* Thu Sep 30 2021 John Crisp <jcrisp@safeandsoundit.co.uk> 0.84-12.sme

- Attempt to fix the final reload after CA creation [SME: 11192]
2025-09-11 00:03:08 -04:00
parent 245e1bcd0b
commit a747530268
35 changed files with 3917 additions and 2796 deletions
--- a/phpki.spec
+++ b/phpki.spec
@@ -1,55 +1,336 @@
 # $Id: phpki-ng.spec,v 1.4 2018/11/17 13:20:42 jcrisp Exp $
 # Authority: vip-ire
 # Name: Daniel Berteaud
 %define 	name phpki
-%define version 1.0
+%define 	version 0.84
-%define release 1
+%define 	release 12
-Summary: This is what phpki does.
+Summary: 	Phpki is a simple certificate management suite
 Name: 		%{name}
 Version: 	%{version}
 Release: 	%{release}%{?dist}
 Source: %{name}-%{version}.tar.gz
 License: 	GNU GPL version 2
 URL: 		http://sourceforge.net/projects/phpki/
 Group: 		SMEserver/addon
-BuildRoot: %{_tmppath}/%{name}-buildroot
+#wget 		http://www.fooweb.com/downloads/foo-3.6.431.tar.gz
-Prefix: %{_prefix}
+Source: 	%{name}-%{version}.tar.gz
-BuildArchitectures: noarch
+Patch1:         phpki-ng-0.84-fix-for-php74-code-tidy.patch
-BuildRequires: smeserver-devtools
+Patch2:         phpki-ng-0.84-fix-pregmatch-revoke-certs.patch
-Requires: smeserver-release >= 11.0
+Patch3:         phpki-ng-0.84-fix-crl.patch
 Patch4:         phpki-ng-0.84-fix-missing-slash-certtype-detection.patch
 Patch5:         phpki-ng-0.84-fix-html-directory-check.patch
 Patch6:         phpki-ng-0.84-fix-download-cert.patch
 Patch7:         phpki-ng-0.84-fix-html-syntax-in-help.patch
 Patch8:         phpki-ng-0.84-fix-final-redirect.patch
 BuildArch: 	noarch
 BuildRoot: 	/var/tmp/%{name}-%{version}
 BuildRequires:  e-smith-devtools
 Requires: 	e-smith-release >= 10.0
 Requires: 	php74-php-fpm
 Requires: 	openssl
 Requires: 	openvpn
 Provides:	phpki-ng
 AutoReqProv: 	no
 %description
-phki fork of unmaintained project with our patches.
+http://sourceforge.net/projects/phpki/
 https://github.com/radicand/phpki
 https://github.com/reetp/phpki
 PHPki is an Open Source Web application for managing a multi-agency PKI for HIPAA compliance.
 With it, you may create and centrally manage X.509 certificates for use with S/MIME enabled 
 e-mail clients, SSL servers, and VPN applications.
 %changelog
-* Day MMMM DD YYYY <brianr@koozali.org> 1.0-1.sme
+* Thu Sep 30 2021 John Crisp <jcrisp@safeandsoundit.co.uk> 0.84-12.sme
- Initial code - create RPM [SME:99999]
+- Attempt to fix the final reload after CA creation [SME: 11192]
 * Thu Aug 05 2021 John Crisp <jcrisp@safeandsoundit.co.uk> 0.84-11.sme
 - Fix html syntax error in help - Thanks Mauro De Carolis [SME: 11688]
 * Tue Apr 06 2021 John Crisp <jcrisp@safeandsoundit.co.uk> 0.84-10.sme
 - And tidy up the copying wording. [SME: 11192]
 - Credit to Terry Fage for persisting with testing
 * Mon Apr 05 2021 John Crisp <jcrisp@safeandsoundit.co.uk> 0.84-9.sme
 - Really fix the copy this time [SME: 11192]
 * Sat Apr 03 2021 John Crisp <jcrisp@safeandsoundit.co.uk> 0.84-8.sme
 - copy phpki-store as a backup instead of move [SME: 11192]
 * Thu Apr 01 2021 John Crisp <jcrisp@safeandsoundit.co.uk> 0.84-7.sme
 - Fix broken Download Certificate in Cert generation [SME: 11513]
 * Thu Mar 18 2021 John Crisp <jcrisp@safeandsoundit.co.uk> 0.84-6.sme
 - Update html header info [SME: 11192]
 - Remove obsolete align
 - Remove accidentally duplicated html
 - Fix typo
 - Fix directory check
 - move function flush_exec to functions file
 * Tue Mar 09 2021 John Crisp <jcrisp@safeandsoundit.co.uk> 0.84-5.sme
 - Fix missing / [SME:11435]
 - Update cert type detection for renew [SME: 11436]
 - Code formatting
 * Mon Mar 08 2021 John Crisp <jcrisp@safeandsoundit.co.uk> 0.84-4.sme
 - Fix crl creation [SME: 11141]
 - Extra notes in setup page
 * Mon Mar 08 2021 John Crisp <jcrisp@safeandsoundit.co.uk> 0.84-3.sme
 - Fix Typo in certificate password [SME: 11435]
 - Fix typos and preg_match issues [SME: 11436]
 - Add Certificate creation notification [SME: 11437]
 - Bit of file formatting
 * Wed Mar 03 2021 John Crisp <jcrisp@safeandsoundit.co.uk> 0.84-2.sme
 - Change version to 0.84
 - Fix undefined constant errors [SME: 11397]
 - fix tempdir [SME: 11398]
 - update code to be PHP 7.4+ compliant
 - format with CodeSniff to PSR2
 * Wed Apr 01 2020 John Crisp <jcrisp@safeandsoundit.co.uk> 0.84-1.sme
 - Rename to php-ng 0.84 [SME: 11192]
 - Fix date sorting in certificates
 * Thu Mar 19 2020 John Crisp <jcrisp@safeandsoundit.co.uk> 0.83-9.sme
 - Update DH to 2048
 * Mon Mar 09 2020 John Crisp <jcrisp@safeandsoundit.co.uk> 0.83-8.sme
 - move warning and exit to %pre
 * Sat Mar 07 2020 John Crisp <jcrisp@safeandsoundit.co.uk> 0.83-7.sme
 - Lots of formatting - adding quotes to items and tidying up
 - set default md to 512
 * Wed Mar 04 2020 John Crisp <jcrisp@safeandsoundit.co.uk> 0.83-6.sme
 - Fix renew-cert
 - revert DH setup so you can see progress
 * Wed Mar 04 2020 John Crisp <jcrisp@safeandsoundit.co.uk> 0.83-5.sme
 - Fix create cert without password
 * Wed Mar 04 2020 John Crisp <jcrisp@safeandsoundit.co.uk> 0.83-4.sme
 - Fix openvpn error
 * Tue Mar 03 2020 John Crisp <jcrisp@safeandsoundit.co.uk> 0.83-3.sme
 - more fixes
 * Sat Feb 29 2020 John Crisp <jcrisp@safeandsoundit.co.uk> 0.83-2.sme
 - small fixes
 * Fri Feb 28 2020 John Crisp <jcrisp@safeandsoundit.co.uk> 0.83-1.sme
 - Update to 0.83 
 * Sat Nov 17 2018 Terry Fage <tfage@yahoo.com.au> 0.82-19.sme
 - Fix preg_match warnings [SME:10622]
 * Mon Oct 8 2018 Daniel B. <daniel@firewall-services.com> 0.82-18.sme
 - Fix potential XSS with unsafe use of PHP_SELF [SME: 10626]
 * Thu Sep 6 2018 brian r. <brianr@bjsystems.co.uk> 0.82-17.sme
 - Replace use of ereg by preg_replace as per deprecated in php 5.3 and removed in 7.0
 - [SME: 10622]
 * Mon Dec 12 2011 Daniel B. <daniel@firewall-services.com> 0.82-16.sme
 - Remove php-posix dependency (not available, nor needed on SME 7.x) [SME: 6805]
 * Wed Oct 26 2011 Daniel B. <daniel@firewall-services.com> 0.82-15.sme
 - Requires php-posix
 * Wed Jun 29 2011 Daniel B. <daniel@firewall-services.com> 0.82-14.sme
 - Don't check issuer (everyone allowed to access /ca can manage
  all the certificates, access to /ca is controlled by apache)
 * Tue Mar 15 2011 Daniel B. <daniel@firewall-services.com> 0.82-13.sme
 - Replace md5 with sha1 for signing
 * Fri May 28 2010 Daniel B. <daniel@firewall-services.com> [0.82-12]
 - Weekly update the CRL via cron so MS Crypto API will be happy
 * Thu Mar 18 2010 Daniel B. <daniel@firewall-services.com> [0.82-11]
 - Fixe empty password with PHP 5.2 (SME 8b5)
 * Wed Aug 26 2009 Daniel B. <daniel@firewall-services.com> [0.82-10]
 - Fixe links for CA help page
 * Mon Mar 23 2009 Daniel B. <daniel@firewall-services.com> [0.82-9]
 - Remove links after uninstall so you can easily re-install the contrib
  later [SME: 5091]
 * Tue Mar 03 2009 Daniel B. <daniel@firewall-services.com> [0.82-8]
 - Add e-smith-devtools as a dependencie
 * Tue Jan 20 2009 Daniel B. <daniel@firewall-services.com> [0.82-7]
 - Don't replace config file on upgrades
 * Wed Jan 07 2009 Daniel B. <daniel@firewall-services.com> [0.82-6]
 - Remove the email address from the file name during upload (in search page)
 - Remove secure.sh script
 * Tue Dec 16 2008 Daniel B. <daniel@firewall-services.com> [0.82-5]
 - Link index.php to setup-presetup.php
 * Mon Dec 08 2008 Daniel B. <daniel@firewall-services.com> [0.82-4]
 - Changes so certificates imported from openvpn-bridge are recognized
 - Configure default admin user to 'admin'
 - Create a static key for OpenVPN TLS auth (requires openvpn)
 - Add expirey values (3 Months, 6 Months)
 - Display or download takey.pem and dhparam1024.pem from 
  the certificate management menue
 - Display the Root certificate in PEM format
 - Possibility to download the CRL in PEM format
 - Remove the email address from the file name during upload
 - Disable download of certificate after creating a new one
 - Remove security warning after setup
 * Fri Dec 05 2008 Daniel B. <daniel@firewall-services.com> [0.82-3]
 - Correct extension name for email_signing certificates
 - Remove links, and recreate them in the %post section so upgrade can be done smoothly
 * Wed Nov 26 2008 Daniel B. <daniel@firewall-services.com> [0.82-0]
 - initial release
 - builds from unchanged .tar.gz
 %prep
-
+%setup  -c -n %{name}
-%setup -q
+%patch1 -p1
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
 %build
-perl createlinks
+%{__mkdir_p} root/opt/phpki/html
 %{__mkdir_p} root/opt/phpki/phpki-store
 %{__mkdir_p} root/opt/phpki/bin
 %{__mkdir_p} root/%{_sysconfdir}/cron.weekly/
 %{__mv} %{name}-%{version}/gen_crl.php root/opt/phpki/bin/
 %{__mv} %{name}-%{version}/* root/opt/phpki/html/
 cat <<"HERE" > root/%{_sysconfdir}/cron.weekly/phpki_update_crl
 #!/bin/bash
 cd /opt/phpki/bin
 /usr/bin/php74 ./gen_crl.php 2>&1 > /dev/null
 HERE
 # Remove links to setup page so upgrades can be done smoothly
 %{__rm} -f root/opt/phpki/html/index.php
 %{__rm} -f root/opt/phpki/html/ca/index.php
 %{__rm} -f root/opt/phpki/html/setup.php
 # This script shouldn't be here
 %{__rm} -f root/opt/phpki/html/secure.sh
 %install
 rm -rf $RPM_BUILD_ROOT
 (cd root   ; find . -depth -print | cpio -dump $RPM_BUILD_ROOT)
 rm -f %{name}-%{version}-filelist
 /sbin/e-smith/genfilelist $RPM_BUILD_ROOT \
   --file '/opt/phpki/html/config.php' 'attr(660,root,phpki) %config(noreplace)' \
   --file '/opt/phpki/html/openssl.cnf' 'attr(660,root,phpki) %config(noreplace)' \
   --file '%{_sysconfdir}/cron.weekly/phpki_update_crl' 'attr(744,root,root)' \
   --dir  '/opt/phpki/html' 'attr(770,root,phpki)' \
   --dir  '/opt/phpki/html/ca' 'attr(770,root,phpki)' \
   --dir  '/opt/phpki/phpki-store' 'attr(750,phpki,phpki)' \
    > %{name}-%{version}-filelist
-#echo "%doc COPYING"  >> %{name}-%{version}-filelist
+
-#--dir <dir> 'attr(755,user,grp)' \
+%files -f %{name}-%{version}-filelist
-#--file <file> 'attr(755,root,root)' \
+%defattr(-,root,root)
 %clean
 cd ..
-rm -rf %{name}-%{version}
+rm -rf $RPM_BUILD_ROOT
 %pre
 if ! /usr/bin/id phpki &>/dev/null; then
  echo "Creating phpki user"
  /usr/sbin/useradd -c 'Phpki User' -s /sbin/nologin -r -d /opt/phpki/phpki-store phpki &>/dev/null || \
                %logmsg "Unexpected error adding user \"phpki\". Abort installation."
 fi
 echo "******************************************************"
 echo "* "
 echo "*       !!! IMPORTANT - READ THIS NOW !!! "
 echo "* "
 echo "******************************************************"
 echo "*  This contrib now has higher levels of encryption"
 echo "* "
 echo "*  We cannot upgrade your existing certificates"
 echo "* existing certificates from SME9 or below have either "
 echo "* md5WithRSAEncryption sha1WithRSAEncryption"
 echo "* as Signature Algorithm (weak)."
 echo "* only way to update to sha256 or sha512 is to "
 echo "* start from scratch."
 echo "* "
 echo "*  If you have existing certificates you want to use"
 echo "*  then start with a new CA, backup up, and then restore"
 echo "*  your phpki-store directory in /opt/phpki"
 echo "* "
 echo "******************************************************"
 echo ""
 if [ -d /opt/phpki/phpki-store ] ; then
    echo "Backing up your /opt/phpki/phpki-store"
    today=$(date "+%Y%m%d%H%M")
    echo "Copying from /opt/phpki/phpki-store to /opt/phpki/phpki-store.$today"
    /bin/cp -pr /opt/phpki/phpki-store "/opt/phpki/phpki-store.$today"
    echo "Directory copied... continuing to install"
    # fix missing md_default
    if ( grep default_md /opt/phpki/phpki-store/config/config.php -q ); then
      echo "md_default OK"
    else
      echo "default_md missing in /opt/phpki/phpki-store/config/config.php"
      echo "getting  value from /opt/phpki/phpki-store/config/openssl.cnf"
      # it could ba acceptable to hash sha256 a certificate from a root with sha1. 
      defaultmd=$(awk '/^default_md/{print $NF}' /opt/phpki/phpki-store/config/openssl.cnf || echo "sha512")
      echo "inserting $defaultmd default_md at end of /opt/phpki/phpki-store/config/config.php"
      sed -i '/\?>/i \
      # Define default md \
      \$config['default_md']    = "'$defaultmd'";' /opt/phpki/phpki-store/config/config.php
      echo "Done... continuing to install"
    fi 
 else
    echo "No directory detected... continuing to install"
 fi
 %preun
 %post
 # First install, point index.php to setup.php
 if [ $1 == 1 ]; then
  #do not do if there is already a CA (restore from backup))
  if [ ! -f /opt/phpki/phpki-store/config/config.php ] ; then
 	%{__ln_s} /opt/phpki/html/setup.php-presetup /opt/phpki/html/index.php
 	%{__ln_s} /opt/phpki/html/setup.php-presetup /opt/phpki/html/setup.php
  fi
  echo "<?php
 header(\"Location: ./../index.php\");
 ?>
 " > /opt/phpki/html/ca/index.php
 fi
 %postun
-#uninstall
+# Remove the links to index.php after uninstall
-%files -f %{name}-%{version}-filelist
+if [ $1 == 0 ]; then
-%defattr(-,root,root)
+    %{__rm} -f /opt/phpki/html/index.php
    %{__rm} -f /opt/phpki/html/setup.php
    %{__rm} -f /opt/phpki/html/ca/index.php
 fi
 true
--- a/root/.gitignore
+++ b/root/.gitignore
@@ -0,0 +1 @@
 *.komodoproject
--- a/root/.htaccess
+++ b/root/.htaccess
@@ -0,0 +1,6 @@
 Options FollowSymLinks
 php_flag register_globals off
 php_flag register_long_arrays on
 AddType application/x-x509-ca-cert .crt  .pem
 AddType application/pkix-crl    .crl
 AddType application/pkix-cert   .cer .der
--- a/root/CHANGELOG
+++ b/root/CHANGELOG
@@ -118,3 +118,19 @@ v0.82 (possibly final release)
 - Fixed chown in secure.sh for FreeBSD compatibility.
 - Fixed quote mismatch in ca/help.php
 - Added support for time stamping certificates, Idea by Sebastien Bahlol.
 v0.83 (bugfix)
 - Converted deprecated HTTP_SERVER_VARS to _SERVER
 - Fixed emailcodesigning error in openssl_functions.php
 - Fixed failure to create httpasswd file in secure.sh
 - Fixed false positives when detecting if requested email certificate already exists
 - Added support for 4 character TLD in email address
 - Added support for short term certificates (1,3,6 months)
 v0.84 (updates and fixes)
 - Merge v0.83/radicand/SME v0.82
 - Add OpenVPN capability if installed
 - Lots of code formatting
 - Tidy dangling html tags
 - Sanitise some vars
 - Standardise some vars
--- a/root/Makefile
+++ b/root/Makefile
@@ -1,4 +1,4 @@
-VERSION = 0.82
+VERSION = 0.83
 UID = $(shell id -u)
 GID = $(shell id -g)
@@ -22,10 +22,10 @@ distclean: clean
 	echo -e '<?php\nheader("Location: ./../index.php");\n?>' > ca/index.php
 	echo '<?php' > config.php
-	echo 'define(PHPKI_VERSION, "$(VERSION)");' >> config.php
+	echo 'define("PHPKI_VERSION", "$(VERSION)");' >> config.php
 	echo '?>' >> config.php
-	rm -f index.php
+	rm -f index.php setup.php
 	ln -sf readme.php index.php
 	ln -sf setup.php-presetup setup.php
@@ -48,5 +48,8 @@ distclean: clean
 	@echo -e "Point your browser to your PHPki installation to configure and"
 	@echo -e "create your root certificate. (i.e. http://www.domain.com/phpki/)\n"
 secure:
 	@./secure.sh
 fixperms:
 	@./secure.sh
--- a/root/README.md
+++ b/root/README.md
@@ -1,3 +1,52 @@
 PHPKi
 =====
 A simple PHP/web based system for generating your own certificates
 ------------------------------------------------------------------
 Here are the comments from the radicand repo and the original docs
 No one appears to be maintaining this and I find it very handy.
 I discovered some issues and there are some additional bits we have for OpenVPN (if installed) at Koozali SME server so I thought I'd incorporate them in as well.
 It tries to detect if it is installed on Koozali which needs a couple of small mods, and if openvpn is installed it will create a takey.
 Note... YMMV....
 I'm sure it is primitive by todays standards but does what I need.
 I will try and maintain it for the foreseeable future.
 Note I have changed the default admin from 'phpkiadmin' to 'admin' for utilisation on KoozaliSME Server.
 You can modify this as required as per the README below.
 About this fork
 ===============
 Reasons for forking
 -------------------
 After spending a fair amount of time looking for a basic, relatively full featured internal PKI solution, I came across PHPki on Sourceforge.  However, being that I don't enjoy using Sourceforge and that there are a number of improvements I wish to make to this solution, I have forked it into a Github repository.  Hopefully others may find this useful.
 Main changes
 ------------
 * Changed hash algorithm from MD5 to SHA
 Planned changes
 ---------------
 * Remove usage of symlinks.
 * Strip out built-in password support -- this can be implemented by the webserver (htaccess) or a bolt-on like SimpleSAMLphp
 * Fix CRL subsystem (I found this to not be operational, have not yet investigated)
 Original README (0.83)
 ======================
 NOTICE:
 This application is designed to be an easy to use "certificate factory"
 requiring minimum human intervention to administer.  It is intended for
@@ -36,6 +85,7 @@ Unpack the PHPki tarball onto your web server. For example:
 	cp phpki.tar.gz /var/tmp
 	cd /var/www/html
 	tar -xzvf /var/tmp/phpki.tar.gz
 	chown <apache-user> -R phpki/
 To configure the certificate authority and create your root certificate,
 point your browser to where you unpacked PHPki. For example:
@@ -70,7 +120,7 @@ you specified during setup.
 Normal users may only manage the certificates they create.  Administrators
 can manage all certificates.  The default administrator account is 
-"pkiadmin".  The secure.sh script will attempt to add this user to your 
+"admin".  The secure.sh script will attempt to add this user to your 
 phpkipasswd file when it is first created.  Other users can be made 
 administrators by carefully editing the $PHPki_admins assignment in 
 config/config.php under your certificate store directory.
--- a/root/about.php
+++ b/root/about.php
@@ -1,44 +1,45 @@
 <?php
 include('./config.php');
 include('./include/my_functions.php');
 include('./include/common.php');
 printHeader('about');
 ?>
 <p>
 PHPki is an <a href=http://www.opensource.org target=_blank>Open Source</a>
-Web application for managing a <a href=<?=BASE_URL?>help/glossary.html#PKI target=help/glossary>
+Web application for managing a <a href=<?php echo BASE_URL?>help/glossary.html#PKI target=help/glossary>
 Public Key Infrastructure</a> within a small organizations. PHPki acts as a
 mechanism for the centralized creation and management of digital certificates.
 PHPki is capable of managing certificates for multiple organizations or user
-accounts.
+accounts.</p>
 <p>
 PHPki requires the Apache Web Server, the <href=http://www.php.net target=_blank>PHP</a> Scripting Language, and <href=http://www.openssl.org target=_blank>
 OpenSSL</a>, all of which are included with any major
 <a href=http://www.linux.org target=_blank> Linux Operating System</a>
 <a href=http://www.redhat.com target=_blank>distribution</a>.
 </p>
 <p>
 This software may be freely redistributed under the terms of the 
 <a href=http://www.gnu.org target=_blank>GNU</a> Public
 License provided this page and all copyright notices remain completely intact.
 </p>
 <p>
 <center><h4>Copyright: 2003, William E. Roadcap</h4>
 <form>
 <textarea name=gpl cols=80 rows=15 readonly>
-<?
+<?php
 readfile("./LICENSE.TXT");
 ?>
 </textarea>
 </form>
 </center>
-<p>
+</p>
-<?
+<?php
 printFooter();
 ?>
--- a/root/admin/index.php
+++ b/root/admin/index.php
@@ -18,28 +18,28 @@ case 'list_users':
        ?>
        </pre>
-	<form action=<?=$PHP_SELF?> method=post>
+        <form action="<?php echo $PHP_SELF?>" method="post">
    <input type=submit name=submit value="Back to Menu">
    </form>
-	<?
+    <?php
    printFooter(false);
        break;
    case 'add_user_form';
        printHeader('admin');
        ?>
-	<body onLoad="self.focus();document.form.login.focus();">
+        <body onLoad="self.focus();document.form.login.focus()">
-	<form action=<?=$PHP_SELF?> method=post name=form>
+        <form action="<?php echo $PHP_SELF?>" method="post" name="form">
    <table>
    <th colspan=2><h3>Add User or Change Password</h3></th>
-	<tr><td>User ID</td><td><input type=text name=login value="<?=htvar($login)?>" maxlength=15 size=15></td></tr>
+    <tr><td>User ID</td><td><input type=text name=login value="<?php echo htvar($login)?>" maxlength=15 size=15></td></tr>
    <tr><td>Password </td><td><input type=password name=passwd value=''  size=20></td></tr>
    <tr><td>Verify Password </td><td><input type=password name=passwdv value='' size=20></td></tr>
    </table>
    <input type=hidden name=stage value=add_user>
    <input type=submit name=submit value='Submit'>
    </form>
-	<?
