+ # Check if root CA certificate is valid
+ if [ -f $PLC_ROOT_CA_SSL_CRT ] ; then
+ verify=$(openssl verify $PLC_ROOT_CA_SSL_CRT)
+ # If self signed, assume that we generated it
+ if grep -q "self signed certificate" <<<$verify ; then
+ # Delete if expired or PLC name or e-mail address has changed
+ if grep -q "expired" <<<$verify || \
+ [ "$(ssl_cname $PLC_ROOT_CA_SSL_CRT)" != "$PLC_NAME Root CA" ] || \
+ [ "$(ssl_email $PLC_ROOT_CA_SSL_CRT)" != "$PLC_MAIL_SUPPORT_ADDRESS" ] ; then
+ rm -f $PLC_ROOT_CA_SSL_CRT
+ fi
+ fi
+ fi
+
+ # Generate root CA key pair and certificate
+ if [ ! -f $PLC_ROOT_CA_SSL_CRT ] ; then
+ mkdir -p $(dirname $PLC_ROOT_CA_SSL_CRT)
+ openssl req -config /etc/planetlab/ssl/openssl.cnf \
+ -new -x509 -extensions v3_ca -days 3650 -set_serial $RANDOM \
+ -batch -subj "/CN=$PLC_NAME Root CA/emailAddress=$PLC_MAIL_SUPPORT_ADDRESS" \
+ -nodes -keyout $PLC_ROOT_CA_SSL_KEY -out $PLC_ROOT_CA_SSL_CRT
+ check
+ chmod 600 $PLC_ROOT_CA_SSL_KEY
+ chmod 644 $PLC_ROOT_CA_SSL_CRT
+
+ # API certificate verification requires a public key
+ openssl rsa -pubout <$PLC_ROOT_CA_SSL_KEY >$PLC_ROOT_CA_SSL_KEY_PUB
+ check
+ chmod 644 $PLC_ROOT_CA_SSL_KEY_PUB
+
+ # Reset DB
+ >/etc/planetlab/ssl/index.txt
+ echo "01" >/etc/planetlab/ssl/serial
+ fi
+
+ # Check if MA/SA certificate is valid
+ if [ -f $PLC_MA_SA_SSL_CRT ] ; then
+ verify=$(openssl verify -CAfile $PLC_ROOT_CA_SSL_CRT $PLC_MA_SA_SSL_CRT)
+ # Delete if expired or not signed correctly
+ if grep -q "error" <<<$verify ; then
+ rm -f $PLC_MA_SA_SSL_CRT
+ fi
+ fi
+
+ # Generate MA/SA key pair and certificate
+ if [ ! -f $PLC_MA_SA_SSL_CRT ] ; then
+ mkcert "$PLC_NAME Management and Slice Authority" \
+ $PLC_MA_SA_SSL_KEY $PLC_MA_SA_SSL_CRT
+
+ # API requires a public key for slice ticket verification
+ openssl rsa -pubout <$PLC_MA_SA_SSL_KEY >$PLC_MA_SA_SSL_KEY_PUB
+ check
+ chmod 644 $PLC_MA_SA_SSL_KEY_PUB
+ fi
+
+ # Generate HTTPS certificate(s). We generate a certificate for
+ # each enabled server with a different hostname.