author | jim-p <jimp@pfsense.org> | 2011-11-09 15:43:49 -0500 |
committer | jim-p <jimp@pfsense.org> | 2011-11-09 15:43:49 -0500 |
commit | 7aaabd69b0dabc83fc535525bfd6200c3dd67245 (patch) | |
tree | ec9241a8bdfb6ba699209a7aa2734354d837cc13 /etc | |
parent | 74a556a3caa67adb0adac055ffb9321e264e1b71 (diff) | |
download | pfsense-7aaabd69b0dabc83fc535525bfd6200c3dd67245.zip pfsense-7aaabd69b0dabc83fc535525bfd6200c3dd67245.tar.gz |
When creating an internal certificate, offer the user a choice of what constraints to place upon the certificate (CA, Server, or User).
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/certs.inc | 17 | ||||
-rw-r--r-- | etc/ssl/openssl.cnf | 13 |
2 files changed, 27 insertions, 3 deletions
diff --git a/etc/inc/certs.inc b/etc/inc/certs.inc
index 104a9fe..50ce0ad 100644
--- a/etc/inc/certs.inc
+++ b/etc/inc/certs.inc
@@ -253,7 +253,7 @@ function cert_import(& $cert, $crt_str, $key_str) {
 return true;
 }
-function cert_create(& $cert, $caref, $keylen, $lifetime, $dn) {
+function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user") {
 $ca =& lookup_ca($caref);
 if (!$ca)
@@ -266,8 +266,20 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn) {
 if(!$ca_res_key) return false;
 $ca_serial = ++$ca['serial'];
+ switch ($type) {
+ case "ca":
+ $cert_type = "v3_ca";
+ break;
+ case "server":
+ $cert_type = "server";
+ break;
+ default:
+ $cert_type = "usr_cert";
+ break;
+ }
+
 $args = array(
- "x509_extensions" => "usr_cert",
+ "x509_extensions" => $cert_type,
 "digest_alg" => "sha1",
 "private_key_bits" => (int)$keylen,
 "private_key_type" => OPENSSL_KEYTYPE_RSA,
@@ -295,6 +307,7 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn) {
 $cert['caref'] = $caref;
 $cert['crt'] = base64_encode($str_crt);
 $cert['prv'] = base64_encode($str_key);
+ $cert['type'] = $type;
 return true;
 }
diff --git a/etc/ssl/openssl.cnf b/etc/ssl/openssl.cnf
index a1dcfe8..4039035 100644
--- a/etc/ssl/openssl.cnf
+++ b/etc/ssl/openssl.cnf
@@ -189,7 +189,7 @@ basicConstraints=CA:FALSE
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 # This will be displayed in Netscape's comment listbox.
-nsComment = "OpenSSL Generated Certificate"
+nsComment = "OpenSSL Generated User Certificate"
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
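Review bot: The default branch of the new switch silently maps any unrecognised `$type` to the `usr_cert` extensions, yet the third hunk stores the raw argument with `$cert['type'] = $type;`, so a caller passing a typo or an unexpected value gets a user certificate whose recorded type claims something else. Normalising the value where it is decided keeps the stored type consistent with the extensions actually applied, e.g. `default: $type = "user"; $cert_type = "usr_cert"; break;`. The `"ca"` case selects the `v3_ca` section, so cert_create can now mint CA certificates signed by `$caref`; the UI that exposes this choice is outside the diff and should limit who may request that type. cert_create's body continues outside these hunks.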
@@ -212,6 +212,17 @@ authorityKeyIdentifier=keyid,issuer:always
 #nsCaPolicyUrl
 #nsSslServerName
+[ server ]
+
+# Make a cert with nsCertType=server
+basicConstraints=CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+
 [ v3_req ]
 # Extensions to add to a certificate request |
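Review bot: The new `[ server ]` section leaves `keyUsage` and `extendedKeyUsage` non-critical, so a relying party is free to ignore the serverAuth restriction the section is meant to express; marking key usage critical makes the constraint enforceable, `keyUsage = critical, digitalSignature, keyEncipherment`. The `usr_cert` section this mirrors still has its `keyUsage` line commented out (visible as context in the first openssl.cnf hunk), so user certificates from the same file stay unconstrained while server ones are constrained, which is worth deciding deliberately rather than by omission. No `subjectAltName` is emitted here; whether cert_create supplies one another way is not visible in this diff.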