Mercurial > hg > freeDiameter
view contrib/PKI/phpki-0.82.patch @ 1562:6219359a36a9 default tip
Merge latest changes from proposed branch
author | Sebastien Decugis <sdecugis@freediameter.net> |
---|---|
date | Mon, 21 Jun 2021 19:08:18 +0800 |
parents | 0f43f42669be |
children |
line wrap: on
line source
diff -Nur phpki-0.82/ca/main.php phpki-0.82-fD/ca/main.php --- phpki-0.82/ca/main.php 2005-11-17 10:17:20.000000000 +0900 +++ phpki-0.82-fD/ca/main.php 2010-05-27 17:04:44.000000000 +0900 @@ -36,7 +36,7 @@ else { ?> <font color=#ff0000> - <h2>There was an error updating the Certificate Revocation List.</h2></font><br> + <h2>There was an error updating the Certificate Revocation List.</h2></font><br /> <blockquote> <h3>Debug Info:</h3> <pre><?=$errtxt?></pre> @@ -53,8 +53,11 @@ default: printHeader('ca'); ?> - <br> - <br> + <br /> + <br /> + + <center><h3>For <span style="color: #FF0000;">freeDiameter</span> specific instructions, scroll down this page...</h3></center><br /> + <center> <table class=menu width=600><th class=menu colspan=2><big>CERTIFICATE MANAGEMENT MENU</big></th> @@ -89,7 +92,57 @@ </table> </center> - <br><br> + <br /><br /> + <center> + <table class=menu width=900><th class=menu colspan=2><big>FREEDIAMETER INSTRUCTIONS</big></th> + <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;"> + Create a new certificate</td> + + <td>Use the <strong><cite>Create a New Certificate</cite></strong> link in previous table to request a new certificate. Fill the form as follow: + <ul> + <li><strong>Common Name</strong>: use your new freeDiameter identity (usually the FQDN).</li> + <li><strong>E-mail Address</strong>: Provide your address so that you can be contacted in case of inquiry.</li> + <li><strong>Organization</strong>: use "freeDiameter testbed" for example.</li> + <li><strong>Certificate Password</strong>: Do not loose the password you provide, you'll need it in the next step. <br /> + The password must be >= 8 chars.</li> + <li>The other fields can be filled at your taste.</li> + </ul> + Once you have validated, you can check the values, and then proceed to download the new certificate and private key. + You will receive a file in PEM format. Let's call this file <em>mycertprotected.pem</em>. + It contains: + <ul> + <li>Your password-protected RSA private key.</li> + <li>Your certificate in PEM format.</li> + <li>The CA certificate.</li> + </ul></td></tr> + + <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;"> + Split the file</td> + + <td>In order to use the information with freeDiameter daemon, you must transform the data as follow: + <ul> + <li><strong>Decode the private key</strong>: <br /> + <code>openssl rsa -in <em>mycertprotected.pem</em> -out /etc/ssl/private/freeDiameter.key</code><br /> + OpenSSL will ask for the password you entered when creating the certificate.</li> + <li><strong>Extract your certificate</strong>: <br /> + <code>openssl x509 -in <em>mycertprotected.pem</em> > /etc/ssl/certs/freeDiameter.pem</code></li> + <li><strong>Get the CA certificate</strong>: <br /> + <code>wget --no-check-certificate "$config[base_url]index.php?stage=dl_root" -O /etc/ssl/certs/freeDiameter_testbed_CA.pem</code></li> + </ul> + Note: for the last step, you could also extract it directly from the PEM file you received.<br /> + Note: the CRL is also available from the website, but this feature is not tested yet.