mirror of
https://github.com/pfsense/pfsense.git
synced 2025-10-26 11:38:35 +00:00
When creating an internal certificate, offer the user a choice of what constraints to place upon the certificate (CA, Server, or User).
This commit is contained in:
parent
74a556a3ca
commit
7aaabd69b0
@ -253,7 +253,7 @@ function cert_import(& $cert, $crt_str, $key_str) {
|
||||
return true;
|
||||
}
|
||||
|
||||
function cert_create(& $cert, $caref, $keylen, $lifetime, $dn) {
|
||||
function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user") {
|
||||
|
||||
$ca =& lookup_ca($caref);
|
||||
if (!$ca)
|
||||
@ -266,8 +266,20 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn) {
|
||||
if(!$ca_res_key) return false;
|
||||
$ca_serial = ++$ca['serial'];
|
||||
|
||||
switch ($type) {
|
||||
case "ca":
|
||||
$cert_type = "v3_ca";
|
||||
break;
|
||||
case "server":
|
||||
$cert_type = "server";
|
||||
break;
|
||||
default:
|
||||
$cert_type = "usr_cert";
|
||||
break;
|
||||
}
|
||||
|
||||
$args = array(
|
||||
"x509_extensions" => "usr_cert",
|
||||
"x509_extensions" => $cert_type,
|
||||
"digest_alg" => "sha1",
|
||||
"private_key_bits" => (int)$keylen,
|
||||
"private_key_type" => OPENSSL_KEYTYPE_RSA,
|
||||
@ -295,6 +307,7 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn) {
|
||||
$cert['caref'] = $caref;
|
||||
$cert['crt'] = base64_encode($str_crt);
|
||||
$cert['prv'] = base64_encode($str_key);
|
||||
$cert['type'] = $type;
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
@ -189,7 +189,7 @@ basicConstraints=CA:FALSE
|
||||
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
# This will be displayed in Netscape's comment listbox.
|
||||
nsComment = "OpenSSL Generated Certificate"
|
||||
nsComment = "OpenSSL Generated User Certificate"
|
||||
|
||||
# PKIX recommendations harmless if included in all certificates.
|
||||
subjectKeyIdentifier=hash
|
||||
@ -212,6 +212,17 @@ authorityKeyIdentifier=keyid,issuer:always
|
||||
#nsCaPolicyUrl
|
||||
#nsSslServerName
|
||||
|
||||
[ server ]
|
||||
|
||||
# Make a cert with nsCertType=server
|
||||
basicConstraints=CA:FALSE
|
||||
nsCertType = server
|
||||
nsComment = "OpenSSL Generated Server Certificate"
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer:always
|
||||
extendedKeyUsage=serverAuth
|
||||
keyUsage = digitalSignature, keyEncipherment
|
||||
|
||||
[ v3_req ]
|
||||
|
||||
# Extensions to add to a certificate request
|
||||
|
||||
@ -47,6 +47,9 @@ $cert_methods = array(
|
||||
);
|
||||
|
||||
$cert_keylens = array( "512", "1024", "2048", "4096");
|
||||
$cert_types = array( "ca" => "Certificate Authority",
|
||||
"server" => "Server Certificate",
|
||||
"user" => "User Certificate");
|
||||
|
||||
$pgtitle = array(gettext("System"), gettext("Certificate Manager"));
|
||||
|
||||
@ -101,6 +104,7 @@ if ($act == "del") {
|
||||
if ($act == "new") {
|
||||
$pconfig['method'] = $_GET['method'];
|
||||
$pconfig['keylen'] = "2048";
|
||||
$pconfig['type'] = "user";
|
||||
$pconfig['lifetime'] = "3650";
|
||||
}
|
||||
|
||||
@ -170,12 +174,13 @@ if ($_POST) {
|
||||
|
||||
if ($pconfig['method'] == "internal") {
|
||||
$reqdfields = explode(" ",
|
||||
"descr caref keylen lifetime dn_country dn_state dn_city ".
|
||||
"descr caref keylen type lifetime dn_country dn_state dn_city ".
|
||||
"dn_organization dn_email dn_commonname");
|
||||
$reqdfieldsn = array(
|
||||
gettext("Descriptive name"),
|
||||
gettext("Certificate authority"),
|
||||
gettext("Key length"),
|
||||
gettext("Certificate Type"),
|
||||
gettext("Lifetime"),
|
||||
gettext("Distinguished name Country Code"),
|
||||
gettext("Distinguished name State or Province"),
|
||||
@ -255,7 +260,7 @@ if ($_POST) {
|
||||
'commonName' => $pconfig['dn_commonname']);
|
||||
|
||||
if (!cert_create($cert, $pconfig['caref'], $pconfig['keylen'],
|
||||
$pconfig['lifetime'], $dn)){
|
||||
$pconfig['lifetime'], $dn, $pconfig['type'])){
|
||||
while($ssl_err = openssl_error_string()){
|
||||
$input_errors = array();
|
||||
array_push($input_errors, "openssl library returns: " . $ssl_err);
|
||||
@ -578,6 +583,23 @@ function internalca_change() {
|
||||
<?=gettext("bits");?>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td width="22%" valign="top" class="vncellreq"><?=gettext("Certificate Type");?></td>
|
||||
<td width="78%" class="vtable">
|
||||
<select name='type' class="formselect">
|
||||
<?php
|
||||
foreach( $cert_types as $ct => $ctdesc ):
|
||||
$selected = "";
|
||||
if ($pconfig['type'] == $ct)
|
||||
$selected = "selected";
|
||||
?>
|
||||
<option value="<?=$ct;?>"<?=$selected;?>><?=$ctdesc;?></option>
|
||||
<?php endforeach; ?>
|
||||
</select>
|
||||
<br/>
|
||||
<?=gettext("Type of certificate to generate. Used for placing restrictions on the usage of the generated certificate.");?>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td width="22%" valign="top" class="vncellreq"><?=gettext("Lifetime");?></td>
|
||||
<td width="78%" class="vtable">
|
||||
@ -897,6 +919,9 @@ function internalca_change() {
|
||||
<?=$name;?>
|
||||
</td>
|
||||
</tr>
|
||||
<?php if ($cert['type']): ?>
|
||||
<tr><td colspan="2"><em><?php echo $cert_types[$cert['type']]; ?></em></td></tr>
|
||||
<?php endif; ?>
|
||||
</table>
|
||||
</td>
|
||||
<td class="listr"><?=$caname;?> </td>
|
||||
|
||||
Loading…
Reference in New Issue
Block a user