From 0cdaaa8ed83314bd29878fbb33cd7ad8cb5d3a60 Mon Sep 17 00:00:00 2001
From: Chris Buechler
Date: Mon, 21 Dec 2009 02:05:11 -0500
Subject: Generate a certificate at first boot rather than using a default public cert/key pair. Ticket #63
---
 .../pfSense_webConfigurator_HTTPS_Certificate.crt | 22 ----------------------
 .../pfSense_webConfigurator_HTTPS_Certificate.key | 15 ---------------
 etc/inc/system.inc | 22 +++++++++++++---------
 3 files changed, 13 insertions(+), 46 deletions(-)
 delete mode 100644 etc/default_ssl_certs/pfSense_webConfigurator_HTTPS_Certificate.crt
 delete mode 100644 etc/default_ssl_certs/pfSense_webConfigurator_HTTPS_Certificate.key
diff --git a/etc/default_ssl_certs/pfSense_webConfigurator_HTTPS_Certificate.crt b/etc/default_ssl_certs/pfSense_webConfigurator_HTTPS_Certificate.crt
deleted file mode 100644
index 1f48624..0000000
--- a/etc/default_ssl_certs/pfSense_webConfigurator_HTTPS_Certificate.crt
+++ /dev/null
@@ -1,22 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDjTCCAvagAwIBAgIBATANBgkqhkiG9w0BAQUFADCBkDELMAkGA1UEBhMCVVMx -ETAPBgNVBAgTCEtlbnR1Y2t5MRMwEQYDVQQHEwpMb3Vpc3ZpbGxlMR4wHAYDVQQK -ExVCU0QgUGVyaW1ldGVyIHBmU2Vuc2UxIzAhBgkqhkiG9w0BCQEWFGNvcmV0ZWFt -QHBmc2Vuc2Uub3JnMRQwEgYDVQQDEwtpbnRlcm5hbC1jYTAeFw0wOTEyMDMwMTMw -MTdaFw0xNTA1MjYwMTMwMTdaMIGUMQswCQYDVQQGEwJVUzERMA8GA1UECBMIS2Vu -dHVja3kxEzARBgNVBAcTCkxvdWlzdmlsbGUxHjAcBgNVBAoTFUJTRCBQZXJpbWV0 -ZXIgcGZTZW5zZTEjMCEGCSqGSIb3DQEJARYUY29yZXRlYW1AcGZzZW5zZS5vcmcx -GDAWBgNVBAMTD3d3dy5wZnNlbnNlLm9yZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAw -gYkCgYEA2uXmubyVleXzt8Nxj19VOiL3FdWL/8xLzVHe5NxTfs02zvmdpqjmcuMa -StY02UkJA24wvOpnoRJu1K6CsEAade7wCm294UjoqVg3wdJq+2yngxeGxrTeQ8d5 -3TvE8QYyjX1Oo+e6fZFadNGqn9NO61RngdGaqcvalv8CwYQpdwECAwEAAaOB8DCB -7TAdBgNVHQ4EFgQUu4/6LXe6HdEO5W6k+bZotCU4zIcwgb0GA1UdIwSBtTCBsoAU -6VqQ9sdA8dRnqX7t9HDQuDJlg32hgZakgZMwgZAxCzAJBgNVBAYTAlVTMREwDwYD -VQQIEwhLZW50dWNreTETMBEGA1UEBxMKTG91aXN2aWxsZTEeMBwGA1UEChMVQlNE -IFBlcmltZXRlciBwZlNlbnNlMSMwIQYJKoZIhvcNAQkBFhRjb3JldGVhbUBwZnNl -bnNlLm9yZzEUMBIGA1UEAxMLaW50ZXJuYWwtY2GCAQAwDAYDVR0TBAUwAwEB/zAN -BgkqhkiG9w0BAQUFAAOBgQCKHCe/RXW+AEyKgMWe22jmC3nQGdNALtRzemftMsud -J01tw8VjJ7JpxxPbg++yiaaAXCgnCdcNtyfa6WG5EekLZWj+ChDUMciKBxWUtgKH -09JywYUbAiOHsL5YuSHhq98HWwzahOAuTRknLCW+vmwx2isk78kTvHHIIK2KHfua -Ow== ------END CERTIFICATE----- diff --git a/etc/default_ssl_certs/pfSense_webConfigurator_HTTPS_Certificate.key b/etc/default_ssl_certs/pfSense_webConfigurator_HTTPS_Certificate.key deleted file mode 100644 index 36b9ddb..0000000 --- a/etc/default_ssl_certs/pfSense_webConfigurator_HTTPS_Certificate.key +++ /dev/null 
@@ -1,15 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIICXQIBAAKBgQDa5ea5vJWV5fO3w3GPX1U6IvcV1Yv/zEvNUd7k3FN+zTbO+Z2m -qOZy4xpK1jTZSQkDbjC86mehEm7UroKwQBp17vAKbb3hSOipWDfB0mr7bKeDF4bG -tN5Dx3ndO8TxBjKNfU6j57p9kVp00aqf007rVGeB0Zqpy9qW/wLBhCl3AQIDAQAB -AoGAKHHkEJtslBa50lFVUSVPLP+64ZjkVi4cL2KaKXUgJESshM+QNnPsqHuXpw4v -E5qwBKc+cBlrblJmkftwgDpH6PyxmZbbQL1LhQdtvBzddqf04KZqXm9rat3plCI3 -pPWJXp4UoP+v1/NITqX/WkMNobqTGLM0qqbwkFQcJiidx8UCQQD/mlD/Sb2rsG/y -kvAVEMVt7I0tEwaGeEGAVJAY4K4OjV2nDtANARfKZiIOCfU0PztpQYLlqAOSnhk9 -1lKdYQK7AkEA2zz7qFIcM/5wLN0AXVvT6WMwtB5dOSmaJmjYx2WUReHb8E+z93Vk -x+Z6KkTCgJ672+jDyHcKBNKL567TurRncwJBAKGaFFnDaprRO4YXZpk6+EgOhheY -bsi34VncnRpNe16R/EMx91IxfbQmrKNJonD9BXf/xl2iw1eAg574EVWVTx8CQHM5 -XdpdLU12UGaD0IlAleN3qkVAICbG4qmFOUmy7Xa8+ecXPLK2FD2ruFE2yjLnOjyd -3SgiyDU4oyclD0p1PlkCQQCeQz1JA68KmHmjKRP6Wv7vcx6KCbShoNXurUstD+i8 -4BCTmrAMf+dWsHxJxSfdi7qFS0J+QHNVtHzF0ldyYClB ------END RSA PRIVATE KEY----- diff --git a/etc/inc/system.inc b/etc/inc/system.inc index 7460f5a..e0cac4c 100644 --- a/etc/inc/system.inc +++ b/etc/inc/system.inc 
@@ -647,24 +647,28 @@ function system_webgui_start() { if (!is_array($config['system']['cert'])) $config['system']['cert'] = array(); $a_cert =& $config['system']['cert']; - echo "Importing default SSL Certificate... "; - $cert_file = "/etc/default_ssl_certs/pfSense_webConfigurator_HTTPS_Certificate.crt"; - $key_file = "/etc/default_ssl_certs/pfSense_webConfigurator_HTTPS_Certificate.key"; + echo "Creating SSL Certificate... "; + mwexec("openssl genrsa 1024 > /etc/ssl.key"); + mwexec("chmod 400 /etc/ssl.key"); + mwexec("openssl req -new -x509 -nodes -sha1 -days 365 -key /etc/ssl.key > /etc/ssl.crt"); + mwexec("chmod 400 /etc/ssl.crt"); + $cert_file = "/etc/ssl.crt"; + $key_file = "/etc/ssl.key"; if(file_exists($cert_file) && file_exists($key_file)) { $cert = array(); $cert['refid'] = uniqid(); - $cert['name'] = "pfSense webConfigurator default"; - $crt = file_get_contents("/etc/default_ssl_certs/pfSense_webConfigurator_HTTPS_Certificate.crt"); - $key = file_get_contents("/etc/default_ssl_certs/pfSense_webConfigurator_HTTPS_Certificate.key"); + $cert['name'] = "webConfigurator default"; + $crt = file_get_contents($cert_file); + $key = file_get_contents($key_file); cert_import($cert, $crt, $key); $a_cert[] = $cert; $config['system']['webgui']['ssl-certref'] = $cert['refid']; - write_config("Importing default HTTPS certificate from /etc/default_ssl_certs/"); + write_config("Importing HTTPS certificate"); if(!$config['system']['webgui']['port']) $portarg = "443"; $ca = ca_chain($cert); } else { - log_error("ERROR: Could not locate a default certificate file in /etc/default_ssl/certs/ for import $cert_file - $key_file"); + log_error("ERROR: Could not locate a certificate file for import $cert_file - $key_file"); } } else $crt = base64_decode($cert['crt']); @@ -1340,4 +1344,4 @@ function enable_watchdog() { } } -?> +?> \ No newline at end of file -- cgit v1.1
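Review bot: The two added `mwexec("openssl … > /etc/ssl.*")` lines create their output files through shell redirection, so the `file_exists()` test right after them passes even when openssl fails, and an empty or truncated key or certificate would be handed to `cert_import()` and written to the config. The key is also created under the ambient umask and only restricted by the following `chmod 400`, which leaves a short window in which it may be readable by other local users; writing with `-out` under `umask 077` and checking that both files are non-empty closes both gaps. The `openssl req` call passes neither `-batch` nor `-subj`, so unless the system openssl.cnf disables prompting it will presumably wait for or fail on DN input at boot, which is worth confirming. Separately, a 1024-bit RSA key with a SHA-1 signature is below current guidance (2048 bits and `-sha256` are the usual floor), and `/etc/ssl.key` stays on disk after its contents have been stored in the config. system_webgui_start() begins and ends outside the hunk, so the condition that guards this branch is not visible here.

```php
echo "Creating SSL Certificate... ";
$cert_file = "/etc/ssl.crt";
$key_file = "/etc/ssl.key";
// Set the umask in the same shell so the key is never created group/world readable.
mwexec("umask 077; openssl genrsa -out {$key_file} 2048");
mwexec("umask 077; openssl req -new -x509 -nodes -sha256 -batch -days 365 -key {$key_file} -out {$cert_file}");
// A failed openssl run must not be imported as an empty certificate or key.
if (file_exists($cert_file) && filesize($cert_file) > 0 &&
    file_exists($key_file) && filesize($key_file) > 0) {
	// … unchanged: cert_import(), write_config(), ca_chain() and the else/log_error branch …
```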