deprecated/phpki-ng
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

More formatting

Browse Source
This commit is contained in:
John Crisp
2021-03-07 18:56:21 +01:00
parent 431786fa36
commit d95ee329f5
3 changed files with 398 additions and 400 deletions
Download Patch File Download Diff File Expand all files Collapse all files

385
setup.php-presetup
View File

@@ -262,60 +262,60 @@ switch ($stage) {
# PHPki CONFIGURATION FILE
# Automatically generated by PHPki. Edit at your own peril.
#
\$config['organization'] = '$organization';
\$config['unit'] = '$unit';
\$config['contact'] = '$contact';
\$config['locality'] = '$locality';
\$config['province'] = '$province';
\$config['country'] = '$country';
\$config['common_name'] = '$common_name';
\$config['organization'] = '$organization';
\$config['unit'] = '$unit';
\$config['contact'] = '$contact';
\$config['locality'] = '$locality';
\$config['province'] = '$province';
\$config['country'] = '$country';
\$config['common_name'] = '$common_name';
# Store Directory
\$config['store_dir'] = '$store_dir';
\$config['store_dir'] = '$store_dir';
# Location HTTP Password File
\$config['passwd_file'] = '$passwd_file';
\$config['passwd_file'] = '$passwd_file';
# Password for CA root certificate.
\$config['ca_pwd'] = '$passwd';
\$config['ca_pwd'] = '$passwd';
# Number of years the root certificate is good.
\$config['expiry'] = '$expiry';
\$config['expiry'] = '$expiry';
# CA certificate key size
\$config['keysize'] = '$keysize';
\$config['keysize'] = '$keysize';
# This is superimposed over the PHPki logo on each page.
\$config['header_title'] = '$header_title';
\$config['header_title'] = '$header_title';
# String to prefix cer and crl uploads
\$config['ca_prefix'] = '$ca_prefix';
\$config['ca_prefix'] = '$ca_prefix';
# Location of your OpenSSL binary.
\$config['openssl_bin'] = '$openssl_bin';
\$config['openssl_bin'] = '$openssl_bin';
# Base URL
\$config['base_url'] = '$base_url';
\$config['base_url'] = '$base_url';
# CRL Distribution points path
\$config['crl_distrib'] = '$crl_distrib';
\$config['crl_distrib'] = '$crl_distrib';
# Certificate Revocation URL
\$config['revoke_url'] = '$revoke_url';
\$config['revoke_url'] = '$revoke_url';
# Certificate Authority Policy URL
\$config['policy_url'] = '$policy_url';
\$config['policy_url'] = '$policy_url';
# Certificate Comment Fields
\$config['comment_root'] = '$comment_root';
\$config['comment_email'] = '$comment_email';
\$config['comment_email'] = '$comment_email';
\$config['comment_sign'] = '$comment_sign';
\$config['comment_srv'] = '$comment_srv';
\$config['comment_stamp'] = '$comment_stamp';
\$config['comment_srv'] = '$comment_srv';
\$config['comment_stamp'] = '$comment_stamp';
# Who users should contact if they have technical difficulty with
# your certificate authority site.
\$config['getting_help'] = '$getting_help';
\$config['getting_help'] = '$getting_help';
#
# You shouldn't change anything below this line. If you do, don't
@@ -331,17 +331,17 @@ switch ($stage) {
\$config['pfx_dir'] = \$config['ca_dir'] . '/pfx';
\$config['index'] = \$config['ca_dir'] . '/index.txt';
\$config['serial'] = \$config['ca_dir'] . '/serial';
\$config['random'] = \$config['ca_dir'] . '/.rnd';
\$config['random'] = \$config['ca_dir'] . '/.rnd';
\$config['cacrl_pem'] = \$config['crl_dir'] . '/cacrl.pem';
\$config['cacrl_der'] = \$config['crl_dir'] . '/cacrl.crl';
\$config['cacert_pem'] = \$config['cert_dir'] . '/cacert.pem';
\$config['cacrl_pem'] = \$config['crl_dir'] . '/cacrl.pem';
\$config['cacrl_der'] = \$config['crl_dir'] . '/cacrl.crl';
\$config['cakey'] = \$config['private_dir'] . '/cakey.pem';