+    <?php
    break;
    case 'add_user':
@@ -49,14 +49,13 @@ case 'add_user':
            ?>
            <p><center>
-		<form action=<?=$PHP_SELF?> method=post>
+            <form action="<?php echo $PHP_SELF?>" method="post">
        <input type=hidden name=stage value=add_user_form>
-		<input type=hidden name=login value="<?=htvar($login)?>">
+        <input type=hidden name=login value="<?php echo htvar($login)?>">
        <input type=submit name=submit value=Back>
        </form></center>
-		<?
+        <?php
-	}
+        } else {
 	else {
            $pwdfile = escapeshellarg($config['passwd_file']);
            $login = escapeshellarg($login);
            $passwd = escapeshellarg($passwd);
@@ -65,10 +64,10 @@ case 'add_user':
            system("htpasswd -bm $pwdfile $login $passwd 2>&1")
            ?>
            <p>
-		<form action=<?=$PHP_SELF?> method=post>
+            <form action="<?php echo $PHP_SELF?>" method="post">
        <input type=submit name=submit value="Back to Menu">
        </form>
-		<?
+        <?php
        }
        printFooter();
        break;
@@ -77,15 +76,15 @@ case 'del_user_form';
        printHeader('admin');
        ?>
        <body onLoad="self.focus();document.form.login.focus();">
-	<form action=<?=$PHP_SELF?> method=post name=form>
+        <form action="<?php echo $PHP_SELF?>" method="post" name="form">
    <table>
    <th colspan=2><h3>Remove User</h3></th>
-	<tr><td>User ID</td><td><input type=text name=login value="<?=htvar($login)?>" maxlength=15 size=15></td></tr>
+    <tr><td>User ID</td><td><input type=text name=login value="<?php echo htvar($login)?>" maxlength=15 size=15></td></tr>
    </table>
    <input type=hidden name=stage value=del_user>
    <input type=submit name=submit value='Submit'>
    </form>
-	<?
+    <?php
    printFooter();
    break;
    case 'del_user':
@@ -98,10 +97,10 @@ case 'del_user':
        system("htpasswd -D $pwdfile $login 2>&1")
        ?>
        <p>
-	<form action=<?=$PHP_SELF?> method=post>
+        <form action="<?php echo $PHP_SELF?>" method="post">
    <input type=submit name=submit value="Back to Menu">
    </form>
-	<?
+    <?php
    printFooter();
        break;
@@ -113,14 +112,14 @@ default:
        <center>
        <table class=menu><th class=menu>SYSADMIN MENU</th>
        <tr><td class=menu style="padding-left: 1em;"><table>
-	<tr><td class=menu-pad><a href=<?=$PHP_SELF?>?stage=add_user_form>Add User or Change Password</a></td></tr>
+        <tr><td class=menu-pad><a href=<?php echo $PHP_SELF?>?stage=add_user_form>Add User or Change Password</a></td></tr>
-	<tr><td class=menu-pad><a href=<?=$PHP_SELF?>?stage=del_user_form>Remove User</a></td></tr>
+    <tr><td class=menu-pad><a href=<?php echo $PHP_SELF?>?stage=del_user_form>Remove User</a></td></tr>
-	<tr><td class=menu-pad><a href=<?=$PHP_SELF?>?stage=list_users>List Password File Contents</a></td></tr>
+    <tr><td class=menu-pad><a href=<?php echo $PHP_SELF?>?stage=list_users>List Password File Contents</a></td></tr>
    </table></td></tr>
    </table>
    </center>
    <br><br>
-	<?
+    <?php
    printFooter();
 }
--- a/root/ca/help.php
+++ b/root/ca/help.php
@@ -364,10 +364,10 @@ PHPki glossary of terms.
 <p>
 <h2><a name="GETTING-HELP">GETTING ADDITIONAL HELP</a></h2>
 <blockquote>
-<?=$config[getting_help]?>
+<?php echo $config['getting_help']?>
 </blockquote>
 <br>
-<?
+<?php
 printFooter();
 ?>
--- a/root/ca/index.php
+++ b/root/ca/index.php
@@ -1,3 +1,2 @@
 <?php
 header("Location: ./../index.php");
 ?>
--- a/root/ca/main.php
+++ b/root/ca/main.php
@@ -9,25 +9,24 @@ include("../include/openssl_functions.php");
 $stage = gpvar('stage');
 switch ($stage) {
    case 'dl_takey':
-        upload("$config[private_dir]/takey.pem", "$config[ca_prefix]takey.pem", 'application/octet-stream');
+        upload($config['private_dir'] . '/takey.pem', $config['ca_prefix'] . 'takey.pem', 'application/octet-stream');
        break;
    case 'dl_dhparam':
-        upload("$config[private_dir]/dhparam1024.pem", "$config[ca_prefix]dhparam1024.pem", 'application/octet-stream');
+        upload($config['private_dir'] . '/dhparam2048.pem', $config['ca_prefix'] . 'dhparam2048.pem', 'application/octet-stream');
        break;
    case 'dl_root':
-	upload("$config[cacert_pem]", "$config[ca_prefix]cacert.crt", 'application/x-x509-ca-cert');
+        upload($config['cacert_pem'], $config['ca_prefix'] . 'cacert.crt', 'application/x-x509-ca-cert');
        break;
    case 'dl_crl':
-	upload("$config[cacrl_der]", "$config[ca_prefix]cacrl.crl", 'application/pkix-crl');
+        upload($config['cacrl_der'], $config['ca_prefix'] . 'cacrl.crl', 'application/pkix-crl');
        break;
    case 'dl_crl_pem':
-       upload("$config[cacrl_pem]", "$config[ca_prefix]cacrl.crl", 'application/octet-stream');
+        upload($config['cacrl_pem'], $config['ca_prefix'] . 'cacrl.crl', 'application/octet-stream');
        break;
    case 'gen_crl':
@@ -38,27 +37,26 @@ case 'gen_crl':
        if ($ret) {
            ?>
            <center><h2>Certificate Revocation List Updated</h2></center>
-                <p>
+            <br>
-                <form action=<?=$PHP_SELF?> method=post>
+            <form action="<?php echo $PHP_SELF?>" method="post">
-                <input type=submit name=submit value="Back to Menu">
+        <input type="submit" name="submit" value="Back to Menu">
        </form>
-                <?
+        <?php
        print '<pre>'.CA_crl_text().'</pre>';
-        }
+        } else {
        else {
            ?>
-                <font color=#ff0000>
+            <font color="#ff0000">
            <h2>There was an error updating the Certificate Revocation List.</h2></font><br>
            <blockquote>
            <h3>Debug Info:</h3>
-                <pre><?=$errtxt?></pre>
+            <pre><?php echo $errtxt?></pre>
        </blockquote>
-                <form action=<?=$PHP_SELF?> method=post>
+        <form action="<?php echo $PHP_SELF?>" method="post">
-                <p>
+        <br>
-                <input type=submit name=submit value="Back to Menu">
+        <input type="submit" name="submit" value="Back to Menu">
-                <p>
+        <br>
        </form>
-                <?
+        <?php
        }
        break;
@@ -67,11 +65,11 @@ case 'display_takey':
        ?>
        <center><h2>OpenVPN pre-shared Key</h2></center>
-        <p>
+        <br>
-        <form action=<?=$PHP_SELF?> method=post>
+        <form action="<?php echo $PHP_SELF?>" method="post">
-        <input type=submit name=submit value="Back to Menu">
+    <input type="submit" name="submit" value="Back to Menu">
    </form>
-        <?
+    <?php
    print '<pre>'.ta_key_text().'</pre>';
        break;
@@ -80,11 +78,11 @@ case 'display_dhparam':
        ?>
        <center><h2>OpenVPN Diffie-Helman parameters</h2></center>
-        <p>
+        <br>
-        <form action=<?=$PHP_SELF?> method=post>
+        <form action="<?php echo $PHP_SELF?>" method="post">
    <input type=submit name=submit value="Back to Menu">
    </form>
-        <?
+    <?php
    print '<pre>'.dhparam_text().'</pre>';
        break;
@@ -93,11 +91,11 @@ case 'display_root_pem':
        ?>
        <center><h2>Root certificate file (PEM Encoded)</h2></center>
-        <p>
+        <br>
-        <form action=<?=$PHP_SELF?> method=post>
+        <form action="<?php echo $PHP_SELF?>" method="post">
-        <input type=submit name=submit value="Back to Menu">
+    <input type="submit" name="submit" value="Back to Menu">
    </form>
-        <?
+    <?php
    print '<pre>'.root_pem_text().'</pre>';
        break;
@@ -108,54 +106,60 @@ default:
        <br>
        <br>
        <center>
-	<table class=menu width=600><th class=menu colspan=2><big>CERTIFICATE MANAGEMENT MENU</big></th>
+        <table class="menu" width="600px"><th class="menu" colspan="2"><big>CERTIFICATE MANAGEMENT MENU</big></th>
-
+        <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;" width="33%">
-	<tr><td style="text-align: center; vertical-align: middle; font-weight: bold;" width=33%>
+        <a href="request_cert.php">Create a New Certificate</a></td>
 	<a href=request_cert.php>Create a New Certificate</a></td>
        <td>Use the <strong><cite>Certificate Request Form</cite></strong> to create and download new digital certificates.  
        You may create certificates in succession without re-entering the entire form 
        by clicking the "<strong>Go Back</strong>" button after each certificate is created.</td></tr>
        <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
-	<a href=manage_certs.php>Manage Certificates</a></td>
+        <a href="manage_certs.php">Manage Certificates</a></td>
        <td>Conveniently view, download, revoke, and renew your existing certificates using the
        <strong><cite>Certificate Management Control Panel</cite></strong>.</td></tr>
        <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
-	<a href=<?=$PHP_SELF?>?stage=gen_crl>Update & View the Certificate Revocation List</a></td>
+        <a href="<?php echo $PHP_SELF?>?stage=gen_crl">Update & View the Certificate Revocation List</a></td>
    <td>Some applications automagically reference the Certificate Revocation List to determine
    certificate validity.  It is not necessary to perform this update function, as the CRL is 
    updated when certificates are revoked.  However, doing so is harmless.
-	<a href=../ca/help.php target=_help>Read the online help</a> to learn more about this.</td></tr>
+    <a href="../help.php" target="_help">Read the online help</a> to learn more about this.</td></tr>
    <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
-	<a href=<?=$PHP_SELF?>?stage=dl_root>Download the Root Certificate</a><br><br>
+    <a href="<?php echo $PHP_SELF?>?stage=dl_root">Download the Root Certificate</a><br><br>
-	<a href=<?=$PHP_SELF?>?stage=display_root_pem>Display the Root Certificate (PEM Encoded)</a></td>
+    <a href="<?php echo $PHP_SELF?>?stage=display_root_pem">Display the Root Certificate (PEM Encoded)</a></td>
    <td>The "Root" certificate must be installed before using any of the 
-	certificates issued here. <a href=../ca/help.php target=_help>Read the online help</a> 
+    certificates issued here. <a href="../help.php" target="_help">Read the online help</a> 
    to learn more about this.</td></tr>
    <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
-	<a href=<?=$PHP_SELF?>?stage=dl_crl>Download the Certificate Revocation List</a></td>
+    <a href="<?php echo $PHP_SELF?>?stage=dl_crl">Download the Certificate Revocation List</a><br><br>
    <a href="<?php echo $PHP_SELF?>?stage=dl_crl_pem">Download in PEM format.</a></td>
    <td>This is the official list of revoked certificates.  Using this list with your e-mail or
-	browser application is optional.  Some applications will automagically reference this list.
+    browser application is optional.  Some applications will automagically reference this list.</td></tr>
-	(<a href="<?=$PHP_SELF?>?stage=dl_crl_pem">Some will need it in PEM format.</a>)</td></tr>
+        <?php
-
+        if (file_exists($config['private_dir'] . '/takey.pem')) {
            ?>
           <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
-        <a href=<?=$PHP_SELF?>?stage=dl_takey>Download the static pre-shared key</a><br><br>
+           <a href="<?php echo $PHP_SELF?>?stage=dl_takey">Download the static pre-shared key</a><br><br>
-        <a href=<?=$PHP_SELF?>?stage=display_takey>Display the static pre-shared key</a></td>
+       <a href="<?php echo $PHP_SELF?>?stage=display_takey">Display the static pre-shared key</a></td>
-        <td>This key can be used with OpenVPN as a standalone auth mecanism, or as an additionnal TLS authentication.</td></tr>
+       <td>This key can be used with OpenVPN as a standalone auth mechanism, or as an additional TLS authentication.</td></tr>
-
+        <?php }
        ?>
        <?php if (file_exists($config['private_dir'] . '/dhparam2048.pem')) {
    ?>
    <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
-        <a href=<?=$PHP_SELF?>?stage=dl_dhparam>Download the Diffie-Hellman parameters</a><br><br>
+    <a href="<?php echo $PHP_SELF?>?stage=dl_dhparam">Download the Diffie-Hellman parameters</a><br><br>
-        <a href=<?=$PHP_SELF?>?stage=display_dhparam>Display the Diffie-Hellman parameters</a></td>
+    <a href="<?php echo $PHP_SELF?>?stage=display_dhparam">Display the Diffie-Hellman parameters</a></td>
    <td>This file is used by OpenVPN for the hand-shake. The Diffie-Hellman key agreement 
    protocol enables two communication partners to exchange a secret key safely.</td></tr>
        <?php }
    ?>
    </table>
    </center>
    <br><br>
-	<?
+    <?php
    printFooter();
 }
--- a/root/ca/manage_certs.php
+++ b/root/ca/manage_certs.php
@@ -20,35 +20,44 @@ $show_valid   = gpvar('show_valid');
 $show_revoked = gpvar('show_revoked');
 $show_expired = gpvar('show_expired');
 # Prevent handling certs that don't belong to user
 if ($serial && CAdb_issuer($serial) != $PHPki_user && ! in_array($PHPki_user, $PHPki_admins)) {
    $stage = 'goaway';
 }
 if (!($show_valid.$show_revoked.$show_expired)) {
    $show_valid   = 'V';
    $show_revoked = 'R';
    $show_expired = 'E';
 }
-$qstr_filter =	'search='.htvar($search).'&'.
+$qstr_filter =  'search='.htvar($search) . '&' . "show_valid=$show_valid&" . "show_revoked=$show_revoked&" . "show_expired=$show_expired&";
 		"show_valid=$show_valid&".
 		"show_revoked=$show_revoked&".
 		"show_expired=$show_expired&";
 $qstr_sort   = "sortfield=$sortfield&ascdec=$ascdec";
 switch ($stage) {
    case 'goaway':
        printHeader(false);
-	?> <p><center><h1><font color=red>YOU ARE A VERY BAD BOY!</font></h2></center> <?
+        ?>
        <p><center><h1><font color="red">YOU ARE A VERY BAD BOY!</font></h2></center>
        <?php
        break;
    case 'display':
        printHeader(false);
        ?>
       	<center><h2>Certificate Details</h2></center>
 	<center><font color=#0000AA><h3>(#<?=$serial?>)<br><?=htvar(CA_cert_cname($serial).' <'.CA_cert_email($serial).'>')?> </h3></font></center>
 	<?
-	if ($revoke_date = CAdb_is_revoked($serial))
+        <center><h2>Certificate Details</h2></center>
        <center><font color="#0000AA"><h3>(#<?php echo $serial?>)<br><?php echo htvar(CA_cert_cname($serial).' <'.CA_cert_email($serial).'>')?> </h3></font></center>
    <?php
    if ($revoke_date = CAdb_is_revoked($serial)) {
        print '<center><font color=red><h2>REVOKED '.$revoke_date.'</h2></font></center>';
    }
        print '<pre>'.CA_cert_text($serial).'</pre>';
        break;
@@ -59,46 +68,48 @@ case 'dl-confirm':
        $rec = CAdb_get_entry($serial);
        ?>
-	<h3>You are about to download the <font color=red>PRIVATE</font> certificate key for <?=$rec['common_name'].' &lt;'.$rec['email'].'&gt; '?></h3>
+    <h3>You are about to download the <font color=red>PRIVATE</font> certificate key for <?php echo $rec['common_name'].' &lt;'.$rec['email'].'&gt; '?></h3>
-	<h3><font color=red>DO NOT DISTRIBUTE THIS FILE TO THE PUBLIC!</font></h3>
+    <h3><font color="red">DO NOT DISTRIBUTE THIS FILE TO THE PUBLIC!</font></h3>
-	<form action="<?=$PHP_SELF.'?stage=download&serial='.$serial.'&'.$qstr_sort.'&'.$qstr_filter?>" method=post>
+    <form action="<?php echo $PHP_SELF.'?stage=download&serial='.$serial.'&'.$qstr_sort.'&'.$qstr_filter?>" method="post">
    <strong>File type: </strong>
-	<td><select name=dl_type>
+    <select name="dl_type">
    <option value="PKCS#12">PKCS#12 Bundle</option>
    <option value="PEMCERT">PEM Certificate</option>
    <option value="PEMKEY">PEM Key</option>
    <option value="PEMBUNDLE">PEM Bundle</option>
    <option value="PEMCABUNDLE">PEM Bundle w/Root</option>
    </select>
-
+    <input type="submit" name="submit" value="Download">
 	<input type=submit name=submit value="Download">
    &nbsp; or &nbsp;
-	<input type=submit name=submit value="Go Back">
+    <input type="submit" name="submit" value="Go Back">
    </form>
-	<?
+
    <?php
        break;
    case 'download':
-	if (strstr($submit, "Back"))  $dl_type = '';
+        if (strstr($submit, "Back")) {
            $dl_type = '';
        }
        $rec = CAdb_get_entry($serial);
        switch ($dl_type) {
            case 'PKCS#12':
-		upload("$config[pfx_dir]/$serial.pfx", "$rec[common_name].p12", 'application/x-pkcs12');
+                upload($config['pfx_dir'] . "/$serial.pfx", "$rec[common_name].p12", 'application/x-pkcs12');
                break;
            case 'PEMCERT':
-		upload("$config[new_certs_dir]/$serial.pem", "$rec[common_name]-cert.pem",'application/pkix-cert');
+                upload($config['new_certs_dir'] . "/$serial.pem", "$rec[common_name]-cert.pem", 'application/pkix-cert');
                break;
            case 'PEMKEY':
-		upload("$config[private_dir]/$serial-key.pem", "$rec[common_name]-key.pem",'application/octet-stream');
+                upload($config['private_dir'] . "/$serial-key.pem", "$rec[common_name]-key.pem", 'application/octet-stream');
                break;
            case 'PEMBUNDLE':
-		upload(array("$config[private_dir]/$serial-key.pem","$config[new_certs_dir]/$serial.pem"), "$rec[common_name]-bundle.pem",'application/octet-stream');
+                upload(array($config['private_dir'] . "/$serial-key.pem",$config['new_certs_dir'] . "/$serial.pem"), $rec['common_name'] . "-Bundle.pem", 'application/octet-stream');
                break;
            case 'PEMCABUNDLE':
-		upload(array("$config[private_dir]/$serial-key.pem","$config[new_certs_dir]/$serial.pem",$config['cacert_pem']), "$rec[common_name]-bundle-root.pem",'application/octet-stream');
+                upload(array($config['private_dir'] . "/$serial-key.pem",$config['new_certs_dir'] . "/$serial.pem", $config['cacert_pem']), $rec['common_name'] . "-CABundle.pem", 'application/octet-stream');
                break;
            default:
                header("Location: ${PHP_SELF}?$qstr_sort&$qstr_filter");
@@ -111,10 +122,11 @@ case 'revoke-form':
        printHeader('ca');
        ?>
-	<h4>You are about to <font color=red>REVOKE</font> the following certificate:</hr>
+        <h4>You are about to <font color=red>REVOKE</font> the following certificate:
-       	<table width=500><tr>
+        <hr>
-       	<td width=25% style='white-space: nowrap'>
+        <table width="500px"><tr>
-       	<p align=right>
+        <td width="25%" style="white-space: nowrap">
        <p align="right">
        Serial Number<br>
        User's Name<br>
        Email Address<br>
@@ -125,18 +137,18 @@ case 'revoke-form':
        Country<br>
        </p>
        </td>
-	<?
+        <?php
        print '
         <td>
-	'.htvar($rec[serial]).'<br>
+            '.htvar($rec['serial']).'<br>
-       	'.htvar($rec[common_name]).'<br>
+            '.htvar($rec['common_name']).'<br>
-       	'.htvar($rec[email]).'<br>
+            '.htvar($rec['email']).'<br>
-       	'.htvar($rec[organization]).'<br>
+            '.htvar($rec['organization']).'<br>
-       	'.htvar($rec[unit]).'<br>
+            '.htvar($rec['unit']).'<br>
-       	'.htvar($rec[locality]).'<br>
+            '.htvar($rec['locality']).'<br>
-       	'.htvar($rec[province]).'<br>
+            '.htvar($rec['province']).'<br>
-       	'.htvar($rec[country]).'<br>
+            '.htvar($rec['country']).'<br>
         </td>
       </tr></table>
      <h4>Are you sure?</h4>
@@ -151,8 +163,9 @@ case 'revoke-form':
    case 'revoke':
        $ret = true;
-	if ($submit == 'Yes') 
+        if ($submit == 'Yes') {
            list($ret, $errtxt) = CA_revoke_cert($serial);
        }
        if (! $ret) {
            printHeader('ca');
@@ -160,20 +173,19 @@ case 'revoke':
            print "<form action=\"$PHP_SELF?stage=revoke-form&serial=$serial&$qstr_sort&$qstr_filter\" method=post>";
            ?>
            <font color=#ff0000>
-		<h2>There was an error revoking your certificate
+            <h2>There was an error revoking your certificate.</h2></font><br>
 .</h2></font><br>
            <blockquote>
            <h3>Debug Info:</h3>
-		<pre><?=$errtxt?></pre>
+            <pre><?php echo $errtxt?></pre>
            </blockquote>
            <p>
            <input type=submit name=submit value=Back>
            <p>
            </form>
-		<?
+        <?php
-	}
+        } else {
 	else
            header("Location: ${PHP_SELF}?$qstr_sort&$qstr_filter");
        }
        break;
    case 'renew-form':
@@ -182,9 +194,9 @@ case 'renew-form':
        # need the expiry value, but the old cert values will override
        # the rest.
        #
-	if (! $submit and file_exists("config/user-${PHPki_user}.php"))
+        if (! $submit and file_exists("config/user-${PHPki_user}.php")) {
            include("config/user-${PHPki_user}.php");
-
+        }
        #
        # Get values from the old certificate.
        #
@@ -201,84 +213,90 @@ case 'renew-form':
        ?>
        <body onLoad="self.focus();document.form.passwd.focus();">
-	<form action="<?=$PHP_SELF.'?'.$qstr_sort.'&'.$qstr_filter?>" method=post name=form>
+        <form action="<?php echo $PHP_SELF.'?'.$qstr_sort.'&'.$qstr_filter?>" method=post name=form>
        <table width=99%>
-	<th colspan=2><h3>Certificate Renewal Form</h3></th>
+        <th colspan="2"><h3>Certificate Renewal Form</h3></th>
        <tr>
-	<td width=25%>Common Name </td>
+        <td colspan="2" style="text-align:center">This will Revoke the old Certificate and Create a new one<br>
-	<td><input type=text name=common_name value="<?= htvar($common_name)?>" size=50 maxlength=60 disabled></td>
+        <font color=red>If a password was used to create the original certificate you must use it below</font></td>
        </tr>
        <tr>
        <td width="25%">Common Name </td>
        <td><input type="text"" name="common_name" value="<?php echo  htvar($common_name)?>" size="50" maxlength="60" disabled></td>
        </tr>
        <tr>
        <td>E-mail Address </td>
-	<td><input type=text name=email value="<?=htvar($email)?>" size=50 maxlength=60 disabled></td>
+        <td><input type="text" name="email" value="<?php echo htvar($email)?>" size="50" maxlength="60" disabled></td>
        </tr>
        <tr>
        <td>Organization </td>
-	<td><input type=text name=organization value="<?=htvar($organization)?>" size=60 maxlength=60 disabled></td>
+        <td><input type="text" name="organization" value="<?php echo htvar($organization)?>" size="60" maxlength="60" disabled></td>
        </tr>
        <tr>
-	<td>Department/Unit </td><td><input type=text name=unit value="<?= htvar($unit) ?>" size=40 maxlength=60 disabled></td>
+        <td>Department/Unit </td><td><input type="text" name="unit" value="<?php echo  htvar($unit) ?>" size="40" maxlength="60" disabled></td>
        </tr>
        <tr>
-	<td>Locality</td><td><input type=text name=locality value="<?= htvar($locality) ?>" size=30 maxlength=30 disabled></td>
+        <td>Locality</td><td><input type="text" name="locality" value="<?php echo  htvar($locality) ?>" size="30" maxlength="30" disabled></td>
        </tr>
        <tr>
-	<td>State/Province</td><td><input type=text name=province value="<?= htvar($province) ?>" size=30 maxlength=30 disabled></td>
+        <td>State/Province</td><td><input type="text" name="province" value="<?php echo  htvar($province) ?>" size="30" maxlength="30" disabled></td>
        </tr>
        <tr>
        <td>Country</td>
-	<td><input type=text name=country value="<?= htvar($country) ?>" size=2 maxlength=2 disabled></td>
+        <td><input type="text" name="country" value="<?php echo  htvar($country) ?>" size="2" maxlength="2" disabled></td>
        </tr>
        <tr>
-	<td>Certificate Password </td>
+        <td>Certificate Password <font color=red>- might be required</font></td>
-	<td><input type=password name=passwd value="<?= htvar($passwd) ?>" size=30></td>
+        <td><input type="password" name="passwd" value="<?php echo  htvar($passwd) ?>" size="30"></td>
        </tr>
        <tr>
        <td>Certificate Life </td>
        <td><select name=expiry>
 	<?
