author | jim-p <jimp@pfsense.org> | 2017-07-05 16:41:38 -0400 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2017-07-05 16:41:38 -0400 |
commit | 282b6c666a2f95a51a4b46d89fa80357d2ebccb2 (patch) | |
tree | 3045fafdcd987a384c9148db80144684304e8c87 /src/etc | |
parent | 5c985ed29b1d286d65a0acc3cc96d524021a7d20 (diff) | |
download | pfsense-282b6c666a2f95a51a4b46d89fa80357d2ebccb2.zip pfsense-282b6c666a2f95a51a4b46d89fa80357d2ebccb2.tar.gz |
Add the ability to set certificate type and SAN attributes in a CSR. Ticket #7527
TODO: The certificate type and SAN attributes are not carried over after signing in the GUI
Diffstat (limited to 'src/etc')
-rw-r--r-- | src/etc/inc/certs.inc | 26 |
1 files changed, 24 insertions, 2 deletions
diff --git a/src/etc/inc/certs.inc b/src/etc/inc/certs.inc
index 9e85177..d568fa9 100644
--- a/src/etc/inc/certs.inc
+++ b/src/etc/inc/certs.inc
@@ -401,10 +401,32 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type = "user", $
 return true;
 }
 
-function csr_generate(& $cert, $keylen, $dn, $digest_alg = "sha256") {
+function csr_generate(& $cert, $keylen, $dn, $type = "user", $digest_alg = "sha256") {
+
+ switch ($type) {
+ case "ca":
+ $cert_type = "v3_ca";
+ break;
+ case "server":
+ case "self-signed":
+ $cert_type = "server";
+ break;
+ default:
+ $cert_type = "usr_cert";
+ break;
+ }
+
+ // in case of using Subject Alternative Names use other sections (with postfix '_san')
+ // pass subjectAltName over environment variable 'SAN'
+ if ($dn['subjectAltName']) {
+ putenv("SAN={$dn['subjectAltName']}"); // subjectAltName can be set _only_ via configuration file
+ $cert_type .= '_san';
+ unset($dn['subjectAltName']);
+ }
 $args = array(
- "x509_extensions" => "v3_req",
+ "x509_extensions" => $cert_type,
+ "req_extensions" => "req_{$cert_type}",
 "digest_alg" => $digest_alg,
 "private_key_bits" => (int)$keylen,
 "private_key_type" => OPENSSL_KEYTYPE_RSA,