Add Openvpn certificate handling
84
ca/main.php
84
ca/main.php
@@ -10,6 +10,14 @@ $stage = gpvar('stage');
|
||||
|
||||
switch($stage) {
|
||||
|
||||
case 'dl_takey':
|
||||
upload("$config[private_dir]/takey.pem", "$config[ca_prefix]takey.pem", 'application/octet-stream');
|
||||
break;
|
||||
|
||||
case 'dl_dhparam':
|
||||
upload("$config[private_dir]/dhparam1024.pem", "$config[ca_prefix]dhparam1024.pem", 'application/octet-stream');
|
||||
break;
|
||||
|
||||
case 'dl_root':
|
||||
upload("$config[cacert_pem]", "$config[ca_prefix]cacert.crt", 'application/x-x509-ca-cert');
|
||||
break;
|
||||
@@ -18,6 +26,10 @@ case 'dl_crl':
|
||||
upload("$config[cacrl_der]", "$config[ca_prefix]cacrl.crl", 'application/pkix-crl');
|
||||
break;
|
||||
|
||||
case 'dl_crl_pem':
|
||||
upload("$config[cacrl_pem]", "$config[ca_prefix]cacrl.crl", 'application/octet-stream');
|
||||
break;
|
||||
|
||||
case 'gen_crl':
|
||||
list($ret,$errtxt) = CA_generate_crl();
|
||||
|
||||
@@ -47,9 +59,49 @@ case 'gen_crl':
|
||||
<p>
|
||||
</form>
|
||||
<?php
|
||||
}
|
||||
}
|
||||
break;
|
||||
|
||||
case 'display_takey':
|
||||
printHeader(false);
|
||||
|
||||
?>
|
||||
<center><h2>OpenVPN pre-shared Key</h2></center>
|
||||
<p>
|
||||
<form action="<?php echo $PHP_SELF?>" method="post">
|
||||
<input type=submit name=submit value="Back to Menu">
|
||||
</form>
|
||||
<?php
|
||||
print '<pre>'.ta_key_text().'</pre>';
|
||||
break;
|
||||
|
||||
case 'display_dhparam':
|
||||
printHeader(false);
|
||||
|
||||
?>
|
||||
<center><h2>OpenVPN Diffie-Helman parameters</h2></center>
|
||||
<p>
|
||||
<form action="<?php echo $PHP_SELF?>" method="post">
|
||||
<input type=submit name=submit value="Back to Menu">
|
||||
</form>
|
||||
<?php
|
||||
print '<pre>'.dhparam_text().'</pre>';
|
||||
break;
|
||||
|
||||
case 'display_root_pem':
|
||||
printHeader(false);
|
||||
|
||||
?>
|
||||
<center><h2>Root certificate file (PEM Encoded)</h2></center>
|
||||
<p>
|
||||
<form action="<?php echo $PHP_SELF?>" method="post">
|
||||
<input type=submit name=submit value="Back to Menu">
|
||||
</form>
|
||||
<?php
|
||||
print '<pre>'.root_pem_text().'</pre>';
|
||||
break;
|
||||
|
||||
|
||||
default:
|
||||
printHeader('ca');
|
||||
?>
|
||||
@@ -57,7 +109,6 @@ default:
|
||||
<br>
|
||||
<center>
|
||||
<table class=menu width=600><th class=menu colspan=2><big>CERTIFICATE MANAGEMENT MENU</big></th>
|
||||
|
||||
<tr><td style="text-align: center; vertical-align: middle; font-weight: bold;" width=33%>
|
||||
<a href=request_cert.php>Create a New Certificate</a></td>
|
||||
<td>Use the <strong><cite>Certificate Request Form</cite></strong> to create and download new digital certificates.
|
||||
@@ -70,23 +121,42 @@ default:
|
||||
<strong><cite>Certificate Management Control Panel</cite></strong>.</td></tr>
|
||||
|
||||
<tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
|
||||
<a href="<?php echo $PHP_SELF?>"?stage="gen_crl">Update & View the Certificate Revocation List</a></td>
|
||||
<a href='<?php echo $PHP_SELF?>?stage=gen_crl'>Update & View the Certificate Revocation List</a></td>
|
||||
<td>Some applications automagically reference the Certificate Revocation List to determine
|
||||
certificate validity. It is not necessary to perform this update function, as the CRL is
|
||||
updated when certificates are revoked. However, doing so is harmless.
|
||||
<a href=../help.php target=_help>Read the online help</a> to learn more about this.</td></tr>
|
||||
|
||||
<tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
|
||||
<a href="<?php echo $PHP_SELF?>"?stage="dl_root">Download the Root Certificate</a></td>
|
||||
<a href="<?php echo $PHP_SELF?>"?stage="display_root_pem">Display the Root Certificate (PEM Encoded)</a></td>
|
||||
<a href='<?php echo $PHP_SELF?>?stage=dl_root'>Download the Root Certificate</a><br><br>
|
||||
<a href='<?php echo $PHP_SELF?>?stage=display_root_pem'>Display the Root Certificate (PEM Encoded)</a></td>
|
||||
<td>The "Root" certificate must be installed before using any of the
|
||||
certificates issued here. <a href=../help.php target=_help>Read the online help</a>
|
||||
to learn more about this.</td></tr>
|
||||
|
||||
<tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
|
||||
<a href="<?php echo $PHP_SELF?>"?stage="dl_crl">Download the Certificate Revocation List</a></td>
|
||||
<a href='<?php echo $PHP_SELF?>?stage=dl_crl'>Download the Certificate Revocation List</a><br><br>
|
||||
<a href='<?php echo $PHP_SELF?>?stage=dl_crl_pem'>Download in PEM format.</a></td>
|
||||
<td>This is the official list of revoked certificates. Using this list with your e-mail or
|
||||
browser application is optional. Some applications will automagically reference this list. </td></tr>
|
||||
browser application is optional. Some applications will automagically reference this list.</td></tr>
|
||||
<?php
|
||||
if (file_exists($config[private_dir] . '/takey.pem')) {
|
||||
?>
|
||||
<tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
|
||||
<a href='<?php echo $PHP_SELF?>?stage=dl_takey'>Download the static pre-shared key</a><br><br>
|
||||
<a href='<?php echo $PHP_SELF?>?stage=display_takey'>Display the static pre-shared key</a></td>
|
||||
<td>This key can be used with OpenVPN as a standalone auth mechanism, or as an additional TLS authentication.</td></tr>
|
||||
<?php }
|
||||
?>
|
||||
<?php if (file_exists ($config[private_dir] . '/dhparam1024.pem')) {
|
||||
?>
|
||||
<tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
|
||||
<a href='<?php echo $PHP_SELF?>?stage=dl_dhparam'>Download the Diffie-Hellman parameters</a><br><br>
|
||||
<a href='<?php echo $PHP_SELF?>?stage=display_dhparam'>Display the Diffie-Hellman parameters</a></td>
|
||||
<td>This file is used by OpenVPN for the hand-shake. The Diffie-Hellman key agreement
|
||||
protocol enables two communication partners to exchange a secret key safely.</td></tr>
|
||||
<?php }
|
||||
?>
|
||||
|
||||
</table>
|
||||
</center>
|
||||
|
@@ -232,7 +232,7 @@ $alt_names
|
||||
|
||||
|
||||
# Write out the config file.
|
||||
$cnf_file = tempnam('./tmp','cnf-');
|
||||
$cnf_file = tempnam('./tmp','cnf-'); // Why is this not in the phpki dir ? why ../../ ?
|
||||
$handle = fopen($cnf_file,"w");
|
||||
fwrite($handle, $cnf_contents);
|
||||
fclose($handle);
|
||||
@@ -367,6 +367,33 @@ function CAdb_explode_entry($dbentry) {
|
||||
if (time() > strtotime("$mm-$dd-$yy"))
|
||||
$db['status'] = "Expired";
|
||||
|
||||
|
||||
// Compatibility with migrated certs from openvpn-bridge
|
||||
if(count($b) == 7){
|
||||
$db['serial'] = $a[3];
|
||||
$db['country'] = $b[1];
|
||||
$db['province'] = $b[2];
|
||||
$db['locality'] = '';
|
||||
$db['organization'] = $b[3];
|
||||
$db['issuer'] = '';
|
||||
$db['unit'] = $b[4];
|
||||
$db['common_name'] = $b[5];
|
||||
$db['email'] = $b[6];
|
||||
}
|
||||
// Compatibility with renewed certs from openvpn-bridge
|
||||
elseif(count($b) == 8){
|
||||
$db['serial'] = $a[3];
|
||||
$db['country'] = $b[1];
|
||||
$db['province'] = $b[2];
|
||||
$db['locality'] = $b[3];
|
||||
$db['organization'] = $b[4];
|
||||
$db['issuer'] = '';
|
||||
$db['unit'] = $b[5];
|
||||
$db['common_name'] = $b[6];
|
||||
$db['email'] = $b[7];
|
||||
}
|
||||
// Else, it's a certificate created with phpki
|
||||
else{
|
||||
$db['serial'] = $a[3];
|
||||
$db['country'] = $b[1];
|
||||
$db['province'] = $b[2];
|
||||
@@ -376,6 +403,7 @@ function CAdb_explode_entry($dbentry) {
|
||||
$db['unit'] = $b[6];
|
||||
$db['common_name'] = $b[7];
|
||||
$db['email'] = $b[8];
|
||||
}
|
||||
|
||||
return $db;
|
||||
}
|
||||
@@ -431,6 +459,24 @@ function CA_crl_text() {
|
||||
return(shell_exec(CRL.' -in '.escshellarg($crlfile).' -text 2>&1'));
|
||||
}
|
||||
|
||||
// Returns the static takey.pem file
|
||||
function ta_key_text() {
|
||||
global $config;
|
||||
return(shell_exec('cat '.escshellarg($config['private_dir']).'/takey.pem 2>&1'));
|
||||
}
|
||||
|
||||
// Returns the dhparam file
|
||||
function dhparam_text() {
|
||||
global $config;
|
||||
return(shell_exec('cat '.escshellarg($config['private_dir']).'/dhparam1024.pem 2>&1'));
|
||||
}
|
||||
|
||||
// Returns the root CA certificate file (PEM Encoded)
|
||||
function root_pem_text() {
|
||||
global $config;
|
||||
return(shell_exec('cat '.escshellarg($config['cacert_pem']).' 2>&1'));
|
||||
}
|
||||
|
||||
//
|
||||
// Returns the subject of a certificate.
|
||||
//
|
||||
|
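Review bot: `ta_key_text()` (and `dhparam_text()` and `root_pem_text()` in the same hunk) read a local file by running `cat` through `shell_exec` with `2>&1`, so whatever `cat` prints on failure — including the `private_dir` path — lands inside the `<pre>` of the `display_takey` page, and the file text is concatenated into the page by `print` without passing through `htmlspecialchars`. A plain read does the same job without a shell, `return file_get_contents($config['private_dir'].'/takey.pem');`, with the `display_takey` case printing `'<pre>'.htmlspecialchars(ta_key_text()).'</pre>'` and a `false` return handled explicitly instead of being concatenated. The `dl_takey` and `dl_dhparam` cases in the first hunk also lack the `file_exists` check the menu hunk applies before showing the links, so what `upload()` does with a missing path decides whether those stages fail cleanly; `upload()` is not part of this diff. This assumes `printHeader(false)` keeps the same access control as the rest of ca/main.php, which is not visible here.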
10
main.php
10
main.php
@@ -32,6 +32,10 @@ case 'dl_crl':
|
||||
upload("$config[cacrl_der]", "$config[ca_prefix]cacrl.crl", 'application/pkix-crl');
|
||||
break;
|
||||
|
||||
case 'dl_crl_pem':
|
||||
upload("$config[cacrl_pem]", "$config[ca_prefix]cacrl.crl", 'application/octet-stream');
|
||||
break;
|
||||
|
||||
default:
|
||||
printHeader('public');
|
||||
|
||||
@@ -55,12 +59,14 @@ default:
|
||||
<a href=<?php echo $PHP_SELF?>?stage=display_root>Display Our Root Certificate (PEM Encoded)</a></td>
|
||||
<td>This option provides the "Root" certificate PEM encoded text for advanced users
|
||||
to manually install via copy and paste. <a href=help.php target=_help>Read the online help</a>
|
||||
to learn more about this.</td></tr>
|
||||
to learn more about this.</td>
|
||||
|
||||
<tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
|
||||
|
||||
<a href=<?php echo $PHP_SELF?>?stage=dl_crl>Download Our Certificate Revocation List</a></td>
|
||||
<td>The official list of certificates revoked by this site. Installation and use of
|
||||
this list is optional. Some e-mail programs will reference this list automagically. </td></tr>
|
||||
this list is optional. Some e-mail programs will reference this list automagically.
|
||||
(<a href="<?php echo $PHP_SELF?>?stage=dl_crl_pem">Some will need it in PEM format.</a>)</td></tr>
|
||||
|
||||
</table>
|
||||
</center>
|
||||
|
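Review bot: The new `dl_crl_pem` case hands the PEM file to `upload()` under the same download name `"$config[ca_prefix]cacrl.crl"` that the DER `dl_crl` case uses, so a user who fetches both gets two differently encoded files with one name; the identical line is added in ca/main.php. Giving the PEM variant its own name, e.g. `upload("$config[cacrl_pem]", "$config[ca_prefix]cacrl.pem", 'application/octet-stream');`, keeps the two downloads apart. In the menu hunk the replacement line `to learn more about this.</td>` also drops the `</tr>` the old line carried, so that row now seems to be closed only implicitly by the following `<tr>`; worth confirming this is intended, since which of the neighbouring lines are new is not fully recoverable from this rendering.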