-	print "<option value=0.25 ". ($expiry == 0.25 ? "selected='selected'" : "") . " >3 Months</option>\n" ;
+        <?php
-        print "<option value=0.5 ". ($expiry == 0.5 ? "selected='selected'" : "") . " >6 Months</option>\n" ;
+        print "<option value=0.083 " . ($expiry == 1 ? "selected='selected'" : "") . " >1 Month</option>\n" ;
        print "<option value=0.25 " . ($expiry == 1 ? "selected='selected'" : "") . " >3 Months</option>\n" ;
        print "<option value=0.5 " . ($expiry == 1 ? "selected='selected'" : "") . " >6 Months</option>\n" ;
        print "<option value=1 " . ($expiry == 1 ? "selected='selected'" : "") . " >1 Year</option>\n" ;
        for ($i = 2; $i <= 5; $i++) {
            print "<option value=$i " . ($expiry == $i ? "selected='selected'" : "") . " >$i Years</option>\n" ;
        }
        ?>
        </select></td>
        </tr>
        <tr>
        <td>&nbsp</td>
        <td>
-	<center><input type=submit name=submit value="Submit Request">&nbsp
+            <input type="submit" name="submit" value="Submit Request">&nbsp
-	<input type=submit name=submit value="Back"></center>
+            <input type="submit" name="submit" value="Back">
-	</td>
+            <input type="hidden" name="stage" value="renew">
-	<td>
+            <input type="hidden" name="serial" value="<?php echo $serial ?>" >
 	<input type=hidden name=stage value=renew>
 	<input type=hidden name=serial value=<?=$serial?>>
        </td>
        </tr>
        </table>
        </form>
-	<?
+
    <?php
    printFooter();
        break;
    case 'renew':
        $ret = true;
-	if ($submit == "Submit Request")
+        if ($submit == "Submit Request") {
            list($ret, $errtxt) = CA_renew_cert($serial, $expiry, $passwd);
        }
        if (! $ret) {
            printHeader('ca');
@@ -286,42 +304,46 @@ case 'renew':
            print "<form action=\"$PHP_SELF?stage=renew-form&serial=$serial&$qstr_sort&$qstr_filter\" method=post>";
            ?>
            <font color=#ff0000>
-		<h2>There was an error creating your certificate.</h2></font><br>
+            <h2>There was an error creating your certificate.</h2>
            </font><br>
            <blockquote>
            <h3>Debug Info:</h3>
-		<pre><?=$errtxt?></pre>
+            <pre><?php echo $errtxt?></pre>
            </blockquote>
            <p>
-		<input type=submit name=submit value=Back>
+            <input type="submit" name="submit" value="Back">
            <p>
            </form>
-		<?
+            <?php
-	}
+        } else {
 	else {
            header("Location: $PHP_SELF?$qstr_sort&$qstr_filter");
        }
        break;
    default:
        printHeader('ca');
        ?>
        <body onLoad="self.focus();document.filter.search.focus();">
-	<table>
+        <table style="margin:0 auto">
-	<tr><th colspan=8><big>CERTIFICATE MANAGEMENT CONTROL PANEL</big></th></tr>
+        <tr><th colspan=9><big>CERTIFICATE MANAGEMENT CONTROL PANEL</big></th></tr>
-	<tr><td colspan=8><center>
+        <tr><td colspan=9><center>
-	<form action="<?="$PHP_SELF?$qstr_sort"?>" method=get name=filter>
+        <form action="<?php echo "$PHP_SELF?$qstr_sort"?>" method="get" name="filter">
-        Search: <input type=text name=search value="<?=htvar($search)?>" style="font-size: 11px;" maxlength=60 size=30>
+        Search: <input type="text" name=search" value="<?php echo htvar($search)?>" style="font-size: 11px;" maxlength="60" size="30">
-        &nbsp&nbsp&nbsp&nbsp&nbsp&nbsp<input type=checkbox name=show_valid value="V" <?=($show_valid?'checked':'')?>>Valid
+        &nbsp&nbsp&nbsp&nbsp&nbsp&nbsp
-        &nbsp&nbsp<input type=checkbox name=show_revoked value="R" <?=($show_revoked?'checked':'')?>>Revoked
+        <input type="checkbox" name="show_valid" value="V" <?php echo ($show_valid?'checked':'')?>>Valid
-        &nbsp&nbsp<input type=checkbox name=show_expired value="E" <?=($show_expired?'checked':'')?>>Expired
+        &nbsp&nbsp
-        &nbsp&nbsp&nbsp&nbsp&nbsp<input type=submit name=submit value="Apply Filter" style="font-size: 11px;">
+        <input type="checkbox" name="show_revoked" value="R" <?php echo ($show_revoked?'checked':'')?>>Revoked
        &nbsp&nbsp
        <input type="checkbox" name="show_expired" value="E" <?php echo ($show_expired?'checked':'')?>>Expired
        &nbsp&nbsp&nbsp&nbsp&nbsp
        <input type="submit" name="submit" value="Apply Filter" style="font-size: 11px;">
        </form>
    </center></td>
    </tr>
-	<?
+
    <?php
    if (! $sortfield) {
        $sortfield = 'email' ;
@@ -331,18 +353,18 @@ default:
    if ($ascdec == 'A') {
        $arrow_gif = '../images/uparrow-blue.gif';
        $ht_ascdec = 'D';
-	}
+    } else {
 	else {
        $arrow_gif = '../images/downarrow-blue.gif';
        $ht_ascdec = 'A';
    }
    print '<tr>';
    $headings = array(
-		status=>"Status", issued=>"Issued", expires=>"Expires",
+        'status'=>"Status", 'issued'=>"Issued", 'expires'=>"Expires",
-		common_name=>"User's Name", email=>"E-mail", 
+        'common_name'=>"User's Name", 'email'=>"E-mail",
-		organization=>"Organization", unit=>"Department", 
+        'organization'=>"Organization", 'unit'=>"Department",
-		locality=>"Locality"
+        'locality'=>"Locality"
        );
    foreach ($headings as $field => $head) {
@@ -355,40 +377,45 @@ default:
        print '</th>';
    }
        print '<th><font color=green>Actions</font></th>';
        print '</tr>';
        $x = "^[$show_valid$show_revoked$show_expired]";
    if (in_array($PHPki_user, $PHPki_admins)) {
        $x = "$x.*$search";
    } else {
        $x = "$x.*$search.*$PHPki_user|$x.*$PHPki_user.*$search";
    }
        $db = csort(CAdb_to_array($x), $sortfield, ($ascdec=='A'?SORT_ASC:SORT_DESC));
-	$stcolor = array(Valid=>'green',Revoked=>'red',Expired=>'orange');
+        $stcolor = array('Valid'=>'green','Revoked'=>'red','Expired'=>'orange');
    foreach ($db as $rec) {
        print '<tr style="font-size: 11px;">
-			 <td><font color='.$stcolor[$rec['status']].'><b>' .$rec[status].'</b></font></td>
+       <td><font color='. $stcolor[$rec['status']] . '><b>' . $rec['status'] . '</b></font></td>
-			 <td style="white-space: nowrap">'.$rec[issued].'</td>
+       <td style="white-space: nowrap">'.$rec['issued'].'</td>
-			 <td style="white-space: nowrap">'.$rec[expires].'</td>
+       <td style="white-space: nowrap">'.$rec['expires'].'</td>
-			 <td>'.$rec[common_name].'</td>
+       <td>' . $rec['common_name'] . '</td>
       <td style="white-space: nowrap"><a href="mailto:' . htvar($rec['common_name']) . ' <' . htvar($rec['email']) . '>" >' . htvar($rec['email']) . '</a></td>
-			 <td>'.htvar($rec[organization]).'</td>
+       <td>' . htvar($rec['organization']) . '</td>
-			 <td>'.htvar($rec[unit]).'</td>
+       <td>' . htvar($rec['unit']) . '</td>
-			 <td>'.htvar($rec[locality]).'</td>
+       <td>' . htvar($rec['locality']) . '</td>
-			 <td><a href="'.$PHP_SELF.'?stage=display&serial='.$rec[serial].'" target=_certdisp>'.
+       <td><a href="' . $PHP_SELF . '?stage=display&serial=' . $rec['serial'] . '" target=_certdisp>'.
         '<img src=../images/display.png alt="Display" title="Display complete certificate details."></a>';
        if ($rec['status'] == 'Valid') {
            print '
-			<a href="'.$PHP_SELF.'?stage=dl-confirm&serial='.$rec[serial].'&'.$qstr_sort.'&'.$qstr_filter.'">'.
+      <a href="' . $PHP_SELF . '?stage=dl-confirm&serial=' . $rec['serial'] . '&' . $qstr_sort . '&' . $qstr_filter . '">' .
            '<img src=../images/download.png alt="Download" title="Download the PRIVATE certificate. DO NOT DISTRIBUTE THIS TO THE PUBLIC!"></a>
-			<a href="'.$PHP_SELF.'?stage=revoke-form&serial='.$rec[serial].'&'.$qstr_sort.'&'.$qstr_filter.'">'.
+      <a href="' . $PHP_SELF . '?stage=revoke-form&serial=' . $rec['serial'] . '&' . $qstr_sort . '&' . $qstr_filter . '">' .
            '<img src=../images/revoke.png alt="Revoke" title="Revoke the certificate when the e-mail address is no longer valid or the certificate password or private key has been compromised."></a>';
        }
        print '
-		<a href="'.$PHP_SELF.'?stage=renew-form&serial='.$rec[serial].'&'.$qstr_sort.'&'.$qstr_filter.'">'.
+      <a href="' . $PHP_SELF . '?stage=renew-form&serial=' . $rec['serial'] . '&' . $qstr_sort . '&' . $qstr_filter . '">' .
-		'<img src=../images/renew.png alt="Renew" title="Renew the certificate by revoking it, if necessary, and creating a replacement with a new expiration date."></a></td></tr>';
+        '<img src=../images/renew.png alt="Renew" title="Renew the certificate by revoking it, if necessary, and creating a replacement with a new expiration date."></a>
-		
+      </td></tr>';
    }
        print '</table>';
--- a/root/ca/policy.html
+++ b/root/ca/policy.html
@@ -1,78 +1,34 @@
-<html>
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2//EN">
 <html>
 <head>
  <title>Certificate Authority Agreement</title>
 </head>
 <body>
  <h2 align="center">Certificate Authority Agreement</h2>
-<h2 align=center>Certificate Authority Agreement</h2>
+  <h3 align="center">Policy and Practices</h3><br>
-<h3 align=center>Policy and Practices</h3>
+  <br>
-<br><br>
+  <p>This is a statement of practices by this Digital Certificate Authority. Your use of this Certificate Authority constitutes your and/or your agency's understanding and full acceptance of these practices and all associated risks. <strong>Please have an authorized person at your agency sign this document and fax it to 000-000-0000</strong></p>
 <p>This is a statement of practices by this Digital Certificate Authority.  
 Your use of this Certificate Authority constitutes your and/or your agency's 
 understanding and full acceptance of these practices and all associated risks.
 <strong>Please have an authorized person at your agency sign this document and fax it to 000-000-0000</strong>
-<p>This document may not be all encompassing, and we reserve the right to modify it at any time. 
+  <p>This document may not be all encompassing, and we reserve the right to modify it at any time.</p>
  <ul>
-<li> The sole role of this Certificate Authority is
+    <li>The sole role of this Certificate Authority is to provide and maintain a password protected software application for the easy and instant creation and management of standard x.509 personal digital certificates for e-mail encryption. We assume no responsibility for verifying the identity of any persons other than that of the limited number of authorized users of the software. We accept no liability for damages resulting from the use, misuse, or compromise of the software application or its host server.</li>
 to provide and maintain a password protected software application for the easy
 and instant creation and management of standard x.509 personal digital
 certificates for e-mail encryption. We assume no responsibility for
 verifying the identity of any persons other than that of the limited number of
 authorized users of the software.
 We accept no liability for damages resulting from the use, misuse,
 or compromise of the software application or its host server.
-<p><li>As an authorized user of the software, you are in effect <strong>THE</strong> Certificate Authority for your
+    <li>As an authorized user of the software, you are in effect <strong>THE</strong> Certificate Authority for your agency. As such, you are solely responsible for authenticating the identity of the persons for whom you obtain certificates. We accept no responsibility or liability for non-repudiation in any digital certificate created by this software. You agree that password protection to the application by authorized certificate managers, and personal identity management by those managers is sufficient to create a chain of trust for non-repudiation in all digital certificates created using the software.</li>
 agency. As such, you are solely
 responsible for authenticating the identity of the persons for whom you obtain
 certificates. We accept no
 responsibility or liability for non-repudiation in any digital certificate
 created by this software. You agree that
 password protection to the application by authorized certificate managers,
 and personal identity management by
 those managers is sufficient to create a chain of trust for non-repudiation
 in all digital certificates created using the software.
-<p><li>No more than two(2)
+    <li>No more than two(2) users at your agency should have access to your agency's Certificate Authority password. We should be notified immediately, via e-mail, when the employment of any authorized user at your agency is terminated so that a new password can be issued.</li>
 users at your agency should have access to your agency's Certificate Authority
 password. We should be notified
 immediately, via e-mail, when the employment of any
 authorized user at your agency is terminated so that a new password can be
 issued.
-<p><li>This Certificate
+    <li>This Certificate Authority software application is accessed via the Internet using standard SSL or Secure Server encryption mechanisms. Although steps have been taken to protect the security and availability of the host server and application, its exposure to the Internet as well as any presently unknown security flaws could lead to potential compromise of the software and your certificates.</li>
 Authority software application is accessed via the Internet using standard SSL
 or Secure Server encryption mechanisms.
 Although steps have been taken to protect the security and availability
 of the host server and application, its exposure to the Internet as well as any
 presently unknown security flaws could lead to potential compromise of the
 software and your certificates.
-<p><li>No promise is made as
+    <li>No promise is made as to the availability of the software in the event of hardware, software, or telecommunications failure or maintenance.&nbsp; No advanced notice will be given when the software must be temporarily taken off line for service.</li>
 to the availability of the software in the event of hardware, software, or
 telecommunications failure or maintenance.<2E>
 No advanced notice will be given when the software must be temporarily
 taken off line for service.
-<p><li>In order to provide
+    <li>In order to provide software which can easily create "instant" certificates it is necessary to store all private keys on the host server. As such, all private keys are potentially exposed to the Internet and suffer some risk of unauthorized access. However, since all private keys <strong>ARE ENCRYPTED</strong> using a password provided by you, they are unlikely to be usable by any intruder.</li>
 software which can easily create &quot;instant&quot; certificates it is
 necessary to store all private keys on the host server.  As such, all private keys are potentially exposed
 to the Internet and suffer some risk of unauthorized access. However, since all private keys <strong>ARE
 ENCRYPTED</strong> using a password provided by you, they are unlikely to be usable by
 any intruder.
 <p><li>A publicly accessible
 web page is provided for interested Internet users to download the Certificate
 Authority root certificate, certificate revocation list, and search for the
 e-mail addresses and public certificates of users. So as to avoid e-mail address scraping by spammers, no static
 content with users' e-mail addresses is available.
    <li>A publicly accessible web page is provided for interested Internet users to download the Certificate Authority root certificate, certificate revocation list, and search for the e-mail addresses and public certificates of users. So as to avoid e-mail address scraping by spammers, no static content with users' e-mail addresses is available.</li>
  </ul>
 </body>
 </html>
--- a/root/ca/request_cert.php
+++ b/root/ca/request_cert.php
@@ -7,7 +7,7 @@ include('../include/common.php') ;
 include('../include/openssl_functions.php') ;
 # User's preferences file
-$user_cnf = "$config[home_dir]/config/user-".strtr($PHPki_user,'/\\','|#').'.php';
+$user_cnf = $config['home_dir'] . "/config/user-".strtr($PHPki_user, '/\\', '|#').'.php';
 # Retrieve GET/POST values
 $form_stage   = gpvar('form_stage');
@@ -25,7 +25,8 @@ $passwdv      = gpvar('passwdv');
 $expiry       = gpvar('expiry');
 $keysize      = gpvar('keysize');
 $cert_type    = gpvar('cert_type');
-
+$dns_names    = gpvar('dns_names');
 $ip_addr      = gpvar('ip_addr');
 # To repopulate form after error.
 $hidden_fields = '
@@ -41,59 +42,94 @@ $hidden_fields = '
    <input type=hidden name=expiry value="' . htvar($expiry) . '">
    <input type=hidden name=keysize value="' . htvar($keysize) . '">
    <input type=hidden name=cert_type value="' . htvar($cert_type) . '">
    <input type=hidden name=dns_names value="' . htvar($dns_names) . '">
    <input type=hidden name=ip_addr value="' . htvar($ip_addr) . '">
 ';
 switch ($form_stage) {
    case 'validate':
        $er = '';
-	if (! $country)      $er .= 'Missing Country<br>';
+        if (! $country) {
-	if (! $province)     $er .= 'Missing State/Province<br>';
+            $er .= 'Missing Country<br>';
-	if (! $locality)     $er .= 'Missing Locality (City/County)<br>';
+        }
-	if (! $organization) $er .= 'Missing Organization (Company/Agency)<br>';
+        if (! $province) {
-	if (! $unit)         $er .= 'Missing Unit/Department<br>';
+            $er .= 'Missing State/Province<br>';
-	if (! $common_name)  $er .= 'Missing E-mail User\'s Full Name<br>';
+        }
-	if (! $email)        $er .= 'Missing E-mail Address<br>';
+        if (! $locality) {
            $er .= 'Missing Locality (City/County)<br>';
        }
        if (! $organization) {
            $er .= 'Missing Organization (Company/Agency)<br>';
        }
        if (! $unit) {
            $er .= 'Missing Unit/Department<br>';
        }
        if (! $common_name) {
            $er .= 'Missing E-mail User\'s Full Name<br>';
        }
        if (! $email) {
            $er .= 'Missing E-mail Address<br>';
        }
-	if (($cert_type == 'email' || $cert_type == 'email_signing') && ! $passwd)       $er .= 'Missing Certificate Password<br>';
+        if (($cert_type == 'email' || $cert_type == 'email_signing') && ! $passwd) {
-	if (($cert_type == 'email' || $cert_type == 'email_signing') && ! $passwdv)      $er .= 'Missing Certificate Password Verification "Again"<br>';
+            $er .= 'Missing Certificate Password<br>';
        }
        if (($cert_type == 'email' || $cert_type == 'email_signing') && ! $passwdv) {
            $er .= 'Missing Certificate Password Verification "Again"<br>';
        }
-	if ( $passwd && strlen($passwd) < 8 )
+        if ($passwd && strlen($passwd) < 8) {
            $er .= 'Certificate password is too short.<br>';
        }
-	if ( $passwd and $passwd != $passwdv )
+        if ($passwd and $passwd != $passwdv) {
            $er .= 'Password and password verification do not match.<br>';
        }
        //if ( ! is_alnum($passwd) or ! is_alnum($passwdv) )
        //  $er .= 'Password contains invalid characters.<br>';
-	if ( $email && ! is_email($email) )
+        if ($email && ! is_email($email)) {
            $er .= 'E-mail address ('. htvar($email) . ') may be invalid.<br>';
        }
-	if ( $er )
+        $ip_ar=explode("\n", $ip_addr);
        foreach ($ip_ar as $value) {
            if ($value && ! is_ip($value)) {
                $er .= 'IP address ('. htvar($value) . ') may be invalid.<br>';
            }
        }
        $dns_n=explode("\n", $dns_names);
        foreach ($dns_n as $value) {
            if ($value && ! is_fqdn(trim($value))) {
                $er .= 'DNS Name ('. htvar($value) . ') may be invalid.<br>';
            }
        }
        if ($er) {
            $er = '<h2>ERROR(S) IN FORM:</h2><h4><blockquote>' . $er . '</blockquote></h4>';
-
+        }
        if ($email && ($serial = CAdb_in($email, $common_name))) {
            $er = '';
            $certtext = CA_cert_text($serial);
            $er .= '<h2>A valid certificate already exists for ' . htvar("$common_name  <$email>") . '</h2>';
            $er .= '</font><blockquote><pre> ' . htvar($certtext) . ' </pre></blockquote>';
        }
        if ($er) {
            printHeader();
            ?>
-		<form action='<?=$PHP_SELF?>' method=post>
+        <form action='<?php echo $PHP_SELF?>' method=post>
        <input type=submit name=submit value='Go Back'>
-		<font color=#ff0000><?=$er?></font>
+        <font color=#ff0000><?php echo $er?></font>
        <br><input type=submit name=submit value='Go Back'>
-		<?
+        <?php
        print $hidden_fields;
        print "</form>";
@@ -119,10 +155,17 @@ case 'confirm':
        Certificate Life<br>
        Key Size<br>
        Certificate Use<br>
        <?php
        if ($cert_type == 'server') {
            print 'DNS Alt Names<br>';
            print 'IP Addresses<br>';
        }
        ?>
        </p>
        </td>
        <td>
-    	<?
+        <?php
        print htvar($common_name) . '<br>';
        print htvar($email) . '<br>';
        print htvar($organization) . '<br>';
@@ -132,20 +175,46 @@ case 'confirm':
        print htvar($country) . '<br>';
        print htvar($expiry). ' Year'.($expiry == 1 ? '' : 's').'<br>';
        print htvar($keysize). ' bits<br>';
-	print htvar($cert_type). '<br>';
+
        switch ($cert_type) {
            case 'email':
                print 'E-mail, SSL Client' . '<br>';
                break;
            case 'email_signing':
                print 'E-mail, SSL Client, Code Signing' . '<br>';
                break;
            case 'server':
                print 'SSL Server' . '<br>';
                print htvar($dns_names). '<br>';
                print htvar($ip_addr). '<br>';
                break;
            case 'vpn_client':
                print 'VPN Client Only' . '<br>';
                break;
            case 'vpn_server':
                print 'VPN Server Only' . '<br>';
                break;
            case 'vpn_client_server':
                print 'VPN Client, VPN Server' . '<br>';
                break;
            case 'time_stamping':
                print 'Time Stamping' . '<br>';
        }
        ?>
        </td>
        </tr></table>
-	<h4>Are you sure?</h4>
+
-	<p><form action='<?=$PHP_SELF?>' method=post>
+        <h4>Are you sure? After creation you will be returned to the Create Certificate dialogue.</h4>
-	<?= $hidden_fields ?>
+        <p><form action='<?php echo $PHP_SELF?>' method=post>
        <?php echo  $hidden_fields ?>
        <input type=hidden name=form_stage value=final>
-  	<input type=submit name=submit value='Yes' >&nbsp;
+        <!-- <input type=submit name=submit value='Yes. Create and Download' >&nbsp; -->
        <input type=submit name=submit value='Yes. Just Create' >&nbsp;
        <input type=submit name=submit value='Go Back'>
        </form>
-	<?
