'/usr/local/etc/ssl/opnsense.cnf', 'private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => (int)$keylen, 'x509_extensions' => 'v3_req', 'digest_alg' => $digest_alg, 'encrypt_key' => false ); // generate a new key pair $res_key = openssl_pkey_new($args); if (!$res_key) { return false; } // generate a certificate signing request $res_csr = openssl_csr_new($dn, $res_key, $args); if (!$res_csr) { return false; } // export our request data if (!openssl_pkey_export($res_key, $str_key) || !openssl_csr_export($res_csr, $str_csr)) { return false; } // return our request information $cert['csr'] = base64_encode($str_csr); $cert['prv'] = base64_encode($str_key); return true; } function csr_complete(& $cert, $str_crt) { // return our request information $cert['crt'] = base64_encode($str_crt); unset($cert['csr']); return true; } function csr_get_modulus($str_crt, $decode = true) { return cert_get_modulus($str_crt, $decode, 'csr'); } $cert_methods = array( "import" => gettext("Import an existing Certificate"), "internal" => gettext("Create an internal Certificate"), "external" => gettext("Create a Certificate Signing Request"), ); $cert_keylens = array( "512", "1024", "2048", "4096"); $altname_types = array("DNS", "IP", "email", "URI"); $openssl_digest_algs = array("sha1", "sha224", "sha256", "sha384", "sha512"); $pgtitle = array(gettext("System"), gettext("Certificate Manager")); if (isset($_GET['userid']) && is_numericint($_GET['userid'])) { $userid = $_GET['userid']; } if (isset($_POST['userid']) && is_numericint($_POST['userid'])) { $userid = $_POST['userid']; } if (isset($userid)) { $cert_methods["existing"] = gettext("Choose an existing certificate"); if (!is_array($config['system']['user'])) { $config['system']['user'] = array(); } $a_user =& $config['system']['user']; } if (isset($_GET['id']) && is_numericint($_GET['id'])) { $id = $_GET['id']; } if (isset($_POST['id']) && is_numericint($_POST['id'])) { $id = $_POST['id']; } if (!isset($config['ca']) || !is_array($config['ca'])) { $config['ca'] = array(); } $a_ca =& $config['ca']; if (!is_array($config['cert'])) { $config['cert'] = array(); } $a_cert =& $config['cert']; $internal_ca_count = 0; foreach ($a_ca as $ca) { if ($ca['prv']) { $internal_ca_count++; } } $act = null; if (isset($_GET['act'])) { $act = $_GET['act']; } elseif (isset($_POST['act'])) { $act = $_POST['act']; } if ($act == "del") { if (!isset($a_cert[$id])) { redirectHeader("system_certmanager.php"); exit; } $name = $a_cert[$id]['descr']; unset($a_cert[$id]); write_config(); $savemsg = sprintf(gettext("Certificate %s successfully deleted"), $name) . "
"; redirectHeader("system_certmanager.php"); exit; } if ($act == "new") { if (isset($_GET['method'])) { $pconfig['method'] = $_GET['method']; } else { $pconfig['method'] = null; } $pconfig['keylen'] = "2048"; $pconfig['digest_alg'] = "sha256"; $pconfig['csr_keylen'] = "2048"; $pconfig['csr_digest_alg'] = "sha256"; $pconfig['lifetime'] = "365"; } if ($act == "exp") { if (!$a_cert[$id]) { redirectHeader("system_certmanager.php"); exit; } $exp_name = urlencode("{$a_cert[$id]['descr']}.crt"); $exp_data = base64_decode($a_cert[$id]['crt']); $exp_size = strlen($exp_data); header("Content-Type: application/octet-stream"); header("Content-Disposition: attachment; filename={$exp_name}"); header("Content-Length: $exp_size"); echo $exp_data; exit; } if ($act == "key") { if (!$a_cert[$id]) { redirectHeader("system_certmanager.php"); exit; } $exp_name = urlencode("{$a_cert[$id]['descr']}.key"); $exp_data = base64_decode($a_cert[$id]['prv']); $exp_size = strlen($exp_data); header("Content-Type: application/octet-stream"); header("Content-Disposition: attachment; filename={$exp_name}"); header("Content-Length: $exp_size"); echo $exp_data; exit; } if ($act == "p12") { if (!