5 # Generate SSL certificates
7 # Mark Huang <mlhuang@cs.princeton.edu>
8 # Copyright (C) 2006 The Trustees of Princeton University
10 # $Id: ssl,v 1.10 2006/07/24 19:30:45 mlhuang Exp $
13 # Source function library and configuration
14 . /etc/plc.d/functions
15 . /etc/planetlab/plc_config
20 # Print the CNAME of an SSL certificate
23 openssl x509 -noout -in $1 -subject | \
24 sed -n -e 's@.*/CN=\([^/]*\).*@\1@p'
27 # Print the emailAddress of an SSL certificate
30 openssl x509 -noout -in $1 -subject | \
31 sed -n -e 's@.*/emailAddress=\([^/]*\).*@\1@p'
34 # Verify a certificate. If invalid, generate a new self-signed
36 verify_or_generate_certificate() {
43 # If the CA certificate does not exist, assume that the
44 # certificate is self-signed.
45 if [ ! -f $ca ] ; then
50 # Check if certificate is valid
51 verify=$(openssl verify -CAfile $ca $crt)
52 # Delete if invalid or if the subject has changed
53 if grep -q "error" <<<$verify || \
54 [ "$(ssl_cname $crt)" != "$cname" ] || \
55 [ "$(ssl_email $crt)" != "$email" ] ; then
60 if [ ! -f $crt ] ; then
63 if [ -n "$cname" ] ; then
64 subj="$subj/CN=$cname"
66 if [ -n "$email" ] ; then
67 subj="$subj/emailAddress=$email"
70 # Generate new self-signed certificate
71 mkdir -p $(dirname $crt)
72 openssl req -new -x509 -days 3650 -set_serial $RANDOM \
73 -batch -subj "$subj" \
74 -nodes -keyout $key -out $crt
78 # The certificate it self-signed, so it is its own CA
85 MESSAGE=$"Generating SSL certificates"
88 # Generate HTTPS certificates if necessary. We generate a
89 # certificate for each enabled server with a different
90 # hostname. These self-signed certificates may be overridden
92 for server in WWW API BOOT ; do
93 ssl_key=PLC_${server}_SSL_KEY
94 ssl_crt=PLC_${server}_SSL_CRT
95 ca_ssl_crt=PLC_${server}_CA_SSL_CRT
96 hostname=PLC_${server}_HOST
98 # Check if we have already generated a certificate for
100 for previous_server in WWW API BOOT ; do
101 if [ "$server" = "$previous_server" ] ; then
104 previous_ssl_key=PLC_${previous_server}_SSL_KEY
105 previous_ssl_crt=PLC_${previous_server}_SSL_CRT
106 previous_ca_ssl_crt=PLC_${previous_server}_CA_SSL_CRT
107 previous_hostname=PLC_${previous_server}_HOST
109 if [ -f ${!previous_ssl_crt} ] && \
110 [ "$(ssl_cname ${!previous_ssl_crt})" = "${!hostname}" ] ; then
111 cp -a ${!previous_ssl_key} ${!ssl_key}
112 cp -a ${!previous_ssl_crt} ${!ssl_crt}
113 cp -a ${!previous_ca_ssl_crt} ${!ca_ssl_crt}
118 verify_or_generate_certificate \
119 ${!ssl_crt} ${!ssl_key} ${!ca_ssl_crt} \
123 # Install HTTPS certificates into both /etc/pki (Fedora Core
124 # 4) and /etc/httpd/conf (Fedora Core 2). If the API, boot,
125 # and web servers are all running on the same machine, the web
126 # server certificate takes precedence.
127 for server in API BOOT WWW ; do
128 enabled=PLC_${server}_ENABLED
129 if [ "${!enabled}" != "1" ] ; then
132 ssl_key=PLC_${server}_SSL_KEY
133 ssl_crt=PLC_${server}_SSL_CRT
135 symlink ${!ssl_crt} /etc/pki/tls/certs/localhost.crt
136 symlink ${!ssl_key} /etc/pki/tls/private/localhost.key
137 symlink ${!ssl_crt} /etc/httpd/conf/ssl.crt/server.crt
138 symlink ${!ssl_key} /etc/httpd/conf/ssl.key/server.key