ovs-pki: add option to suppress generated id in common name

For some applications, it is desirable to have full control of the common name field in generated certificates. Add a command-line option to suppress appending " id:<uuid-or-date>" to the user- specified name. Signed-off-by: Lance Richardson <[email protected]> Signed-off-by: Ben Pfaff <[email protected]>
caozhiyuan · May 4, 2017 · 674ebdd · 674ebdd
1 parent 40e66ba
commit 674ebdd
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 3 deletions.
diff --git a/utilities/ovs-pki.8.in b/utilities/ovs-pki.8.in
@@ -48,6 +48,8 @@ The available options are:
 .br
 [\fB\-l\fR \fIfile\fR | \fB\-\^\-log=\fIfile\fR]
 .br
+[\fB\-u\fR | \fB\-\^\-unique\fR]
+.br
 [\fB\-h\fR | \fB\-\^\-help\fR]
 .sp
 Some options do not apply to every command.
@@ -233,6 +235,13 @@ directories.  This option overrides this behavior.
 Sets the log file to \fIfile\fR.  Default:
 \fB@LOGDIR@/ovs\-pki.log\fR.
 
+.IP "\fB\-u\fR"
+.IQ "\fB\-\^\-unique\fR"
+Changes the format of the certificate's Common Name (CN) field; by
+default, this field has the format "<name> id:<uuid-or-date>", this
+option causes the provided name to be treated as unique and changes
+the format of the CN field to be simply "<name>".
+
 .IP "\fB\-h\fR"
 .IQ "\fB\-\^\-help\fR"
 Prints a help usage message and exits.
diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in
@@ -21,6 +21,7 @@ command=
 prev=
 force=no
 batch=no
+unique_name=no
 log='@LOGDIR@/ovs-pki.log'
 keytype=rsa
 bits=2048
@@ -110,6 +111,7 @@ Options that apply to any command:
                          (default: $pkidir)
   -f, --force          Continue even if file or directory already exists
   -l, --log=FILE       Log openssl output to FILE (default: ovs-log.log)
+  -u, --unique         NAME is unique (don't append UUID/date)
   -h, --help           Print this usage message.
   -V, --version        Display version information.
 EOF
@@ -155,6 +157,9 @@ EOF
         --ba*|-b)
             batch=yes
             ;;
+        --un*|-u)
+            unique_name=yes
+            ;;
         -*)
             echo "unrecognized option $option" >&2
             exit 1
@@ -429,8 +434,13 @@ make_request() {
     must_not_exist "$arg1-privkey.pem"
     must_not_exist "$arg1-req.pem"
     make_tmpdir
-    # Use uuidgen or date to create unique subject DNs.
-    unique=`(uuidgen) 2>/dev/null` || unique=`date +"%Y %b %d %T"`
+    if test $unique_name != yes; then
+        # Use uuidgen or date to create unique subject DNs.
+        unique=`(uuidgen) 2>/dev/null` || unique=`date +"%Y %b %d %T"`
+        cn="$arg1 id:$unique"
+    else
+        cn="$arg1"
+    fi
     cat > "$TMP/req.cnf" <<EOF
 [ req ]
 prompt = no
@@ -442,7 +452,7 @@ ST = CA
 L = Palo Alto
 O = Open vSwitch
 OU = Open vSwitch certifier
-CN = $arg1 id:$unique
+CN = $cn
 EOF
     if test $keytype = rsa; then
         (umask 077 && openssl genrsa -out "$1-privkey.pem" $bits) 1>&3 2>&3 \