diff --git a/phpki.spec b/phpki.spec
index 8073ad2..0a94bb5 100644
--- a/phpki.spec
+++ b/phpki.spec
@@ -1,10 +1,10 @@
-# $Id: phpki-ng.spec,v 1.4 2018/11/17 13:20:42 jcrisp Exp $
+# $Id: phpki.spec,v 1.4 2018/11/17 13:20:42 jcrisp Exp $
 # Authority: vip-ire
 # Name: Daniel Berteaud
 %define name phpki
 %define version 0.84
-%define release 12
+%define release 17
 Summary: Phpki is a simple certificate management suite
 Name: %{name}
 Version: %{version}
@@ -14,14 +14,16 @@ URL: http://sourceforge.net/projects/phpki/
 Group: SMEserver/addon
 #wget http://www.fooweb.com/downloads/foo-3.6.431.tar.gz
 Source: %{name}-%{version}.tar.gz
-Patch1: phpki-ng-0.84-fix-for-php74-code-tidy.patch
-Patch2: phpki-ng-0.84-fix-pregmatch-revoke-certs.patch
-Patch3: phpki-ng-0.84-fix-crl.patch
-Patch4: phpki-ng-0.84-fix-missing-slash-certtype-detection.patch
-Patch5: phpki-ng-0.84-fix-html-directory-check.patch
-Patch6: phpki-ng-0.84-fix-download-cert.patch
-Patch7: phpki-ng-0.84-fix-html-syntax-in-help.patch
-Patch8: phpki-ng-0.84-fix-final-redirect.patch
+#Patch1: phpki-ng-0.84-fix-for-php74-code-tidy.patch
+#Patch2: phpki-ng-0.84-fix-pregmatch-revoke-certs.patch
+#Patch3: phpki-ng-0.84-fix-crl.patch
+#Patch4: phpki-ng-0.84-fix-missing-slash-certtype-detection.patch
+#Patch5: phpki-ng-0.84-fix-html-directory-check.patch
+#Patch6: phpki-ng-0.84-fix-download-cert.patch
+#Patch7: phpki-ng-0.84-fix-html-syntax-in-help.patch
+#Patch8: phpki-ng-0.84-fix-final-redirect.patch
+#Patch9: phpki-ng-bz12272-bz12273-crl-whitespacepass.patch
+#Patch10: phpki-ng-bz12274-regex-secu.patch
 BuildArch: noarch
 BuildRoot: /var/tmp/%{name}-%{version}
@@ -44,6 +46,24 @@ With it, you may create and centrally manage X.509 certificates for use with S/M
 e-mail clients, SSL servers, and VPN applications.
 %changelog
+* Thu Sep 11 2025 Jean-Philippe Pialasse 0.84-17.sme
+- import from SME10 CVS and rename back to phpki
+
+* Sat Dec 17 2022 Jean-Philippe Pialasse 0.84-16.sme
+- add dl_crl_pem.php [SME: 12272]
+
+* Wed Dec 14 2022 Jean-Philippe Pialasse 0.84-15.sme
+- fix regex and potential code injection [SME: 12274]
+
+* Wed Dec 14 2022 Jean-Philippe Pialasse 0.84-14.sme
+- add easy and safe access to crl download [SME: 12272]
+- fix revoke certificate failing on whitespace pass [SME: 12273]
+- fix missing default_md in config.php from previous versions [SME: 12267]
+- updated scriptlet to ease backup and restore
+
+* Fri Nov 18 2022 Jean-Philippe Pialasse 0.84-13.sme
+- remove extra space in URL in search.php [SME: 12232]
+
 * Thu Sep 30 2021 John Crisp 0.84-12.sme
 - Attempt to fix the final reload after CA creation [SME: 11192]
@@ -198,14 +218,6 @@ e-mail clients, SSL servers, and VPN applications.
 %prep
 %setup -c -n %{name}
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
 %build
 %{__mkdir_p} root/opt/phpki/html
diff --git a/root/README.md b/root/README.md
index 5808598..4975e67 100644
--- a/root/README.md
+++ b/root/README.md
@@ -10,7 +10,7 @@ No one appears to be maintaining this and I find it very handy.
 I discovered some issues and there are some additional bits we have for OpenVPN (if installed) at Koozali SME server so I thought I'd incorporate them in as well.
-It tries to detect if it is installed on Koozali which needs a couple of small mods, and if openvpn is installed it will create a takey.
+It tries to detect if it is installed on Koozali whcih needs a couple of small mods, and if openvpn is installed it wil create a takey.
 Note... YMMV....
diff --git a/root/ca/request_cert.php b/root/ca/request_cert.php
index 1b0a4f7..e9c10aa 100644
--- a/root/ca/request_cert.php +++ b/root/ca/request_cert.php @@ -207,29 +207,29 @@ switch ($form_stage) {

Are you sure? After creation you will be returned to the Create Certificate dialogue.

- - - -   - -
+ + +   +   + + - '; - fwrite($fp, $x); - fclose($fp); + # Save user's defaults + $fp = fopen($user_cnf, 'w'); + $x = ''; + fwrite($fp, $x); + fclose($fp); break; @@ -263,27 +263,21 @@ switch ($form_stage) { } } - - // This section is disabled in the form above - // If we do Download it does not return to Create New cert - // I believe this is because the upload function messes the http headers - // There may be a solution but I haven't got one - if ($submit == "Yes. Create and Download") { switch ($cert_type) { case 'server': - # upload(array("$config[private_dir]/$serial-key.pem","$config[new_certs_dir]/$serial.pem",$config['cacert_pem']), "$common_name ($email).pem",'application/pkix-cert'); + # upload(array("$config[private_dir]/$serial-key.pem","$config[new_certs_dir]/$serial.pem",$config['cacert_pem']), "$common_name ($email).pem",'application/pkix-cert'); upload(array($config['private_dir'] . "/$serial-key.pem",$config['new_certs_dir'] . "/$serial.pem",$config['cacert_pem']), $rec['common_name'] . "-Bundle.pem", 'application/pkix-cert'); - break; # << Here + break; case 'email': case 'email_signing': case 'time_stamping': case 'vpn_client_server': case 'vpn_client': case 'vpn_server': - # upload("$config[pfx_dir]/$serial.pfx", "$common_name ($email).p12", 'application/x-pkcs12'); + # upload("$config[pfx_dir]/$serial.pfx", "$common_name ($email).p12", 'application/x-pkcs12'); upload($config['pfx_dir'] . "/$serial.pfx", $rec['common_name'] . ".p12", 'application/x-pkcs12'); - break; # << here + break; } # Clear common_name fields diff --git a/root/dl_crl.php b/root/dl_crl.php new file mode 100644 index 0000000..3993a1c --- /dev/null +++ b/root/dl_crl.php @@ -0,0 +1,8 @@ + diff --git a/root/dl_crl_pem.php b/root/dl_crl_pem.php new file mode 100644 index 0000000..d525b9c --- /dev/null +++ b/root/dl_crl_pem.php @@ -0,0 +1,8 @@ + diff --git a/root/help.php b/root/help.php index b7b96cc..2091f1a 100644 --- a/root/help.php +++ b/root/help.php 
@@ -11,7 +11,6 @@ printHeader(about);

Installing Our Root Certificate For Use With Outlook and Outlook Express

Installing Your Personal E-mail Certificate For Use With Outlook and Outlook Express

Glossary

- &1", $cmd_output, $ret); + exec(CA." -config $configOpenssl_cnf -revoke ".escshellarg($certfile)." -passin pass:'$configCa_pwd' 2>&1", $cmd_output, $ret); if ($ret == 0) { unset($cmd_output); @@ -652,7 +652,7 @@ function CA_create_cert($cert_type = 'email', $country, $province, $locality, $o $cmd_output[] = 'Creating certificate request.'; if (($_passwd) && ($_passwd != "''")) { - exec(REQ." -new -newkey rsa:$keysize -keyout '$userkey' -out '$userreq' -config '$cnf_file' -days '$expiry_days' -passout pass:$_passwd 2>&1", $cmd_output, $ret); + exec(REQ." -new -newkey rsa:$keysize -keyout '$userkey' -out '$userreq' -config '$cnf_file' -days '$expiry_days' -passout pass:'$_passwd' 2>&1", $cmd_output, $ret); } else { exec(REQ." -new -newkey rsa:$keysize -keyout '$userkey' -out '$userreq' -config '$cnf_file' -days '$expiry_days' -nodes 2>&1", $cmd_output, $ret); } @@ -681,8 +681,8 @@ function CA_create_cert($cert_type = 'email', $country, $province, $locality, $o $configRandom = $config['random']; if (($_passwd) && ($_passwd != "''")) { - $cmd_output[] = "infile: $usercert keyfile: $userkey outfile: $userpfx pass: $_passwd"; - exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$configCacert_pem' -caname '$configOrganization' -out '$userpfx' -name $friendly_name -rand '$configRandom' -passin pass:$_passwd -passout pass:$_passwd 2>&1", $cmd_output, $ret); + $cmd_output[] = "infile: $usercert keyfile: $userkey outfile: $userpfx pass:'$_passwd'"; + exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$configCacert_pem' -caname '$configOrganization' -out '$userpfx' -name $friendly_name -rand '$configRandom' -passin pass:'$_passwd' -passout pass:'$_passwd' 2>&1", $cmd_output, $ret); } else { $cmd_output[] = "infile: $usercert keyfile: $userkey outfile: $userpfx"; // reetp - this needs looking at 
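Review bot: The `exec(REQ ...)` line added in the @@ -652 hunk of CA_create_cert, and the `exec(PKCS12 ...)` lines in @@ -681 and in the @@ -823 hunk of CA_renew_cert on the next line, wrap `$_passwd` in hand-written single quotes; that handles whitespace, but a passphrase containing `'` still closes the quoted word and the remainder is interpreted by the shell. The guard `$_passwd != "''"` compares against exactly what `escapeshellarg('')` returns, so the value may already be escaped upstream — in that case the added quotes double-quote it and `-passout pass:$_passwd` was the correct form; if it is not escaped, build the option as `" -passout pass:" . escapeshellarg($_passwd)` (likewise for `-passin`) instead of interpolating it between literal quotes. The `$cmd_output[] = "infile: ... pass:'$_passwd'"` diagnostics in @@ -681 and @@ -823 still record the private-key passphrase next to the command output; dropping the `pass:` fragment keeps the secret out of whatever later displays or stores `$cmd_output`. In the revoke hunk that opens above this view, the new line calls `escshellarg($certfile)`; unless that is a project helper it looks like a typo of `escapeshellarg` and would fail at call time. The enclosing functions begin and end outside these hunks.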
@@ -823,8 +823,8 @@ function CA_renew_cert($old_serial, $expiry, $passwd) unset($cmd_output); $cmd_output[] = "Creating PKCS12 format certificate."; if (($_passwd) && ($_passwd != "''")) { - $cmd_output[] = "infile: $usercert keyfile: $userkey outfile: $userpfx pass: $_passwd"; - exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$configCacert_pem' -caname '$configOrganization' -out '$userpfx' -name $friendly_name -rand '$configRandom' -passin pass:$_passwd -passout pass:$_passwd 2>&1", $cmd_output, $ret); + $cmd_output[] = "infile: $usercert keyfile: $userkey outfile: $userpfx pass:'$_passwd'"; + exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$configCacert_pem' -caname '$configOrganization' -out '$userpfx' -name $friendly_name -rand '$configRandom' -passin pass:'$_passwd' -passout pass:'$_passwd' 2>&1", $cmd_output, $ret); } else { $cmd_output[] = "infile: $usercert keyfile: $userkey outfile: $userpfx"; // reetp - this needs looking at diff --git a/root/index.php b/root/index.php deleted file mode 100644 index 42f85a9..0000000 --- a/root/index.php +++ /dev/null @@ -1 +0,0 @@ -readme.php \ No newline at end of file diff --git a/root/index.php b/root/index.php new file mode 120000 index 0000000..42f85a9 --- /dev/null +++ b/root/index.php @@ -0,0 +1 @@ +readme.php \ No newline at end of file diff --git a/root/ns_revoke_query.php b/root/ns_revoke_query.php index bd1e2a1..4d967a6 100644 --- a/root/ns_revoke_query.php +++ b/root/ns_revoke_query.php 
@@ -16,13 +16,16 @@
 # include('./config.php');
 include(STORE_DIR.'/config/config.php');
-
-$serial = escapeshellcmd(trim($_SERVER['QUERY_STRING']));
+$serial=trim($_SERVER['QUERY_STRING']);
+if ( ! is_numeric($serial) ) {
+ # if it is not a numerical serial, then it is not revoked!
+ print '0';
+ exit;
+}
+$serial = escapeshellcmd($serial);
 #header("Content-type: application/x-netscape-revocation");
-# old Reg Ex doesnt work, new should do the work
-#$regexp = "^R\t.*\t.*\t$serial\t.*\t.*$";
-$regexp = "^R.*$serial.*$";
+$regexp = "^R\t.*\t.*\t$serial\t.*\t.*$";
 $configIndex = $config['index'];
 if (exec("egrep '$regexp' '$configIndex'")) {
diff --git a/root/openssl.cnf b/root/openssl.cnf
index cf637c7..c17d398 100644
--- a/root/openssl.cnf
+++ b/root/openssl.cnf
@@ -60,7 +60,7 @@ keyUsage = cRLSign, keyCertSign
 nsCertType = sslCA, emailCA, objCA
 subjectKeyIdentifier = hash
 subjectAltName = email:copy
-crlDistributionPoints = URI:http://www.somewhere.com/phpki/index.php?stage=dl_crl
+crlDistributionPoints = URI:http://www.somewhere.com/phpki/dl_crl.php
 nsComment = "PHPki/OpenSSL Generated Root Certificate Authority"
 #nsCaRevocationUrl = ns_revoke_query.php?
 nsCaPolicyUrl = http://www.somewhere.com/phpki/policy.html
@@ -74,7 +74,7 @@ subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always, issuer:always
 subjectAltName = email:copy
 issuerAltName = issuer:copy
-crlDistributionPoints = URI:http://www.somewhere.com/phpki/index.php?stage=dl_crl
+crlDistributionPoints = URI:http://www.somewhere.com/phpki/dl_crl.php
 nsComment = "PHPki/OpenSSL Generated Personal Certificate"
 nsBaseUrl = http://www.somewhere.com/phpki/
 nsRevocationUrl = ns_revoke_query.php?
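Review bot: The `is_numeric($serial)` gate added to ns_revoke_query.php does not match the field it is later compared against: it accepts numeric forms such as `1e3`, `+5` or `.5`, and it rejects any hexadecimal serial, which is how OpenSSL records serials in index.txt, so a serial like `0A` would always be answered with `0` (not revoked). An anchored allow-list on the characters that field can hold, `if (! preg_match('/^[0-9A-Fa-f]+$/', $serial)) { print '0'; exit; }`, matches the restored tab-delimited `$regexp` directly and leaves `escapeshellcmd` as a redundant second layer in front of the `exec("egrep ...")` call rather than the only one. Whether this deployment issues decimal or hex serials is not visible in the hunk, so confirm against the actual index before changing the pattern. It is also worth a comment on the `print '0'` branch stating that malformed input is deliberately reported as "not revoked", since that is indistinguishable to the client from a valid, unrevoked certificate.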
@@ -91,7 +91,7 @@ subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always, issuer:always subjectAltName = email:copy issuerAltName = issuer:copy -crlDistributionPoints = URI:http://www.somewhere.com/phpki/index.php?stage=dl_crl +crlDistributionPoints = URI:http://www.somewhere.com/phpki/dl_crl.php nsComment = "PHPki/OpenSSL Generated Personal Certificate" nsBaseUrl = http://www.somewhere.com/phpki/ nsRevocationUrl = ns_revoke_query.php? @@ -109,7 +109,7 @@ subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always, issuer:always subjectAltName = email:copy issuerAltName = issuer:copy -crlDistributionPoints = URI:http://www.somewhere.com/phpki/index.php?stage=dl_crl +crlDistributionPoints = URI:http://www.somewhere.com/phpki/dl_crl.php nsComment = "PHPki/OpenSSL Generated Secure Server Certificate" nsBaseUrl = http://www.somewhere.com/phpki/ nsRevocationUrl = ns_revoke_query.php? diff --git a/root/search.php b/root/search.php index 45b0b87..0fc9c71 100644 --- a/root/search.php +++ b/root/search.php @@ -102,7 +102,7 @@ switch ($stage) { - Display + Display diff --git a/root/secure.sh b/root/secure.sh old mode 100644 new mode 100755 diff --git a/root/setup.php b/root/setup.php deleted file mode 100644 index 8c56157..0000000 --- a/root/setup.php +++ /dev/null @@ -1 +0,0 @@ -setup.php-presetup \ No newline at end of file diff --git a/root/setup.php b/root/setup.php new file mode 120000 index 0000000..8c56157 --- /dev/null +++ b/root/setup.php @@ -0,0 +1 @@ +setup.php-presetup \ No newline at end of file diff --git a/root/setup.php-presetup b/root/setup.php-presetup index 8607e9e..2ea1579 100644 --- a/root/setup.php-presetup +++ b/root/setup.php-presetup @@ -801,7 +801,7 @@ EOS; case 'finished': // We get here if we complete the previous section - // if OS = SME the go to server manager else, reload + // if OS = SME then go to server manager else, reload if (getOSInformation){ $location = "/server-manager/cgi-bin/phpki"; } else { 
@@ -887,7 +887,7 @@ E-mail: someone@somewhere.com &nbs } if (! $crl_distrib) { - $crl_distrib = 'index.php?stage=dl_crl'; + $crl_distrib = 'dl_crl.php'; } if (! $revoke_url) { $revoke_url = 'ns_revoke_query.php?';