
Commit 73ad94c

Jenkinsopenstack-gerrit
authored andcommitted
Merge "Don't try to regenerate existing ssl certificates"
2 parents 40564a2 + 2f69c6b commit 73ad94c

1 file changed

Lines changed: 46 additions & 41 deletions


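--- a/lib/tls
+++ b/lib/tls
@@ -235,31 +235,34 @@ function make_cert {
 local common_name=$3
 local alt_names=$4
 
-# Generate a signing request
-$OPENSSL req \
--sha1 \
--newkey rsa \
--nodes \
--keyout $ca_dir/private/$cert_name.key \
--out $ca_dir/$cert_name.csr \
--subj "/O=${ORG_NAME}/OU=${ORG_UNIT_NAME} Servers/CN=${common_name}"
-
-if [[ -z "$alt_names" ]]; then
-alt_names="DNS:${common_name}"
-else
-alt_names="DNS:${common_name},${alt_names}"
-fi
+# Only generate the certificate if it doesn't exist yet on the disk
+if [ ! -r "$ca_dir/$cert_name.crt" ]; then
+# Generate a signing request
+$OPENSSL req \
+-sha1 \
+-newkey rsa \
+-nodes \
+-keyout $ca_dir/private/$cert_name.key \
+-out $ca_dir/$cert_name.csr \
+-subj "/O=${ORG_NAME}/OU=${ORG_UNIT_NAME} Servers/CN=${common_name}"
+
+if [[ -z "$alt_names" ]]; then
+alt_names="DNS:${common_name}"
+else
+alt_names="DNS:${common_name},${alt_names}"
+fi
 
-# Sign the request valid for 1 year
-SUBJECT_ALT_NAME="$alt_names" \
-$OPENSSL ca -config $ca_dir/signing.conf \
--extensions req_extensions \
--days 365 \
--notext \
--in $ca_dir/$cert_name.csr \
--out $ca_dir/$cert_name.crt \
--subj "/O=${ORG_NAME}/OU=${ORG_UNIT_NAME} Servers/CN=${common_name}" \
--batch
+# Sign the request valid for 1 year
+SUBJECT_ALT_NAME="$alt_names" \
+$OPENSSL ca -config $ca_dir/signing.conf \
+-extensions req_extensions \
+-days 365 \
+-notext \
+-in $ca_dir/$cert_name.csr \
+-out $ca_dir/$cert_name.crt \
+-subj "/O=${ORG_NAME}/OU=${ORG_UNIT_NAME} Servers/CN=${common_name}" \
+-batch
+fi
 }
 
 
@@ -274,23 +277,25 @@ function make_int_CA {
 create_CA_config $ca_dir 'Intermediate CA'
 create_signing_config $ca_dir
 
-# Create a signing certificate request
-$OPENSSL req -config $ca_dir/ca.conf \
--sha1 \
--newkey rsa \
--nodes \
--keyout $ca_dir/private/cacert.key \
--out $ca_dir/cacert.csr \
--outform PEM
-
-# Sign the intermediate request valid for 1 year
-$OPENSSL ca -config $signing_ca_dir/ca.conf \
--extensions ca_extensions \
--days 365 \
--notext \
--in $ca_dir/cacert.csr \
--out $ca_dir/cacert.pem \
--batch
+if [ ! -r "$ca_dir/cacert.pem" ]; then
+# Create a signing certificate request
+$OPENSSL req -config $ca_dir/ca.conf \
+-sha1 \
+-newkey rsa \
+-nodes \
+-keyout $ca_dir/private/cacert.key \
+-out $ca_dir/cacert.csr \
+-outform PEM
+
+# Sign the intermediate request valid for 1 year
+$OPENSSL ca -config $signing_ca_dir/ca.conf \
+-extensions ca_extensions \
+-days 365 \
+-notext \
+-in $ca_dir/cacert.csr \
+-out $ca_dir/cacert.pem \
+-batch
+fi
 }
 
 # Make a root CA to sign other CAs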
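Review bot: The new guard in make_cert tests only that `$ca_dir/$cert_name.crt` is readable, so a certificate left on disk without its private key, or one past the 365-day lifetime set by `-days 365`, is silently reused instead of regenerated. Checking the key alongside the certificate covers the first case, `if [ ! -r "$ca_dir/$cert_name.crt" ] || [ ! -r "$ca_dir/private/$cert_name.key" ]; then`, and an `$OPENSSL x509 -checkend 0 -noout -in "$ca_dir/$cert_name.crt"` test would cover expiry. The same applies to the `cacert.pem` guard in make_int_CA, where the matching key is `$ca_dir/private/cacert.key`. Separately, both requests are still created with `-sha1`, which this change carries over unchanged; `-sha256` would be the stronger digest. Both function bodies begin outside the hunks shown.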
