doc: check for changed subject on cert creation

UPC · Sep 27, 2024 · 318dbe0 · 318dbe0
1 parent 91d4c2c
commit 318dbe0
Showing 1 changed file with 35 additions and 10 deletions.
diff --git a/docs/docs/create_cert.sh b/docs/docs/create_cert.sh
@@ -1,23 +1,39 @@
 #!/bin/bash
 
+DIR="/etc/pki/libvirt-spice"
+
 SERVER_IP="$1"
 if [ -z "$SERVER_IP" ]; then
     echo "Error, server ip required."
     echo "  Usage: $0 ip"
     exit -1
 fi
 
-# change the next line
-SUBJECT="/C=IL/L=Raanana/O=Red Hat"
+SUBJECT_DEFAULT="/C=XX/CN=Foo Bar"
+
+if [ -e "subject.txt" ]; then
+    subject_old=`cat subject.txt`
+    SUBJECT_DEFAULT=$subject_old
+fi
+
+echo -n "Subject [$SUBJECT_DEFAULT] : "
+read subject2
+SUBJECT=${subject2:-$SUBJECT_DEFAULT}
 
 SERVER_KEY=server-key.pem
 
 # creating a key for our ca
 if [ ! -e ca-key.pem ]; then
     openssl genrsa -des3 -out ca-key.pem 2048
+else
+    echo -n Using ca-key created on 
+    stat ca-key.pem | tail -1 | awk '{ print " " $2 " " $3 }'
 fi
+
+
 # creating a ca
-if [ ! -e ca-cert.pem ]; then
+if [ ! -e ca-cert.pem ] || [ "$SUBJECT" != "$subject_old" ]; then
+
     openssl req -new -x509 -nodes -sha256 -days 1095 -key ca-key.pem -out ca-cert.pem \
         -subj "${SUBJECT}/CN=my CA"
 fi
@@ -26,12 +42,20 @@ if [ ! -e $SERVER_KEY ]; then
     openssl genrsa -out $SERVER_KEY
 fi
 # create a certificate signing request (csr)
-if [ ! -e server-key.csr ]; then
+if [ ! -e server-key.csr ] || [ "$SUBJECT" != "$subject_old" ]; then
+    echo "Creating server-key.csr"
     openssl req -new -nodes -key $SERVER_KEY -out server-key.csr -subj "$SUBJECT/CN=$SERVER_IP"
+    if [ $? -ne 0 ]; then
+        echo $?
+        exit
+    fi
 fi
 # signing our server certificate with this ca
-if [ ! -e server-cert.pem ]; then
+if [ ! -e server-cert.pem ] || [ "$SUBJECT" != "$subject_old" ]; then
+
     openssl x509 -req -days 1095 -in server-key.csr -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -sha256 -extfile v3.ext
+
+    echo $SUBJECT > subject.txt
 fi
 
 # now create a key that doesn't require a passphrase
@@ -40,14 +64,15 @@ mv $SERVER_KEY $SERVER_KEY.secure
 mv $SERVER_KEY.insecure $SERVER_KEY
 
 # copy *.pem file to /etc/pki/libvirt-spice
-if [ ! -d "/etc/pki/libvirt-spice" ]
+if [ ! -d "$DIR" ]
 then
-    mkdir -p /etc/pki/libvirt-spice
+    mkdir -p $DIR
 fi
-cp ./*.pem /etc/pki/libvirt-spice
-chown :kvm  /etc/pki/libvirt-spice/*pem
-chmod g+rx /etc/pki/libvirt-spice/*pem
+cp ./*.pem $DIR
+chown :kvm  $DIR/*pem
+chmod g+rx $DIR/*pem
 
 # echo --host-subject
 echo "your --host-subject is" \" `openssl x509 -noout -text -in server-cert.pem | grep Subject: | cut -f 10- -d " "` \"
+echo "Certificate installed in $DIR"