author | jim-p <jimp@pfsense.org> | 2014-10-21 14:42:43 -0400 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2014-10-21 14:43:22 -0400 |
commit | a376c57de58765dbd469cb07ee3108da49a2657d (patch) | |
tree | a92cefa3ab93e3d1695afe4c1a3eada57d97b1cb /etc/inc/certs.inc | |
parent | 5b473705fac4e128070fcc009864b97624f38b03 (diff) | |
Teach the certificate generation code how to make a self-signed certificate, and
change the GUI cert generation code to use it. Also, move the GUI cert
generation code to its own function so we can add a GUI option to regenerate it
later. Also use more sensible defaults for the contents of the default
self-signed certificate's fields so it is more distinctive and
less likely to trigger problems in browser certificate storage handling.
Also add a CLI script to regenerate a new GUI certificate.
Several master commits rolled into one patch for 2.1.x.
Diffstat (limited to 'etc/inc/certs.inc')
-rw-r--r-- | etc/inc/certs.inc | 37 |
1 files changed, 25 insertions, 12 deletions
diff --git a/etc/inc/certs.inc b/etc/inc/certs.inc
index 518bc59..2043ca3 100644
--- a/etc/inc/certs.inc
+++ b/etc/inc/certs.inc
@@ -270,22 +270,28 @@ function cert_import(& $cert, $crt_str, $key_str) {
 function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user", $digest_alg = "sha256") {
- $ca =& lookup_ca($caref);
- if (!$ca)
- return false;
+ $cert['type'] = $type;
- $ca_str_crt = base64_decode($ca['crt']);
- $ca_str_key = base64_decode($ca['prv']);
- $ca_res_crt = openssl_x509_read($ca_str_crt);
- $ca_res_key = openssl_pkey_get_private(array(0 => $ca_str_key, 1 => ""));
- if(!$ca_res_key) return false;
- $ca_serial = ++$ca['serial'];
+ if ($type != "self-signed") {
+ $cert['caref'] = $caref;
+ $ca =& lookup_ca($caref);
+ if (!$ca)
+ return false;
+
+ $ca_str_crt = base64_decode($ca['crt']);
+ $ca_str_key = base64_decode($ca['prv']);
+ $ca_res_crt = openssl_x509_read($ca_str_crt);
+ $ca_res_key = openssl_pkey_get_private(array(0 => $ca_str_key, 1 => ""));
+ if(!$ca_res_key) return false;
+ $ca_serial = ++$ca['serial'];
+ }
 switch ($type) {
 case "ca":
 $cert_type = "v3_ca";
 break;
 case "server":
+ case "self-signed":
 $cert_type = "server";
 break;
 default:
@@ -304,11 +310,20 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user", $di
 $res_key = openssl_pkey_new($args);
 if(!$res_key) return false;
+ // If this is a self-signed cert, blank out the CA and sign with the cert's key
+ if ($type == "self-signed") {
+ $ca = null;
+ $ca_res_crt = null;
+ $ca_res_key = $res_key;
+ $ca_serial = 0;
+ $cert['type'] = "server";
+ }
+
 // generate a certificate signing request
 $res_csr = openssl_csr_new($dn, $res_key, $args);
 if(!$res_csr) return false;
- // self sign the certificate
+ // sign the certificate using an internal CA
 $res_crt = openssl_csr_sign($res_csr, $ca_res_crt, $ca_res_key, $lifetime, $args, $ca_serial);
 if(!$res_crt) return false;
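Review bot: In the new `if ($type != "self-signed")` branch, `$cert['caref']` is assigned only for CA-signed certificates, and the third hunk (at -319,10) drops the unconditional `$cert['caref'] = $caref;` from the end of the function, so a self-signed certificate generated into a `$cert` array that already carries a `caref` (the regeneration case the description mentions) keeps the stale reference and will read as CA-issued to anything that inspects the entry. Clearing it on the self-signed path keeps the entry consistent, e.g. `} else { unset($cert['caref']); }` after the branch. Whether any caller actually reuses an existing entry is not visible in this hunk, and cert_create continues beyond it.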
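Review bot: The self-signed path pins the serial at `$ca_serial = 0;`, but RFC 5280 requires a positive serial number, and two installs that happen to end up with the same subject DN would then present an identical issuer/serial pair, which is exactly the browser certificate-store duplicate handling the description says it wants to avoid. A random positive value keeps it conforming and distinct, e.g. `$ca_serial = hexdec(bin2hex(openssl_random_pseudo_bytes(3))) + 1;`, which stays inside int range and is never zero. The replacement comment `// sign the certificate using an internal CA` is now wrong for the self-signed branch, where `$ca_res_crt` is null and the certificate's own key signs; `// sign the CSR with the CA key, or with the certificate's own key when self-signed` covers both cases. cert_create continues outside the hunk.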
@@ -319,10 +334,8 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user", $di
 return false;
 // return our certificate information
- $cert['caref'] = $caref;
 $cert['crt'] = base64_encode($str_crt);
 $cert['prv'] = base64_encode($str_key);
- $cert['type'] = $type;
 return true;
 } |