5 # Generate SSL certificates
7 # Mark Huang <mlhuang@cs.princeton.edu>
8 # Copyright (C) 2006 The Trustees of Princeton University
10 # $Id: ssl,v 1.7 2006/06/28 21:34:18 mlhuang Exp $
13 # Source function library and configuration
14 . /etc/plc.d/functions
15 . /etc/planetlab/plc_config
20 # Print the CNAME of an SSL certificate
23 openssl x509 -noout -in $1 -subject | \
24 sed -n -e 's@.*/CN=\([^/]*\).*@\1@p'
27 # Print the emailAddress of an SSL certificate
30 openssl x509 -noout -in $1 -subject | \
31 sed -n -e 's@.*/emailAddress=\([^/]*\).*@\1@p'
34 # Verify a certificate. If invalid, generate a new self-signed
36 verify_or_generate_certificate() {
44 # Check if certificate is valid
45 verify=$(openssl verify -CAfile $ca $crt)
46 # Delete if invalid or if the subject has changed
47 if grep -q "error" <<<$verify || \
48 [ "$(ssl_cname $crt)" != "$cname" ] || \
49 [ "$(ssl_email $crt)" != "$email" ] ; then
54 if [ ! -f $crt ] ; then
57 if [ -n "$cname" ] ; then
58 subj="$subj/CN=$cname"
60 if [ -n "$email" ] ; then
61 subj="$subj/emailAddress=$email"
64 # Generate new self-signed certificate
65 mkdir -p $(dirname $crt)
66 openssl req -new -x509 -days 3650 -set_serial $RANDOM \
67 -batch -subj "$subj" \
68 -nodes -keyout $key -out $crt
73 if [ ! -f $ca ] ; then
74 # The certificate it self-signed, so it is its own CA
81 MESSAGE=$"Generating SSL certificates"
84 # Verify or generate MA/SA certificate if necessary. This
85 # self-signed certificate may be overridden later.
86 verify_or_generate_certificate \
87 $PLC_MA_SA_SSL_CRT $PLC_MA_SA_SSL_KEY $PLC_MA_SA_CA_SSL_CRT \
88 "$PLC_NAME Management and Slice Authority" \
89 $PLC_MAIL_SUPPORT_ADDRESS
91 # Make MA/SA key readable by apache so that the API can sign
93 chown apache $PLC_MA_SA_SSL_KEY
94 chmod 600 $PLC_MA_SA_SSL_KEY
96 # Extract the public key of the root CA (if any) that signed
97 # the MA/SA certificate.
98 openssl x509 -in $PLC_MA_SA_CA_SSL_CRT -noout -pubkey >$PLC_MA_SA_CA_SSL_KEY_PUB
100 chmod 644 $PLC_MA_SA_CA_SSL_KEY_PUB
102 # Generate HTTPS certificates if necessary. We generate a
103 # certificate for each enabled server with a different
104 # hostname. These self-signed certificates may be overridden
106 for server in WWW API BOOT ; do
107 ssl_key=PLC_${server}_SSL_KEY
108 ssl_crt=PLC_${server}_SSL_CRT
109 ca_ssl_crt=PLC_${server}_CA_SSL_CRT
110 hostname=PLC_${server}_HOST
112 # Check if we have already generated a certificate for
114 for previous_server in WWW API BOOT ; do
115 if [ "$server" = "$previous_server" ] ; then
118 previous_ssl_key=PLC_${previous_server}_SSL_KEY
119 previous_ssl_crt=PLC_${previous_server}_SSL_CRT
120 previous_ca_ssl_crt=PLC_${previous_server}_CA_SSL_CRT
121 previous_hostname=PLC_${previous_server}_HOST
123 if [ -f ${!previous_ssl_crt} ] && \
124 [ "$(ssl_cname ${!previous_ssl_crt})" = "${!hostname}" ] ; then
125 cp -a ${!previous_ssl_key} ${!ssl_key}
126 cp -a ${!previous_ssl_crt} ${!ssl_crt}
127 cp -a ${!previous_ca_ssl_crt} ${!ca_ssl_crt}
132 verify_or_generate_certificate \
133 ${!ssl_crt} ${!ssl_key} ${!ca_ssl_crt} \
134 ${!hostname} $PLC_MAIL_SUPPORT_ADDRESS
138 # Install HTTPS certificates into both /etc/pki (Fedora Core
139 # 4) and /etc/httpd/conf (Fedora Core 2). If the API, boot,
140 # and web servers are all running on the same machine, the web
141 # server certificate takes precedence.
142 for server in API BOOT WWW ; do
143 enabled=PLC_${server}_ENABLED
144 if [ "${!enabled}" != "1" ] ; then
147 ssl_key=PLC_${server}_SSL_KEY
148 ssl_crt=PLC_${server}_SSL_CRT
150 symlink ${!ssl_crt} /etc/pki/tls/certs/localhost.crt
151 symlink ${!ssl_key} /etc/pki/tls/private/localhost.key
152 symlink ${!ssl_crt} /etc/httpd/conf/ssl.crt/server.crt
153 symlink ${!ssl_key} /etc/httpd/conf/ssl.key/server.key