+        <?php
        printFooter();
        # Save user's defaults
@@ -165,106 +234,171 @@ case 'confirm':
        break;
    case 'final':
-	if ($submit == "Yes") {
+        if ($submit == "Yes. Create and Download" || $submit == "Yes. Just Create") {
            if (! $serial = CAdb_in($email, $common_name)) {
-			list($ret,$errtxt) = CA_create_cert($cert_type,$country, $province, $locality, $organization, $unit, $common_name, $email, $expiry, $passwd, $keysize);
+                list($ret,$errtxt) = CA_create_cert($cert_type, $country, $province, $locality, $organization, $unit, $common_name, $email, $expiry, $passwd, $keysize, $dns_names, $ip_addr);
                if (! $ret) {
                        printHeader();
                    ?>
-				<form action=<?=$PHP_SELF?> method=post>
+                    <form action="<?php echo $PHP_SELF?>" method="post">
                    <font color=#ff0000>
                    <h2>There was an error creating your certificate.</h2></font><br>
                    <blockquote>
                    <h3>Debug Info:</h3>
-				<pre><?=$errtxt?></pre>
+                    <pre><?php echo $errtxt?></pre>
                    </blockquote>
                    <p>
-				<?=$hidden_fields?>
+                    <?php echo $hidden_fields?>
                    <input type=submit name=submit value=Back>
                    <p>
                </form>
-				<?
+                <?php
                printFooter();
                break;
-        		}
+                } else {
        		else {
                    $serial = $errtxt;
                    // We could add 'return to index or create another certificate'
                }
            }
-		# CLear common_name fiels
+        }
        // This section is disabled in the form above
        // If we do Download it does not return to Create New cert
        // I believe this is because the upload function messes the http headers
        // There may be a solution but I haven't got one
        if ($submit == "Yes. Create and Download") {
            switch ($cert_type) {
                case 'server':
                    # upload(array("$config[private_dir]/$serial-key.pem","$config[new_certs_dir]/$serial.pem",$config['cacert_pem']), "$common_name ($email).pem",'application/pkix-cert');
                    upload(array($config['private_dir'] . "/$serial-key.pem",$config['new_certs_dir'] . "/$serial.pem",$config['cacert_pem']), $rec['common_name'] . "-Bundle.pem", 'application/pkix-cert');
                    break; # << Here
                case 'email':
                case 'email_signing':
                case 'time_stamping':
                case 'vpn_client_server':
                case 'vpn_client':
                case 'vpn_server':
                    # upload("$config[pfx_dir]/$serial.pfx", "$common_name ($email).p12", 'application/x-pkcs12');
                    upload($config['pfx_dir'] . "/$serial.pfx", $rec['common_name'] . ".p12", 'application/x-pkcs12');
                    break; # << here
            }
            # Clear common_name fields
            $common_name = '';
            break;
        }
    # Clear common_name fields
        $common_name = '';
-	}
+    // We could add 'return to index or create another certificate'
    default:
        #
        # Default fields to reasonable values if necessary.
        #
-	if (! $submit and file_exists($user_cnf)) include($user_cnf);
+        if (! $submit and file_exists($user_cnf)) {
            include($user_cnf);
        }
-	if (! $country)       $country = $config['country'];
+        if (! $country) {
-	if (! $province)      $province = $config['province'];
+            $country = $config['country'];
-	if (! $locality)      $locality = "";
+        }
-	if (! $organization)  $organization = "";
+        if (! $province) {
-	if (! $unit)          $unit = "";
+            $province = $config['province'];
-	if (! $email)         $email = "";
+        }
-	if (! $expiry)        $expiry = 1;
+        if (! $locality) {
-	if (! $keysize)       $keysize = 1024;
+            $locality = "";
-	if (! $cert_type)     $cert_type = 'email';
+        }
        if (! $organization) {
            $organization = "";
        }
        if (! $unit) {
            $unit = "";
        }
        if (! $email) {
            $email = "";
        }
        if (! $expiry) {
            $expiry = 1;
        }
        if (! $keysize) {
            $keysize = 2048;
        }
        if (! $cert_type) {
            $cert_type = 'email';
        }
        if (! $dns_names) {
            $dns_names = "";
        }
        if (! $ip_addr) {
            $ip_addr = "";
        }
        printHeader();
        ?>
-	<body onLoad="self.focus();document.request.common_name.focus();">
+
-	<form action="<?=$PHP_SELF?>" method=post name=request>
+        <body onLoad="self.focus();document.request.common_name.focus();document.request.cert_type.onchange();">
        <form action="<?php echo $PHP_SELF?>" method=post name=request>
        <table width=99%>
        <th colspan=2><h3>Certificate Request Form</h3></th>
-
+        <?php
        if ($serial) {
            echo "<tr><td><h4><font color=red>Previous Certificate Created successfully</font></h4></td><td></h4><font color=red>$serial</font></h4></td></tr>";
            echo "<tr><td><h4>Create another or go to back to the Menu</h4></td><td><a href='index.php'>Menu</a></td></tr>";
        }
        ?>
        <tr>
-	<td width=30%>Common Name<br>(i.e. User real name or computer hostname) </td>
+        <td width=30%>Common Name<font color=red size=3> *</font><br>(i.e. User real name or computer hostname - used as SubjectAltName)</td>
-	<td><input type=text name=common_name value="<?= htvar($common_name)?>" size=50 maxlength=60></td>
+        <td><input type=text name=common_name value="<?php echo  htvar($common_name)?>" size=50 maxlength=60></td>
        </tr>
        <tr>
-	<td>E-mail Address </td>
+        <td>E-mail Address<font color=red size=3> *</font></td>
-	<td><input type=text name=email value="<?=htvar($email)?>" size=50 maxlength=60></td>
+        <td><input type=text name=email value="<?php echo htvar($email)?>" size=50 maxlength=60></td>
        </tr>
        <tr>
-	<td>Organization (Company/Agency)</td>
+        <td>Organization(Company/Agency)<font color=red size=3> *</font></td>
-	<td><input type=text name=organization value="<?=htvar($organization)?>" size=60 maxlength=60></td>
+        <td><input type=text name=organization value="<?php echo htvar($organization)?>" size=60 maxlength=60></td>
        </tr>
        <tr>
-	<td>Department/Unit </td><td><input type=text name=unit value="<?= htvar($unit) ?>" size=40 maxlength=60></td>
+        <td>Department/Unit<font color=red size=3> *</font> </td><td><input type=text name=unit value="<?php echo  htvar($unit) ?>" size=40 maxlength=60></td>
        </tr>
        <tr>
-	<td>Locality (City/County)</td><td><input type=text name=locality value="<?= htvar($locality) ?>" size=30 maxlength=30></td>
+        <td>Locality(City/County)<font color=red size=3> *</font></td><td><input type=text name=locality value="<?php echo  htvar($locality) ?>" size=30 maxlength=30></td>
        </tr>
        <tr>
-	<td>State/Province</td><td><input type=text name=province value="<?= htvar($province) ?>" size=30 maxlength=30></td>
+        <td>State/Province<font color=red size=3> *</font></td><td><input type=text name=province value="<?php echo  htvar($province) ?>" size=30 maxlength=30></td>
        </tr>
        <tr>
-	<td>Country</td>
+        <td>Country<font color=red size=3> *</font></td>
-	<td><input type=text name=country value="<?= htvar($country) ?>" size=2 maxlength=2></td>
+        <td><input type=text name=country value="<?php echo  htvar($country) ?>" size=2 maxlength=2></td>
        </tr>
        <tr>
-	<td>Certificate Password </td>
+        <td>Certificate Password<font color=red size=3> *</font><br>(Min 8 chars - Mandatory for Email,SSL Client,Code signing)</td>
-	<td><input type=password name=passwd value="<?= htvar($passwd) ?>" size=30>&nbsp;&nbsp; Again <input type=password name=passwdv  value="<?= htvar($passwdv) ?>" size=30></td>
+        <td>
            <input type=password name=passwd value="<?php echo  htvar($passwd) ?>" size=30>&nbsp;&nbsp;&nbsp;Again
            <input type=password name=passwdv value="<?php echo  htvar($passwdv) ?>" size=30>
        </td>
        </tr>
        <tr>
-	<td>Certificate Life </td>
+        <td>Certificate Life<font color=red size=3>*</font> </td>
        <td><select name=expiry>
 	<?
-	print "<option value=0.25 ". ($expiry == 0.25 ? "selected='selected'" : "") . " >3 Months</option>\n" ;
+        <?php
-        print "<option value=0.5 ". ($expiry == 0.5 ? "selected='selected'" : "") . " >6 Months</option>\n" ;
+        print "<option value=0.083 " . ($expiry == 1 ? "selected='selected'" : "") . " >1 Month</option>\n" ;
        print "<option value=0.25 " . ($expiry == 1 ? "selected='selected'" : "") . " >3 Months</option>\n" ;
        print "<option value=0.5 " . ($expiry == 1 ? "selected='selected'" : "") . " >6 Months</option>\n" ;
        print "<option value=1 " . ($expiry == 1 ? "selected='selected'" : "") . " >1 Year</option>\n" ;
        for ($i = 2; $i <= 5; $i++) {
            print "<option value=$i " . ($expiry == $i ? "selected='selected'" : "") . " >$i Years</option>\n" ;
@@ -276,21 +410,22 @@ default:
        </tr>
        <tr>
-	<td>Key Size </td>
+        <td>Key Size<font color=red size=3>*</font> </td>
        <td><select name=keysize>
-	<?
+        <?php
        for ($i = 512; $i <= 4096; $i+= 512) {
            print "<option value=$i " . ($keysize == $i ? "selected='selected'" : "") . ">$i bits</option>\n" ;
        }
        ?>
        </select></td>
        </tr>
        <tr>
-	<td>Certificate Use: </td>
+        <td>Certificate Use:<font color=red size=3>*</font> </td>
-	<td><select name=cert_type>
+        <td><select name=cert_type onchange="if (this.value=='server')
-	<?
+            {setVisibility('testrow1',true);setVisibility('testrow2',true);} else {setVisibility('testrow1',false);setVisibility('testrow2',false);}">
        <?php
        print '<option value="email" '.($cert_type=='email'?'selected':'').'>E-mail, SSL Client</option>';
        print '<option value="email_signing" '.($cert_type=='email_signing'?'selected':'').'>E-mail, SSL Client, Code Signing</option>';
        print '<option value="server" '.($cert_type=='server'?'selected':'').'>SSL Server</option>';
@@ -302,13 +437,23 @@ default:
        </select></td>
        </tr>
        <tr id="testrow2" name="testrow2" style="visibility:hidden;display:none;">
        <td>Alternative DNS Names<br>(only one per Line)</td><td><textarea name=dns_names cols=30 rows=5><?php echo htvar($dns_names) ?></textarea></td>
        </tr>
        <tr id="testrow1" name="testrow1" style="visibility:hidden;display:none;">
        <td>IP's<br>(only one per Line)</td><td><textarea name=ip_addr cols=30 rows=5><?php echo htvar($ip_addr) ?></textarea></td>
        </tr>
        <tr>
-	<td><center><input type=submit name=submit value='Submit Request'></center><input type=hidden name=form_stage value='validate'></td><td><font color=red size=3>* All fields are required</td>
+            <td>&nbsp</td>
            <td>&nbsp</td>
        </tr>
        <tr>
        <td><font color=red size=3>* Fields are required</td><td><input type=submit name=submit value='Submit Request'><input type=hidden name=form_stage value='validate'></td>
        </tr>
        </table>
        </form>
-	<?
+    <?php
    printFooter();
 }
--- a/root/config.php
+++ b/root/config.php
@@ -1,3 +1,2 @@
 <?php
-define(PHPKI_VERSION, "0.82");
+define("PHPKI_VERSION", "0.84");
 ?>
--- a/root/css/style.css
+++ b/root/css/style.css
@@ -15,7 +15,7 @@ body {
  padding: 0;
  background: #fafaff;
  font-family: Arial, Veranda, Helvetica, sans-serif;
-	font-size: 12px; 
+  font-size: 14px;
 }
 img {
@@ -44,6 +44,9 @@ form {
  margin: 0;
 }
 input[type='submit']:active{
  background-color:green;
 }
 fieldset {
  border: 2px solid black;
@@ -108,26 +111,25 @@ td {
  border-bottom: 2px solid #808080;
  color: #000000;
 }
 .menu a {
  vertical-align: bottom;
  text-decoration: none;
  font-size: 13px;
 }
 .headermenu-ie {
-	text-align: right;
+  text-align: center;
  margin-right: 0.1in;
-        margin-top: -0.20in;
+  margin-top: 0.20in;
 }
 .headermenu-konq {
-	text-align: right;
+  text-align: center;
  margin-right: 0.1in;
-        margin-top: -0.25in;
+  margin-top: 0.25in;
 }
 .logo-ie {
  font-family: 'impact', sans-serif;
  font-size: 60pt;
@@ -147,7 +149,8 @@ td {
  margin-right: 0.4in;
  margin-top: -0.52in;
  margin-bottom: 0;
-  text-align: left; }
+  text-align: left;
 }
 .logo-konq {
  font-family: 'impact', sans-serif;
--- a/root/gen_crl.php
+++ b/root/gen_crl.php
@@ -1,4 +1,7 @@
 <?php
 /* Generate CRLs from cron
 * Add a link to your cron to automagically update the CRL
 */
 include('../html/config.php');
 include(STORE_DIR.'/config/config.php');
@@ -7,6 +10,3 @@ include('../html/include/common.php') ;
 include('../html/include/openssl_functions.php') ;
 CA_generate_crl();
 ?>
--- a/root/help.php
+++ b/root/help.php
@@ -5,12 +5,14 @@ include('./include/common.php');
 printHeader(about);
 ?>
-<center><h1>PHPki HELP FILES</h1>
+<center>
-<a href=<?=BASE_URL?>help/PKI_basics.html><h3>PKI and E-mail Encryption - A Brief Explanation</h3></a>
+  <h1>PHPki HELP FILES</h1>
-<a href=<?=BASE_URL?>help/cacert_install_ie.html><h3>Installing Our Root Certificate For Use With Outlook and Outlook Express</h3></a>
+  <p><a href="<?php echo BASE_URL?>help/PKI_basics.html"><h3>PKI and E-mail Encryption - A Brief Explanation</h3></a></p>
-<p><a href=<?=BASE_URL?>help/usercert_install_ie.html><h3>Installing Your Personal E-mail Certificate For Use With Outlook and Outlook Express</h3></a>
+  <p><a href="<?php echo BASE_URL?>help/cacert_install_ie.html"><h3>Installing Our Root Certificate For Use With Outlook and Outlook Express</h3></a></p>
-<p><a href=<?=BASE_URL?>help/glossary.html><h3>Glossary</h3></a>
+  <p><a href="<?php echo BASE_URL?>help/usercert_install_ie.html"><h3>Installing Your Personal E-mail Certificate For Use With Outlook and Outlook Express</h3></a></p>
  <p><a href="<?php echo BASE_URL?>help/glossary.html"><h3>Glossary</h3></a></p>
 </center>
-<?
+<?php
 printFooter();
 ?>
--- a/root/help/PKI_basics.html
+++ b/root/help/PKI_basics.html
@@ -1,64 +1,28 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <link rel='stylesheet' type='text/css' href='../css/style.css'>
  <title>PKI and E-mail Encryption - A Brief Explanation</title>
 </head>
 <body>
-<center><h1>PKI and E-mail Encryption - A Brief Explanation</h2></center>
+  <center>
    <h1>PKI and E-mail Encryption - A Brief Explanation</h1>
  </center>
-PKI stands for <cite>Public Key Infrastructure</cite>. PKI is Information 
+  <p>PKI stands for <cite>Public Key Infrastructure</cite>. PKI is Information Technology infrastructure that enables users of a basically unsecure public network (such as the Internet) to securely and privately exchange data through the use of a <a href="glossary.html#KEYS" target="glossary">public and a private cryptographic key pair</a> that is obtained and shared through a <a href="glossary.html#CA" target="glossary">trusted Authority</a>.</p>
 Technology infrastructure that enables users of a basically unsecure public 
 network (such as the Internet) to securely and privately exchange data through 
 the use of a <a href=glossary.html#KEYS target=glossary>public and a private 
 cryptographic key pair</a> that is obtained and shared through a 
 <a href=glossary.html#CA target=glossary>trusted Authority</a>.
-<p>
+  <p>Public and private keys are like two halves of a single key. PKI encryption algorithms are designed such that a public key is used to encrypt or "lock" a message, and only the complementary private key can "unlock" that message. Think of a bank vault or safe that can only be unlocked by two individuals using two different but complementary keys. Neither of those keys can be used by itself to unlock the vault.</p>
 Public and private keys are like two halves of a single key.  PKI encryption
 algorithms are designed such that a public key is used to encrypt or
 "lock" a message, and only the complementary private key can "unlock" that
 message.
 Think of a bank vault or safe that can only be unlocked by two individuals 
 using two different but complementary keys. Neither of those keys can be used
 by itself to unlock the vault.
-<p>
+  <p>In practice, individuals wishing to exchange encrypted e-mail will agree to mutually trust one or more <a href="glossary.html#CA" target="glossary">Certificate Authorities(CA)</a> by downloading and installing each trusted Authority's <a href="glossary.html#ROOT-CERT" target="glossary">root certificate</a> on their computers. They will each obtain their own personal <a href="glossary.html#CERTIFICATE" target="glossary">digital certificate</a> from a trusted Certificate Authority, and install them on their respective computers. Because they mutually trust the Certificate Authorities, they trust each other's digital certificates. More specifically, they trust the <a href="glossary.html#KEYS" target="glossary">public keys</a> contained within their personal digital certificates which have been <a href="glossary.html#SIGNATURE" target="glossary">digitally signed</a> by a trusted Certificate Authority. They will then exchange their trusted public keys by sending each other digitally
-In practice, individuals wishing to exchange encrypted e-mail
+  signed e-mail messages. Once each party has the other's public key, they may exchange trusted and encrypted messsages.</p>
 will agree to mutually trust one or more <a href=glossary.html#CA target=glossary>
 Certificate Authorities(CA)</a> by downloading and installing each trusted Authority's 
 <a href=glossary.html#ROOT-CERT target=glossary>root certificate</a> on their computers.
 They will each obtain their own personal 
 <a href=glossary.html#CERTIFICATE target=glossary>digital certificate</a>
 from a trusted Certificate Authority, and install them on their
 respective computers.
 Because they mutually trust the Certificate Authorities, they trust each other's
 digital certificates.  More specifically, they trust the 
 <a href=glossary.html#KEYS target=glossary>public keys</a> contained within
 their personal digital certificates which have been 
 <a href=glossary.html#SIGNATURE target=glossary>digitally signed</a> by a
 trusted Certificate Authority.
 They will then exchange their trusted public keys by sending each other 
 digitally signed e-mail messages.  Once each party has the other's public key,
 they may exchange trusted and encrypted messsages.  
-<p>
+  <p>Public key exchange and encryption is like exchanging notarized documents. One trusts a notarized document because a trusted third party, the Notary Public, has signed it. The Certificate Authority is the Notary Public, and the public keys are the documents.</p>
 Public key exchange and encryption is like exchanging notarized documents.
 One trusts a notarized document because a trusted third party, the Notary 
 Public, has signed it.  The Certificate Authority is the Notary Public, and
 the public keys are the documents.
-<p>
+  <p>Remember, having a personal digital certificate alone does <strong>not</strong> give one the ability to send encrypted e-mail to others, but only allows the <strong>receipt</strong> of encrypted e-mail. PKI is a cooperative encryption standard. Both parties who are exchanging encrypted messages must have personal digital certificates, they must trust the Certificate Authority which issued the other persons certificate, and they must exchange public keys with each other, as described above.</p>
 Remember, having a personal digital certificate alone does <strong>not</strong> 
 give one the ability to send encrypted e-mail to others, but only allows the 
 <strong>receipt</strong> of encrypted e-mail.  PKI is a cooperative encryption
 standard.  Both parties who are exchanging encrypted messages must have
 personal digital certificates, they must trust the Certificate Authority 
 which issued the other persons certificate, and they must exchange
 public keys with each other, as described above.
 <p>
 The process of installing certificates and exchanging public keys is dependent
 upon the e-mail application one uses, and is beyond the scope of this document.
  <p>The process of installing certificates and exchanging public keys is dependent upon the e-mail application one uses, and is beyond the scope of this document.</p>
 </body>
 </html>
--- a/root/help/cacert_install_ie.html
+++ b/root/help/cacert_install_ie.html
@@ -1,29 +1,47 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-<title>Root Certificate Installation for Outlook & Outlook Express</title> 
+  <title>Root Certificate Installation for Outlook &amp; Outlook Express</title>
  <link rel='stylesheet' type='text/css' href='../css/style.css'>
 </head>
 <body>
 <center><h1>Root Certificate Installation for Outlook & Outlook Express</h1>
 <h2>A Step-by-Step Guide</h2></center><br>
 <h4>
 <p><img src=../images/right-click-install-cacert.jpg>
 <p>Open the folder which holds the certificates you have downloaded.<br>
 Right-click on the certificate you wish to install, and select
 <cite>Install Certificate</cite> from the context menu.
 <p><br><img src=../images/cert-wizard1-welcome.jpg >
 <p>Click the <cite>Next</cite> button in the <cite>Certificate Wizard</cite> 
 welcome window.
 <p><br><img src=../images/cert-wizard4-select-store.jpg>
 <p>Click the <cite>Next</cite> button in the <cite>Select a Certificate Store</cite> window.
 <p><br><img src=../images/cert-wizard5-root-final.jpg>
 <p>Click the <cite>Finish</cite> button in the <cite>Complete the Certificate..</cite> window.
 <p><br><img src=../images/confirm-install-cacert.jpg>
 <p>You may be asked to confirm the root certificate installation.  Click the <cite>Yes</cite> button if a window like this appears.
 <p><br><img src=../images/import-successful.jpg>
 <p>Windows confirms the root certificate was successfully imported.<br>
 You may now <a href=usercert_install_ie.html>install your personal e-mail certificate</a>.
-</h4>
+<body>
  <center>
    <h1>Root Certificate Installation for Outlook &amp; Outlook Express</h1>
    <h2>A Step-by-Step Guide</h2>
  </center><br>
  <p><img src="../images/right-click-install-cacert.jpg"></p>
  <p>Open the folder which holds the certificates you have downloaded.<br>
  Right-click on the certificate you wish to install, and select <cite>Install Certificate</cite> from the context menu.</p>
  <p><br>
  <img src="../images/cert-wizard1-welcome.jpg"></p>
  <p>Click the <cite>Next</cite> button in the <cite>Certificate Wizard</cite> welcome window.</p>
  <p><br>
  <img src="../images/cert-wizard4-select-store.jpg"></p>
  <p>Click the <cite>Next</cite> button in the <cite>Select a Certificate Store</cite> window.</p>
  <p><br>
  <img src="../images/cert-wizard5-root-final.jpg"></p>
  <p>Click the <cite>Finish</cite> button in the <cite>Complete the Certificate..</cite> window.</p>
  <p><br>
  <img src="../images/confirm-install-cacert.jpg"></p>
  <p>You may be asked to confirm the root certificate installation. Click the <cite>Yes</cite> button if a window like this appears.</p>
  <p><br>
  <img src="../images/import-successful.jpg"></p>
  <p>Windows confirms the root certificate was successfully imported.<br>
  You may now <a href="usercert_install_ie.html">install your personal e-mail certificate</a>.</p>
 </body>
 </html>
--- a/root/help/glossary.html
+++ b/root/help/glossary.html
@@ -1,144 +1,169 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <title>PHPki Glossary</title>
  <link rel='stylesheet' type='text/css' href='../css/style.css'>
 </head>
 <body>
  <a name="TOP" id="TOP"></a> <a name="PKI" id="PKI"></a>
 <a name=TOP></a>
 <a name=PKI></a><p>
  <table>
-<th><h2>PUBLIC KEY INFRASTRUCTURE</h2></th>
+    <tr>
-<tr><td>
+      <th>
-PKI stands for <cite>Public Key Infrastructure</cite>. PKI is IT infrastructure that enables users of a basically unsecure public network (such as the Internet) to securely and privately exchange data through the use of a public and a private <a href=#KEYS>cryptographic key pair</a> that is obtained and shared through a trusted authority. 
