, reuse its key
# pair instead of creating a second one (comment continues on a line
# not shown).
99 for previous_server in WWW API BOOT ; do
# Skip the current server itself (body not shown).
100 if [ "$server" = "$previous_server" ] ; then
103 previous_ssl_key=PLC_${previous_server}_SSL_KEY
104 previous_ssl_crt=PLC_${previous_server}_SSL_CRT
105 previous_ca_ssl_crt=PLC_${previous_server}_CA_SSL_CRT
# previous_hostname is assigned but not used in the lines shown here.
106 previous_hostname=PLC_${previous_server}_HOST
# Reuse when the other server's certificate exists and its CN already
# equals this server's hostname. Only the certificate is tested for
# existence; the key and CA files copied below are assumed to exist.
# Paths are unquoted, as elsewhere. cp -a preserves the key file's mode
# and ownership, so the copy is only as protected as the original.
108 if [ -f ${!previous_ssl_crt} ] && \
109 [ "$(ssl_cname ${!previous_ssl_crt})" = "${!hostname}" ] ; then
110 cp -a ${!previous_ssl_key} ${!ssl_key}
111 cp -a ${!previous_ssl_crt} ${!ssl_crt}
112 cp -a ${!previous_ca_ssl_crt} ${!ca_ssl_crt}
# Verify or (re)generate this server's own certificate; the remaining
# argument(s) are on a continuation line not shown here.
117 verify_or_generate_certificate \
118 ${!ssl_crt} ${!ssl_key} ${!ca_ssl_crt} \
122 # Install HTTPS certificates into both /etc/pki (Fedora Core
123 # 4) and /etc/httpd/conf (Fedora Core 2). If the API, boot,
124 # and web servers are all running on the same machine, the web
125 # server certificate takes precedence.
# Precedence comes from the loop order: each enabled server re-points
# the same four links, so the last one (WWW) wins. `symlink` is
# presumably the helper from /etc/plc.d/functions sourced at the top;
# whether it replaces an existing link is not visible here. The loop
# body's closing lines are not shown in this excerpt.
126 for server in API BOOT WWW ; do
127 enabled=PLC_${server}_ENABLED
# String comparison, so an unset or empty variable counts as disabled
# (unlike the numeric -ne test in the generation loop above).
128 if [ "${!enabled}" != "1" ] ; then
131 ssl_key=PLC_${server}_SSL_KEY
132 ssl_crt=PLC_${server}_SSL_CRT
# These links make the private key reachable under two more well-known
# paths; access is governed by the mode of the target file, not the
# link, so the key file itself must stay owner-only. Paths are unquoted,
# as elsewhere in the file.
134 symlink ${!ssl_crt} /etc/pki/tls/certs/localhost.crt
135 symlink ${!ssl_key} /etc/pki/tls/private/localhost.key
136 symlink ${!ssl_crt} /etc/httpd/conf/ssl.crt/server.crt
137 symlink ${!ssl_key} /etc/httpd/conf/ssl.key/server.key