blob: bc9ca078efccedcbb37522ea32c455264f0fad09 [file] [log] [blame]
#!/bin/sh
[ -n "$KEYFILE" ] || KEYFILE=/etc/ssl/private/device.key
[ -n "$CERTFILE" ] || CERTFILE=/etc/ssl/certs/device.pem
[ -n "$SSLCONF" ] || SSLCONF=/usr/share/gfiber-device-cert/openssl.conf
fatal() {
echo "$0:" "$@" >&2
exit 99
}
host=$(
hostname -f |
sed -e 's/\([^.]*\.[^.]*\).*/\1/' \
-e 's/\./_/g' \
-e 's/-//g'
)
full_cn="f88fca-Linux-$host"
if [ "$1" = "-f" ] || [ ! -e "$CERTFILE" ]; then
echo "Generating cert for '$full_cn'" >&2
touch "$CERTFILE.new" 2>/dev/null ||
fatal "can't write '$CERTFILE.new'. run as root?"
touch "$KEYFILE.new" 2>/dev/null ||
fatal "can't write '$KEYFILE.new'. run as root?"
openssl req \
-config "$SSLCONF" \
-batch \
-new \
-x509 \
-newkey rsa:2048 \
-nodes \
-keyout "$KEYFILE.new" \
-out "$CERTFILE.new" \
-days 36500 \
-subj "/CN=$full_cn" || fatal "failed to generate key"
chmod a+r "$CERTFILE.new"
mv "$KEYFILE.new" "$KEYFILE"
mv "$CERTFILE.new" "$CERTFILE"
fi
[ -r "$CERTFILE" ] || fatal "'$CERTFILE' is not readable. run as root?"
real_cn=$(
openssl x509 -in "$CERTFILE" -text -noout |
perl -ne '/Subject: CN=(.*)/ && { print $1 }'
)
openssl x509 -in "$CERTFILE" -text || fatal "error dumping certificate"
if [ "$real_cn" != "$full_cn" ]; then
echo >&2
echo "Warning: expected 'CN=$full_cn'" >&2
echo " got 'CN=$real_cn'" >&2
echo "Warning: this cert might not be accepted by servers." >&2
echo "Warning: to regenerate it, run: $0 -f" >&2
exit 10
fi
exit 0