+. /etc/planetlab/plc_config
+
+# Be verbose
+set -x
+
+# Print the CNAME of an SSL certificate
+ssl_cname ()
+{
+ openssl x509 -noout -in $1 -subject | \
+ sed -n -e 's@.*/CN=\([^/]*\).*@\1@p' | \
+ lower
+}
+
+# Verify a certificate. If invalid, generate a new self-signed
+# certificate.
+verify_or_generate_certificate() {
+ crt=$1
+ key=$2
+ ca=$3
+ cname=$(lower $4)
+
+ # If the CA certificate does not exist, assume that the
+ # certificate is self-signed.
+ if [ ! -f $ca ] ; then
+ cp -a $crt $ca
+ fi
+
+ if [ -f $crt ] ; then
+ # Check if certificate is valid
+ verify=$(openssl verify -CAfile $ca $crt)
+ # Delete if invalid or if the subject has changed
+ if grep -q "error" <<<$verify || \
+ [ "$(ssl_cname $crt)" != "$cname" ] ; then
+ rm -f $crt $ca
+ fi
+ fi
+
+ if [ ! -f $crt ] ; then
+ # Set subject
+ subj=
+ if [ -n "$cname" ] ; then
+ subj="$subj/CN=$cname"
+ fi
+
+ # Generate new self-signed certificate
+ mkdir -p $(dirname $crt)
+ openssl req -new -x509 -days 3650 -set_serial $RANDOM \
+ -batch -subj "$subj" \
+ -nodes -keyout $key -out $crt
+ check
+
+ # The certificate it self-signed, so it is its own CA
+ cp -a $crt $ca
+ fi
+
+ # Fix permissions
+ chmod 644 $crt $ca
+}