added alt_names for ssl vert
This commit is contained in:
majestick
@@ -5,11 +5,42 @@
|
||||
// File name is placed in ./tmp with a random name. It lingers unless
|
||||
// removed manually.
|
||||
//
|
||||
function CA_create_cnf($country='',$province='',$locality='',$organization='',$unit='',$common_name='',$email='',$keysize=4096) {
|
||||
function CA_create_cnf($country='',$province='',$locality='',$organization='',$unit='',$common_name='',$email='',$keysize=4096,$dns_names='',$ip_addr='') {
|
||||
global $config, $PHPki_user;
|
||||
|
||||
$issuer = $PHPki_user;
|
||||
$count_dns = 0;
|
||||
$count_ip = 0;
|
||||
$alt_names = "";
|
||||
|
||||
if (! $dns_names == '') {
|
||||
|
||||
$dns_n=explode("\n", $dns_names);
|
||||
$count_dns = $count_dns + 1;
|
||||
$alt_names .= "DNS.$count_dns = $common_name\n";
|
||||
|
||||
foreach ($dns_n as $value) {
|
||||
$count_dns = $count_dns + 1;
|
||||
$alt_names .= "DNS.$count_dns = ".trim($value)."\n";
|
||||
}
|
||||
}
|
||||
|
||||
if (! $ip_addr == '') {
|
||||
$ip_ar=explode("\n", $ip_addr);
|
||||
foreach ($ip_ar as $value) {
|
||||
$count_dns = $count_dns + 1;
|
||||
$count_ip = $count_ip + 1;
|
||||
$alt_names .= "DNS.$count_dns = ".trim($value)."\n";
|
||||
$alt_names .= "IP.$count_ip = ".trim($value)."\n";
|
||||
}
|
||||
}
|
||||
|
||||
if (($count_dns > 0) || ($count_ip > 0)) {
|
||||
$server_altnames = "@alt_names";
|
||||
} else {
|
||||
$server_altnames = "DNS:$common_name,email:copy";
|
||||
}
|
||||
|
||||
$cnf_contents = "
|
||||
HOME = $config[home_dir]
|
||||
RANDFILE = $config[random]
|
||||
@@ -104,7 +135,7 @@ subjectKeyIdentifier = hash
|
||||
subjectAltName = email:copy
|
||||
crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl
|
||||
nsComment = \"PHPki/OpenSSL Generated Root Certificate\"
|
||||
#nsCaRevocationUrl = ns_revoke_query.php?
|
||||
#nsCaRevocationUrl = $config[base_url]ns_revoke_query.php?$config[serial]
|
||||
nsCaPolicyUrl = $config[base_url]policy.html
|
||||
|
||||
[ email_ext ]
|
||||
@@ -119,7 +150,7 @@ issuerAltName = issuer:copy
|
||||
crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl
|
||||
nsComment = \"PHPki/OpenSSL Generated Personal Certificate\"
|
||||
nsBaseUrl = $config[base_url]
|
||||
nsRevocationUrl = ns_revoke_query.php?
|
||||
nsRevocationUrl = $config[base_url]ns_revoke_query.php?$config[serial]
|
||||
nsCaPolicyUrl = $config[base_url]policy.html
|
||||
|
||||
[ email_signing_ext ]
|
||||
@@ -134,7 +165,7 @@ issuerAltName = issuer:copy
|
||||
crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl
|
||||
nsComment = \"PHPki/OpenSSL Generated Personal Certificate\"
|
||||
nsBaseUrl = $config[base_url]
|
||||
nsRevocationUrl = ns_revoke_query.php?
|
||||
nsRevocationUrl = $config[base_url]ns_revoke_query.php?$config[serial]
|
||||
nsCaPolicyUrl = $config[base_url]policy.html
|
||||
|
||||
[ server_ext ]
|
||||
@@ -144,12 +175,12 @@ nsCertType = critical, server
|
||||
extendedKeyUsage = critical, serverAuth
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid:always, issuer:always
|
||||
subjectAltName = DNS:$common_name,email:copy
|
||||
subjectAltName = $server_altnames
|
||||
issuerAltName = issuer:copy
|
||||
crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl
|
||||
nsComment = \"PHPki/OpenSSL Generated Server Certificate\"
|
||||
nsBaseUrl = $config[base_url]
|
||||
nsRevocationUrl = ns_revoke_query.php?
|
||||
nsRevocationUrl = $config[base_url]ns_revoke_query.php?$config[serial]
|
||||
nsCaPolicyUrl = $config[base_url]policy.html
|
||||
|
||||
[ time_stamping_ext ]
|
||||
@@ -163,7 +194,7 @@ issuerAltName = issuer:copy
|
||||
crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl
|
||||
nsComment = \"PHPki/OpenSSL Generated Time Stamping Certificate\"
|
||||
nsBaseUrl = $config[base_url]
|
||||
nsRevocationUrl = ns_revoke_query.php?
|
||||
nsRevocationUrl = $config[base_url]ns_revoke_query.php?$config[serial]
|
||||
|
||||
[ vpn_client_ext ]
|
||||
basicConstraints = critical, CA:false
|
||||
@@ -191,8 +222,12 @@ nsCertType = critical, server, client
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid:always, issuer:always
|
||||
subjectAltName = DNS:$common_name,email:copy
|
||||
|
||||
[alt_names]
|
||||
$alt_names
|
||||
";
|
||||
|
||||
|
||||
# Write out the config file.
|
||||
$cnf_file = tempnam('./tmp','cnf-');
|
||||
$handle = fopen($cnf_file,"w");
|
||||
@@ -466,7 +501,7 @@ function CA_revoke_cert($serial) {
|
||||
//
|
||||
// Returns an array containing the output of failed openssl commands.
|
||||
//
|
||||
function CA_create_cert($cert_type='email',$country,$province,$locality,$organization,$unit,$common_name,$email,$expiry,$passwd,$keysize=1024) {
|
||||
function CA_create_cert($cert_type='email',$country,$province,$locality,$organization,$unit,$common_name,$email,$expiry,$passwd,$keysize=1024,$dns_names,$ip_addr) {
|
||||
global $config;
|
||||
|
||||
# Wait here if another user has the database locked.
|
||||
@@ -484,7 +519,7 @@ function CA_create_cert($cert_type='email',$country,$province,$locality,$organiz
|
||||
|
||||
$expiry_days = round($expiry * 365.25, 0);
|
||||
|
||||
$cnf_file = CA_create_cnf($country,$province,$locality,$organization,$unit,$common_name,$email,$keysize);
|
||||
$cnf_file = CA_create_cnf($country,$province,$locality,$organization,$unit,$common_name,$email,$keysize,$dns_names,$ip_addr);
|
||||
|
||||
# Escape certain dangerous characters in user input
|
||||
$email = escshellcmd($email);
|
||||
|
||||
Reference in New Issue
Block a user