Generate the certificates and private keys before the first run

ocserv.service

@@ -9,6 +9,7 @@ After=dbus.service
 PrivateTmp=true
 Type=forking
 PIDFile=/var/run/ocserv.pid
+ExecStartPre=/usr/sbin/ocserv-genkey
 ExecStart=/usr/sbin/ocserv --pid-file /var/run/ocserv.pid --config /etc/ocserv/ocserv.conf
 ExecReload=/bin/kill -HUP $MAINPID
 

ocserv.spec

@@ -1,6 +1,6 @@
 Name:		ocserv
 Version:	0.8.0
-Release:	1%{?dist}
+Release:	2%{?dist}
 Summary:	OpenConnect SSL VPN server
 
 # For a breakdown of the licensing, see PACKAGE-LICENSING 
@@ -14,6 +14,7 @@ Source3:	ocserv-pamd.conf
 Source4:	PACKAGE-LICENSING
 Source5:	org.infradead.ocserv.conf
 Source6:	ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz.sig
+Source7:	ocserv-genkey
 
 Patch1:		ocserv-0.8.0-endianness.patch
 Patch2:		ocserv-0.8.0-cmp.patch
@@ -92,33 +93,6 @@ getent passwd ocserv &>/dev/null || \
 mkdir -p %{_sysconfdir}/pki/ocserv/public
 mkdir -p -m 700 %{_sysconfdir}/pki/ocserv/private
 mkdir -p %{_sysconfdir}/pki/ocserv/cacerts
-#generate CA certificate/key
-if test ! -f %{_sysconfdir}/pki/ocserv/private/ca.key;then
-certtool --generate-privkey --outfile %{_sysconfdir}/pki/ocserv/private/ca.key >/dev/null 2>&1
-echo "cn=`hostname -f` CA" >%{_sysconfdir}/pki/ocserv/ca.tmpl
-echo "expiration_days=-1" >>%{_sysconfdir}/pki/ocserv/ca.tmpl
-echo "serial=1" >>%{_sysconfdir}/pki/ocserv/ca.tmpl
-echo "ca" >>%{_sysconfdir}/pki/ocserv/ca.tmpl
-echo "cert_signing_key" >>%{_sysconfdir}/pki/ocserv/ca.tmpl
-certtool --template %{_sysconfdir}/pki/ocserv/ca.tmpl \
-	--generate-self-signed --load-privkey %{_sysconfdir}/pki/ocserv/private/ca.key \
-	--outfile %{_sysconfdir}/pki/ocserv/cacerts/ca.crt >/dev/null 2>&1
-#rm -f %{_sysconfdir}/pki/ocserv/ca.tmpl
-fi
-#generate server certificate/key
-if test ! -f %{_sysconfdir}/pki/ocserv/private/server.key;then
-certtool --generate-privkey --outfile %{_sysconfdir}/pki/ocserv/private/server.key >/dev/null 2>&1
-echo "cn=`hostname -f`" >%{_sysconfdir}/pki/ocserv/server.tmpl
-echo "serial=2" >>%{_sysconfdir}/pki/ocserv/server.tmpl
-echo "expiration_days=-1" >>%{_sysconfdir}/pki/ocserv/server.tmpl
-echo "signing_key" >>%{_sysconfdir}/pki/ocserv/server.tmpl
-echo "encryption_key" >>%{_sysconfdir}/pki/ocserv/server.tmpl
-certtool --template %{_sysconfdir}/pki/ocserv/server.tmpl \
-	--generate-certificate --load-privkey %{_sysconfdir}/pki/ocserv/private/server.key \
-	--load-ca-certificate %{_sysconfdir}/pki/ocserv/cacerts/ca.crt --load-ca-privkey \
-	%{_sysconfdir}/pki/ocserv/private/ca.key --outfile %{_sysconfdir}/pki/ocserv/public/server.crt >/dev/null 2>&1
-#rm -f %{_sysconfdir}/pki/ocserv/server.tmpl
-fi
 
 %post
 %systemd_post ocserv.service
@@ -142,6 +116,8 @@ mkdir -p %{buildroot}/%{_unitdir}
 install -p -m 644 %{SOURCE2} %{buildroot}/%{_unitdir}
 mkdir -p %{buildroot}%{_localstatedir}/lib/ocserv/
 install -p -m 644 doc/profile.xml %{buildroot}%{_localstatedir}/lib/ocserv/
+mkdir -p %{buildroot}/%{_sbindir}
+install -p -m 755 %{SOURCE7} %{buildroot}/%{_sbindir}
 %make_install
 
 %clean
@@ -165,10 +141,14 @@ rm -rf %{buildroot}
 %{_bindir}/ocpasswd
 %{_bindir}/occtl
 %{_sbindir}/ocserv
+%{_sbindir}/ocserv-genkey
 %{_unitdir}/ocserv.service
 %{_localstatedir}/lib/ocserv/profile.xml
 
 %changelog
+* Mon Jun 02 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.8.0-2
+- Generate certificates and private keys before the first run
+
 * Mon Jun 02 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.8.0-1
 - New upstream release