# Default OpenSSL Config File.
\$config['openssl_cnf'] = \$config['home_dir'] . '/config/openssl.cnf';
# Define default md
\$config['default_md'] = 'sha512';
\$config['default_md'] = 'sha512';
\$PHPki_admins = Array(md5('admin'));
@@ -419,167 +419,166 @@ EOS;
$config_txt1 = "
HOME = $configHOME
RANDFILE = $configRANDFILE
dir = $configCa_dir
certs = $configCert_dir
crl_dir = $configCrl_dir
database = $configDatabase
new_certs_dir = $configNew_certs_dir
private_dir = $configPrivate_dir
serial = $configSerial
certificate = $configCacert_pem
crl = $configCacrl_pem
private_key = $configCakey
crl_extentions = crl_ext
default_days = 365
default_crl_days = 30
preserve = no
default_md = $configDefault_md
HOME = $configHOME
RANDFILE = $configRANDFILE
dir = $configCa_dir
certs = $configCert_dir
crl_dir = $configCrl_dir
database = $configDatabase
new_certs_dir = $configNew_certs_dir
private_dir = $configPrivate_dir
serial = $configSerial
certificate = $configCacert_pem
crl = $configCacrl_pem
private_key = $configCakey
crl_extentions = crl_ext
default_days = 365
default_crl_days = 30
preserve = no
default_md = $configDefault_md
[ ca ]
default_ca = email_cert
default_ca = email_cert
[ root_cert ]
x509_extensions = root_ext
default_days = 3650
policy = policy_supplied
x509_extensions = root_ext
default_days = 3650
policy = policy_supplied
[ email_cert ]
x509_extensions = email_ext
default_days = 365
policy = policy_supplied
x509_extensions = email_ext
default_days = 365
policy = policy_supplied
[ email_signing_cert ]
x509_extensions = email_signing_ext
default_days = 365
policy = policy_supplied
x509_extensions = email_signing_ext
default_days = 365
policy = policy_supplied
[ server_cert ]
x509_extensions = server_ext
default_days = 365
policy = policy_supplied
x509_extensions = server_ext
default_days = 365
policy = policy_supplied
[ vpn_cert ]
x509_extensions = vpn_client_server_ext
default_days = 365
policy = policy_supplied
x509_extensions = vpn_client_server_ext
default_days = 365
policy = policy_supplied
[ time_stamping_cert ]
x509_extensions = time_stamping_ext
default_days = 365
policy = policy_supplied
x509_extensions = time_stamping_ext
default_days = 365
policy = policy_supplied
[ policy_supplied ]
countryName = supplied
stateOrProvinceName = supplied
localityName = supplied
organizationName = supplied
organizationalUnitName = supplied
commonName = supplied
emailAddress = supplied
countryName = supplied
stateOrProvinceName = supplied
localityName = supplied
organizationName = supplied
organizationalUnitName = supplied
commonName = supplied
emailAddress = supplied
[ root_ext ]
basicConstraints = CA:true
keyUsage = cRLSign, keyCertSign
nsCertType = sslCA, emailCA, objCA
subjectKeyIdentifier = hash
subjectAltName = email:copy
crlDistributionPoints = URI:$configBase_url$configCrl_dist
nsComment = $configComment_root
#nsCaRevocationUrl =
nsCaPolicyUrl = $configBase_url$configPolicy_url
basicConstraints = CA:true
keyUsage = cRLSign, keyCertSign
nsCertType = sslCA, emailCA, objCA
subjectKeyIdentifier = hash
subjectAltName = email:copy
crlDistributionPoints = URI:$configBase_url$configCrl_dist
nsComment = $configComment_root
#nsCaRevocationUrl =
nsCaPolicyUrl = $configBase_url$configPolicy_url
[ email_ext ]
basicConstraints = critical, CA:false
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = critical, emailProtection, clientAuth
nsCertType = critical, client, email
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = email:copy
issuerAltName = issuer:copy
crlDistributionPoints = URI:$configBase_url$configCrl_dist
nsComment = $configComment_email
nsBaseUrl = $configBase_url
nsRevocationUrl = $configRevoke_url
#nsRenewalUrl =
nsCaPolicyUrl = $configBase_url$configPolicy_url
#nsSslServerName =
basicConstraints = critical, CA:false
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = critical, emailProtection, clientAuth
nsCertType = critical, client, email
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = email:copy
issuerAltName = issuer:copy
crlDistributionPoints = URI:$configBase_url$configCrl_dist
nsComment = $configComment_email
nsBaseUrl = $configBase_url
nsRevocationUrl = $configRevoke_url
#nsRenewalUrl =
nsCaPolicyUrl = $configBase_url$configPolicy_url
#nsSslServerName =
[ email_signing_ext ]
basicConstraints = critical, CA:false
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = critical, emailProtection, clientAuth, codeSigning
nsCertType = critical, client, email
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = email:copy
issuerAltName = issuer:copy
crlDistributionPoints = URI:$configBase_url$configCrl_dist
nsComment = $configComment_sign
nsBaseUrl = $configBase_url
nsRevocationUrl = $configRevoke_url
#nsRenewalUrl =
nsCaPolicyUrl = $configBase_url$configPolicy_url
#nsSslServerName =
basicConstraints = critical, CA:false
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = critical, emailProtection, clientAuth, codeSigning
nsCertType = critical, client, email
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = email:copy
issuerAltName = issuer:copy
crlDistributionPoints = URI:$configBase_url$configCrl_dist
nsComment = $configComment_sign
nsBaseUrl = $configBase_url
nsRevocationUrl = $configRevoke_url
#nsRenewalUrl =
nsCaPolicyUrl = $configBase_url$configPolicy_url
#nsSslServerName =
[ server_ext ]
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = server
