+
+sub regenerate_host_certificate() {
+ my $errormessage = "";
+
+ &General::log("ipsec", "Regenerating host certificate...");
+
+ # Create a CSR based on the existing certificate
+ my $opt = " x509 -x509toreq -copy_extensions copyall";
+ $opt .= " -signkey ${General::swroot}/certs/hostkey.pem";
+ $opt .= " -in ${General::swroot}/certs/hostcert.pem";
+ $opt .= " -out ${General::swroot}/certs/hostreq.pem";
+ $errormessage = &callssl($opt);
+
+ # Revoke the old certificate
+ if (!$errormessage) {
+ &General::log("ipsec", "Revoking the old host cert...");
+
+ my $opt = " ca -revoke ${General::swroot}/certs/hostcert.pem";
+ $errormessage = &callssl($opt);
+ }
+
+ # Sign the host certificate request
+ if (!$errormessage) {
+ &General::log("ipsec", "Self signing host cert...");
+
+ my $opt = " ca -md sha256 -days 825";
+ $opt .= " -batch -notext";
+ $opt .= " -in ${General::swroot}/certs/hostreq.pem";
+ $opt .= " -out ${General::swroot}/certs/hostcert.pem";
+ $errormessage = &callssl ($opt);
+
+ unlink ("${General::swroot}/certs/hostreq.pem"); #no more needed
+ }
+
+ # Reload the new certificate
+ if (!$errormessage) {
+ &General::system('/usr/local/bin/ipsecctrl', 'R');
+ }
+
+ return $errormessage;
+}