+        <h2>PUBLIC KEY INFRASTRUCTURE</h2>
      </th>
    </tr>
-PKI is not only software or hardware. It is an infrastructure.  So, PKI is a combination of products, services, facilities, policies, procedures, agreements, and people.  All of these elements work together to provide for secure interactions on the Internet and other open networks. PKI is not a single monolithic entity, but a distributed system.   The component elements may include multiple organization-specific public key infrastructures that are interoperable and interconnected.
+    <tr>
-</td></tr>
+      <td>PKI stands for <cite>Public Key Infrastructure</cite>. PKI is IT infrastructure that enables users of a basically unsecure public network (such as the Internet) to securely and privately exchange data through the use of a public and a private <a href="#KEYS">cryptographic key pair</a> that is obtained and shared through a trusted authority. PKI is not only software or hardware. It is an infrastructure. So, PKI is a combination of products, services, facilities, policies, procedures, agreements, and people. All of these elements work together to provide for secure interactions on the Internet and other open networks. PKI is not a single monolithic entity, but a distributed system. The component elements may include multiple organization-specific public key infrastructures that are interoperable and interconnected.</td>
-</table>
+    </tr>
  </table><a name="CERTIFICATE" id="CERTIFICATE"></a>
 <a name=CERTIFICATE></a><p>
  <table>
-<th><h2>DIGITAL CERTIFICATE</h2></th>
+    <tr>
-<tr><td>
+      <th>
-<p>
+        <h2>DIGITAL CERTIFICATE</h2>
-An attachment to an electronic message used for security purposes. The most common use of a digital certificate is to verify that a user sending a message is who he or she claims to be, and to provide the receiver with the means to encode a reply. 
+      </th>
    </tr>
-<p>An individual wishing to send an encrypted message applies for a digital certificate from a <a href=#CA>Certificate Authority (CA)</a>. The CA issues an encrypted digital certificate containing the applicant's <a href=#KEYS>public key</a> and a variety of other identification information. The CA makes its own public key readily available through print publicity or perhaps on the Internet. 
+    <tr>
      <td>
        <p>An attachment to an electronic message used for security purposes. The most common use of a digital certificate is to verify that a user sending a message is who he or she claims to be, and to provide the receiver with the means to encode a reply.</p>
-<p>The recipient of an encrypted message uses the CA's public key to decode the digital certificate attached to the message, verifies it as issued by the CA and then obtains the sender's public key and identification information held within the certificate. With this information, the recipient can send an encrypted reply. 
+        <p>An individual wishing to send an encrypted message applies for a digital certificate from a <a href="#CA">Certificate Authority (CA)</a>. The CA issues an encrypted digital certificate containing the applicant's <a href="#KEYS">public key</a> and a variety of other identification information. The CA makes its own public key readily available through print publicity or perhaps on the Internet.</p>
-<p>The most widely used standard for digital certificates is X.509. 
+        <p>The recipient of an encrypted message uses the CA's public key to decode the digital certificate attached to the message, verifies it as issued by the CA and then obtains the sender's public key and identification information held within the certificate. With this information, the recipient can send an encrypted reply.</p>
-</td></tr>
+
-</table>
+        <p>The most widely used standard for digital certificates is X.509.</p>
      </td>
    </tr>
  </table><a name="CA" id="CA"></a>
 <a name=CA></a><p>
  <table>
-<th><h2>CERTIFICATE AUTHORITY</h2></th>
+    <tr>
-<tr><td>
+      <th>
-A trusted third-party organization or company that issues digital certificates used to create digital signatures and <a href=#KEYS>public-private key pairs</a>. The role of the CA in this process is to guarantee that the individual granted the unique certificate is, in fact, who he or she claims to be. Usually, this means that the CA has an arrangement with a financial institution, such as a credit card company, which provides it with information to confirm an individual's claimed identity. CAs are a critical component in data security and electronic commerce because they guarantee that the two parties exchanging information are really who they claim to be. 
+        <h2>CERTIFICATE AUTHORITY</h2>
-</td></tr>
+      </th>
-</table>
+    </tr>
    <tr>
      <td>A trusted third-party organization or company that issues digital certificates used to create digital signatures and <a href="#KEYS">public-private key pairs</a>. The role of the CA in this process is to guarantee that the individual granted the unique certificate is, in fact, who he or she claims to be. Usually, this means that the CA has an arrangement with a financial institution, such as a credit card company, which provides it with information to confirm an individual's claimed identity. CAs are a critical component in data security and electronic commerce because they guarantee that the two parties exchanging information are really who they claim to be.</td>
    </tr>
  </table><a name="KEYS" id="KEYS"></a>
 <a name=KEYS></a><p>
  <table>
-<th><h2>PUBLIC KEY ENCRYPTION</h2></th>
+    <tr>
-<tr><td>
+      <th>
-A cryptographic system that uses two keys -- a public key known to everyone and a private or secret key known only to the recipient of the message. When John wants to send a secure message to Jane, he uses Jane's public key to encrypt the message. Jane then uses her private key to decrypt it. 
+        <h2>PUBLIC KEY ENCRYPTION</h2>
      </th>
    </tr>
-<p>An important element to the public key system is that the public and private keys are related in such a way that only the public key can be used to encrypt messages and only the corresponding private key can be used to decrypt them. Moreover, it is virtually impossible to deduce the private key if you know the public key. 
+    <tr>
-</td></tr>
+      <td>
-</table>
+        <p>A cryptographic system that uses two keys -- a public key known to everyone and a private or secret key known only to the recipient of the message. When John wants to send a secure message to Jane, he uses Jane's public key to encrypt the message. Jane then uses her private key to decrypt it.</p>
        <p>An important element to the public key system is that the public and private keys are related in such a way that only the public key can be used to encrypt messages and only the corresponding private key can be used to decrypt them. Moreover, it is virtually impossible to deduce the private key if you know the public key.</p>
      </td>
    </tr>
  </table><a name="SMIME" id="SMIME"></a>
 <a name=SMIME></a><p>
  <table>
-<th><h2>S/MIME</h2></th>
+    <tr>
-<tr><td>
+      <th>
-S/MIME (Secure Multi-Purpose Internet Mail Extensions) is a secure method of sending e-mail that uses the <a href=#RSA>RSA</a> encryption system. S/MIME is included in the latest versions of the Web browsers from Microsoft and Netscape and has also been endorsed by other vendors that make messaging products. RSA has proposed S/MIME as a standard to the Internet Engineering Task Force (IETF). 
+        <h2>S/MIME</h2>
-</td></tr>
+      </th>
-</table>
+    </tr>
    <tr>
      <td>S/MIME (Secure Multi-Purpose Internet Mail Extensions) is a secure method of sending e-mail that uses the <a href="#RSA">RSA</a> encryption system. S/MIME is included in the latest versions of the Web browsers from Microsoft and Netscape and has also been endorsed by other vendors that make messaging products. RSA has proposed S/MIME as a standard to the Internet Engineering Task Force (IETF).</td>
    </tr>
  </table><a name="RSA" id="RSA"></a>
 <a name=RSA></a><p>
  <table>
-<th><h2>RSA</h2></th>
+    <tr>
-<tr><td>
+      <th>
-RSA is an Internet encryption and authentication system that uses an algorithm developed in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman. The RSA algorithm is the most commonly used encryption and authentication algorithm and is included as part of the Web browsers from Microsoft and Netscape. It's also part of Lotus Notes, Intuit's Quicken, and many other products. The encryption system was owned by RSA Security, but a recent patent expiration placed it into the public domain. The technologies are part of existing or proposed Web, Internet, and computing standards. 
+        <h2>RSA</h2>
-</td></tr>
+      </th>
-</table>
+    </tr>
    <tr>
      <td>RSA is an Internet encryption and authentication system that uses an algorithm developed in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman. The RSA algorithm is the most commonly used encryption and authentication algorithm and is included as part of the Web browsers from Microsoft and Netscape. It's also part of Lotus Notes, Intuit's Quicken, and many other products. The encryption system was owned by RSA Security, but a recent patent expiration placed it into the public domain. The technologies are part of existing or proposed Web, Internet, and computing standards.</td>
    </tr>
  </table><a name="ROOT-CERT" id="ROOT-CERT"></a>
 <a name=ROOT-CERT></a><p>
  <table>
-<th><h2>ROOT CERTIFICATE</h2></th>
+    <tr>
-<tr><td>
+      <th>
-A root certificate is like a MASTER
+        <h2>ROOT CERTIFICATE</h2>
-<a href=#CERTIFICATE>digital certificate</a>.
+      </th>
-You must install a <a href=#CA>certificate authority's</a> root certificate
+    </tr>
-before you can trust other certificates issued by that same certificate
+
-authority.  Root certificates are used to "sign" other certificates.  
+    <tr>
-A signature by a root certificate is somewhat analogous to "notarizing" a
+      <td>A root certificate is like a MASTER <a href="#CERTIFICATE">digital certificate</a>. You must install a <a href="#CA">certificate authority's</a> root certificate before you can trust other certificates issued by that same certificate authority. Root certificates are used to "sign" other certificates. A signature by a root certificate is somewhat analogous to "notarizing" a document in the physical world. When you install a root certificate on your computer, you are saying you "trust" that certification authority and all certificates it signs.</td>
-document in the physical world.  When you install a root certificate on your
+    </tr>
-computer, you are saying you "trust" that certification authority and all
+  </table><a name="SIGNATURE" id="SIGNATURE"></a>
 certificates it signs.
 </td></tr>
 </table>
 <a name=SIGNATURE></a><p>
  <table>
-<th><h2>DIGITAL SIGNATURE</h2></th>
+    <tr>
-<tr><td>
+      <th>
-A digital code that can be attached to an electronically transmitted message 
+        <h2>DIGITAL SIGNATURE</h2>
-that uniquely identifies the sender. Like a written signature, the purpose of
+      </th>
-a digital signature is to guarantee that the individual sending the message
+    </tr>
-really is who he or she claims to be.  Digital certificates inherently provide
+
-digital signature capability to most S/MIME enable e-mail clients. Digitally
+    <tr>
-signing an e-mail usually provides the recipient the with the sender's public
+      <td>A digital code that can be attached to an electronically transmitted message that uniquely identifies the sender. Like a written signature, the purpose of a digital signature is to guarantee that the individual sending the message really is who he or she claims to be. Digital certificates inherently provide digital signature capability to most S/MIME enable e-mail clients. Digitally signing an e-mail usually provides the recipient the with the sender's public key, so the recipient may then send encrypted e-mail back to the sender.</td>
-key, so the recipient may then send encrypted e-mail back to the sender.
+    </tr>
-</td></tr>
+  </table><a name="X509" id="X509"></a>
 </table>
 <a name=X509></a><p>
  <table>
-<th><h2>X.509</h2></th>
+    <tr>
-<tr><td>
+      <th>
-The most widely used standard for defining digital certificates. X.509 is 
+        <h2>X.509</h2>
-actually an ITU Recommendation, which means that has not yet been officially 
+      </th>
-defined or approved. As a result, companies have implemented the standard in 
+    </tr>
-different ways. For example, both Netscape and Microsoft use X.509 certificates
+
-to implement SSL in their web servers and browsers. But an X.509 certificate 
+    <tr>
-generated by Netscape may not be readable by Microsoft products, and vice 
+      <td>The most widely used standard for defining digital certificates. X.509 is actually an ITU Recommendation, which means that has not yet been officially defined or approved. As a result, companies have implemented the standard in different ways. For example, both Netscape and Microsoft use X.509 certificates to implement SSL in their web servers and browsers. But an X.509 certificate generated by Netscape may not be readable by Microsoft products, and vice versa.</td>
-versa.
+    </tr>
-</td></tr>
+  </table><a name="PEM" id="PEM"></a>
 </table>
 <a name=PEM></a><p>
  <table>
-<th><h2>PEM</h2></th>
+    <tr>
-<tr><td>
+      <th>
-PEM is a widely used standard for storing digital certificates.  
+        <h2>PEM</h2>
-A PEM encoded file can contain all of private keys, public keys, and 
+      </th>
-<a href=#X509>(x.509)</a> certificates. It is the default format for OpenSSL.
+    </tr>
-It stores data in Base64 encoded format, surrounded by ascii headers, so it is 
+
-suitable for text mode transfers between systems. PEM files usually end with
+    <tr>
-a <cite>.PEM</cite> extension.
+      <td>PEM is a widely used standard for storing digital certificates. A PEM encoded file can contain all of private keys, public keys, and <a href="#X509">(x.509)</a> certificates. It is the default format for OpenSSL. It stores data in Base64 encoded format, surrounded by ascii headers, so it is suitable for text mode transfers between systems. PEM files usually end with a <cite>.PEM</cite> extension.</td>
-</td></tr>
+    </tr>
-</table>
+  </table><a name="DER" id="DER"></a>
 <a name=DER></a><p>
  <table>
-<th><h2>DER</h2></th>
+    <tr>
-<tr><td>
+      <th>
-DER is a widely used standard for storing digital certificates. A DER encoded
+        <h2>DER</h2>
-file can contain all of private keys, public keys, and <a href=#X509>(x.509)</a>
+      </th>
-certificates.  DER is a binary encoded headerless format.  DER files usually
+    </tr>
-end with a <cite>.CRT</cite> or <cite>.CER</cite> extension.
+
-</td></tr>
+    <tr>
-</table>
+      <td>DER is a widely used standard for storing digital certificates. A DER encoded file can contain all of private keys, public keys, and <a href="#X509">(x.509)</a> certificates. DER is a binary encoded headerless format. DER files usually end with a <cite>.CRT</cite> or <cite>.CER</cite> extension.</td>
    </tr>
  </table><a name="PKCS12" id="PKCS12"></a>
 <a name=PKCS12></a><p>
  <table>
-<th><h2>PKCS #12</h2></th>
+    <tr>
-<tr><td>
+      <th>
-PKCS #12 (a.k.a. Personal Information Exchange Standard) is a standard for storing private keys and certificates securely (well sort of). It is used in (among other things) Netscape and Microsoft Internet Explorer with their import and export options. PKCS12 files usually end with a <cite>.PFX</cite> extension.
+        <h2>PKCS #12</h2>
-</td></tr>
+      </th>
-</table>
+    </tr>
-<br><br></body></html>
+    <tr>
      <td>PKCS #12 (a.k.a. Personal Information Exchange Standard) is a standard for storing private keys and certificates securely (well sort of). It is used in (among other things) Netscape and Microsoft Internet Explorer with their import and export options. PKCS12 files usually end with a <cite>.PFX</cite> extension.</td>
    </tr>
  </table><br>
  <br>
 </body>
 </html>
--- a/root/help/usercert_install_ie.html
+++ b/root/help/usercert_install_ie.html
@@ -1,40 +1,51 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-<title>Personal E-mail Certificate Installation for Outlook & Outlook Express</title> 
+  <title>Personal E-mail Certificate Installation for Outlook &amp; Outlook Express</title>
  <link rel='stylesheet' type='text/css' href='../css/style.css'>
 </head>
 <body>
 <center><h1>Personal E-mail Certificate Installation for Outlook & Outlook Express</h1>
 <h2>A Step-by-Step Guide</h2></center><br>
 <h4>
 <p><img src=../images/right-click-install-usercert.jpg>
 <p>Open the folder which holds the certificates you have downloaded.<br>
 Right-click on the certificate you wish to install, and select
 <cite>Install PFX</cite> from the context menu.
 <p><br><img src=../images/cert-wizard1-welcome.jpg >
 <p>Click the <cite>Next</cite> button in the <cite>Certificate Wizard</cite> 
 welcome window.
 <p><br><img src=../images/cert-wizard2-select-file.jpg>
 <p>Click the <cite>Next</cite> button in the <cite>Select File to Import</cite> window.
 <p><br><img src=../images/cert-wizard3-password.jpg>
 <p>The personal e-mail certificate files created by PHPki contain an encrypted
 copy of your private key. When your certficate was created, a password was
 given to PHPki to encrypt the private key.  The same password is used to
 decrypt your private key and install the certificate.  Do not forget or lose 
 this password as it cannot be recovered under any circumstance.
 Select the <cite>Enable strong private key protection</cite> option if you
 would like Windows to add an additional layer of password protection to use 
 your certificate.  This is not necessary, and will not be covered further here.
 There is no need to select the <cite>Mark the private key as exportable</cite> 
 option.  Enter your certificate password and click the <cite>Next</cite> button
 in the <cite>Password Protection for Private Keys</cite> window. 
 <p><br><img src=../images/cert-wizard4-select-store.jpg>
 <p>Click the <cite>Next</cite> button in the <cite>Select a Certificate Store</cite> window.
 <p><br><img src=../images/cert-wizard5-user-final.jpg>
 <p>Click the <cite>Finish</cite> button in the <cite>Complete the Certificate..</cite> window.
 <p><br><img src=../images/import-successful.jpg>
 <p>Windows confirms the root certificate was successfully imported.<br>
-</h4>
+<body>
  <center>
    <h1>Personal E-mail Certificate Installation for Outlook &amp; Outlook Express</h1>
    <h2>A Step-by-Step Guide</h2>
  </center><br>
  <p><img src="../images/right-click-install-usercert.jpg"></p>
  <p>Open the folder which holds the certificates you have downloaded.<br>
  Right-click on the certificate you wish to install, and select <cite>Install PFX</cite> from the context menu.</p>
  <p><br>
  <img src="../images/cert-wizard1-welcome.jpg"></p>
  <p>Click the <cite>Next</cite> button in the <cite>Certificate Wizard</cite> welcome window.</p>
  <p><br>
  <img src="../images/cert-wizard2-select-file.jpg"></p>
  <p>Click the <cite>Next</cite> button in the <cite>Select File to Import</cite> window.</p>
  <p><br>
  <img src="../images/cert-wizard3-password.jpg"></p>
  <p>The personal e-mail certificate files created by PHPki contain an encrypted copy of your private key. When your certficate was created, a password was given to PHPki to encrypt the private key. The same password is used to decrypt your private key and install the certificate. Do not forget or lose this password as it cannot be recovered under any circumstance. Select the <cite>Enable strong private key protection</cite> option if you would like Windows to add an additional layer of password protection to use your certificate. This is not necessary, and will not be covered further here. There is no need to select the <cite>Mark the private key as exportable</cite> option. Enter your certificate password and click the <cite>Next</cite> button in the <cite>Password Protection for Private Keys</cite> window.</p>
  <p><br>
  <img src="../images/cert-wizard4-select-store.jpg"></p>
  <p>Click the <cite>Next</cite> button in the <cite>Select a Certificate Store</cite> window.</p>
  <p><br>
  <img src="../images/cert-wizard5-user-final.jpg"></p>
  <p>Click the <cite>Finish</cite> button in the <cite>Complete the Certificate..</cite> window.</p>
  <p><br>
  <img src="../images/import-successful.jpg"></p>
  <p>Windows confirms the root certificate was successfully imported.<br></p>
 </body>
 </html>
--- a/root/include/common.php
+++ b/root/include/common.php
@@ -2,14 +2,17 @@
 umask(0007);
-if ($HTTP_SERVER_VARS['REMOTE_USER'])
+if (isset($_SERVER['PHP_AUTH_USER'])) {
-	$PHPki_user = md5($HTTP_SERVER_VARS['REMOTE_USER']);
+    $PHPki_user = md5($_SERVER['PHP_AUTH_USER']);
-else
+} else {
    $PHPki_user = md5('default');
 }
-$PHP_SELF = htmlspecialchars($HTTP_SERVER_VARS['PHP_SELF'], ENT_QUOTES, "utf-8");
+$PHP_SELF = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, "utf-8");
-function printHeader($withmenu="default") {
+
 function printHeader($withmenu = "default")
 {
    global $config;
    $title = ($config['header_title']?$config['header_title']:'PHPki Certificate Authority');
@@ -33,29 +36,46 @@ function printHeader($withmenu="default") {
        header("Pragma: no-cache");
    ?>
-	<html>
+    <!DOCTYPE html>
    <head>
-	<title>PHPki: <?=$title?> </title>
+    <meta http-equiv="content-type" content="text/html; charset=utf-8" />
-	<link rel="stylesheet" type="text/css" href="<?=$style_css?>">
+    <title>PHPki: <?php echo $title?> </title>
    <link rel="stylesheet" type="text/css" href="<?php echo $style_css?>">
    <script type="text/javascript" language="javascript">
    function setVisibility(rowName, show) {
        // Tabellenzelle ermitteln
        var actualVisibility=document.getElementById(rowName).style.visibility;
        if(show==false) {
                document.getElementById(rowName).style.visibility = "hidden";
                document.getElementById(rowName).style.display = "none";
        } else {
                document.getElementById(rowName).style.visibility = "visible";
                document.getElementById(rowName).style.display = "";
        }
    }
    </script>
    </head>
    <body>
-	<?
+    <?php
    if (isKonq()) {
        $logoclass  = 'logo-konq';
        $titleclass = 'title-konq';
        $menuclass  = 'headermenu-konq';
-	}
+    } else {
 	else {
        $logoclass  = 'logo-ie';
        $titleclass = 'title-ie';
        $menuclass  = 'headermenu-ie';
    }
    ?>
-	<div class=<?=$logoclass?>>PHPki</div>
+    <div class="<?php echo $logoclass?>">PHPki</div>
-	<div class=<?=$titleclass?>><?=$title?></div>
+    <div class="<?php echo $titleclass?>"><?php echo $title?></div>
-	<?
+    <?php
    switch ($withmenu) {
        case false:
@@ -63,67 +83,66 @@ function printHeader($withmenu="default") {
            break;
        case 'setup':
            ?>
-		<div class=<?=$menuclass?>>
+            <div class="<?php echo $menuclass?>">
-		<a class=<?=$menuclass?> href=readme.php>ReadMe</a>
+        <a class="<?php echo $menuclass?>" href="readme.php">ReadMe</a>
-		<a class=<?=$menuclass?> href=setup.php>Setup</a>
+        <a class="<?php echo $menuclass?>" href="setup.php">Setup</a>
-		<a class=<?=$menuclass?> href=about.php target=_about>About</a>
+        <a class="<?php echo $menuclass?>" href="about.php" target="_about">About</a>
        </div>
-		<?
+        <?php
            break;
        case 'public':
            print "<div class=$menuclass>";
            if (DEMO) {
-			print "<a class=$menuclass href=index.php>Public</a>";
+                print "<a class=$menuclass href=\"index.php\">Public</a>";
-			print "<a class=$menuclass href=ca/ >Manage</a>";
+                print "<a class=$menuclass href=\"ca/\">Manage</a>";
-		}
+            } else {
-		else {
+                print "<a class=$menuclass href=\"index.php\">Menu</a>";
 			print "<a class=$menuclass href=index.php>Menu</a>";
            }
            if (file_exists('policy.html')) {
-			print '<a class='.$menuclass.' style="color: red" href=policy.html target=help>Policy</a>';
+                print '<a class='.$menuclass.' style="color: red;" href="policy.html" target="help">Policy</a>';
            }
            ?>
-		<a class=<?=$menuclass?> href=help.php target=_help>Help</a>
+            <a class="<?php echo $menuclass?>" href="help.php" target="_help">Help</a>
-		<a class=<?=$menuclass?> href=about.php target=_about>About</a>
+        <a class="<?php echo $menuclass?>" href="about.php" target="_about">About</a>
        </div>
-		<?