$a_cert[$id]) { redirectHeader("system_certmanager.php"); exit; } $exp_name = urlencode("{$a_cert[$id]['descr']}.p12"); $args = array(); $args['friendly_name'] = $a_cert[$id]['descr']; $ca = lookup_ca($a_cert[$id]['caref']); if ($ca) { $args['extracerts'] = openssl_x509_read(base64_decode($ca['crt'])); } $res_crt = openssl_x509_read(base64_decode($a_cert[$id]['crt'])); $res_key = openssl_pkey_get_private(array(0 => base64_decode($a_cert[$id]['prv']) , 1 => "")); $exp_data = ""; openssl_pkcs12_export($res_crt, $exp_data, $res_key, null, $args); $exp_size = strlen($exp_data); header("Content-Type: application/octet-stream"); header("Content-Disposition: attachment; filename={$exp_name}"); header("Content-Length: $exp_size"); echo $exp_data; exit; } if ($act == "csr") { if (!$a_cert[$id]) { redirectHeader("system_certmanager.php"); exit; } $pconfig['descr'] = $a_cert[$id]['descr']; $pconfig['csr'] = base64_decode($a_cert[$id]['csr']); } if ($_POST) { if ($_POST['save'] == gettext("Save")) { $input_errors = array(); $pconfig = $_POST; /* input validation */ if ($pconfig['method'] == "import") { $reqdfields = explode( " ", "descr cert key" ); $reqdfieldsn = array( gettext("Descriptive name"), gettext("Certificate data"), gettext("Key data")); if ($_POST['cert'] && (!strstr($_POST['cert'], "BEGIN CERTIFICATE") || !strstr($_POST['cert'], "END CERTIFICATE"))) { $input_errors[] = gettext("This certificate does not appear to be valid."); } } if ($pconfig['method'] == "internal") { $reqdfields = explode( " ", "descr caref keylen lifetime dn_country dn_state dn_city ". "dn_organization dn_email dn_commonname" ); $reqdfieldsn = array( gettext("Descriptive name"), gettext("Certificate authority"), gettext("Key length"), gettext("Lifetime"), gettext("Distinguished name Country Code"), gettext("Distinguished name State or Province"), gettext("Distinguished name City"), gettext("Distinguished name Organization"), gettext("Distinguished name Email Address"), gettext("Distinguished name Common Name")); } if ($pconfig['method'] == "external") { $reqdfields = explode( " ", "descr csr_keylen csr_dn_country csr_dn_state csr_dn_city ". "csr_dn_organization csr_dn_email csr_dn_commonname" ); $reqdfieldsn = array( gettext("Descriptive name"), gettext("Key length"), gettext("Distinguished name Country Code"), gettext("Distinguished name State or Province"), gettext("Distinguished name City"), gettext("Distinguished name Organization"), gettext("Distinguished name Email Address"), gettext("Distinguished name Common Name")); } if ($pconfig['method'] == "existing") { $reqdfields = array("certref"); $reqdfieldsn = array(gettext("Existing Certificate Choice")); } $altnames = array(); do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors); if ($pconfig['method'] != "import" && $pconfig['method'] != "existing") { /* subjectAltNames */ foreach ($_POST as $key => $value) { $entry = ''; if (!substr_compare('altname_type', $key, 0, 12)) { $entry = substr($key, 12); $field = 'type'; } elseif (!substr_compare('altname_value', $key, 0, 13)) { $entry = substr($key, 13); $field = 'value'; } if (ctype_digit($entry)) { $altnames[$entry][$field] = $value; } } $pconfig['altnames']['item'] = $altnames; /* Input validation for subjectAltNames */ foreach ($altnames as $idx => $altname) { switch ($altname['type']) { case "DNS": if (!is_hostname($altname['value'])) { array_push($input_errors, "DNS subjectAltName values must be valid hostnames or FQDNs"); } break; case "IP": if (!is_ipaddr($altname['value'])) { array_push($input_errors, "IP subjectAltName values must be valid IP Addresses"); } break; case "email": if (empty($altname['value'])) { array_push($input_errors, "You must provide an e-mail address for this type of subjectAltName"); } if (preg_match("/[\!\#\$\%\^\(\)\~\?\>\<\&\/\\\,\"\']/", $altname['value'])) { array_push($input_errors, "The e-mail provided in a subjectAltName contains invalid characters."); } break; case "URI": /* Close enough? */ if (!is_URL($altname['value'])) { $input_errors[] = "URI subjectAltName types must be a valid URI"; } break; default: $input_errors[] = "Unrecognized subjectAltName type."; } } /* Make sure we do not have invalid characters in the fields for the certificate */ for ($i = 0; $i < count($reqdfields); $i++) { if (preg_match('/email/', $reqdfields[$i])) { /* dn_email or csr_dn_name */ if (preg_match("/[\!\#\$\%\^\(\)\~\?