author | jim-p <jimp@pfsense.org> | 2011-11-09 15:43:49 -0500 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2011-11-09 15:45:21 -0500 |
commit | 77a888140bd834514e199757f38656cc0ab0ee94 (patch) | |
tree | 239f8ab0ee15e62d63e2df0828fe11f1f2a61753 | |
parent | 0389f03498994dbdaf47543a325b58d14b1cdbab (diff) | |
download | pfsense-77a888140bd834514e199757f38656cc0ab0ee94.zip pfsense-77a888140bd834514e199757f38656cc0ab0ee94.tar.gz |
When creating an internal certificate, offer the user a choice of what constraints to place upon the certificate (CA, Server, or User).
-rw-r--r-- | etc/inc/certs.inc | 17 | ||||
-rw-r--r-- | etc/ssl/openssl.cnf | 13 | ||||
-rw-r--r-- | usr/local/www/system_certmanager.php | 29 |
3 files changed, 54 insertions, 5 deletions
diff --git a/etc/inc/certs.inc b/etc/inc/certs.inc
index 104a9fe..50ce0ad 100644
--- a/etc/inc/certs.inc
+++ b/etc/inc/certs.inc
@@ -253,7 +253,7 @@ function cert_import(& $cert, $crt_str, $key_str) {
 return true;
 }
-function cert_create(& $cert, $caref, $keylen, $lifetime, $dn) {
+function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user") {
 $ca =& lookup_ca($caref);
 if (!$ca)
@@ -266,8 +266,20 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn) {
 if(!$ca_res_key)
 return false;
 $ca_serial = ++$ca['serial'];
+switch ($type) {
+case "ca":
+$cert_type = "v3_ca";
+break;
+case "server":
+$cert_type = "server";
+break;
+default:
+$cert_type = "usr_cert";
+break;
+}
+
 $args = array(
-"x509_extensions" => "usr_cert",
+"x509_extensions" => $cert_type,
 "digest_alg" => "sha1",
 "private_key_bits" => (int)$keylen,
 "private_key_type" => OPENSSL_KEYTYPE_RSA,
@@ -295,6 +307,7 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn) {
 $cert['caref'] = $caref;
 $cert['crt'] = base64_encode($str_crt);
 $cert['prv'] = base64_encode($str_key);
+$cert['type'] = $type;
 return true;
 }
diff --git a/etc/ssl/openssl.cnf b/etc/ssl/openssl.cnf
index a1dcfe8..4039035 100644
--- a/etc/ssl/openssl.cnf
+++ b/etc/ssl/openssl.cnf
@@ -189,7 +189,7 @@ basicConstraints=CA:FALSE
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 # This will be displayed in Netscape's comment listbox.
-nsComment = "OpenSSL Generated Certificate"
+nsComment = "OpenSSL Generated User Certificate"
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
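Review bot: The `"ca"` case in the new switch is the one with teeth: selecting the `v3_ca` extension profile asks OpenSSL to issue a certificate that is itself a certificate authority (assuming the stock `[ v3_ca ]` section with `basicConstraints = CA:TRUE`, which is not shown on this page), signed by `$caref`, so whoever holds its private key can mint further certificates trusted by anything that trusts that CA, and nothing in the helper says so. The `default:` branch also means any unrecognised `$type` string silently becomes a user certificate rather than an error. I would document both on the new parameter, `// $type: "ca" issues a subordinate CA (v3_ca profile) signed by $caref; "server" a TLS server cert; anything else a user cert.`, and consider returning false for an unknown type instead of falling through. cert_create's body continues outside this hunk.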
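Review bot: `$cert['type'] = $type;` records the caller's raw string, while the extension profile was chosen a few lines earlier by a switch whose default accepts any value, so an unknown type is issued with user-cert extensions but stored under an arbitrary label that the certificate manager later uses as an array key. Store the normalised value instead: `$cert['type'] = in_array($type, array("ca", "server"), true) ? $type : "user";`. That keeps the recorded type consistent with the extensions actually applied to the certificate; cert_create begins outside this hunk.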
@@ -212,6 +212,17 @@ authorityKeyIdentifier=keyid,issuer:always
 #nsCaPolicyUrl
 #nsSslServerName
+[ server ]
+
+# Make a cert with nsCertType=server
+basicConstraints=CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+
 [ v3_req ]
 # Extensions to add to a certificate request
diff --git a/usr/local/www/system_certmanager.php b/usr/local/www/system_certmanager.php
index 1fd7323..54e9b8d 100644
--- a/usr/local/www/system_certmanager.php
+++ b/usr/local/www/system_certmanager.php
@@ -47,6 +47,9 @@ $cert_methods = array(
 );
 $cert_keylens = array( "512", "1024", "2048", "4096");
+$cert_types = array( "ca" => "Certificate Authority",
+"server" => "Server Certificate",
+"user" => "User Certificate");
 $pgtitle = array(gettext("System"), gettext("Certificate Manager"));
@@ -101,6 +104,7 @@ if ($act == "del") {
 if ($act == "new") {
 $pconfig['method'] = $_GET['method'];
 $pconfig['keylen'] = "2048";
+$pconfig['type'] = "user";
 $pconfig['lifetime'] = "3650";
 }
@@ -170,12 +174,13 @@ if ($_POST) {
 if ($pconfig['method'] == "internal") {
 $reqdfields = explode(" ",
-"descr caref keylen lifetime dn_country dn_state dn_city ".
+"descr caref keylen type lifetime dn_country dn_state dn_city ".
 "dn_organization dn_email dn_commonname");
 $reqdfieldsn = array(
 gettext("Descriptive name"),
 gettext("Certificate authority"),
 gettext("Key length"),
+gettext("Certificate Type"),
 gettext("Lifetime"),
 gettext("Distinguished name Country Code"),
 gettext("Distinguished name State or Province"),
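Review bot: The new `[ server ]` profile restricts use with `extendedKeyUsage=serverAuth` and `keyUsage`, but neither extension is marked critical, so a relying party that does not understand them is free to ignore them; RFC 5280 recommends `keyUsage = critical, digitalSignature, keyEncipherment`. More importantly for the commit's stated goal, the `[ usr_cert ]` section this is modelled on (partly visible in the preceding hunk) still has its `keyUsage` line commented out and shows no `extendedKeyUsage`, so a "user" certificate is not actually prevented from being presented as a TLS server certificate; if that restriction is intended, add `extendedKeyUsage = clientAuth` and an uncommented `keyUsage` there as well — only part of that section is visible, so check the rest before changing it. The `[ server ]` section also carries no `subjectAltName`, and since the form only collects a commonName that is a limitation worth stating in the UI rather than fixing here.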
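Review bot: The labels in the new `$cert_types` array are the only user-visible strings in this hunk that bypass `gettext()`, unlike `$pgtitle` two lines below and the `$reqdfieldsn` entries later in the file; wrap each of the three, e.g. `"server" => gettext("Server Certificate"),`. Because the same array labels both the select on the edit form and the certificate list, fixing it here covers both places.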
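Review bot: Adding `type` to `$reqdfields` only ensures the POSTed value is non-empty; nothing checks that it is one of the keys of `$cert_types`, and the value is passed straight into cert_create() in a later hunk and from there into the saved configuration. Add an explicit whitelist check next to the required-field test, e.g. `if (!array_key_exists($pconfig['type'], $cert_types)) $input_errors[] = gettext("Please select a valid certificate type.");`, so an unexpected value is rejected rather than silently issued as a user certificate. The `if ($_POST)` handler continues outside this hunk.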
@@ -255,7 +260,7 @@ if ($_POST) {
 'commonName' => $pconfig['dn_commonname']);
 if (!cert_create($cert, $pconfig['caref'], $pconfig['keylen'],
-$pconfig['lifetime'], $dn)){
+$pconfig['lifetime'], $dn, $pconfig['type'])){
 while($ssl_err = openssl_error_string()){
 $input_errors = array();
 array_push($input_errors, "openssl library returns: " . $ssl_err);
@@ -579,6 +584,23 @@ function internalca_change() {
 </td>
 </tr>
 <tr>
+<td width="22%" valign="top" class="vncellreq"><?=gettext("Certificate Type");?></td>
+<td width="78%" class="vtable">
+<select name='type' class="formselect">
+<?php
+foreach( $cert_types as $ct => $ctdesc ):
+$selected = "";
+if ($pconfig['type'] == $ct)
+$selected = "selected";
+?>
+<option value="<?=$ct;?>"<?=$selected;?>><?=$ctdesc;?></option>
+<?php endforeach; ?>
+</select>
+<br/>
+<?=gettext("Type of certificate to generate. Used for placing restrictions on the usage of the generated certificate.");?>
+</td>
+</tr>
+<tr>
 <td width="22%" valign="top" class="vncellreq"><?=gettext("Lifetime");?></td>
 <td width="78%" class="vtable">
 <input name="lifetime" type="text" class="formfld unknown" id="lifetime" size="5" value="<?=htmlspecialchars($pconfig['lifetime']);?>"/>
@@ -897,6 +919,9 @@ function internalca_change() {
 <?=$name;?>
 </td>
 </tr>
+<?php if ($cert['type']): ?>
+<tr><td colspan="2"><em><?php echo $cert_types[$cert['type']]; ?></em></td></tr>
+<?php endif; ?>
 </table>
 </td>
 <td class="listr"><?=$caname;?> </td> |
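Review bot: The help text under the new select ("Used for placing restrictions on the usage of the generated certificate") does not tell the operator that choosing "Certificate Authority" produces a certificate that can itself sign certificates on behalf of the selected CA — if the `[ v3_ca ]` profile carries `CA:TRUE` as the stock file does — which is the one option here with real consequences. Say so in the text, e.g. `Server certificates are limited to TLS server authentication; Certificate Authority creates a subordinate CA able to issue further certificates signed by the selected CA.`, and consider listing "user" first since it is the default set in the `$act == "new"` branch. The `$pconfig['type'] == $ct` comparison would be safer as `===` given both sides are strings from known sources.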
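Review bot: `if ($cert['type'])` followed by `$cert_types[$cert['type']]` assumes the stored type is one of the three known keys; any other value (the saving code stores the POSTed string as-is) yields an undefined-index notice and an empty `<em></em>`, and certificates created before this change have no `type` key at all, which under default error settings also trips the `if` with a notice. Guard both at once: `<?php if (isset($cert['type'], $cert_types[$cert['type']])): ?>`. The echoed text itself is safe, since it comes from the fixed `$cert_types` array rather than from the stored value.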