[ovs-dev,RFC,v3,3/6] ovs-pki: add option to suppress generated id in common name

Submitted by Lance Richardson on April 19, 2017, 7:06 p.m.


Message ID 20170419190656.4232-1-lrichard@redhat.com
State Superseded

Commit Message

Lance Richardson April 19, 2017, 7:06 p.m.
For some applications, it is desirable to have full control of
the common name field in generated certificates.  Add a command-line
option to suppress appending " id:<uuid-or-date>" to the user-
specified name.

Signed-off-by: Lance Richardson <lrichard@redhat.com>
---
v3: New patch.

 utilities/ovs-pki.8.in |  9 +++++++++
 utilities/ovs-pki.in   | 16 +++++++++++++---
 2 files changed, 22 insertions(+), 3 deletions(-)


diff --git a/utilities/ovs-pki.8.in b/utilities/ovs-pki.8.in
index 9c3019b..a1bcc11 100644
--- a/utilities/ovs-pki.8.in
+++ b/utilities/ovs-pki.8.in
@@ -48,6 +48,8 @@  The available options are:
 .br
 [\fB\-l\fR \fIfile\fR | \fB\-\^\-log=\fIfile\fR]
 .br
+[\fB\-u\fR | \fB\-\^\-unique\fR]
+.br
 [\fB\-h\fR | \fB\-\^\-help\fR]
 .sp
 Some options do not apply to every command.
@@ -233,6 +235,13 @@  directories.  This option overrides this behavior.
 Sets the log file to \fIfile\fR.  Default:
 \fB@LOGDIR@/ovs\-pki.log\fR.
 
+.IP "\fB\-u\fR"
+.IQ "\fB\-\^\-unique\fR"
+Changes the format of the certificate's Common Name (CN) field; by
+default, this field has the format "<name> id:<uuid-or-date>", this
+option causes the provided name to be treated as unique and changes
+the format of the CN field to be simply "<name>".
+
 .IP "\fB\-h\fR"
 .IQ "\fB\-\^\-help\fR"
 Prints a help usage message and exits.
diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in
index 7a992a5..d5ce1dc 100755
--- a/utilities/ovs-pki.in
+++ b/utilities/ovs-pki.in
@@ -21,6 +21,7 @@  command=
 prev=
 force=no
 batch=no
+unique_name=no
 log='@LOGDIR@/ovs-pki.log'
 keytype=rsa
 bits=2048
@@ -110,6 +111,7 @@  Options that apply to any command:
                          (default: $pkidir)
   -f, --force          Continue even if file or directory already exists
   -l, --log=FILE       Log openssl output to FILE (default: ovs-log.log)
+  -u, --unique         NAME is unique (don't append UUID/date)
   -h, --help           Print this usage message.
   -V, --version        Display version information.
 EOF
@@ -155,6 +157,9 @@  EOF
         --ba*|-b)
             batch=yes
             ;;
+        --un*|-u)
+            unique_name=yes
+            ;;
         -*)
             echo "unrecognized option $option" >&2
             exit 1
@@ -429,8 +434,13 @@  make_request() {
     must_not_exist "$arg1-privkey.pem"
     must_not_exist "$arg1-req.pem"
     make_tmpdir
-    # Use uuidgen or date to create unique subject DNs.
-    unique=`(uuidgen) 2>/dev/null` || unique=`date +"%Y %b %d %T"`
+    if test $unique_name != yes; then
+        # Use uuidgen or date to create unique subject DNs.
+        unique=`(uuidgen) 2>/dev/null` || unique=`date +"%Y %b %d %T"`
+        cn="$arg1 id:$unique"
+    else
+        cn="$arg1"
+    fi
     cat > "$TMP/req.cnf" <<EOF
 [ req ]
 prompt = no
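Review bot: In the new `else` branch `$arg1` becomes the entire CN and is then expanded unquoted inside the `cat > "$TMP/req.cnf" <<EOF` heredoc, so a name containing a newline is parsed by openssl as further config lines rather than as part of the CN; the old format had the same exposure, but with `-u` the name is no longer just a prefix of a field ovs-pki partly controls, so this is the place to validate it. I would add a guard before the `if`, e.g. a `case "$arg1" in` arm that matches a literal newline, prints `name must not contain newlines` to stderr and exits 1, and state in the usage text that with `-u` subject-DN uniqueness is the caller's responsibility. Note also that `unique` is left unset on the `-u` path; make_request continues outside this hunk on both sides, so any later reference to `$unique` (logging, file naming) should be checked. The companion `CN = $cn` change in the next hunk needs no separate comment.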
@@ -442,7 +452,7 @@  ST = CA
 L = Palo Alto
 O = Open vSwitch
 OU = Open vSwitch certifier
-CN = $arg1 id:$unique
+CN = $cn
 EOF
     if test $keytype = rsa; then
         (umask 077 && openssl genrsa -out "$1-privkey.pem" $bits) 1>&3 2>&3 \