5 # Generate SSL certificates
7 # Mark Huang <mlhuang@cs.princeton.edu>
8 # Copyright (C) 2006 The Trustees of Princeton University
10 # $Id: guest.init,v 1.12 2006/04/04 22:09:47 mlhuang Exp $
13 # Source function library and configuration
14 . /etc/plc.d/functions
18 MESSAGE=$"Generating SSL certificates"
# Generate self-signed SSL certificate(s). The openssl invocations
# below come from the mod_ssl spec file for Fedora Core 2. One
# certificate is generated per server (WWW, API, BOOT) whose
# hostname differs from the others; note that this loop does not
# itself consult PLC_*_ENABLED (only the install loop at the end of
# the script does). A self-signed certificate is only a bootstrap
# default: an operator-installed CA-signed certificate is left alone
# by the validity check further down, because that check only acts
# on certificates that openssl reports as self-signed.
26 for server in WWW API BOOT ; do
27 ssl_key=PLC_${server}_SSL_KEY
28 ssl_crt=PLC_${server}_SSL_CRT
29 hostname=PLC_${server}_HOST
# Reuse the key/certificate pair of an earlier server in the list
# whose certificate CN (as reported by ssl_cname from
# /etc/plc.d/functions) already matches this server's hostname, so
# that services sharing a hostname share one pair instead of each
# generating their own. cp -a preserves the source file's mode, so
# the copied private key is only as restricted as the original.
33 for previous_server in WWW API BOOT ; do
34 if [ "$server" = "$previous_server" ] ; then
37 previous_ssl_key=PLC_${previous_server}_SSL_KEY
38 previous_ssl_crt=PLC_${previous_server}_SSL_CRT
39 previous_hostname=PLC_${previous_server}_HOST
41 if [ -f ${!previous_ssl_crt} ] && \
42 [ "$(ssl_cname ${!previous_ssl_crt})" = "${!hostname}" ] ; then
43 cp -a ${!previous_ssl_key} ${!ssl_key}
44 cp -a ${!previous_ssl_crt} ${!ssl_crt}
# Generate a new SSL private key if none exists.
# NOTE(review): 1024-bit RSA is below the 2048-bit minimum that
# current clients and policies expect; the -rand list of /proc files
# is a legacy seeding idiom (modern OpenSSL seeds from the kernel
# CSPRNG on its own). The key is written by shell redirection, so its
# mode follows the current umask -- nothing visible here sets
# umask 077 or chmod 600 on the key; confirm the caller does.
50 if [ ! -f ${!ssl_key} ] ; then
51 mkdir -p $(dirname ${!ssl_key})
52 openssl genrsa -rand /proc/apm:/proc/cpuinfo:/proc/dma:/proc/filesystems:/proc/interrupts:/proc/ioports:/proc/pci:/proc/rtc:/proc/uptime 1024 >${!ssl_key}
# Check whether an existing self-signed certificate is still usable.
# NOTE(review): openssl verify is run without -CAfile, so a self-signed
# certificate always fails to chain, and the script keys off the
# literal "self signed certificate" / "expired" strings in that
# human-readable output. That wording is version-dependent (newer
# OpenSSL releases reworded it, e.g. "self-signed"); once it stops
# matching, expired or renamed certificates are silently no longer
# regenerated.
58 if [ -f ${!ssl_crt} ] ; then
59 verify=$(openssl verify ${!ssl_crt})
61 if grep -q "self signed certificate" <<<$verify ; then
# Delete if expired or if the CN no longer matches the configured
# hostname. Only these two conditions trigger regeneration: a
# certificate that is about to expire is kept until it has actually
# lapsed, and nothing re-examines the key size of an existing key.
63 if grep -q "expired" <<<$verify || \
64 [ "$(ssl_cname ${!ssl_crt})" != "${!hostname}" ] ; then
# Generate a new self-signed certificate (365 days) if none exists.
# NOTE(review): -set_serial $RANDOM yields a 15-bit serial (0-32767),
# so a regenerated certificate for the same CN will often repeat an
# earlier serial, which clients that cache by issuer+serial may
# reject; a wider random serial (e.g. openssl rand -hex 8) avoids
# that. The heredoc answers only fill in subject fields, so nothing
# visible here adds a subjectAltName, and modern clients ignore the
# CN for hostname matching -- a SAN would need an extensions config.
73 if [ ! -f ${!ssl_crt} ] ; then
74 mkdir -p $(dirname ${!ssl_crt})
75 openssl req -new -x509 -days 365 -set_serial $RANDOM \
76 -key ${!ssl_key} -out ${!ssl_crt} <<EOF
83 $PLC_MAIL_SUPPORT_ADDRESS
# API requires a public key for slice ticket verification; derive it
# from the API's private key. NOTE(review): this runs only when the
# .pub file is absent, and the private key above is likewise only
# generated when absent -- if the private key is ever regenerated
# without removing the .pub, the two silently go out of sync. It also
# means the same RSA key backs both the API's TLS endpoint and
# (presumably) ticket signing; a separate signing key would limit
# the blast radius of a TLS key compromise.
91 if [ ! -f $PLC_API_SSL_KEY_PUB ] ; then
92 openssl rsa -pubout <$PLC_API_SSL_KEY >$PLC_API_SSL_KEY_PUB
# Install into both /etc/pki (Fedora Core 4) and /etc/httpd/conf
# (Fedora Core 2) by symlinking. The loop runs API, BOOT, WWW and
# each enabled server points the same four links at its own files
# (assuming the symlink helper replaces an existing link), so the
# LAST enabled one wins: WWW if enabled, else BOOT, else API. The
# /etc/pki/tls/private/localhost.key link only points at the PLC key
# file, so that file's own permissions are what protect the key.
100 for server in API BOOT WWW ; do
101 enabled=PLC_${server}_ENABLED
102 if [ "${!enabled}" != "1" ] ; then
105 ssl_key=PLC_${server}_SSL_KEY
106 ssl_crt=PLC_${server}_SSL_CRT
108 symlink ${!ssl_crt} /etc/pki/tls/certs/localhost.crt
109 symlink ${!ssl_key} /etc/pki/tls/private/localhost.key
110 symlink ${!ssl_crt} /etc/httpd/conf/ssl.crt/server.crt
111 symlink ${!ssl_key} /etc/httpd/conf/ssl.key/server.key