extendedKeyUsage = critical, serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = $server_altnames
issuerAltName = issuer:copy
crlDistributionPoints = URI:$configBase_url$configCrl_dist
nsComment = $configComment_srv
nsBaseUrl = $configBase_url
nsRevocationUrl = $configRevoke_url
nsCaPolicyUrl = $configBase_url$configPolicy_url
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = server
extendedKeyUsage = critical, serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = $server_altnames
issuerAltName = issuer:copy
crlDistributionPoints = URI:$configBase_url$configCrl_dist
nsComment = $configComment_srv
nsBaseUrl = $configBase_url
nsRevocationUrl = $configRevoke_url
nsCaPolicyUrl = $configBase_url$configPolicy_url
[ time_stamping_ext ]
basicConstraints = CA:false
keyUsage = critical, nonRepudiation, digitalSignature
extendedKeyUsage = timeStamping
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = DNS:$common_name,email:copy
issuerAltName = issuer:copy
crlDistributionPoints = URI:$configBase_url$configCrl_dist
nsComment = $config[comment_stamp]
nsBaseUrl = $configBase_url
nsRevocationUrl = $configRevoke_url
nsCaPolicyUrl = $configBase_url$configPolicy_url
basicConstraints = CA:false
keyUsage = critical, nonRepudiation, digitalSignature
extendedKeyUsage = timeStamping
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = DNS:$common_name,email:copy
issuerAltName = issuer:copy
crlDistributionPoints = URI:$configBase_url$configCrl_dist
nsComment = $config[comment_stamp]
nsBaseUrl = $configBase_url
nsRevocationUrl = $configRevoke_url
nsCaPolicyUrl = $configBase_url$configPolicy_url
[ vpn_client_ext ]
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, clientAuth
nsCertType = critical, client
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = DNS:$common_name,email:copy
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, clientAuth
nsCertType = critical, client
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = DNS:$common_name,email:copy
[ vpn_server_ext ]
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth
nsCertType = critical, server
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = DNS:$common_name,email:copy
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth
nsCertType = critical, server
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = DNS:$common_name,email:copy
[ vpn_client_server_ext ]
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth, clientAuth
nsCertType = critical, server, client
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = DNS:$common_name,email:copy
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth, clientAuth
nsCertType = critical, server, client
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = DNS:$common_name,email:copy
[ crl_ext ]
issuerAltName=issuer:copy
@@ -589,36 +588,36 @@ authorityKeyIdentifier=keyid:always,issuer:always
$config_txt2 = <<< EOS
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_name
string_mask = nombstr
req_extensions = req_ext
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_name
string_mask = nombstr
req_extensions = req_ext
[ req_name]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default =
localityName = Locality Name (eg, city)
localityName_default =
localityName = Locality Name (eg, city)
localityName_default =
0.organizationName = Organization Name (eg, company)
0.organizationName = Organization Name (eg, company)
0.organizationName_default =
1.organizationName = Second Organization Name (eg, company)
1.organizationName = Second Organization Name (eg, company)
1.organizationName_default =
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default =
commonName = Common Name (eg, YOUR name)
commonName = Common Name (eg, YOUR name)
emailAddress = Email Address or Web URL
emailAddress = Email Address or Web URL
[ req_ext ]
basicConstraints = critical, CA:false
@@ -636,21 +635,21 @@ EOS;
$config_txt3 = <<< EOS
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_name
string_mask = nombstr
req_extensions = req_ext
prompt = no
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_name
string_mask = nombstr
req_extensions = req_ext
prompt = no
[ req_name ]
C = $configCountry
ST = $configProvince
L = $configLocality
O = $configOrganization
OU = $configUnit
CN = $configCommon_name
emailAddress = $configEmailaddress
C = $configCountry
ST = $configProvince
L = $configLocality
O = $configOrganization
OU = $configUnit
CN = $configCommon_name
emailAddress = $configEmailaddress
[ req_ext ]
basicConstraints = critical, CA:true
@@ -675,7 +674,7 @@ EOS;
fclose($fd);
#
# Intialize index.txt and serial files
# Initialize index.txt and serial files
#
$fd = fopen($config['index'], 'w');
fwrite($fd, "");
@@ -698,12 +697,12 @@ EOS;
$configOpenssl_cnf = $config['openssl_cnf'];
$configPrivate_dir = $config['private_dir'];
$configCacert_pem = $config['cacert_pem'];
$configCa_pwd = $config['ca_pwd'];
$configCakey = $config['cakey'];
$configRandom = $config['random'];
$configCacrl_der = $config['cacrl_der'];
$configCacrl_pem = $config['cacrl_pem'];
$configCacert_pem = $config['cacert_pem'];
$configCa_pwd = $config['ca_pwd'];
$configCakey = $config['cakey'];
$configRandom = $config['random'];
$configCacrl_der = $config['cacrl_der'];
$configCacrl_pem = $config['cacrl_pem'];
// .rnd created here
exec(REQ . " -x509 -config $tmp_cnf -extensions root_ext -newkey rsa:$keysize -keyout $configCakey -out $configCacert_pem -passout pass:'$configCa_pwd' -days $days 2>&1");