+. /etc/planetlab/plc_config
+
+# Be verbose
+set -x
+
+# Print the CNAME of an SSL certificate
+ssl_cname ()
+{
+ openssl x509 -noout -in $1 -subject | \
+ sed -n -e 's@.*/CN=\([^/]*\).*@\1@p' | \
+ lower
+}
+
+backup_file ()
+{
+ filepath=$1
+ filename=$(basename ${filepath})
+ dir=$(dirname ${filepath})
+ mv -f ${filepath} ${dir}/${filename}-`date +%Y-%m-%d-%H-%M-%S`.bak
+}
+
+# Verify a certificate. If invalid, generate a new self-signed
+# certificate.
+verify_or_generate_certificate() {
+ crt=$1
+ key=$2
+ ca=$3
+ cname=$(lower $4)
+
+ # If the CA certificate does not exist, assume that the
+ # certificate is self-signed.
+ if [ ! -f $ca ] ; then
+ cp -a $crt $ca
+ fi
+
+ if [ -f $crt ] ; then
+ # Check if certificate is valid
+ # Backup if invalid or if the subject has changed
+ if openssl verify -CAfile $ca $crt | grep -q "error" || \
+ [ "$(ssl_cname $crt)" != "$cname" ] ; then
+ backup_file $crt
+ backup_file $ca
+ backup_file $key
+ fi
+ fi
+
+ if [ ! -f $crt ] ; then
+ # Set subject
+ subj=
+ if [ -n "$cname" ] ; then
+ subj="$subj/CN=$cname"
+ fi
+
+ # Generate new self-signed certificate
+ mkdir -p $(dirname $crt)
+ openssl req -new -x509 -days 3650 -set_serial $RANDOM \
+ -batch -subj "$subj" \
+ -nodes -keyout $key -out $crt
+ check
+
+ # The certificate it self-signed, so it is its own CA
+ cp -a $crt $ca
+ fi
+
+ # Fix permissions
+ chmod 644 $crt $ca
+}