diff --git a/ca/main.php b/ca/main.php
index b4bcb63..2891a8e 100644
--- a/ca/main.php
+++ b/ca/main.php
@@ -10,6 +10,14 @@ $stage = gpvar('stage');
 switch($stage) {
+case 'dl_takey':
+ upload("$config[private_dir]/takey.pem", "$config[ca_prefix]takey.pem", 'application/octet-stream');
+ break;
+
+case 'dl_dhparam':
+ upload("$config[private_dir]/dhparam1024.pem", "$config[ca_prefix]dhparam1024.pem", 'application/octet-stream');
+ break;
+
 case 'dl_root':
  upload("$config[cacert_pem]", "$config[ca_prefix]cacert.crt", 'application/x-x509-ca-cert');
  break;
@@ -18,37 +26,81 @@ case 'dl_crl':
  upload("$config[cacrl_der]", "$config[ca_prefix]cacrl.crl", 'application/pkix-crl');
  break;
+case 'dl_crl_pem':
+ upload("$config[cacrl_pem]", "$config[ca_prefix]cacrl.crl", 'application/octet-stream');
+ break;
+
 case 'gen_crl':
- list($ret,$errtxt) = CA_generate_crl();
+ list($ret,$errtxt) = CA_generate_crl();
- printHeader(false);
+ printHeader(false);
+
+ if ($ret) {
+ ?>
+
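Review bot: The new `dl_takey` case hands out `takey.pem`, the OpenVPN tls-auth pre-shared key, through the same `upload()` path that serves the public root certificate, and nothing in this hunk gates it; that key is a symmetric secret shared by the server and every client, and whoever fetches it once can get past the HMAC gate in front of the VPN's TLS handshake. If `ca/main.php` is only reachable behind the web server's admin authentication that may be acceptable, but I would still put whatever access check the rest of this file uses explicitly at the top of this case and log the download, rather than relying on the directory layout. The hard-coded `dhparam1024.pem` name suggests 1024-bit DH parameters; if that is what the file holds it is below current guidance (2048 bits or more), so consider regenerating and making the file name a config entry rather than a literal. The `switch` enclosing these cases starts outside the hunk.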

Certificate Revocation List Updated

+

+

+ +
+ '.CA_crl_text().''; + } + else { + ?> + +

There was an error updating the Certificate Revocation List.


+
+

Debug Info:

+
+
+
+

+ +

+

+ +

OpenVPN pre-shared Key

+

+

+ +
+ '.ta_key_text().''; + break; + +case 'display_dhparam': + printHeader(false); + + ?> +

OpenVPN Diffie-Helman parameters

+

+

+ +
+ '.dhparam_text().''; + break; + +case 'display_root_pem': + printHeader(false); + + ?> +

Root certificate file (PEM Encoded)

+

+

+ +
+ '.root_pem_text().''; + break; - if ($ret) { - ?> -

Certificate Revocation List Updated

-

-

- -
- '.CA_crl_text().''; - } - else { - ?> - -

There was an error updating the Certificate Revocation List.


-
-

Debug Info:

-
-
-
-

- -

-

-
- + Update & View the Certificate Revocation List - Display the Root Certificate (PEM Encoded) + Download the Root Certificate

+ Display the Root Certificate (PEM Encoded) + Download the Certificate Revocation List

+ Download in PEM format. + browser application is optional. Some applications will automagically reference this list. + + + + + + + +
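Review bot: The branch headed "OpenVPN pre-shared Key" echoes `ta_key_text()` straight into the page with no `htmlspecialchars()` around it, and because that helper captures stderr (`2>&1`) a read failure puts `cat`'s error text, including the private directory path, into the HTML; wrap it as `echo htmlspecialchars(ta_key_text(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` and do the same for `dhparam_text()` and `root_pem_text()`. Since this page renders a shared secret, it should also be sent with `Cache-Control: no-store` (before any output, so ahead of `printHeader(false)` if that function does not already set it) so the key does not linger in browser or proxy caches. Separately, the `dl_crl_pem` case reuses the download name `cacrl.crl` that `dl_crl` already uses for the DER file; `"$config[ca_prefix]cacrl.pem"` would avoid the collision. The markup of this hunk is not fully visible here, so the exact echo lines are inferred from the `'.ta_key_text().'` fragment.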
diff --git a/include/openssl_functions.php b/include/openssl_functions.php
index 42174d5..16b8b8d 100644
--- a/include/openssl_functions.php
+++ b/include/openssl_functions.php
@@ -232,7 +232,7 @@ $alt_names
 # Write out the config file.
- $cnf_file = tempnam('./tmp','cnf-');
+ $cnf_file = tempnam('./tmp','cnf-'); // Why is this not in the phpki dir ? why ../../ ?
  $handle = fopen($cnf_file,"w");
  fwrite($handle, $cnf_contents);
  fclose($handle);
@@ -367,15 +367,43 @@ function CAdb_explode_entry($dbentry) {
  if (time() > strtotime("$mm-$dd-$yy")) $db['status'] = "Expired";
- $db['serial'] = $a[3];
- $db['country'] = $b[1];
- $db['province'] = $b[2];
- $db['locality'] = $b[3];
- $db['organization'] = $b[4];
- $db['issuer'] = $b[5];
- $db['unit'] = $b[6];
- $db['common_name'] = $b[7];
- $db['email'] = $b[8];
+
+ // Compatibility with migrated certs from openvpn-bridge
+ if(count($b) == 7){
+ $db['serial'] = $a[3];
+ $db['country'] = $b[1];
+ $db['province'] = $b[2];
+ $db['locality'] = '';
+ $db['organization'] = $b[3];
+ $db['issuer'] = '';
+ $db['unit'] = $b[4];
+ $db['common_name'] = $b[5];
+ $db['email'] = $b[6];
+ }
+ // Compatibility with renewed certs from openvpn-bridge
+ elseif(count($b) == 8){
+ $db['serial'] = $a[3];
+ $db['country'] = $b[1];
+ $db['province'] = $b[2];
+ $db['locality'] = $b[3];
+ $db['organization'] = $b[4];
+ $db['issuer'] = '';
+ $db['unit'] = $b[5];
+ $db['common_name'] = $b[6];
+ $db['email'] = $b[7];
+ }
+ // Else, it's a certificate created with phpki
+ else{
+ $db['serial'] = $a[3];
+ $db['country'] = $b[1];
+ $db['province'] = $b[2];
+ $db['locality'] = $b[3];
+ $db['organization'] = $b[4];
+ $db['issuer'] = $b[5];
+ $db['unit'] = $b[6];
+ $db['common_name'] = $b[7];
+ $db['email'] = $b[8];
+ }
  return $db;
 }
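Review bot: The comment added to the `tempnam('./tmp','cnf-')` line records a question instead of answering it, and the question matters: `./tmp` is resolved against the process's current working directory, and when that directory is missing or not writable `tempnam()` falls back to the system temp directory (with only a notice), so the generated OpenSSL config and the subject/alt-name data in `$cnf_contents` can end up in a shared, world-readable location. Anchor the path on `__DIR__` or on a configured directory and check the result with `if ($cnf_file === false) { ... }` before the `fopen()`. I would replace the added comment with `// TODO: anchor on __DIR__ or a configured dir; tempnam() silently falls back to the system tmp dir when './tmp' is unusable`. The enclosing function starts and ends outside the hunk.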
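Review bot: Choosing the field layout by `count($b)` is a positional guess, and the new branches fail silently when it is wrong: if `$b` comes from splitting the subject on a separator, any entry whose values contain that separator, or any migrated record with one extra component, lands in the wrong branch and every field from `locality` onward is misattributed without an error. If the components still carry their `C=`/`ST=`/`L=`/`O=`/`OU=`/`CN=`/`emailAddress=` prefixes, parse them by key so order and optional parts stop mattering; if the prefixes are already stripped, at least spell out the assumed layouts in the comments, e.g. `// openvpn-bridge migrated entry: /C/ST/O/OU/CN/emailAddress (no L, no issuer field)`, and treat a count other than 7, 8 or 9 as an error rather than letting the final `else` assume the phpki layout. The assignments to `serial`, `country` and `province` are identical in all three branches and can be hoisted above the `if`. `CAdb_explode_entry()` begins outside the hunk, so how `$a` and `$b` are produced is not visible here.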
@@ -431,6 +459,24 @@ function CA_crl_text() {
  return(shell_exec(CRL.' -in '.escshellarg($crlfile).' -text 2>&1'));
 }
+// Returns the static takey.pem file
+function ta_key_text() {
+ global $config;
+ return(shell_exec('cat '.escshellarg($config['private_dir']).'/takey.pem 2>&1'));
+}
+
+// Returns the dhparam file
+function dhparam_text() {
+ global $config;
+ return(shell_exec('cat '.escshellarg($config['private_dir']).'/dhparam1024.pem 2>&1'));
+}
+
+// Returns the root CA certificate file (PEM Encoded)
+function root_pem_text() {
+ global $config;
+ return(shell_exec('cat '.escshellarg($config['cacert_pem']).' 2>&1'));
+}
+
 //
 // Returns the subject of a certificate.
 //
diff --git a/main.php b/main.php
index e121c40..93201d6 100644
--- a/main.php
+++ b/main.php
@@ -32,6 +32,10 @@ case 'dl_crl':
  upload("$config[cacrl_der]", "$config[ca_prefix]cacrl.crl", 'application/pkix-crl');
  break;
+case 'dl_crl_pem':
+ upload("$config[cacrl_pem]", "$config[ca_prefix]cacrl.crl", 'application/octet-stream');
+ break;
+
 default:
  printHeader('public');
@@ -55,12 +59,14 @@ default:
?stage=display_root>Display Our Root Certificate (PEM Encoded) This option provides the "Root" certificate PEM encoded text for advanced users to manually install via copy and paste. Read the online help - to learn more about this. - + to learn more about this. + + ?stage=dl_crl>Download Our Certificate Revocation List The official list of certificates revoked by this site. Installation and use of - this list is optional. Some e-mail programs will reference this list automagically. + this list is optional. Some e-mail programs will reference this list automagically. + (Some will need it in PEM format.)
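Review bot: `ta_key_text()`, `dhparam_text()` and `root_pem_text()` spawn a shell and `cat` just to read a local file, and because of `2>&1` a read failure returns `cat`'s error message, including the private directory path, as if it were file content, which the callers then print. `file_get_contents()` does the same job with no shell and no stderr capture: `return file_get_contents($config['private_dir'].'/takey.pem');`, and likewise for `dhparam1024.pem` and `$config['cacert_pem']`; it returns `false` on failure, which callers should check instead of echoing. The `escshellarg()` wrapper is only needed while a shell is involved and can go with it. The docblock on `ta_key_text()` should also say that the return value is a shared secret, e.g. `// Returns the OpenVPN tls-auth key (a shared secret: do not log or cache the result)`.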
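Review bot: The new `dl_crl_pem` case in main.php offers the PEM-encoded CRL under the same download name, `cacrl.crl`, that `dl_crl` immediately above uses for the DER version, so a user who fetches both gets a name collision and tools that open `.crl` expecting DER will reject the PEM file. Give it a distinct name, `upload("$config[cacrl_pem]", "$config[ca_prefix]cacrl.pem", 'application/octet-stream');`, and make the matching change in the twin case in ca/main.php. Serving a CRL from what appears to be the public page (`printHeader('public')`) is fine; a CRL is signed and public by design. The `switch` containing this case starts outside the hunk.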