+        <?php
            break;
        case 'ca':
        default:
            print "<div class=$menuclass>";
            if (DEMO) {
-			print "<a class=$menuclass href=../index.php>Public</a>";
+                print "<a class=$menuclass href=\"../index.php\">Public</a>";
-			print "<a class=$menuclass href=../ca/index.php>Manage</a>";
+                print "<a class=$menuclass href=\"../ca/index.php\">Manage</a>";
-		}
+            } else {
-		else {
+                print "<a class=$menuclass href=\"index.php\">Menu</a>";
 			print "<a class=$menuclass href=index.php>Menu</a>";
            }
            if (file_exists('../policy.html')) {
-			print '<a class='.$menuclass.' style="color: red" href=../policy.html target=help>Policy</a>';
+                print '<a class='.$menuclass.' style="color: red;" href="../policy.html" target="help">Policy</a>';
            }
            ?>
-		<a class=<?=$menuclass?> href=../help.php target=_help>Help</a>
+            <a class="<?php echo $menuclass?>" href="../help.php" target="_help">Help</a>
-		<a class=<?=$menuclass?> href=../about.php target=_about>About</a>
+        <a class="<?php echo $menuclass?>" href="../about.php" target="_about">About</a>
        </div>
-		<?
+        <?php
    }
-	?><hr width=99% align=left color=#99caff><?
+    ?><hr style="width:99%; color:#99caff;" /><?php
 }
-function printFooter() {
+function printFooter()
 {
    ?>
-	<br>
+    <br />
-	<hr width=99% align=left color=#99caff>
+    <hr style="width:99%; color:#99caff;" />
-	<center style='margin-top: -5px; font-size: 8pt'>PHPki v<?=PHPKI_VERSION?> - Copyright 2003 - William E. Roadcap</center><br>
+    <p style="margin-top: -5px; font-size: 8pt; text-align:center;">PHPki v<?php echo PHPKI_VERSION?> - Copyright 2003 - William E. Roadcap</p>
    </body>
    </html>
-	<?
+    <?php
 }
 ?>
--- a/root/include/my_functions.php
+++ b/root/include/my_functions.php
@@ -1,30 +1,34 @@
 <?php
-$PHP_SELF = htmlspecialchars($HTTP_SERVER_VARS['PHP_SELF'], ENT_QUOTES, "utf-8");
+$PHP_SELF = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, "utf-8");
 #
 # Returns TRUE if browser is Internet Explorer.
 #
-function isIE() {
+function isIE()
-	global $HTTP_SERVER_VARS;
+{
-	return strstr($HTTP_SERVER_VARS['HTTP_USER_AGENT'], 'MSIE');
+    global $_SERVER;
    return strstr($_SERVER['HTTP_USER_AGENT'], 'MSIE');
 }
-function isKonq() {
+function isKonq()
-	global $HTTP_SERVER_VARS;
+{
-	return strstr($HTTP_SERVER_VARS['HTTP_USER_AGENT'], 'Konqueror');
+    global $_SERVER;
    return strstr($_SERVER['HTTP_USER_AGENT'], 'Konqueror');
 }
-function isMoz() {
+function isMoz()
-	global $HTTP_SERVER_VARS;
+{
-	return strstr($HTTP_SERVER_VARS['HTTP_USER_AGENT'], 'Gecko');
+    global $_SERVER;
    return strstr($_SERVER['HTTP_USER_AGENT'], 'Gecko');
 }
 #
 # Force upload of specified file to browser.
 #
-function upload($source, $destination, $content_type="application/octet-stream") {
+function upload($source, $destination, $content_type = "application/octet-stream")
 {
    header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
    header("Expires: -1");
 #   header("Cache-Control: no-store, no-cache, must-revalidate");
@@ -34,9 +38,10 @@ function upload($source, $destination, $content_type="application/octet-stream")
    if (is_array($source)) {
        $fsize = 0;
-		foreach($source as $f) $fsize += filesize($f);
+        foreach ($source as $f) {
            $fsize += filesize($f);
        }
-	else {
+    } else {
        $fsize = filesize($source);
    }
@@ -44,10 +49,13 @@ function upload($source, $destination, $content_type="application/octet-stream")
 #        header("Content-Disposition: attachment; filename=\"" . $destination ."\"");
        header("Content-Disposition: filename=\"" . $destination ."\"");
-	if (is_array($source))
+    if (is_array($source)) {
-		foreach($source as $f) $ret = readfile($f);
+        foreach ($source as $f) {
-	else 
+            $ret = readfile($f);
        }
    } else {
        $ret=readfile($source);
    }
 #        $fd=fopen($source,'r');
 #        fpassthru($fd);
@@ -60,12 +68,19 @@ function upload($source, $destination, $content_type="application/octet-stream")
 # by field name.  POST fields have precedence over GET fields.
 # Quoting/Slashes are stripped if magic quotes gpc is on.
 #
-function gpvar($v) {
+function gpvar($v)
-	global $HTTP_GET_VARS, $HTTP_POST_VARS;
+{
    global $_GET, $_POST;
    $x = "";
-	if ($HTTP_GET_VARS[$v])  $x = $HTTP_GET_VARS[$v];
+    if (isset($_GET[$v])) {
-	if ($HTTP_POST_VARS[$v]) $x = $HTTP_POST_VARS[$v];
+        $x = $_GET[$v];
-	if (get_magic_quotes_gpc()) $x = stripslashes($x);
+    }
    if (isset($_POST[$v])) {
        $x = $_POST[$v];
    }
    if (get_magic_quotes_gpc()) {
        $x = stripslashes($x);
    }
    return $x;
 }
@@ -73,13 +88,20 @@ function gpvar($v) {
 #
 # Sort a two multidimensional array by one of it's columns
 #
-function csort($array, $column, $ascdec=SORT_ASC){    
+function csort($array, $column, $ascdec = SORT_ASC)
 {
-    if (sizeof($array) == 0) return $array;
+    if (sizeof($array) == 0) {
        return $array;
    }
    // Sort by digital date rather than text date
-    if ($column == 'issued') $column = "issuedSort";
+    if ($column == 'issued') {
-    if ($column == 'expires') $column = 'expiresSort';
+        $column = "issuedSort";
    }
    if ($column == 'expires') {
        $column = 'expiresSort';
    }
    if ($column == 'status') {
        foreach ($array as $x) {
@@ -88,7 +110,9 @@ function csort($array, $column, $ascdec=SORT_ASC){
        }
        array_multisort($sortarr, $ascdec, $sortdate, SORT_ASC, $array);
    } else {
-        foreach($array as $x) $sortarr[]=$x[$column];
+        foreach ($array as $x) {
            $sortarr[]=$x[$column];
        }
        array_multisort($sortarr, $ascdec, $array);
    }
    return $array;
@@ -99,12 +123,13 @@ function csort($array, $column, $ascdec=SORT_ASC){
 # Returns a value suitable for display in the browser.
 # Strips slashes if second argument is true.
 #
-function htvar($v, $strip=false) {
+function htvar($v, $strip = false)
-	if ($strip) 
+{
-		return  htmlentities(stripslashes($v));
+    if ($strip) {
-	else
+        return  htmlentities(stripslashes($v), 0, "UTF-8");
-		return  htmlentities($v);
+    } else {
-	
+        return  htmlentities($v, 0, "UTF-8");
    }
 }
@@ -114,35 +139,39 @@ function htvar($v, $strip=false) {
 # provided strings with single-quotes and quotes any
 # other dangerous characters.
 #
-function escshellarg($v, $strip=false) {
+function escshellarg($v, $strip = false)
-	if ($strip)
+{
    if ($strip) {
        return escapeshellarg(stripslashes($v));
-	else
+    } else {
        return escapeshellarg($v);
    }
 }
 #
 # Similar to escshellarg(), but doesn't surround provided
 # string with single-quotes.
 #
-function escshellcmd($v, $strip=false) {
+function escshellcmd($v, $strip = false)
-	if ($strip)
+{
    if ($strip) {
        return escapeshellcmd(stripslashes($v));
-	else
+    } else {
        return escapeshellarg($v);
    }
 }
 #
 # Recursively strips slashes from a string or array.
 #
-function stripslashes_array(&$a) {
+function stripslashes_array(&$a)
 {
    if (is_array($a)) {
        foreach ($a as $k => $v) {
            my_stripslashes($a[$k]);
        }
-	}
+    } else {
 	else {
        $a = stripslashes($a);
    }
 }
@@ -151,7 +180,8 @@ function stripslashes_array(&$a) {
 #
 # Don't use this.
 #
-function undo_magic_quotes(&$a) {
+function undo_magic_quotes(&$a)
 {
    if (get_magic_quotes_gpc()) {
        global $HTTP_POST_VARS, $HTTP_GET_VARS;
@@ -171,7 +201,8 @@ function undo_magic_quotes(&$a) {
 #
 # Returns TRUE if argument contains only alphabetic characters.
 #
-function is_alpha($v) {
+function is_alpha($v)
 {
    #return (eregi('[^A-Z]',$v) ? false : true) ;
    #return (preg_match('/[^A-Z]'.'/i',$v,PCRE_CASELESS) ? false : true) ; # Replaced eregi() with preg_match()
    return (preg_match('/[^A-Z]/i', $v) ? false : true) ;
@@ -180,8 +211,8 @@ function is_alpha($v) {
 #
 # Returns TRUE if argument contains only numeric characters.
 #
-
+function is_num($v)
-function is_num($v) {
+{
    #return (eregi('[^0-9]',$v) ? false : true) ;
    return (preg_match('/[^0-9]/', $v) ? false : true) ; # Replaced eregi() with preg_match()
 }
@@ -189,8 +220,8 @@ function is_num($v) {
 #
 # Returns TRUE if argument contains only alphanumeric characters.
 #
-
+function is_alnum($v)
-function is_alnum($v) {
+{
    #return (eregi('[^A-Z0-9]',$v) ? false : true) ;
    return (preg_match('/[^A-Z0-9]/i', $v) ? false : true) ; # Replaced eregi() with preg_match()
 }
@@ -198,33 +229,103 @@ function is_alnum($v) {
 #
 # Returns TRUE if argument is in proper e-mail address format.
 #
-function is_email($v) {
+function is_email($v)
 {
    #return (eregi('^[^@ ]+\@[^@ ]+\.[A-Z]{2,4}$',$v) ? true : false);
    return (preg_match('/^[^@ ]+\@[^@ ]+\.[A-Z]{2,4}$'.'/i', $v) ? true : false); # Replaced eregi() with preg_match()
 }
 #
 # Returns True if the given string is a IP address
 #
 function is_ip($ip = null)
 {
    if (!$ip or strlen(trim($ip)) == 0) {
        return false;
    }
    $ip=trim($ip);
    if (preg_match("/^[0-9]{1,3}(.[0-9]{1,3}){3}$/", $ip)) {
        foreach (explode(".", $ip) as $block) {
            if ($block<0 || $block>255) {
                return false;
            }
        }
        return true;
    }
    return false;
 }
 #
 # Returns True if the given string is a valid FQDN
 #
 function is_fqdn($FQDN)
 {
    // remove leading wildcard characters if exist
    $FQDN = preg_replace('/^\*\./', '', $FQDN, 1);
    return (!empty($FQDN) && preg_match('/^(?=.{1,254}$)((?=[a-z0-9-]{1,63}\.)(xn--+)?[a-z0-9]+(-[a-z0-9]+)*\.)+(xn--+)?[a-z0-9]{2,63}$/i', $FQDN) > 0);
 }
 #
 # Checks regexp in every element of an array, returns TRUE as soon
 # as a match is found.
 #
-function eregi_array($regexp, $arr) {
+function preg_match_array($regexp, $arr)
 {
    foreach ($arr as $elem) {
        #if (eregi($regexp,$elem))
-		if (! preg_match('/^\/.*\/$/', $regexp)) # if it doesn't begin and end with '/'
+        if (! preg_match('/^\/.*\/$/', $regexp)) { # if it doesn't begin and end with '/'
            $regexp = '/'.$regexp.'/'; # pad the $regexp with '/' to prepare for preg_match()
-		if (preg_match($regexp.'i',$elem)) # Replaced eregi() with preg_match()
+        }
        if (preg_match($regexp.'i', $elem)) { # Replaced eregi() with preg_match()
            return true;
        }
    }
    return false;
 }
 #
 # Reads entire file into a string
 # Same as file_get_contents in php >= 4.3.0
 #
-function my_file_get_contents($f) {
+function my_file_get_contents($f)
 {
    return implode('', file($f));
 }
-?>
+function getOSInformation()
 {
    if (false == function_exists("shell_exec")) {
        return null;
    }
    $os = shell_exec('cat /etc/redhat-release');
    if (preg_match('/^SME Server/', $os)) {
        return true;
    } else {
        return null;
    }
 }
 # Used in setup
 function flush_exec($command, $line_length = 200)
 {
        $handle = popen("$command 2>&1", 'r');
        $line = '';
    while (! feof($handle)) {
            $chr = fread($handle, 1);
            $line .= $chr;
        if ($chr == "\n") {
                print str_replace("\n", "<br>\n", $line);
                $line = '';
                flush();
        } elseif (strlen($line) > $line_length) {
                print $line."<br>\n";
                $line = '';
                flush();
        }
    }
        print $line."<br>\n";
    flush();
    return;
 }
--- a/root/include/openssl_functions.php
+++ b/root/include/openssl_functions.php
@@ -5,29 +5,88 @@
 // File name is placed in ./tmp with a random name. It lingers unless
 // removed manually.
 //
-function CA_create_cnf($country='',$province='',$locality='',$organization='',$unit='',$common_name='',$email='',$keysize=1024) {
+function CA_create_cnf($country = '', $province = '', $locality = '', $organization = '', $unit = '', $common_name = '', $email = '', $keysize = 2048, $dns_names = '', $ip_addr = '', $serial = '')
 {
    global $config, $PHPki_user;
    $issuer = $PHPki_user;
    $count_dns = 0;
    $count_ip = 0;
    $alt_names = "";
    if (! $dns_names == '') {
        $dns_n=explode("\n", $dns_names);
        $count_dns  = $count_dns + 1;
        $alt_names .= "DNS.$count_dns = $common_name\n";
        foreach ($dns_n as $value) {
            if (! $value == '') {
                $count_dns  = $count_dns + 1;
                $alt_names .= "DNS.$count_dns = ".trim($value)."\n";
            }
        }
    }
    if (! $ip_addr == '') {
        $ip_ar=explode("\n", $ip_addr);
        foreach ($ip_ar as $value) {
            if (! $value == '') {
                $count_dns  = $count_dns + 1;
                $count_ip   = $count_ip + 1;
                # reetp IP should not be added to a DNS entry
                #$alt_names .= "DNS.$count_dns = ".trim($value)."\n";
                $alt_names .= "IP.$count_ip = ".trim($value)."\n";
            }
        }
    }
    if (($count_dns > 0) || ($count_ip > 0)) {
        $server_altnames = "@alt_names";
    } else {
        $server_altnames = "DNS:$common_name,email:copy";
    }
    $configHOME             = $config['home_dir'];
    $configRANDFILE         = $config['random'];
    $configCa_dir           = $config['ca_dir'];
    $configCert_dir         = $config['cert_dir'];
    $configCrl_dir          = $config['crl_dir'];
    $configDatabase         = $config['index'];
    $configNew_certs_dir    = $config['new_certs_dir'];
    $configPrivate_dir      = $config['private_dir'];
    $configSerial           = $config['serial'];
    $configCacert_pem       = $config['cacert_pem'];
    $configCacrl_pem        = $config['cacrl_pem'];
    $configCakey            = $config['cakey'];
    $configDefault_md       = $config['default_md'];
    $configBase_url         = $config['base_url'];
    $configCrl_dist         = $config['crl_distrib'];
    $configComment_root     = $config['comment_root'];
    $configPolicy_url       = $config['policy_url'];
    $configRevoke_url       = $config['revoke_url'];
    $configComment_email    = $config['comment_email'];
    $configComment_sign     = $config['comment_sign'];
    $configComment_srv      = $config['comment_srv'];
    $cnf_contents = "
-HOME             = $config[home_dir] 
+HOME             = $configHOME
-RANDFILE         = $config[random]
+RANDFILE         = $configRANDFILE
-dir              = $config[ca_dir]
+dir              = $configCa_dir
-certs            = $config[cert_dir]
+certs            = $configCert_dir
-crl_dir	         = $config[crl_dir]
+crl_dir          = $configCrl_dir
-database         = $config[index]
+database         = $configDatabase
-new_certs_dir    = $config[new_certs_dir]
+new_certs_dir    = $configNew_certs_dir
-private_dir      = $config[private_dir]
+private_dir      = $configPrivate_dir
-serial           = $config[serial]
+serial           = $configSerial
-certificate      = $config[cacert_pem]
+certificate      = $configCacert_pem
-crl              = $config[cacrl_pem]
+crl              = $configCacrl_pem
-private_key      = $config[cakey]
+private_key      = $configCakey
 crl_extentions   = crl_ext
 default_days     = 365
 default_crl_days = 30
 preserve         = no
-default_md       = sha1
+default_md       = $configDefault_md
 [ req ]
 default_bits        = $keysize
@@ -102,10 +161,10 @@ keyUsage               = cRLSign, keyCertSign
 nsCertType             = sslCA, emailCA, objCA
 subjectKeyIdentifier   = hash
 subjectAltName         = email:copy
-crlDistributionPoints  = URI:$config[base_url]index.php?stage=dl_crl
+crlDistributionPoints  = URI:$configBase_url$configCrl_dist
-nsComment              = \"PHPki/OpenSSL Generated Root Certificate\"
+nsComment              = $configComment_root
-#nsCaRevocationUrl      = ns_revoke_query.php?
+#nsCaRevocationUrl     =
-nsCaPolicyUrl          = $config[base_url]policy.html
+nsCaPolicyUrl          = $configBase_url$configPolicy_url
 [ email_ext ]
 basicConstraints       = critical, CA:false
@@ -116,11 +175,11 @@ subjectKeyIdentifier   = hash
 authorityKeyIdentifier = keyid:always, issuer:always
 subjectAltName         = email:copy
 issuerAltName          = issuer:copy
-crlDistributionPoints  = URI:$config[base_url]index.php?stage=dl_crl
+crlDistributionPoints  = URI:$configBase_url$configCrl_dist
-nsComment              = \"PHPki/OpenSSL Generated Personal Certificate\"
+nsComment              = $configComment_email
-nsBaseUrl              = $config[base_url]
+nsBaseUrl              = $configBase_url
-nsRevocationUrl        = ns_revoke_query.php?
+nsRevocationUrl        = $configBase_url$configRevoke_url$serial
-nsCaPolicyUrl          = $config[base_url]policy.html
+nsCaPolicyUrl          = $configBase_url$configPolicy_url
 [ email_signing_ext ]
 basicConstraints       = critical, CA:false
@@ -131,26 +190,26 @@ subjectKeyIdentifier   = hash
 authorityKeyIdentifier = keyid:always, issuer:always
 subjectAltName         = email:copy
 issuerAltName          = issuer:copy
-crlDistributionPoints  = URI:$config[base_url]index.php?stage=dl_crl
+crlDistributionPoints  = URI:$configBase_url$configCrl_dist
-nsComment              = \"PHPki/OpenSSL Generated Personal Certificate\"
+nsComment              = $configComment_sign
-nsBaseUrl              = $config[base_url]
+nsBaseUrl              = $configBase_url
-nsRevocationUrl        = ns_revoke_query.php?
+nsRevocationUrl        = $configBase_url$configRevoke_url$serial
-nsCaPolicyUrl          = $config[base_url]policy.html
+nsCaPolicyUrl          = $configBase_url$configPolicy_url
 [ server_ext ]
 basicConstraints        = critical, CA:false
 keyUsage                = critical, digitalSignature, keyEncipherment
-nsCertType              = critical, server
+nsCertType              = server
 extendedKeyUsage        = critical, serverAuth
 subjectKeyIdentifier    = hash
 authorityKeyIdentifier  = keyid:always, issuer:always
-subjectAltName          = DNS:$common_name,email:copy
+subjectAltName          = $server_altnames
 issuerAltName           = issuer:copy
-crlDistributionPoints   = URI:$config[base_url]index.php?stage=dl_crl
+crlDistributionPoints   = URI:$configBase_url$configCrl_dist
-nsComment               = \"PHPki/OpenSSL Generated Server Certificate\"
+nsComment               = $configComment_srv
-nsBaseUrl               = $config[base_url]
+nsBaseUrl               = $configBase_url
-nsRevocationUrl         = ns_revoke_query.php?
+nsRevocationUrl         = $configBase_url$configRevoke_url$serial
-nsCaPolicyUrl           = $config[base_url]policy.html
+nsCaPolicyUrl           = $configBase_url$configPolicy_url
 [ time_stamping_ext ]
 basicConstraints       = CA:false
@@ -160,10 +219,10 @@ subjectKeyIdentifier   = hash
 authorityKeyIdentifier = keyid:always, issuer:always
 subjectAltName         = DNS:$common_name,email:copy
 issuerAltName          = issuer:copy
-crlDistributionPoints   = URI:$config[base_url]index.php?stage=dl_crl
+crlDistributionPoints   = URI:$configBase_url$configCrl_dist
-nsComment              = \"PHPki/OpenSSL Generated Time Stamping Certificate\"
+nsComment              = $config[comment_stamp]
-nsBaseUrl              = $config[base_url]
+nsBaseUrl              = $configBase_url
-nsRevocationUrl        = ns_revoke_query.php?
+nsRevocationUrl        = $configBase_url$configRevoke_url$serial
 [ vpn_client_ext ]
 basicConstraints        = critical, CA:false
@@ -191,10 +250,14 @@ nsCertType              = critical, server, client
 subjectKeyIdentifier    = hash
 authorityKeyIdentifier  = keyid:always, issuer:always
 subjectAltName          = DNS:$common_name,email:copy
 [alt_names]
 $alt_names
 ";
    # Write out the config file.
-	$cnf_file  = tempnam('../../tmp','cnf-');
+    $cnf_file  = tempnam('../../tmp', 'cnf-');  // Why is this not in the phpki dir ? why ../../ ?
    $handle = fopen($cnf_file, "w");
    fwrite($handle, $cnf_contents);
    fclose($handle);
@@ -208,21 +271,30 @@ subjectAltName          = DNS:$common_name,email:copy
 // Fields: serial, country, province, locality, organization,
 //         issuer, unit, common_name, email
 //
-function CAdb_to_array($search = '.*') {
+function CAdb_to_array($search = '.*')
 {
    global $config;
    # Prepend a default status to search string if missing.
    #if (! ereg('^\^\[.*\]', $search)) $search = '^[VRE].*'.$search;
-	if (! preg_match("/^\^\[.*\]/", $search)) $search = '^[VRE].*'.$search;
+    if (! preg_match("/^\^\[.*\]/", $search)) {
        $search = '^[VRE].*'.$search;
    }
    # Include valid certs?
    #if (ereg('^\^\[.*V.*\]',$search)) $inclval = true;
-	if (preg_match('/^\^\[.*V.*\]/',$search)) $inclval = true;
+    if (preg_match('/^\^\[.*V.*\]/', $search)) {
        $inclval = true;
    }
    # Include revoked certs?
    #if (ereg('^\^\[.*R.*\]',$search)) $inclrev = true;
-	if (preg_match('/^\^\[.*R.*\]/',$search)) $inclrev = true;
+    if (preg_match('/^\^\[.*R.*\]/', $search)) {
        $inclrev = true;
    }
    # Include expired certs?
    #if (ereg('^\^\[.*E.*\]',$search)) $inclexp = true;
-	if (preg_match('/^\^\[.*E.*\]/',$search)) $inclexp = true;
+    if (preg_match('/^\^\[.*E.*\]/', $search)) {
        $inclexp = true;
    }
    # There isn't really a status of 'E' in the openssl index.
    # Change (E)xpired to (V)alid within the search string.
@@ -233,9 +305,10 @@ function CAdb_to_array($search = '.*') {
    exec('egrep -i '.escshellarg($search).' '.$config['index'], $x);
    foreach ($x as $y) {
        $i = CAdb_explode_entry($y);
-		if (($i['status'] == "Valid" && $inclval) || ($i['status'] == "Revoked" && $inclrev) || ($i['status'] == "Expired" && $inclexp))
+        if (($i['status'] == "Valid" && $inclval) || ($i['status'] == "Revoked" && $inclrev) || ($i['status'] == "Expired" && $inclexp)) {
            $db[$i['serial']] = $i;
        }
    }
    return($db);
 }
@@ -245,13 +318,14 @@ function CAdb_to_array($search = '.*') {
 // Returns an array containing the index record for
 // certificate $serial.
