authorjim-p <jimp@pfsense.org>2015-12-07 10:17:13 -0500
committerjim-p <jimp@pfsense.org>2015-12-07 10:18:33 -0500
commit0e9d4a6dc2cd683c64488be76a9911519079e606 (patch)
tree22f6d4d49699e5be51aac61f3af7ef6c5084aaea /src
parentde1a3167620d083353e5a1d9a6e2021775d627ef (diff)
downloadpfsense-0e9d4a6dc2cd683c64488be76a9911519079e606.zip
pfsense-0e9d4a6dc2cd683c64488be76a9911519079e606.tar.gz
Prioritize and separate server certs for OpenVPN servers to make it clearer that they should be using certificates created as Server certificates for this purpose -- it is still valid to use non-server certs, but that is not what most people intend to do. Ticket #5602
Diffstat (limited to 'src')
-rw-r--r--src/etc/inc/openvpn.inc47
-rw-r--r--src/usr/local/www/vpn_openvpn_server.php19
2 files changed, 51 insertions, 15 deletions
diff --git a/src/etc/inc/openvpn.inc b/src/etc/inc/openvpn.inc
index 15133d4..202d6bd 100644
--- a/src/etc/inc/openvpn.inc
+++ b/src/etc/inc/openvpn.inc
@@ -192,7 +192,7 @@ function openvpn_build_crl_list() {
return($list);
}
-function openvpn_build_cert_list($include_none = false) {
+function openvpn_build_cert_list($include_none = false, $prioritize_server_certs = false) {
global $a_cert;
if ($include_none) {
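Review bot: The new `$prioritize_server_certs` parameter is undocumented, and openvpn_build_cert_list has no docblock describing the shape of what it returns or the heading entries it now injects. I would add above the signature a docblock along the lines of `/** Build a refid => label map for a certificate select. With $prioritize_server_certs, certs whose purpose is Server are listed first under a heading entry, the remaining certs under a second heading. @return array<string,string> */`, plus a sentence noting that the heading entries are stored under whitespace-only keys so callers must treat a blank refid as "nothing selected". The function body continues in the next hunk.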
@@ -201,29 +201,50 @@ function openvpn_build_cert_list($include_none = false) {
$list = array();
}
+ if ($prioritize_server_certs) {
+ $list[' '] = "===== Server Certificates =====";
+ $non_server_list = array();
+ $non_server_list[' '] = "===== Non-Server Certificates =====";
+ }
+
foreach ($a_cert as $cert) {
- $caname = "";
- $inuse = "";
- $revoked = "";
+ $properties = array();
+ $propstr = "";
$ca = lookup_ca($cert['caref']);
+ $purpose = cert_get_purpose($cert['crt'], true);
+ if ($purpose['server'] == "Yes") {
+ $properties[] = "Server: Yes";
+ } elseif ($prioritize_server_certs) {
+ $properties[] = "Server: NO";
+ }
if ($ca) {
- $caname = " (CA: {$ca['descr']})";
+ $properties[] = "CA: {$ca['descr']}";
}
-
- if ($pconfig['certref'] == $cert['refid']) {
- $selected = "selected";
+ if (cert_in_use($cert['refid'])) {
+ $properties[] = "In Use";
+ }
+ if (is_cert_revoked($cert)) {
+ $properties[] = "Revoked";
}
- if (cert_in_use($cert['refid'])) {
- $inuse = " *In Use";
+ if (!empty($properties)) {
+ $propstr = " (" . implode(", ", $properties) . ")";
}
- if (is_cert_revoked($cert)) {
- $revoked = " *Revoked";
+ if ($prioritize_server_certs) {
+ if ($purpose['server'] == "Yes") {
+ $list[$cert['refid']] = $cert['descr'] . $propstr;
+ } else {
+ $non_server_list[$cert['refid']] = $cert['descr'] . $propstr;
+ }
+ } else {
+ $list[$cert['refid']] = $cert['descr'] . $propstr;
}
+ }
- $list[$cert['refid']] = $cert['descr'] . $caname . $inuse . $revoked;
+ if ($prioritize_server_certs) {
+ $list = array_merge($list, $non_server_list);
}
return($list);
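Review bot: As rendered here both headings are stored under the same key `' '` (L34 and L36), and `array_merge` at L84 lets the later string key overwrite the earlier one while keeping the earlier position, so the returned list would start with the "Non-Server Certificates" heading and have no separator before the non-server entries. If the two keys actually differ only in whitespace width the output is right but fragile, and that dependency (the server page's `empty(trim($pconfig['certref']))` check relies on heading keys being whitespace-only) deserves a comment at L34 such as `// heading rows use distinct whitespace-only keys: never a real refid, and rejected by empty(trim()) on submit`. The `$purpose['server'] == "Yes"` test is also evaluated twice (L47 and L73); computing it once as `$is_server = ($purpose['server'] === "Yes");` and branching on that removes the duplication and the loose comparison. Whether `cert_get_purpose` can return something without a `server` key is not visible here; if it can, `$purpose['server'] ?? ''` or an `isset` guard would avoid a notice on malformed certificates.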
diff --git a/src/usr/local/www/vpn_openvpn_server.php b/src/usr/local/www/vpn_openvpn_server.php
index 7a94bec..8861cb7 100644
--- a/src/usr/local/www/vpn_openvpn_server.php
+++ b/src/usr/local/www/vpn_openvpn_server.php
@@ -419,6 +419,9 @@ if ($_POST) {
/* If we are not in shared key mode, then we need the CA/Cert. */
if ($pconfig['mode'] != "p2p_shared_key") {
+ if (empty(trim($pconfig['certref']))) {
+ $input_errors[] = gettext("The selected certificate is not valid");
+ }
$reqdfields = explode(" ", "caref certref");
$reqdfieldsn = array(gettext("Certificate Authority"), gettext("Certificate"));
} elseif (!$pconfig['autokey_enable']) {
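Review bot: The new check at L94 only rejects a blank refid, which is exactly the whitespace key the heading rows in openvpn_build_cert_list use, so a submitted certref that matches no configured certificate still passes here and is only noticed (if at all) when the server is built. I would validate against the certificate store instead, e.g. `if (empty(trim($pconfig['certref'])) || !lookup_cert($pconfig['certref'])) {` — assuming `lookup_cert` is the refid-lookup counterpart of the `lookup_ca` already used in openvpn.inc — and have the message say what is wrong: `$input_errors[] = gettext("A valid server certificate must be selected.");`. Note too that a blank selection now produces both this error and the required-field error for certref from `$reqdfields`, which is redundant. The enclosing `if ($_POST)` block starts and ends outside the hunk.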
@@ -744,12 +747,24 @@ if($act=="new" || $act=="edit") :
));
}
+ $certhelp = "";
+ if (count($a_cert)) {
+ if (!empty(trim($pconfig['certref']))) {
+ $purpose = cert_get_purpose($a_cert[$pconfig['certref']]['crt'], true);
+ if ($purpose['server'] != "Yes") {
+ $certhelp = gettext("Warning: The previously saved server was not created as an SSL Server certificate and may not work properly.");
+ }
+ }
+ } else {
+ $certhelp = sprintf('No Certificates defined. You may create one here: %s', '<a href="system_camanager.php">System &gt; Cert Manager</a>');
+ }
+
$section->addInput(new Form_Select(
'certref',
'Server certificate',
$pconfig['certref'],
- openvpn_build_cert_list()
- ))->setHelp(count($a_cert) ? '':sprintf('No Certificates defined. You may create one here: %s', '<a href="system_camanager.php">System &gt; Cert Manager</a>'));
+ openvpn_build_cert_list(false, true)
+ ))->setHelp($certhelp);
$section->addInput(new Form_Select(
'dh_length',
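Review bot: L106 indexes `$a_cert` directly by the submitted refid, but openvpn_build_cert_list in the same commit iterates `$a_cert` with foreach and reads the refid from `$cert['refid']`, which suggests the refid is a field of each entry rather than its array key; if `$a_cert` is a plain list this lookup yields an undefined index, `cert_get_purpose` is called on null, and the warning never fires. Use the refid lookup helper instead — `$thiscert = lookup_cert($pconfig['certref']);` followed by `if ($thiscert && cert_get_purpose($thiscert['crt'], true)['server'] != "Yes") {` — hedged on `lookup_cert` being the certificate counterpart of the `lookup_ca` used in openvpn.inc. The warning text at L108 also reads as if the server itself were a certificate; `gettext("Warning: The selected server certificate was not created as an SSL Server certificate and may not work properly.")` is clearer. The enclosing `if($act=="new" || $act=="edit")` block starts and ends outside the hunk.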