</td></tr> + + <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;"> + Configure freeDiameter</td> + + <td>Here is the configuration related to TLS that you should set in your <em>/etc/freeDiameter/freeDiameter.conf</em> file: + <blockquote>TLS_Cred = "/etc/ssl/certs/freeDiameter.pem", "/etc/ssl/private/freeDiameter.key";<br /> +TLS_CA = "/etc/ssl/certs/freeDiameter_testbed_CA.pem";</blockquote></td></tr> + + + </table> + </center> + <br /><br /> <? printFooter(); } diff -Nur phpki-0.82/ca/request_cert.php phpki-0.82-fD/ca/request_cert.php --- phpki-0.82/ca/request_cert.php 2007-01-04 14:45:09.000000000 +0900 +++ phpki-0.82-fD/ca/request_cert.php 2010-05-27 16:59:16.000000000 +0900 @@ -197,6 +197,7 @@ switch($cert_type) { case 'server': + case 'freediameter': upload(array("$config[private_dir]/$serial-key.pem","$config[new_certs_dir]/$serial.pem",$config['cacert_pem']), "$common_name ($email).pem",'application/pkix-cert'); break; case 'email': @@ -225,7 +226,7 @@ if (! $email) $email = ""; if (! $expiry) $expiry = 1; if (! $keysize) $keysize = 1024; - if (! $cert_type) $cert_type = 'email'; + if (! $cert_type) $cert_type = 'freediameter'; printHeader(); ?> @@ -302,13 +303,14 @@ <td>Certificate Use: </td> <td><select name=cert_type> <? - print '<option value="email" '.($cert_type=='email'?'selected':'').'>E-mail, SSL Client</option>'; - print '<option value="email_signing" '.($cert_type=='email_signing'?'selected':'').'>E-mail, SSL Client, Code Signing</option>'; - print '<option value="server" '.($cert_type=='server'?'selected':'').'>SSL Server</option>'; - print '<option value="vpn_client" '.($cert_type=='vpn_client'?'selected':'').'>VPN Client Only</option>'; - print '<option value="vpn_server" '.($cert_type=='vpn_server'?'selected':'').'>VPN Server Only</option>'; - print '<option value="vpn_client_server" '.($cert_type=='vpn_client_server'?'selected':'').'>VPN Client, VPN Server</option>'; - print '<option value="time_stamping" '.($cert_type=='time_stamping'?'selected':'').'>Time Stamping</option>'; + print '<option value="email" disabled '.($cert_type=='email'?'selected':'').'>E-mail, SSL Client</option>'; + print '<option value="email_signing" disabled '.($cert_type=='email_signing'?'selected':'').'>E-mail, SSL Client, Code Signing</option>'; + print '<option value="server" disabled '.($cert_type=='server'?'selected':'').'>SSL Server</option>'; + print '<option value="freediameter" '.($cert_type=='freediameter'?'selected':'').'>freeDiameter node</option>'; + print '<option value="vpn_client" disabled '.($cert_type=='vpn_client'?'selected':'').'>VPN Client Only</option>'; + print '<option value="vpn_server" disabled '.($cert_type=='vpn_server'?'selected':'').'>VPN Server Only</option>'; + print '<option value="vpn_client_server" disabled '.($cert_type=='vpn_client_server'?'selected':'').'>VPN Client, VPN Server</option>'; + print '<option value="time_stamping" disabled '.($cert_type=='time_stamping'?'selected':'').'>Time Stamping</option>'; ?> </select></td> </tr> diff -Nur phpki-0.82/include/openssl_functions.php phpki-0.82-fD/include/openssl_functions.php --- phpki-0.82/include/openssl_functions.php 2007-01-04 15:47:57.000000000 +0900 +++ phpki-0.82-fD/include/openssl_functions.php 2010-05-27 16:59:57.000000000 +0900 @@ -69,6 +69,13 @@ default_days = 365 policy = policy_supplied +[ freediameter_cert ] +x509_extensions = freediameter_ext +default_days = 730 +policy = policy_supplied + + + [ vpn_cert ] x509_extensions = vpn_client_server_ext default_days = 365 @@ -152,6 +159,24 @@ nsRevocationUrl = ns_revoke_query.php? nsCaPolicyUrl = $config[base_url]policy.html +[ freediameter_ext ] +basicConstraints = CA:false +keyUsage = critical, digitalSignature, keyEncipherment +extendedKeyUsage = critical, serverAuth, clientAuth +nsCertType = critical, server, client +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always, issuer:always +subjectAltName = DNS:$common_name,email:copy +issuerAltName = issuer:copy +crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl +nsComment = \"PHPki/OpenSSL Generated Secure Certificate for freeDiameter\" +nsBaseUrl = $config[base_url] +nsRevocationUrl = ns_revoke_query.php? +nsCaPolicyUrl = $config[base_url]policy.html + + + + [ time_stamping_ext ] basicConstraints = CA:false keyUsage = critical, nonRepudiation, digitalSignature diff -Nur phpki-0.82/openssl.cnf phpki-0.82-fD/openssl.cnf --- phpki-0.82/openssl.cnf 2006-07-23 00:33:34.000000000 +0900 +++ phpki-0.82-fD/openssl.cnf 2010-05-27 17:00:33.000000000 +0900 @@ -39,6 +39,11 @@ default_days = 365 policy = policy_supplied +[ freediameter_cert ] +x509_extensions = freediameter_ext +default_days = 730 +policy = policy_supplied + [ vpn_cert ] x509_extensions = vpn_client_server_ext default_days = 365 @@ -115,6 +120,23 @@ nsRevocationUrl = ns_revoke_query.php? nsCaPolicyUrl = http://www.somewhere.com/phpki/policy.html +[ freediameter_ext ] +basicConstraints = CA:false +keyUsage = critical, digitalSignature, keyEncipherment +extendedKeyUsage = critical, serverAuth, clientAuth +nsCertType = critical, server, client +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always, issuer:always +subjectAltName = DNS:$common_name,email:copy +issuerAltName = issuer:copy +crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl +nsComment = "PHPki/OpenSSL Generated Secure Certificate for freeDiameter" +nsBaseUrl = $config[base_url] +nsRevocationUrl = ns_revoke_query.php? +nsCaPolicyUrl = $config[base_url]policy.html + + + [ vpn_client_ext ] basicConstraints = critical, CA:false keyUsage = critical, digitalSignature diff -Nur phpki-0.82/setup.php phpki-0.82-fD/setup.php --- phpki-0.82/setup.php 2007-07-22 23:34:08.000000000 +0900 +++ phpki-0.82-fD/setup.php 2010-05-27 17:01:41.000000000 +0900 @@ -339,6 +339,11 @@ default_days = 365 policy = policy_supplied +[ freediameter_cert ] +x509_extensions = freediameter_ext +default_days = 730 +policy = policy_supplied + [ vpn_cert ] x509_extensions = vpn_client_server_ext default_days = 365 @@ -418,6 +423,22 @@ nsRevocationUrl = ns_revoke_query.php? nsCaPolicyUrl = $config[base_url]policy.html +[ freediameter_ext ] +basicConstraints = CA:false +keyUsage = critical, digitalSignature, keyEncipherment +extendedKeyUsage = critical, serverAuth, clientAuth +nsCertType = critical, server, client +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always, issuer:always +subjectAltName = DNS:$common_name,email:copy +issuerAltName = issuer:copy +crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl +nsComment = "PHPki/OpenSSL Generated Secure Certificate for freeDiameter" +nsBaseUrl = $config[base_url] +nsRevocationUrl = ns_revoke_query.php? +nsCaPolicyUrl = $config[base_url]policy.html + + [ time_stamping_ext ] basicConstraints = CA:false keyUsage = critical, nonRepudiation, digitalSignature diff -Nur phpki-0.82/setup.php-presetup phpki-0.82-fD/setup.php-presetup --- phpki-0.82/setup.php-presetup 2007-07-22 23:34:08.000000000 +0900 +++ phpki-0.82-fD/setup.php-presetup 2010-05-27 17:01:41.000000000 +0900 @@ -339,6 +339,11 @@ default_days = 365 policy = policy_supplied +[ freediameter_cert ] +x509_extensions = freediameter_ext +default_days = 730 +policy = policy_supplied + [ vpn_cert ] x509_extensions = vpn_client_server_ext default_days = 365 @@ -418,6 +423,22 @@ nsRevocationUrl = ns_revoke_query.php? nsCaPolicyUrl = $config[base_url]policy.html +[ freediameter_ext ] +basicConstraints = CA:false +keyUsage = critical, digitalSignature, keyEncipherment +extendedKeyUsage = critical, serverAuth, clientAuth +nsCertType = critical, server, client +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always, issuer:always +subjectAltName = DNS:$common_name,email:copy +issuerAltName = issuer:copy +crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl +nsComment = "PHPki/OpenSSL Generated Secure Certificate for freeDiameter" +nsBaseUrl = $config[base_url] +nsRevocationUrl = ns_revoke_query.php? +nsCaPolicyUrl = $config[base_url]policy.html + + [ time_stamping_ext ] basicConstraints = CA:false keyUsage = critical, nonRepudiation, digitalSignature