 //
-function CAdb_get_entry($serial) {
+function CAdb_get_entry($serial)
 {
    global $config;
    $regexp = "^[VR]\t.*\t.*\t$serial\t.*\t.*$";
    $x = exec('egrep '.escshellarg($regexp).' '.$config['index']);
-	if ($x)
+    if ($x) {
        return CAdb_explode_entry($x);
-	else {
+    } else {
        return false;
    }
 }
@@ -261,32 +335,36 @@ function CAdb_get_entry($serial) {
 // Returns the serial number of a VALID certificate matching
 // $email and/or $name. Returns FALSE if no match is found.
 //
-function CAdb_in($email="", $name="") {
+function CAdb_in($email = "", $name = "")
 {
    global $config;
    $email = escshellcmd($email);
    $name = escshellcmd($name);
    $regexp = "^[V].*CN=$name/(Email|emailAddress)=$email";
-        $x =exec("egrep '$regexp' $config[index]");
+    $x = exec('egrep '.escshellarg($regexp).' '.$config['index']);
    if ($x) {
        list($j,$j,$j,$serial,$j,$j) = explode("\t", $x);
        return "$serial";
-	}
+    } else {
 	else
        return false;
    }
 }
 //
 // Alias for CAdb_in()
 //
-function CAdb_serial($email, $name='') {
+function CAdb_serial($email, $name = '')
 {
    return CAdb_in($email, $name = '');
 }
 //
 // Alias for CAdb_in()
 //
-function CAdb_exists($email, $name='') {
+function CAdb_exists($email, $name = '')
 {
    return CAdb_in($email, $name = '');
 }
@@ -294,7 +372,8 @@ function CAdb_exists($email, $name='') {
 //
 // Returns the certificate 'issuer'
 //
-function CAdb_issuer($serial) {
+function CAdb_issuer($serial)
 {
    global $config;
    $rec = CAdb_get_entry($serial);
    return $rec['issuer'];
@@ -306,7 +385,8 @@ function CAdb_issuer($serial) {
 // Fields: serial, country, province locality, organization,
 //         issuer, unit, common_name, email
 //
-function CAdb_explode_entry($dbentry) {
+function CAdb_explode_entry($dbentry)
 {
    $a = explode("\t", $dbentry);
    $b  = preg_split('/\/([A-Z]|[a-z])+=/', $a[5]);
@@ -347,8 +427,7 @@ function CAdb_explode_entry($dbentry) {
        $db['unit']         = $b[4];
        $db['common_name']  = $b[5];
        $db['email']        = $b[6];
-        }
+    } // Compatibility with renewed certs from openvpn-bridge
 	// Compatibility with renewed certs from openvpn-bridge
    elseif (count($b) == 8) {
        $db['serial']       = $a[3];
        $db['country']      = $b[1];
@@ -359,8 +438,7 @@ function CAdb_explode_entry($dbentry) {
        $db['unit']         = $b[5];
        $db['common_name']  = $b[6];
        $db['email']        = $b[7];
-        }
+    } // Else, it's a certificate created with phpki
 	// Else, it's a certificate created with phpki
    else {
        $db['serial']       = $a[3];
        $db['country']      = $b[1];
@@ -380,40 +458,46 @@ function CAdb_explode_entry($dbentry) {
 // Returns the date & time a specified certificate is revoked,
 // Returns FALSE if the certificate is not revoked.
 //
-function CAdb_is_revoked($serial) {
+function CAdb_is_revoked($serial)
 {
    global $config;
    $regexp = "^R\t.*\t.*\t$serial\t.*\t.*$";
    $x = exec('egrep '.escshellarg($regexp).' '.$config['index']);
    if ($x) {
        list($j,$j,$revoke_date,$j,$j,$j) = explode("\t", $x);
        // Revoke date = 'R' + start date and is in this format
        // 200227162209Z
        sscanf($revoke_date, "%2s%2s%2s", $yy, $mm, $dd);
        return strftime("%b %d, %Y", strtotime("$yy-$mm-$dd"));
-	}
+    } else {
 	else
        return false;
    }
 }
 //
 // Returns TRUE if a certificate is valid, otherwise FALSE.
 //
-function CAdb_is_valid($serial) {
+function CAdb_is_valid($serial)
 {
    global $config;
    $regexp = "^V\t.*\t.*\t$serial\t.*\t.*$";
-        if  (exec('egrep '.escshellarg($regexp).' '.$config['index']))
+    if (exec('egrep '.escshellarg($regexp).' '.$config['index'])) {
        return true;
-	else
+    } else {
        return false;
    }
 }
 //
 // Returns the long-form certificate description as output by
 // openssl x509 -in certificatefile -text -purpose
 //
-function CA_cert_text($serial) {
+function CA_cert_text($serial)
 {
    global $config;
-	$certfile = $config['new_certs_dir'] . '/' . $serial . '.pem';
+    $certfile = $config['new_certs_dir'] . "/$serial.pem";
    return(shell_exec(X509.' -in '.escshellarg($certfile).' -text -purpose 2>&1'));
 }
@@ -421,26 +505,30 @@ function CA_cert_text($serial) {
 // Returns the long-form text of the Certificate Revocation List
 // openssl crl -in crlfile -text
 //
-function CA_crl_text() {
+function CA_crl_text()
 {
    global $config;
    $crlfile = $config['cacrl_pem'];
    return(shell_exec(CRL.' -in '.escshellarg($crlfile).' -text 2>&1'));
 }
 // Returns the static takey.pem file
-function ta_key_text() {
+function ta_key_text()
 {
        global $config;
        return(shell_exec('cat '.escshellarg($config['private_dir']).'/takey.pem 2>&1'));
 }
 // Returns the dhparam file
-function dhparam_text() {
+function dhparam_text()
 {
        global $config;
-        return(shell_exec('cat '.escshellarg($config['private_dir']).'/dhparam1024.pem 2>&1'));
+        return(shell_exec('cat '.escshellarg($config['private_dir']).'/dhparam2048.pem 2>&1'));
 }
 // Returns the root CA certificate file (PEM Encoded)
-function root_pem_text() {
+function root_pem_text()
 {
        global $config;
        return(shell_exec('cat '.escshellarg($config['cacert_pem']).' 2>&1'));
 }
@@ -448,9 +536,10 @@ function root_pem_text() {
 //
 // Returns the subject of a certificate.
 //
-function CA_cert_subject($serial) {
+function CA_cert_subject($serial)
 {
    global $config;
-	$certfile = $config['new_certs_dir'] . '/' . $serial . '.pem';
+    $certfile = $config['new_certs_dir'] . "/$serial.pem";
    $x = exec(X509.' -in '.escshellarg($certfile).' -noout -subject 2>&1');
    return(str_replace('subject=', '', $x));
 }
@@ -458,19 +547,20 @@ function CA_cert_subject($serial) {
 //
 // Returns the common name of a certificate.
 //
-function CA_cert_cname($serial) {
+function CA_cert_cname($serial)
 {
    global $config;
    #return(ereg_replace('^.*/CN=(.*)/.*','\\1',CA_cert_subject($serial)));
    return(preg_replace('/^.*\/CN=(.*)\/.*/', '${1}', CA_cert_subject($serial)));
 }
 //
 // Returns the email address of a certificate.
 //
-function CA_cert_email($serial) {
+function CA_cert_email($serial)
 {
    global $config;
-	$certfile = $config['new_certs_dir'] . '/' . $serial . '.pem';
+    $certfile = $config['new_certs_dir'] . "/$serial.pem";
    $x = exec(X509.' -in '.escshellarg($certfile).' -noout -email 2>&1');
    return($x);
 }
@@ -478,9 +568,10 @@ function CA_cert_email($serial) {
 //
 // Returns the effective date of a certificate.
 //
-function CA_cert_startdate($serial) {
+function CA_cert_startdate($serial)
 {
    global $config;
-	$certfile = $config['new_certs_dir'] . '/' . $serial . '.pem';
+    $certfile = $config['new_certs_dir'] . "/$serial.pem";
    $x = exec(X509.' -in '.escshellarg($certfile).' -noout -startdate 2>&1');
    return(str_replace('notBefore=', '', $x));
 }
@@ -488,9 +579,10 @@ function CA_cert_startdate($serial) {
 //
 // Returns the expiration date of a certificate.
 //
-function CA_cert_enddate($serial) {
+function CA_cert_enddate($serial)
 {
    global $config;
-	$certfile = $config['new_certs_dir'] . '/' . $serial . '.pem';
+    $certfile = $config['new_certs_dir'] . "/$serial.pem";
    $x = exec(X509.' -in '.escshellarg($certfile).' -noout -enddate  2>&1');
    return(str_replace('notAfter=', '', $x));
 }
@@ -498,16 +590,18 @@ function CA_cert_enddate($serial) {
 //
 // Revokes a specified certificate.
 //
-function CA_revoke_cert($serial) {
+function CA_revoke_cert($serial)
 {
    global $config;
    $fd = fopen($config['index'], 'a');
    flock($fd, LOCK_EX);
-	$certfile     = "$config[new_certs_dir]/$serial.pem";
+    $certfile     = $config['new_certs_dir'] . "/$serial.pem";
    $cmd_output[] = 'Revoking the certificate.';
-	exec(CA." -config '$config[openssl_cnf]' -revoke ".escshellarg($certfile)." -passin pass:'$config[ca_pwd]' 2>&1", $cmd_output, $ret);
+    $configCa_pwd = $config['ca_pwd'];
    $configOpenssl_cnf = $config['openssl_cnf'];
    exec(CA." -config $configOpenssl_cnf -revoke ".escshellarg($certfile)." -passin pass:$configCa_pwd 2>&1", $cmd_output, $ret);
    if ($ret == 0) {
        unset($cmd_output);
@@ -526,7 +620,8 @@ function CA_revoke_cert($serial) {
 //
 // Returns an array containing the output of failed openssl commands.
 //
-function CA_create_cert($cert_type='email',$country,$province,$locality,$organization,$unit,$common_name,$email,$expiry,$passwd,$keysize=1024) {
+function CA_create_cert($cert_type = 'email', $country, $province, $locality, $organization, $unit, $common_name, $email, $expiry, $passwd, $keysize = 2048, $dns_names, $ip_addr)
 {
    global $config;
    # Wait here if another user has the database locked.
@@ -536,58 +631,63 @@ function CA_create_cert($cert_type='email',$country,$province,$locality,$organiz
    # Get the next available serial number
    $serial = trim(implode('', file($config['serial'])));
-	$userkey   = $config['private_dir'].'/'.$serial.'-key.pem';
+    $userkey   = $config['private_dir'] . "/$serial-key.pem";
-	$userreq   = $config['req_dir'].'/'.$serial.'-req.pem';
+    $userreq   = $config['req_dir'] ."/$serial-req.pem";
-	$usercert  = $config['new_certs_dir'].'/'.$serial.'.pem';
+    $usercert  = $config['new_certs_dir'] . "/$serial.pem";
-	$userder   = $config['cert_dir'].'/'.$serial.'.der';
+    $userder   = $config['cert_dir'] . "/$serial.der";
-	$userpfx   = $config['pfx_dir'].'/'.$serial.'.pfx';
+    $userpfx   = $config['pfx_dir'] . "/$serial.pfx";
    $expiry_days = round($expiry * 365.25, 0);
-	$cnf_file = CA_create_cnf($country,$province,$locality,$organization,$unit,$common_name,$email,$keysize);
+    $cnf_file = CA_create_cnf($country, $province, $locality, $organization, $unit, $common_name, $email, $keysize, $dns_names, $ip_addr, $serial);
    # Escape certain dangerous characters in user input
    $email         = escshellcmd($email);
-	$passwd        = escshellarg($passwd);
+    $_passwd       = escshellarg($passwd);
    $friendly_name = escshellarg($common_name);
    $extensions    = escshellarg($cert_type.'_ext');
    # Create the certificate request
    unset($cmd_output);
-	$cmd_output[] = 'Creating certifcate request.';
+    $cmd_output[] = 'Creating certificate request.';
-	if (($passwd) && ($passwd != "''")) {
+    if (($_passwd) && ($_passwd != "''")) {
-		exec(REQ." -new -newkey rsa:$keysize -keyout '$userkey' -out '$userreq' -config '$cnf_file' -days '$expiry_days' -passout pass:$passwd  2>&1", $cmd_output, $ret);
+        exec(REQ." -new -newkey rsa:$keysize -keyout '$userkey' -out '$userreq' -config '$cnf_file' -days '$expiry_days' -passout pass:$_passwd  2>&1", $cmd_output, $ret);
-	}
+    } else {
 	else {
        exec(REQ." -new -newkey rsa:$keysize -keyout '$userkey' -out '$userreq' -config '$cnf_file' -days '$expiry_days' -nodes  2>&1", $cmd_output, $ret);
    }
    # Sign the certificate request and create the certificate
    if ($ret == 0) {
        unset($cmd_output);
-		$cmd_output[] = "Signing $cert_type certifcate request.";
+        $cmd_output[] = "Signing $cert_type certificate request.";
-		exec(CA." -config '$cnf_file' -in '$userreq' -out /dev/null -notext -days '$expiry_days' -passin pass:'$config[ca_pwd]' -batch -extensions $extensions 2>&1", $cmd_output, $ret);
+        $configCa_pwd = $config['ca_pwd'];
        exec(CA." -config '$cnf_file' -in '$userreq' -out /dev/null -notext -days '$expiry_days' -passin pass:'$configCa_pwd' -batch -extensions $extensions 2>&1", $cmd_output, $ret);
    };
    # Create DER format certificate
    if ($ret == 0) {
        unset($cmd_output);
-		$cmd_output[] = "Creating DER format certifcate.";
+        $cmd_output[] = "Creating DER format certificate.";
        exec(X509." -in '$usercert' -out '$userder' -inform PEM -outform DER 2>&1", $cmd_output, $ret);
    };
    # Create a PKCS12 certificate file for download to Windows
    if ($ret == 0) {
        unset($cmd_output);
-		$cmd_output[] = "Creating PKCS12 format certifcate.";
+        $cmd_output[] = "Creating PKCS12 format certificate.";
-		if ($passwd) {
+        $configCacert_pem = $config['cacert_pem'];
-			$cmd_output[] = "infile: $usercert   keyfile: $userkey   outfile: $userpfx  pass: $passwd";
+        $configOrganization = $config['organization'];
-			exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$config[cacert_pem]' -caname '$config[organization]' -out '$userpfx' -name $friendly_name -rand '$config[random]' -passin pass:$passwd -passout pass:$passwd  2>&1", $cmd_output, $ret);
+        $configRandom = $config['random'];
-		}
+
-		else {
+        if (($_passwd) && ($_passwd != "''")) {
            $cmd_output[] = "infile: $usercert   keyfile: $userkey   outfile: $userpfx  pass: $_passwd";
            exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$configCacert_pem' -caname '$configOrganization' -out '$userpfx' -name $friendly_name -rand '$configRandom' -passin pass:$_passwd -passout pass:$_passwd  2>&1", $cmd_output, $ret);
        } else {
            $cmd_output[] = "infile: $usercert   keyfile: $userkey   outfile: $userpfx";
-			exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$config[cacert_pem]' -caname '$config[organization]' -out '$userpfx' -name $friendly_name  -passout pass: 2>&1", $cmd_output, $ret);
+            // reetp - this needs looking at
            exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$configCacert_pem' -caname '$configOrganization' -out '$userpfx' -name $friendly_name -nodes -passout pass: 2>&1", $cmd_output, $ret);
            //exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$config[cacert_pem]' -caname '$config[organization]' -out '$userpfx' -name $friendly_name  -nodes 2>&1", $cmd_output, $ret);
        }
    };
@@ -595,15 +695,15 @@ function CA_create_cert($cert_type='email',$country,$province,$locality,$organiz
    fclose($fd);
    #Remove temporary openssl config file.
-	if (file_exists($cnf_file)) unlink($cnf_file);
+    if (file_exists($cnf_file)) {
        unlink($cnf_file);
    }
    if ($ret == 0) {
        # Successful!
        # Return status=true and serial number of issued certificate.
        return array(true, $serial);
-	
+    } else {
 	}
 	else {
        # Not successful. :-(
        # Clean up our loose ends.
        # Return status=false and openssl output/errors for debug.
@@ -623,20 +723,25 @@ function CA_create_cert($cert_type='email',$country,$province,$locality,$organiz
 // FIXME: Yes, I know... This functions contains much duplicative code
 //        from CA_create_cert().  Bleh!
 //
-function CA_renew_cert($old_serial,$expiry,$passwd) {
+function CA_renew_cert($old_serial, $expiry, $passwd)
 {
    global $config;
-	# Don't renew a revoked certificate if a valid one exists for this
+    # Do not renew a revoked certificate if a valid one exists for this
    # URL.  Find and renew the valid certificate instead.
    if (CAdb_is_revoked($old_serial)) {
        $ret = CAdb_in(CA_cert_email($old_serial), CA_cert_cname($old_serial));
-		if ($ret && $old_serial != $ret) $old_serial = $ret;
+        if ($ret && $old_serial != $ret) {
            $old_serial = $ret;
        }
    }
    # Valid certificates must be revoked prior to renewal.
    if (CAdb_is_valid($old_serial)) {
        $ret = CA_revoke_cert($old_serial);
-		if (! $ret[0]) return $ret;
+        if (! $ret[0]) {
            return $ret;
        }
    }
    $cert_type  = CA_cert_type($old_serial);
@@ -648,7 +753,7 @@ function CA_renew_cert($old_serial,$expiry,$passwd) {
    $country      = $rec['country'];
    $province     = $rec['province'];
    $locality     = $rec['locality'];
-	$organization = $rec['organiztion'];
+    $organization = $rec['organization'];
    $unit         = $rec['unit'];
    $common_name  = $rec['common_name'];
    $email        = $rec['email'];
@@ -660,13 +765,14 @@ function CA_renew_cert($old_serial,$expiry,$passwd) {
    # Get the next available serial number
    $serial = trim(implode('', file($config['serial'])));
-	$old_userkey = $config['private_dir'].'/'.$old_serial.'-key.pem';
+    $old_userkey = $config['private_dir'] . "/$old_serial-key.pem";
-	$old_userreq = $config['req_dir'].'/'.$old_serial.'-req.pem';
+    $old_userreq = $config['req_dir'] . "/$old_serial-req.pem";
-	$userkey     = $config['private_dir'].'/'.$serial.'-key.pem';
+    $userkey     = $config['private_dir'] . "/$serial-key.pem";
-	$userreq     = $config['req_dir'].'/'.$serial.'-req.pem';
+    $userreq     = $config['req_dir'] . "/$serial-req.pem";
-	$usercert    = $config['new_certs_dir'].'/'.$serial.'.pem';
+    $usercert    = $config['new_certs_dir'] . "/$serial.pem";
-	$userder     = $config['cert_dir'].'/'.$serial.'.der';
+    $userder     = $config['cert_dir'] . "/$serial.der";
-	$userpfx     = $config['pfx_dir'].'/'.$serial.'.pfx';
+    $userpfx     = $config['pfx_dir'] . "/$serial.pfx";
    $expiry_days = round($expiry * 365.25, 0);
@@ -691,13 +797,18 @@ function CA_renew_cert($old_serial,$expiry,$passwd) {
    $friendly_name = escshellarg($rec['common_name']);
    # Escape dangerous characters in user input.
-	$passwd    = escshellarg($passwd);
+    $_passwd    = escshellarg($passwd);
    $configCa_pwd = $config['ca_pwd'];
    $configCacert_pem = $config['cacert_pem'];
    $configOrganization = $config['organization'];
    $configRandom = $config['random'];
    # Sign the certificate request and create the certificate.
    if ($ret == 0) {
        unset($cmd_output);
        $cmd_output[] = "Signing the $cert_type certificate request.";
-		exec(CA." -config '$cnf_file' -in '$userreq' -out /dev/null -notext -days '$expiry_days' -passin pass:'$config[ca_pwd]' -batch -extensions $extensions 2>&1", $cmd_output, $ret);
+        exec(CA." -config '$cnf_file' -in '$userreq' -out /dev/null -notext -days '$expiry_days' -passin pass:'$configCa_pwd' -batch -extensions $extensions 2>&1", $cmd_output, $ret);
    };
    # Create DER format certificate
@@ -711,41 +822,46 @@ function CA_renew_cert($old_serial,$expiry,$passwd) {
    if ($ret == 0) {
        unset($cmd_output);
        $cmd_output[] = "Creating PKCS12 format certificate.";
-		if ($passwd) {
+        if (($_passwd) && ($_passwd != "''")) {
-			$cmd_output[] = "infile: $usercert   keyfile: $userkey   outfile: $userpfx  pass: $passwd";
+            $cmd_output[] = "infile: $usercert   keyfile: $userkey   outfile: $userpfx  pass: $_passwd";
-			exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$config[cacert_pem]' -caname '$config[organization]' -out '$userpfx' -name $friendly_name -rand '$config[random]' -passin pass:$passwd -passout pass:$passwd  2>&1", $cmd_output, $ret);
+            exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$configCacert_pem' -caname '$configOrganization' -out '$userpfx' -name $friendly_name -rand '$configRandom' -passin pass:$_passwd -passout pass:$_passwd  2>&1", $cmd_output, $ret);
-		}
+        } else {
 		else {
            $cmd_output[] = "infile: $usercert   keyfile: $userkey   outfile: $userpfx";
-			exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$config[cacert_pem]' -caname '$config[organization]' -out '$userpfx' -name $friendly_name  -passout pass: 2>&1", $cmd_output, $ret);
+            // reetp - this needs looking at
            exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$configCacert_pem' -caname '$configOrganization' -out '$userpfx' -name $friendly_name  -nodes -passout pass: 2>&1", $cmd_output, $ret);
            //exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$config[cacert_pem]' -caname '$config[organization]' -out '$userpfx' -name $friendly_name  -nodes 2>&1", $cmd_output, $ret);
        }
    };
    #Unlock the CA database
    fclose($fd);
-	# https://github.com/radicand/phpki/issues/14
+    // Why is this here?
-	if (preg_match('E-mail Protection', $certtext) && preg_match('Code Signing', $certtest)) {
+    
-	$cert_type = 'email_signing';
+    //# https://github.com/radicand/phpki/issues/14 - but ereg is deprecated
-	}
+    if (preg_match('/E-mail Protection/', $certtext)) {
 	if (preg_match('E-mail Protection', $certtext)) {
        $cert_type = 'email';
    }
    if (preg_match('/E-mail Protection/', $certtext) && preg_match('/Code Signing/', $certtext)) {
        $cert_type = 'email_signing';
    }
    #Remove temporary openssl config file.
-	if (file_exists($cnf_file)) unlink($cnf_file);
+    if (file_exists($cnf_file)) {
        unlink($cnf_file);
    }
    if ($ret == 0) {
        return array(true, $serial);
-	}
+    } else {
 	else {
        # Not successful, so clean up before exiting.
        CA_remove_cert($serial);
-		if (eregi_array('.*private key.*',$cmd_output))
+        if (preg_match_array('.*private key.*', $cmd_output)) {
            $cmd_output[] = '<strong>This was likely caused by entering the wrong certificate password.</strong>';
-		else
+        } else {
            $cmd_output[] = '<strong>Click on the "Help" link above for information on how to report this problem.</strong>';
        }
        return array(false, implode('<br>', $cmd_output));
    }
@@ -755,18 +871,23 @@ function CA_renew_cert($old_serial,$expiry,$passwd) {
 // Creates a new Certificate Revocation List and copies it the the approriate
 // locations. Returns error messages from failed commands.
