author | Scott Ullrich <sullrich@pfsense.org> | 2004-11-22 19:55:54 +0000 |
---|---|---|
committer | Scott Ullrich <sullrich@pfsense.org> | 2004-11-22 19:55:54 +0000 |
commit | 6e4a97ca77f0b30a1219f459b9f5628ad86320f8 (patch) | |
tree | f8c3509c29a9f9e65a8649d78931774d8e0476a4 /usr | |
parent | 2479c9817ed0ead49105f83487e72072ec9e7cc9 (diff) | |
download | pfsense-6e4a97ca77f0b30a1219f459b9f5628ad86320f8.zip pfsense-6e4a97ca77f0b30a1219f459b9f5628ad86320f8.tar.gz |
Fix certificate creation .... again.
Diffstat (limited to 'usr')
-rwxr-xr-x | usr/local/www/system_advanced_create_certs.php | 56 | ||||
-rwxr-xr-x | usr/local/www/vpn_openvpn_create_certs.php | 56 |
2 files changed, 98 insertions, 14 deletions
diff --git a/usr/local/www/system_advanced_create_certs.php b/usr/local/www/system_advanced_create_certs.php
index 0c4b94d..388bb63 100755
--- a/usr/local/www/system_advanced_create_certs.php
+++ b/usr/local/www/system_advanced_create_certs.php
@@ -67,7 +67,12 @@ if ($_POST) {
 fwrite($fd, "[ req ]\n");
 fwrite($fd, "distinguished_name=req_distinguished_name \n");
 fwrite($fd, "req_extensions = v3_req \n");
- fwrite($fd, "prompt=no \n");
+ fwrite($fd, "prompt=no\n");
+ fwrite($fd, "default_bits = 1024\n");
+ fwrite($fd, "default_keyfile = privkey.pem\n");
+ fwrite($fd, "distinguished_name = req_distinguished_name\n");
+ fwrite($fd, "attributes = req_attributes\n");
+ fwrite($fd, "x509_extensions = v3_ca # The extentions to add to the self signed cert\n");
 fwrite($fd, "[ req_distinguished_name ] \n");
 fwrite($fd, "C=" . $countrycode . " \n");
 fwrite($fd, "ST=" . $stateorprovince. " \n");
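Review bot: `default_bits = 1024` in the new `[ req ]` section pins every key generated from this config at 1024-bit RSA, which is below what is accepted today for a CA or server key; the smallest safe change is `fwrite($fd, "default_bits = 2048\n");`. The added `x509_extensions = v3_ca` also means any `openssl req -x509` run against this config yields a CA:true certificate, so a self-signed end-entity certificate and a CA root would come out of the same block with CA extensions; the `openssl` invocations for this file are outside the hunk, so I cannot confirm which path is used here. The comment typo `extentions` can be fixed in the same line. The enclosing `if ($_POST)` block starts before the hunk.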
@@ -81,6 +86,55 @@ if ($_POST) {
 fwrite($fd, "basicConstraints = critical,CA:FALSE \n");
 fwrite($fd, "keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement \n");
 fwrite($fd, "extendedKeyUsage=emailProtection,clientAuth \n");
+ fwrite($fd, "[ ca ]\n");
+ fwrite($fd, "default_ca = CA_default\n");
+ fwrite($fd, "[ CA_default ]\n");
+ fwrite($fd, "certificate = /tmp/cacert.pem \n");
+ fwrite($fd, "private_key = /tmp/cakey.pem \n");
+ fwrite($fd, "dir = /tmp/\n");
+ fwrite($fd, "certs = /tmp/certs\n");
+ fwrite($fd, "crl_dir = /tmp/crl\n");
+ fwrite($fd, "database = /tmp/index.txt \n");
+ fwrite($fd, "new_certs_dir = /tmp/newcerts \n");
+ fwrite($fd, "serial = /tmp/serial \n");
+ fwrite($fd, "crl = /tmp/crl.pem \n");
+ fwrite($fd, "RANDFILE = /tmp/.rand \n");
+ fwrite($fd, "x509_extensions = usr_cert \n");
+ fwrite($fd, "name_opt = ca_default \n");
+ fwrite($fd, "cert_opt = ca_default \n");
+ fwrite($fd, "default_days = 365 \n");
+ fwrite($fd, "default_crl_days = 30 \n");
+ fwrite($fd, "default_md = md5 \n");
+ fwrite($fd, "preserve = no \n");
+ fwrite($fd, "policy = policy_match\n");
+ fwrite($fd, "[ policy_match ]\n");
+ fwrite($fd, "countryName = match\n");
+ fwrite($fd, "stateOrProvinceName = match\n");
+ fwrite($fd, "organizationName = match\n");
+ fwrite($fd, "organizationalUnitName = optional\n");
+ fwrite($fd, "commonName = supplied\n");
+ fwrite($fd, "emailAddress = optional\n");
+ fwrite($fd, "[ policy_anything ]\n");
+ fwrite($fd, "countryName = optional\n");
+ fwrite($fd, "stateOrProvinceName = optional\n");
+ fwrite($fd, "localityName = optional\n");
+ fwrite($fd, "organizationName = optional\n");
+ fwrite($fd, "organizationalUnitName = optional\n");
+ fwrite($fd, "commonName = supplied\n");
+ fwrite($fd, "emailAddress = optional\n");
+ fwrite($fd, "[ req_distinguished_name ]\n");
+ fwrite($fd, "countryName = US\n");
+ fwrite($fd, "[ req_attributes ]\n");
+ fwrite($fd, "challengePassword = A challenge password\n");
+ fwrite($fd, "unstructuredName = An optional company name\n");
+ fwrite($fd, "[ usr_cert ]\n");
+ fwrite($fd, "basicConstraints=CA:FALSE\n");
+ fwrite($fd, "[ v3_ca ]\n");
+ fwrite($fd, "subjectKeyIdentifier=hash\n");
+ fwrite($fd, "authorityKeyIdentifier=keyid:always,issuer:always\n");
+ fwrite($fd, "basicConstraints = CA:true\n");
+ fwrite($fd, "[ crl_ext ]\n");
+ fwrite($fd, "authorityKeyIdentifier=keyid:always,issuer:always\n");
 fclose($fd);
 ?>
diff --git a/usr/local/www/vpn_openvpn_create_certs.php b/usr/local/www/vpn_openvpn_create_certs.php
index 75c0fae..504d4e6 100755
--- a/usr/local/www/vpn_openvpn_create_certs.php
+++ b/usr/local/www/vpn_openvpn_create_certs.php
@@ -134,8 +134,8 @@ if ($_POST) {
 fwrite($fd, "[ ca ]\n");
 fwrite($fd, "default_ca = CA_default\n");
 fwrite($fd, "[ CA_default ]\n");
- fwrite($fd, "certificate = /tmp/ca.crt \n");
- fwrite($fd, "private_key = /tmp/ca.key\n");
+ fwrite($fd, "certificate = /tmp/cacert.pem \n");
+ fwrite($fd, "private_key = /tmp/cakey.pem \n");
 fwrite($fd, "dir = /tmp/\n");
 fwrite($fd, "certs = /tmp/certs\n");
 fwrite($fd, "crl_dir = /tmp/crl\n");
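Review bot: The new `[ CA_default ]` section keeps the CA private key, issuance database, serial and RNG seed in world-writable `/tmp` (`private_key = /tmp/cakey.pem`, `database = /tmp/index.txt`, `serial = /tmp/serial`, `RANDFILE = /tmp/.rand`), where any local process can pre-create or symlink those paths before the CA writes them; this state belongs in a dedicated directory created with mode 0700 rather than in shared `/tmp`. `default_md = md5` selects MD5 for every issued certificate signature and should be at least `sha1` on this OpenSSL, `sha256` where the installed build supports it. The second `[ req_distinguished_name ]` header followed by `countryName = US` does not start a fresh section, since OpenSSL's config parser appends to a section that is already defined, so it adds a hard-coded second C= entry next to the user's `$countrycode` from the earlier section and is likely to interact badly with the `countryName = match` policy; dropping the header and the `countryName = US` line is the fix. The enclosing `if ($_POST)` block starts before the hunk.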
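Review bot: `certificate = /tmp/cacert.pem` and `private_key = /tmp/cakey.pem` are exactly the paths that the `[ CA_default ]` section in system_advanced_create_certs.php now uses as well, so the OpenVPN CA and the system certificate page share one CA key and certificate in `/tmp`, and whichever page runs later replaces the other's CA material without any warning. Give each page its own working directory, for example `/tmp/openvpn-ca/cacert.pem` and `/tmp/openvpn-ca/cakey.pem`, so the two CAs cannot overwrite each other. The rest of this `[ CA_default ]` section and the enclosing `if ($_POST)` block are outside the hunk.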
@@ -225,36 +225,66 @@ function f(ta_id){ <?php echo "<script language=\"JavaScript\">document.forms[0].status.value=\"Creating CA...\";</script>"; - mwexec("rm -rf /tmp/newcerts"); + mwexec("rm -rf /tmp/*"); + //mwexec("rm -rf /tmp/newcerts"); mwexec("mkdir /tmp/newcerts"); mwexec("touch /tmp/index.txt"); $fd = fopen("/tmp/serial","w"); - fwrite($fd, "01"); + fwrite($fd, "01\n"); fclose($fd); - execute_command_return_output("cd /tmp/ && openssl req -nodes -new -x509 -keyout ca.key -out ca.crt -days 3650 -config /etc/ssl/openssl.cnf"); + /* + mkdir /tmp/newcerts + touch /tmp/index.txt + echo 01 > serial + #Create The Certificate Authority Root Certificate + cd /tmp/ && openssl req -nodes -new -x509 -keyout cakey.pem -out cacert.pem -config /etc/ssl/openssl.cnf + #Create User Certificates + cd /tmp/ && openssl req -nodes -new -keyout vpnkey.pem -out vpncert-req.pem -config /etc/ssl/openssl.cnf + mkdir /tmp/newcerts + openssl ca -out vpncert.pem -in vpncert-req.pem -batch + + + # Diffie-Hellman Parameters (tls-server only) + dh dh1024.pem + # Root certificate + ca CA-DB/cacert.pem + # Server certificate + cert vpncert.pem + # Server private key + key vpnkey.pem + */ + + execute_command_return_output("cd /tmp/ && openssl req -nodes -new -x509 -keyout cakey.pem -out cacert.pem -config /etc/ssl/openssl.cnf"); + echo "\n<script language=\"JavaScript\">document.forms[0].status.value=\"Creating Server Certificates...\";</script>"; - execute_command_return_output("cd /tmp/ && openssl req -nodes -new -keyout office.key -out office.csr -config /etc/ssl/openssl.cnf"); - execute_command_return_output("cd /tmp/ && openssl ca -out /tmp/office.crt -in office.csr -config /etc/ssl/openssl.cnf -batch"); + + execute_command_return_output("cd /tmp/ && openssl req -nodes -new -keyout vpnkey.pem -out vpncert-req.pem -config /etc/ssl/openssl.cnf"); + + execute_command_return_output("cd /tmp/ && openssl ca -out vpncert.pem -in vpncert-req.pem -batch"); + echo "\n<script 
language=\"JavaScript\">document.forms[0].status.value=\"Creating DH Parms...\";</script>"; + execute_command_return_output("cd /tmp/ && openssl dhparam -out dh1024.pem 1024"); + echo "\n<script language=\"JavaScript\">document.forms[0].status.value=\"Done!\";</script>"; + //CLIENT //mwexec("openssl req -nodes -new -keyout home.key -out home.csr"); //mwexec("openssl ca -out home.crt -in home.csr"); - $cacertA = get_file_contents("/tmp/ca.crt"); - $serverkeyA = get_file_contents("/tmp/office.key"); - $servercertA = get_file_contents("/tmp/office.pem"); + $cacertA = get_file_contents("/tmp/cacert.pem"); + $serverkeyA = get_file_contents("/tmp/vpnkey.pem"); + $servercertA = get_file_contents("/tmp/vpncert.pem"); $dhpemA = get_file_contents("/tmp/dh1024.pem"); $cacert = ereg_replace("\n","\\n", $cacertA); $serverkey = ereg_replace("\n","\\n", $serverkeyA); $dhpem = ereg_replace("\n","\\n", $dhpemA); - $servercert = ereg_replace("\n","\\n", $servercertA); + //$servercert = ereg_replace("\n","\\n", $servercertA); - //$tmp = strstr($servercertA, "-----BEGIN CERTIFICATE-----"); - //$servercertA = ereg_replace("\n","\\n", $tmp); + $tmp = strstr($servercertA, "-----BEGIN CERTIFICATE-----"); + $servercert = ereg_replace("\n","\\n", $tmp); ?> <script language="JavaScript"> |
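Review bot: `mwexec("rm -rf /tmp/*")` deletes every file in `/tmp` on the firewall, not just this page's CA scratch files, so anything another process has staged there (including whatever the system certificate page just generated at the same paths) is destroyed each time this button is clicked; remove only the names this page creates, `mwexec("rm -rf /tmp/newcerts /tmp/index.txt* /tmp/serial* /tmp/cacert.pem /tmp/cakey.pem /tmp/vpnkey.pem /tmp/vpncert-req.pem /tmp/vpncert.pem");`, or better, work in a private directory. The rewritten CA command also dropped the `-days 3650` that the removed line carried, so `openssl req -x509` falls back to its 30-day default and the OpenVPN CA certificate expires a month after creation; restore it with `execute_command_return_output("cd /tmp/ && openssl req -nodes -new -x509 -days 3650 -keyout cakey.pem -out cacert.pem -config /etc/ssl/openssl.cnf");`. The new `openssl ca` call likewise lost `-config /etc/ssl/openssl.cnf` and now relies on OpenSSL's compiled-in default config location, which is probably the same file but should be stated explicitly since the `[ CA_default ]` section written earlier in this file only takes effect through it. The `-nodes` private keys land in shared `/tmp` with whatever mode the process umask yields; confirm they are not world-readable before the page copies them into the configuration.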