When creating an internal certificate, offer the user a choice of what constraints to place upon the certificate (CA, Server, or User).

This commit is contained in:
jim-p 2011-11-09 15:43:49 -05:00
parent 74a556a3ca
commit 7aaabd69b0
3 changed files with 54 additions and 5 deletions

View File

@ -253,7 +253,7 @@ function cert_import(& $cert, $crt_str, $key_str) {
return true;
}
function cert_create(& $cert, $caref, $keylen, $lifetime, $dn) {
function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user") {
$ca =& lookup_ca($caref);
if (!$ca)
@ -266,8 +266,20 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn) {
if(!$ca_res_key) return false;
$ca_serial = ++$ca['serial'];
switch ($type) {
case "ca":
$cert_type = "v3_ca";
break;
case "server":
$cert_type = "server";
break;
default:
$cert_type = "usr_cert";
break;
}
$args = array(
"x509_extensions" => "usr_cert",
"x509_extensions" => $cert_type,
"digest_alg" => "sha1",
"private_key_bits" => (int)$keylen,
"private_key_type" => OPENSSL_KEYTYPE_RSA,
@ -295,6 +307,7 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn) {
$cert['caref'] = $caref;
$cert['crt'] = base64_encode($str_crt);
$cert['prv'] = base64_encode($str_key);
$cert['type'] = $type;
return true;
}

View File

@ -189,7 +189,7 @@ basicConstraints=CA:FALSE
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
nsComment = "OpenSSL Generated User Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
@ -212,6 +212,17 @@ authorityKeyIdentifier=keyid,issuer:always
#nsCaPolicyUrl
#nsSslServerName
[ server ]
# Make a cert with nsCertType=server
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment
[ v3_req ]
# Extensions to add to a certificate request

View File

@ -47,6 +47,9 @@ $cert_methods = array(
);
$cert_keylens = array( "512", "1024", "2048", "4096");
$cert_types = array( "ca" => "Certificate Authority",
"server" => "Server Certificate",
"user" => "User Certificate");
$pgtitle = array(gettext("System"), gettext("Certificate Manager"));
@ -101,6 +104,7 @@ if ($act == "del") {
if ($act == "new") {
$pconfig['method'] = $_GET['method'];
$pconfig['keylen'] = "2048";
$pconfig['type'] = "user";
$pconfig['lifetime'] = "3650";
}
@ -170,12 +174,13 @@ if ($_POST) {
if ($pconfig['method'] == "internal") {
$reqdfields = explode(" ",
"descr caref keylen lifetime dn_country dn_state dn_city ".
"descr caref keylen type lifetime dn_country dn_state dn_city ".
"dn_organization dn_email dn_commonname");
$reqdfieldsn = array(
gettext("Descriptive name"),
gettext("Certificate authority"),
gettext("Key length"),
gettext("Certificate Type"),
gettext("Lifetime"),
gettext("Distinguished name Country Code"),
gettext("Distinguished name State or Province"),
@ -255,7 +260,7 @@ if ($_POST) {
'commonName' => $pconfig['dn_commonname']);
if (!cert_create($cert, $pconfig['caref'], $pconfig['keylen'],
$pconfig['lifetime'], $dn)){
$pconfig['lifetime'], $dn, $pconfig['type'])){
while($ssl_err = openssl_error_string()){
$input_errors = array();
array_push($input_errors, "openssl library returns: " . $ssl_err);
@ -578,6 +583,23 @@ function internalca_change() {
<?=gettext("bits");?>
</td>
</tr>
<tr>
<td width="22%" valign="top" class="vncellreq"><?=gettext("Certificate Type");?></td>
<td width="78%" class="vtable">
<select name='type' class="formselect">
<?php
foreach( $cert_types as $ct => $ctdesc ):
$selected = "";
if ($pconfig['type'] == $ct)
$selected = "selected";
?>
<option value="<?=$ct;?>"<?=$selected;?>><?=$ctdesc;?></option>
<?php endforeach; ?>
</select>
<br/>
<?=gettext("Type of certificate to generate. Used for placing restrictions on the usage of the generated certificate.");?>
</td>
</tr>
<tr>
<td width="22%" valign="top" class="vncellreq"><?=gettext("Lifetime");?></td>
<td width="78%" class="vtable">
@ -897,6 +919,9 @@ function internalca_change() {
<?=$name;?>
</td>
</tr>
<?php if ($cert['type']): ?>
<tr><td colspan="2"><em><?php echo $cert_types[$cert['type']]; ?></em></td></tr>
<?php endif; ?>
</table>
</td>
<td class="listr"><?=$caname;?>&nbsp;</td>