 //
-function CA_generate_crl() {
+function CA_generate_crl()
 {
    global $config;
    $configOpenssl_cnf = $config['openssl_cnf'];
    $configCacrl_pem = $config['cacrl_pem'];
    $configCa_pwd = $config['ca_pwd'];
    $configCacrl_der = $config['cacrl_der'];
    $ret = 0;
    $cmd_output[] = "Generating Certificate Revocation List.";
-	exec(CA. " -gencrl -config '$config[openssl_cnf]' -out '$config[cacrl_pem]' -passin pass:'$config[ca_pwd]' 2>&1", $cmd_output, $ret);
+    exec(CA. " -gencrl -config '$configOpenssl_cnf' -out '$configCacrl_pem' -passin pass:'$configCa_pwd' 2>&1", $cmd_output, $ret);
    if ($ret == 0) {
        unset($cmd_output);
        $cmd_output[] = "Creating DER format Certificate Revocation List.";
-		exec(CRL." -in '$config[cacrl_pem]' -out '$config[cacrl_der]' -inform PEM -outform DER 2>&1", $cmd_output, $ret);
+        exec(CRL." -in '$configCacrl_pem' -out '$configCacrl_der' -inform PEM -outform DER 2>&1", $cmd_output, $ret);
    }
    return array(($ret == 0 ? true : false), implode('<br>', $cmd_output));
@@ -776,78 +897,80 @@ function CA_generate_crl() {
 // Removes a specified certificate from the certificate index,
 // and all traces of it from the file system.
 //
-function CA_remove_cert($serial) {
+function CA_remove_cert($serial)
 {
    global $config;
-	$userreq  = $config['req_dir'].'/'.$serial.'-req.pem';
+    $userreq  = $config['req_dir'] . "/$serial-req.pem";
-	$userkey  = $config['private_dir'].'/'.$serial.'-key.pem';
+    $userkey  = $config['private_dir'] . "/$serial-key.pem";
-	$usercert = $config['new_certs_dir'].'/'.$serial.'.pem';
+    $usercert = $config['new_certs_dir'] . "/$serial.pem";
-	$userder  = $config['cert_dir'].'/'.$serial.'.der';
+    $userder  = $config['cert_dir'] . "/$serial.der";
-	$userpfx  = $config['pfx_dir'].'/'.$serial.'.pfx';
+    $userpfx  = $config['pfx_dir'] ."/$serial.pfx";
    $configIndex = $config['index'];
    # Wait here if another user has the database locked.
-	$fd = fopen($config['index'],'a');
+    $fd = fopen($configIndex, 'a');
    flock($fd, LOCK_EX);
-	if( file_exists($userreq))  unlink($userreq);
+    if (file_exists($userreq)) {
-	if( file_exists($userkey))  unlink($userkey);
+        unlink($userreq);
-	if( file_exists($usercert)) unlink($usercert);
+    }
-	if( file_exists($userder))  unlink($userder);
+    if (file_exists($userkey)) {
-	if( file_exists($userpfx))  unlink($userpfx);
+        unlink($userkey);
    }
    if (file_exists($usercert)) {
        unlink($usercert);
    }
    if (file_exists($userder)) {
        unlink($userder);
    }
    if (file_exists($userpfx)) {
        unlink($userpfx);
    }
-	$tmpfile = $config['index'].'.tmp';
+    $tmpfile = $configIndex .'.tmp';
-	copy($config['index'], $tmpfile);
+    copy($configIndex, $tmpfile);
    $regexp = "^[VR]\t.*\t.*\t".$serial."\t.*\t.*$";
-	exec('egrep -v '.escshellarg($regexp)." $tmpfile > $config[index] 2>/dev/null");
+    exec('egrep -v '.escshellarg($regexp)." $tmpfile > $configIndex 2>/dev/null");
    unlink($tmpfile);
    fclose($fd);
 }
 //
 // Returns the likely intended use for a specified certificate
 // (email, server, vpn).
 //
-function CA_cert_type($serial) {
+function CA_cert_type($serial)
 {
    $certtext = CA_cert_text($serial);
-	#if (ereg('OpenSSL.* (E.?mail|Personal) .*Certificate', $certtext) && ereg('Code Signing', $certtest)) {
+    if (preg_match('~OpenSSL.* (E.?mail|Personal) .*Certificate~', $certtext) && preg_match('~Code Signing~', $certtext)) {
-	if (preg_match('~OpenSSL.* (E.?mail|Personal) .*Certificate~', $certtext) && preg_match('~Code Signing~', $certtest)) {
+        $cert_type = 'email_signing'; // Was 'codesigning' but can't see that anywhere
-		$cert_type = 'email_codesigning';
+    } elseif (preg_match('~OpenSSL.* (E.?mail|Personal) .*Certificate~', $certtext)) {
 	}
 	#if (ereg('OpenSSL.* (E.?mail|Personal) .*Certificate', $certtext)) {
 	if (preg_match('~OpenSSL.* (E.?mail|Personal) .*Certificate~', $certtext)) {
        $cert_type = 'email';
-	}
+    } elseif (preg_match('~OpenSSL.* Server .*Certificate~', $certtext)) {
 	#elseif (ereg('OpenSSL.* Server .*Certificate', $certtext)) {
 	elseif (preg_match('~OpenSSL.* Server .*Certificate~', $certtext)) {
        $cert_type = 'server';
-	}
+    } elseif (preg_match('~timeStamping|Time Stamping~', $certtext)) {
 	#elseif (ereg('timeStamping|Time Stamping', $certtext)) {
 	elseif (preg_match('~timeStamping|Time Stamping~', $certtext)) {
        $cert_type = 'time_stamping';
-	}
+    } elseif (preg_match('~TLS Web Client Authentication~', $certtext) && preg_match('~TLS Web Server Authentication~', $certtext)) {
 	#elseif (ereg('TLS Web Client Authentication', $certtext) && ereg('TLS Web Server Authentication', $certtext)) {
 	elseif (preg_match('~TLS Web Client Authentication~', $certtext) && preg_match('~TLS Web Server Authentication~', $certtext)) {
        $cert_type = 'vpn_client_server';
-	}
+    } elseif (preg_match('~TLS Web Client Authentication~', $certtext)) {
 	#elseif (ereg('TLS Web Client Authentication', $certtext)) {
 	elseif (preg_match('~TLS Web Client Authentication~', $certtext)) {
        $cert_type = 'vpn_client';
-	}
+    } elseif (preg_match('~TLS Web Server Authentication~', $certtext)) {
 	#elseif (ereg('TLS Web Server Authentication', $certtext)) {
 	elseif (preg_match('~TLS Web Server Authentication~', $certtext)) {
        $cert_type = 'vpn_server';
-	}
+    } else {
 	else {
        $cert_type = 'vpn_client_server';
    }
    return $cert_type;
 }
-?>
+function CA_get_root_pem()
 {
    global $config;
    return(file_get_contents($config['cacert_pem']));
 }
--- a/root/index.php
+++ b/root/index.php
@@ -1 +0,0 @@
 readme.php
--- a/root/index.php
+++ b/root/index.php
@@ -0,0 +1 @@
 readme.php
--- a/root/main.php
+++ b/root/main.php
@@ -4,21 +4,34 @@ include('./config.php');
 include(STORE_DIR.'/config/config.php');
 include('./include/common.php');
 include('./include/my_functions.php');
 include('./include/openssl_functions.php');
 $stage = gpvar('stage');
 switch ($stage) {
    case 'dl_root':
-	upload("$config[cacert_pem]", "$config[ca_prefix]cacert.crt", 'application/x-x509-ca-cert');
+        upload($config['cacert_pem'], $config['ca_prefix'] . "cacert.crt", 'application/x-x509-ca-cert');
        break;
    case 'display_root':
        printHeader('public');
        ?>
        <center><h2>Root Certificate (PEM Encoded)</h2></center>
        <p><pre><?php echo  CA_get_root_pem() ?></pre></p>
        <p>
        <form action="<?php echo $PHP_SELF?>" method="post">
            <input type=submit name=submit value="Back to Menu">
        </form>
    <?php
        break;
    case 'dl_crl':
-	upload("$config[cacrl_der]", "$config[ca_prefix]cacrl.crl", 'application/pkix-crl');
+        upload($config['cacrl_der'], $config['ca_prefix'] . "cacrl.crl", 'application/pkix-crl');
        break;
    case 'dl_crl_pem':
-       upload("$config[cacrl_pem]", "$config[ca_prefix]cacrl.crl", 'application/octet-stream');
+           upload($config['cacrl_pem'], $config['ca_prefix'] . "cacrl.crl", 'application/octet-stream');
        break;
    default:
@@ -29,27 +42,30 @@ default:
        <br>
        <center>
        <table class=menu width=500><th class=menu colspan=2><big>PUBLIC CONTENT MENU<big></th>
            <tr>
                <td style="text-align: center; vertical-align: middle; font-weight: bold;" width=35%> <a href=search.php>Search for a Certificate</a></td>
                <td>Find a digital certificate to download and install in your e-mail or browser application.</td>
            </tr>
-	<tr><td style="text-align: center; vertical-align: middle; font-weight: bold;" width=35%>
+            <tr>
-	<a href=search.php>Search for a Certificate</a></td>
+                <td style="text-align: center; vertical-align: middle; font-weight: bold;"> <a href=<?php echo $PHP_SELF?>?stage=dl_root>Download Our Root Certificate</a> </td>
-	<td>Find a digital certificate to download and install in your e-mail or browser application.</td></tr>
+                <td>You must install our "Root" certificate before you can use any of the certificates issued here. <a href=help.php target=_help>Read the online help</a> to learn more about this.</td>
            </tr>
-	<tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
+            <tr>
-	<a href=<?=$PHP_SELF?>?stage=dl_root>Download Our Root Certificate</a></td>
+                <td style="text-align: center; vertical-align: middle; font-weight: bold;"> <a href=<?php echo $PHP_SELF?>?stage=display_root>Display Our Root Certificate (PEM Encoded)</a></td>
-	<td>You must install our "Root" certificate before you can use any of the 
+                <td>This option provides the "Root" certificate PEM encoded text for advanced users to manually install via copy and paste. <a href=help.php target=_help>Read the online help</a> to learn more about this.</td>
 	certificates issued here. <a href=help.php target=_help>Read the online help</a> 
 	to learn more about this.</td></tr>
 	<tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
 	<a href=<?=$PHP_SELF?>?stage=dl_crl>Download Our Certificate Revocation List</a></td>
 	<td>The official list of certificates revoked by this site.  Installation and use of 
 	this list is optional. Some e-mail programs will reference this list automagically.
 	(<a href="<?=$PHP_SELF?>?stage=dl_crl_pem">Some will need it in PEM format.</a>)</td></tr>
            <tr>
                <td style="text-align: center; vertical-align: middle; font-weight: bold;"> <a href=<?php echo $PHP_SELF?>?stage=dl_crl>Download Our Certificate Revocation List</a></td>
                <td>The official list of certificates revoked by this site.  Installation and use of this list is optional. Some e-mail programs will reference this list automagically. (<a href="<?php echo $PHP_SELF?>?stage=dl_crl_pem">Some will need it in PEM format.</a>)</td>
            </tr>
        </table>
        </center>
-	<br><br>
+        <br>
-	<?
+        <br>
    <?php
    printFooter();
 }
--- a/root/ns_revoke_query.php
+++ b/root/ns_revoke_query.php
@@ -14,14 +14,19 @@
 # application/x-netscape-revocation containing a single character
 # '1' if the certificate is revoked, '0' if it is valid.
 #
-include('./config.in.php');
+include('./config.php');
 include(STORE_DIR.'/config/config.php');
-$serial = escapeshellcmd(trim($HTTP_SERVER_VARS['QUERY_STRING']));
+$serial = escapeshellcmd(trim($_SERVER['QUERY_STRING']));
-header("Content-type: application/x-netscape-revocation");
+#header("Content-type: application/x-netscape-revocation");
-$regexp = "^R\t.*\t.*\t$serial\t.*\t.*$";
+
-if (exec("egrep '$regexp' ca/$config[index]"))
+# old Reg Ex doesnt work, new should do the work
 #$regexp = "^R\t.*\t.*\t$serial\t.*\t.*$";
 $regexp = "^R.*$serial.*$";
 $configIndex = $config['index'];
 if (exec("egrep '$regexp' '$configIndex'")) {
    print '1';
-else
+} else {
    print '0';
-?>
+}
--- a/root/openssl.cnf
+++ b/root/openssl.cnf
@@ -14,7 +14,7 @@ crl_extensions		= crl_ext
 default_days		= 365
 default_crl_days	= 30
 preserve	 	= no
-default_md	 	= sha1
+default_md	 	= sha256
 [ ca ]
 default_ca		= email_cert
@@ -147,7 +147,7 @@ issuerAltName=issuer:copy
 authorityKeyIdentifier=keyid:always,issuer:always
 [ req ]
-default_bits		= 1024
+default_bits		= 2048
 default_keyfile		= privkey.pem
 distinguished_name	= req_name
 string_mask		= nombstr
--- a/root/policy.html
+++ b/root/policy.html
@@ -1,14 +1,15 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2//EN">
 <html>
 <head>
  <title>Certificate Authority Issuer's Statement</title>
 </head>
 <body>
-<h1 align=center>Certificate Authority Issuer's Statement</h2>
+  <h1 align="center">Certificate Authority Issuer's Statement</h1>
-<p>
+
-This is a private Limited Liability certificate authority for use by member
+  <p>This is a private Limited Liability certificate authority for use by member non-profit agencies.</p>
-non-profit agencies.
+
-<p>
+  <p>Certificate non-repudiation is achieved via identity verification by password authorized certificate managers from each member agency.</p>
 Certificate non-repudiation is achieved via identity verification by password
 authorized certificate managers from each member agency.
 </body>
 </html>
--- a/root/readme.php
+++ b/root/readme.php
@@ -7,7 +7,6 @@ include('./include/common.php');
 printHeader('setup');
 print '<center><font color=red><h1>READ ME</h1></font></center>';
 print '<pre>';
-readfile('./README');
+readfile('./README.md');
 print '</pre>';
 printFooter();
 ?>
--- a/root/search.php
+++ b/root/search.php
@@ -15,54 +15,59 @@ $show_revoked = gpvar('show_revoked');
 $show_expired = gpvar('show_expired');
 # Force stage back to search form if search string is empty.
-if ($stage == "search" && ! $search) $stage = "";
+if ($stage == "search" && ! $search) {
    $stage = "";
 }
 # Force filter to (V)alid certs if no search status is selected.
-if ( !($show_valid.$show_revoked.$show_expired) ) $show_valid = 'V';
+if (!($show_valid.$show_revoked.$show_expired)) {
    $show_valid = 'V';
 }
 switch ($stage) {
-case display:
+    case 'display':
        printHeader('about');
        print '
  <center><h2>Certificate Details</h2></center>
  <center><font color=#0000AA><h3>(#'.htvar($serial).')<br>'.htvar(CA_cert_cname($serial).' <'.CA_cert_email($serial).'>').'</h3></font></center>';
-	if ($revoke_date = CAdb_is_revoked($serial))
+        if ($revoke_date = CAdb_is_revoked($serial)) {
            print '<center><font color=red><h2>REVOKED '.htvar($revoke_date).'</h2></font></center>';
        }
        print '<pre>'.htvar(CA_cert_text($serial)).'</pre>';
        break;
    case 'download':
        $rec = CAdb_get_entry($serial);
-	upload("$config[cert_dir]/$serial.der", "$rec[common_name].cer", 'application/pkix-cert');
+        upload($config['cert_dir'] . "/$serial.der", $rec['common_name'] . ".cer", 'application/pkix-cert');
        break;
    case 'download_pem':
        $rec = CAdb_get_entry($serial);
-        upload("$config[new_certs_dir]/$serial.pem", "$rec[common_name].pem", 'application/pkix-cert');
+        upload($config['new_certs_dir'] . "/$serial.pem", $rec['common_name'] . ".pem", 'application/pkix-cert');
        break;
-case search:
+    case 'search':
        printHeader('public');
        $db = CAdb_to_array("^[${show_valid}${show_revoked}${show_expired}].*$search");
-	print '<body onLoad="self.focus();document.form.submit.focus();">';
+        print '<body onLoad="self.focus();document.form.submit.focus()">';
        if (sizeof($db) == 0) {
            ?>
            <center>
            <h2>Nothing Found</h2>
-		<form action=<?=$PHP_SELF?> method=post name=form>
+            <form action="<?php echo htmlentities($_SERVER['SCRIPT_NAME'])?>" method="post" name="form">
-		<input type=hidden name=search value="<?=htvar($search)?>">
+        <input type=hidden name=search value="<?php echo htvar($search)?>">
-		<input type=hidden name=show_valid value="<?=htvar($show_valid)?>">
+        <input type=hidden name=show_valid value="<?php echo htvar($show_valid)?>">
-		<input type=hidden name=show_revoked value="<?=htvar($show_revoked)?>">
+        <input type=hidden name=show_revoked value="<?php echo htvar($show_revoked)?>">
-		<input type=hidden name=show_expired value="<?=htvar($show_expired)?>">
+        <input type=hidden name=show_expired value="<?php echo htvar($show_expired)?>">
        <input type=submit name=submit value="Go Back">
        </form>
        </center>
-		<?
+        <?php
        printFooter();
        break;
        }
@@ -88,22 +93,22 @@ case search:
            ?>
            <tr style="font-size: 11px;">
-		<td style="color: <?=$stcolor[$rec['status']]?>; font-weight: bold"><?=htvar($rec['status'])?></td>
+            <td style="color: <?php echo $stcolor[$rec['status']]?>; font-weight: bold"><?php echo htvar($rec['status'])?></td>
-		<td style="white-space: nowrap"><?=htvar($rec['issued'])?></td>
+        <td style="white-space: nowrap"><?php echo htvar($rec['issued'])?></td>
-		<td style="white-space: nowrap"><?=htvar($rec['expires'])?></td>
+        <td style="white-space: nowrap"><?php echo htvar($rec['expires'])?></td>
-		<td><?=htvar($rec[common_name])?></td>
+        <td><?php echo htvar($rec['common_name'])?></td>
-		<td style="white-space: nowrap"><a href="mailto:<?=htvar($rec['common_name']).' <'.htvar($rec['email']).'>"'?>><?=htvar($rec['email'])?></a></td>
+        <td style="white-space: nowrap"><a href="mailto: <?php echo htvar($rec['common_name']).'<'.htvar($rec['email']).'>' ?> "> <?php echo htvar($rec['email'])?></a></td>
-		<td><?=htvar($rec['organization'])?></td>
+        <td><?php echo htvar($rec['organization'])?></td>
-		<td><?=htvar($rec['unit'])?></td>
+        <td><?php echo htvar($rec['unit'])?></td>
-		<td><?=htvar($rec['locality'])?></td>
+        <td><?php echo htvar($rec['locality'])?></td>
-		<td><?=htvar($rec['province'])?></td>
+        <td><?php echo htvar($rec['province'])?></td>
-		<td><a href=<?=$PHP_SELF?>?stage=display&serial=<?=htvar($rec['serial'])?> target=_certdisp><img src=images/display.png alt="Display" title="Display the certificate in excruciating detail"></a>
+        <td><a href="<?php echo htmlentities($_SERVER['SCRIPT_NAME'])?> ?stage=display&serial=<?php echo htvar($rec['serial'])?>" target=_certdisp><img src=images/display.png alt="Display" title="Display the certificate in excruciating detail"></a>
-		<?
+        <?php
        if ($rec['status'] != 'Revoked') {
            ?>
-			<a href=<?=$PHP_SELF?>?stage=download&serial=<?=htvar($rec['serial'])?>><img src=images/download.png alt="Download" title="Download the certificate so that you may send encrypted e-mail"></a>
+            <a href="<?php echo htmlentities($_SERVER['SCRIPT_NAME'])?>?stage=download&serial=<?php echo htvar($rec['serial'])?>"><img src=images/download.png alt="Download" title="Download the certificate so that you may send encrypted e-mail"></a>
-			<a href=<?=$PHP_SELF?>?stage=download_pem&serial=<?=htvar($rec['serial'])?>><img src=images/download.png alt="Download (in PEM format)" title="Download in PEM format"></a>
+            <a href="<?php echo htmlentities($_SERVER['SCRIPT_NAME'])?>?stage=download_pem&serial=<?=htvar($rec['serial'])?>"><img src=images/download.png alt="Download (in PEM format)" title="Download in PEM format"></a>
-			<?
+            <?php
        }
        print '</td></tr>';
        }
@@ -111,14 +116,14 @@ case search:
        ?>
        </table>
-	<form action=<?=$PHP_SELF?> method=post name=form>
+        <form action="<?php echo htmlentities($_SERVER['SCRIPT_NAME'])?>" method="post" name="form">
    <input type=submit name=submit value="Another Search">
-	<input type=hidden name=search value="<?=htvar($search)?>">
+    <input type=hidden name=search value="<?php echo htvar($search)?>">
-	<input type=hidden name=show_valid value="<?=htvar($show_valid)?>">
+    <input type=hidden name=show_valid value="<?php echo htvar($show_valid)?>">
-	<input type=hidden name=show_revoked value="<?=htvar($show_revoked)?>">
+    <input type=hidden name=show_revoked value="<?php echo htvar($show_revoked)?>">
-	<input type=hidden name=show_expired value="<?=htvar($show_expired)?>">
+    <input type=hidden name=show_expired value="<?php echo htvar($show_expired)?>">
    </form>
-	<?
+    <?php
    printFooter();
        break;
@@ -129,17 +134,17 @@ default:
        ?>
        <body onLoad="self.focus();document.search.search.focus();">
        <center><h2>Certificate Search</h2>
-	<form action=<?=$PHP_SELF?> method=post name=search>
+        <form action="<?php echo $PHP_SELF?>" method="post" name="search">
-	<input type=text name=search value="<?=htvar($search)?>" maxlength=60 size=40>
+    <input type=text name=search value="<?php echo htvar($search)?>" maxlength=60 size=40>
    <input type=submit name=submit value="Find It!"><br>
-	<input type=checkbox name=show_valid value="V" <?=($show_valid?'checked':'')?>>Valid
+    <input type=checkbox name=show_valid value="V" <?php echo ($show_valid?'checked':'')?>>Valid
-	&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<input type=checkbox name=show_revoked value="R" <?=($show_revoked?'checked':'')?>>Revoked
+    &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<input type=checkbox name=show_revoked value="R" <?php echo ($show_revoked?'checked':'')?>>Revoked
-	&nbsp;&nbsp;&nbsp;&nbsp;<input type=checkbox name=show_expired value="E" <?=($show_expired?'checked':'')?>>Expired
+    &nbsp;&nbsp;&nbsp;&nbsp;<input type=checkbox name=show_expired value="E" <?php echo ($show_expired?'checked':'')?>>Expired
    <input type=hidden name=stage value=search>
    </form></center>
    <br><br>
-	<?
+    <?php
    printFooter();
 }
--- a/root/secure.sh
+++ b/root/secure.sh
@@ -27,15 +27,16 @@ then
    echo "The file you specified does not yet exist."
    echo "Let's create it and add your first user."
    echo
-    read -p "Enter a user id: " $user_id
+    read -p "Enter a user id: " user_id
-    echo "Creating the '$user_id' user account..."
+    echo "Creating the $user_id user account..."
-    htpasswd -m "$passwd_file" "$user_id" || exit
+
    htpasswd -c -m "$passwd_file" "$user_id" || exit
    echo "Creating the administrator account..."
 	echo "See the README file for more information about the"
 	echo "'pkiadmin' user."
-    htpasswd -c -m "$passwd_file" 'pkiadmin' || exit
+    htpasswd -m "$passwd_file" 'pkiadmin' || exit
 fi
 echo
--- a/root/setup.php
+++ b/root/setup.php
@@ -1 +0,0 @@
 setup.php-presetup
--- a/root/setup.php
+++ b/root/setup.php
@@ -0,0 +1 @@
 setup.php-presetup
--- a/root/setup.php-presetup
+++ b/root/setup.php-presetup