Commit 99841e98 authored by Leigh Stoller's avatar Leigh Stoller

New utility script to update a certificate that has expired.

Takes the old certificate, extracts the private key embedded in it,
generates a new serial number, and uses x509 to create a new
certificate. Useful for updating expired certs.
parent be040ff9
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2009 University of Utah and the Flux Group.
# Copyright (c) 2000-2010 University of Utah and the Flux Group.
# All rights reserved.
#
......@@ -14,11 +14,11 @@ include $(OBJDIR)/Makeconf
all: emulab.pem server.pem localnode.pem ronnode.pem pcwa.pem ctrlnode.pem \
capture.pem capture.fingerprint capture.sha1fingerprint \
keys mksig jabber.pem
keys mksig jabber.pem updatecert
remote-site: emulab.pem capture.pem capture.fingerprint server.pem \
localnode.pem capture.sha1fingerprint apache.pem apache-ops.pem \
ctrlnode.pem jabber.pem
ctrlnode.pem jabber.pem updatecert
clearinghouse: emulab.pem apache.pem
......@@ -254,6 +254,7 @@ boss-installX: $(INSTALL_ETCDIR)/emulab.pem \
$(INSTALL_ETCDIR)/capture.sha1fingerprint \
$(INSTALL_ETCDIR)/emulab_privkey.pem \
$(INSTALL_ETCDIR)/emulab_pubkey.pem \
$(INSTALL_SBINDIR)/updatecert \
install-conf
$(INSTALL_DATA) localnode.pem $(INSTALL_ETCDIR)/client.pem
chmod 640 $(INSTALL_ETCDIR)/emulab.pem
......@@ -282,6 +283,7 @@ remote-site-boss-install: install-dirs \
$(INSTALL_ETCDIR)/capture.sha1fingerprint \
$(INSTALL_ETCDIR)/ctrlnode.pem \
$(INSTALL_ETCDIR)/server.pem \
$(INSTALL_SBINDIR)/updatecert \
install-conf
$(INSTALL_DATA) localnode.pem $(INSTALL_ETCDIR)/client.pem
chmod 640 $(INSTALL_ETCDIR)/emulab.pem
#!/usr/bin/perl -w
#
# GENIPUBLIC-COPYRIGHT
# Copyright (c) 2008-2010 University of Utah and the Flux Group.
# All rights reserved.
#
use strict;
use English;
use Getopt::Std;
#
# Initialize an emulab to act as a protogeni emulab. Add optional -c
# option if this is a clearinghouse.
#
sub usage()
{
print "Usage: updatecert [-d] <certfile.pem>\n";
exit(1);
}
my $optlist = "d";
my $debug = 0;
#
# Configure variables
#
my $TB = "@prefix@";
my $TBOPS = "@TBOPSEMAIL@";
my $OPENSSL = "/usr/bin/openssl";
# un-taint path
$ENV{'PATH'} = '/bin:/usr/bin:/usr/local/bin:/usr/site/bin';
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
# Protos
sub fatal($);
sub UpdateCert($);
#
# Turn off line buffering on output
#
$| = 1;
# Load the Testbed support stuff.
use lib "@prefix@/lib";
use libtestbed;
use emutil qw(TBGetUniqueIndex);
if ($UID != 0) {
fatal("Must be root to run this script\n");
}
#
# Check args.
#
my %options = ();
if (! getopts($optlist, \%options)) {
usage();
}
if (defined($options{"d"})) {
$debug++;
}
usage()
if (!@ARGV);
my $certfile = $ARGV[0];
fatal("No such file: $certfile")
if (! -e $certfile);
exit(UpdateCert($certfile));
#
# Update a certificate using the installed CA.
#
sub UpdateCert($)
{
my ($file) = @_;
# Update by changing serial.
my $serial = TBGetUniqueIndex( "user_sslcerts" );
#
# Make sure we can get find the private key in the file, and
# save it for later.
#
my $privkey;
my $string;
open(CERT, $file)
or fatal("Could not open $file");
while (<CERT>) {
my $line = $_;
if ($line =~ /^-----BEGIN RSA/) {
$string = $line;
next;
}
if ($line =~ /^-----END RSA/) {
$string = $string .= $line;
$privkey = $string;
next;
}
$string .= $line
if (defined($string));
}
close(CERT);
if (!defined($privkey)) {
fatal("Could not find private key in $file");
}
#
# Save the new certificate to a temporary file: OpenSSL will reuse the
# plain text from the old certificate instead of the current version,
# so we regenerate the whole thing to avoid confusion.
#
my $newcert = "/tmp/$$";
# Put the private key back into the new file.
open(CERT, ">$newcert")
or fatal("Could not open $newcert for writing");
print CERT $privkey;
close(CERT);
system("$OPENSSL x509 -days 2000 -text " .
"-set_serial $serial -signkey $TB/etc/emulab.key " .
"< $file | $OPENSSL x509 -text >> $newcert");
if ($?) {
fatal("Could not create new certificate");
}
print "New certificate written to $newcert\n";
return 0;
}
sub fatal($)
{
my ($msg) = @_;
die("*** $0:\n".
" $msg\n");
}
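Review bot: In UpdateCert the extracted private key, and then the new certificate, are written to `my $newcert = "/tmp/$$";` — a predictable name in a world-writable directory, created by root with the default umask through a 2-arg `open(CERT, ">$newcert")`, so the key material may be readable by other local users and the write follows whatever already exists under that name. Create the scratch file with `File::Temp::tempfile` (exclusive create, mode 0600) and only then let the `openssl` pipeline append to it; `use File::Temp qw(tempfile);` belongs with the other `use` lines at the top of the script. The `system` string also interpolates `$file` straight from `@ARGV` into a shell command line (`< $file | …`), so a path containing shell metacharacters is misparsed; validate it against an anchored pattern of safe characters before use, or pass it as `-in` to a list-form invocation. Separately, the header comment above `usage()` (`# Initialize an emulab to act as a protogeni emulab…`) was copied from another script and should describe this one, e.g. `# Re-issue an expired Emulab certificate with a fresh serial number, keeping the private key that is embedded in the file.`, and `$string = $string .= $line;` is a redundant self-assignment that should read `$string .= $line;`.
```perl
    # Exclusive-create a private (0600) scratch file; the name is not
    # guessable, unlike the previous /tmp/$$.
    my ($fh, $newcert) = tempfile("updatecert.XXXXXX", DIR => "/tmp", UNLINK => 0);
    # Put the private key back into the new file.
    print $fh $privkey;
    close($fh)
        or fatal("Could not write $newcert");
    # … unchanged: openssl x509 pipeline appending to $newcert, error check, final message …
```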