\>\<\&\/\\\,\"\']/", $_POST[$reqdfields[$i]])) { array_push($input_errors, "The field 'Distinguished name Email Address' contains invalid characters."); } } elseif (preg_match('/commonname/', $reqdfields[$i])) { /* dn_commonname or csr_dn_commonname */ if (preg_match("/[\!\@\#\$\%\^\(\)\~\?\>\<\&\/\\\,\"\']/", $_POST[$reqdfields[$i]])) { array_push($input_errors, "The field 'Distinguished name Common Name' contains invalid characters."); } } elseif (($reqdfields[$i] != "descr") && preg_match("/[\!\@\#\$\%\^\(\)\~\?\>\<\&\/\\\,\.\"\']/", $_POST[$reqdfields[$i]])) { array_push($input_errors, "The field '" . $reqdfieldsn[$i] . "' contains invalid characters."); } } if (($pconfig['method'] != "external") && isset($_POST["keylen"]) && !in_array($_POST["keylen"], $cert_keylens)) { array_push($input_errors, gettext("Please select a valid Key Length.")); } if (($pconfig['method'] != "external") && !in_array($_POST["digest_alg"], $openssl_digest_algs)) { array_push($input_errors, gettext("Please select a valid Digest Algorithm.")); } if (($pconfig['method'] == "external") && isset($_POST["csr_keylen"]) && !in_array($_POST["csr_keylen"], $cert_keylens)) { array_push($input_errors, gettext("Please select a valid Key Length.")); } if (($pconfig['method'] == "external") && !in_array($_POST["csr_digest_alg"], $openssl_digest_algs)) { array_push($input_errors, gettext("Please select a valid Digest Algorithm.")); } } /* if this is an AJAX caller then handle via JSON */ if (isAjax() && is_array($input_errors)) { input_errors2Ajax($input_errors); exit; } /* save modifications */ if (!$input_errors) { if ($pconfig['method'] == "existing") { $cert = lookup_cert($pconfig['certref']); if ($cert && $a_user) { $a_user[$userid]['cert'][] = $cert['refid']; } } else { $cert = array(); $cert['refid'] = uniqid(); if (isset($id) && $a_cert[$id]) { $cert = $a_cert[$id]; } $cert['descr'] = $pconfig['descr']; $old_err_level = error_reporting(0); /* otherwise openssl_ functions throw warings directly to a page screwing menu tab */ if ($pconfig['method'] == "import") { cert_import($cert, $pconfig['cert'], $pconfig['key']); } if ($pconfig['method'] == "internal") { $dn = array( 'countryName' => $pconfig['dn_country'], 'stateOrProvinceName' => $pconfig['dn_state'], 'localityName' => $pconfig['dn_city'], 'organizationName' => $pconfig['dn_organization'], 'emailAddress' => $pconfig['dn_email'], 'commonName' => $pconfig['dn_commonname']); if (count($altnames)) { $altnames_tmp = ""; foreach ($altnames as $altname) { $altnames_tmp[] = "{$altname['type']}:{$altname['value']}"; } $dn['subjectAltName'] = implode(",", $altnames_tmp); } if (!cert_create( $cert, $pconfig['caref'], $pconfig['keylen'], $pconfig['lifetime'], $dn, $pconfig['digest_alg'] )) { $input_errors = array(); while ($ssl_err = openssl_error_string()) { array_push($input_errors, "openssl library returns: " . $ssl_err); } } } if ($pconfig['method'] == "external") { $dn = array( 'countryName' => $pconfig['csr_dn_country'], 'stateOrProvinceName' => $pconfig['csr_dn_state'], 'localityName' => $pconfig['csr_dn_city'], 'organizationName' => $pconfig['csr_dn_organization'], 'emailAddress' => $pconfig['csr_dn_email'], 'commonName' => $pconfig['csr_dn_commonname']); if (count($altnames)) { $altnames_tmp = ""; foreach ($altnames as $altname) { $altnames_tmp[] = "{$altname['type']}:{$altname['value']}"; } $dn['subjectAltName'] = implode(",", $altnames_tmp); } if (!csr_generate($cert, $pconfig['csr_keylen'], $dn, $pconfig['csr_digest_alg'])) { $input_errors = array(); while ($ssl_err = openssl_error_string()) { array_push($input_errors, "openssl library returns: " . $ssl_err); } } } error_reporting($old_err_level); if (isset($id) && $a_cert[$id]) { $a_cert[$id] = $cert; } else { $a_cert[] = $cert; } if (isset($a_user) && isset($userid)) { $a_user[$userid]['cert'][] = $cert['refid']; } } if (!$input_errors) { write_config(); } if (isset($userid)) { post_redirect("system_usermanager.php", array('act' => 'edit', 'userid' => $userid)); exit; } } } if ($_POST['save'] == gettext("Update")) { unset($input_errors); $pconfig = $_POST; /* input validation */ $reqdfields = explode(" ", "descr cert"); $reqdfieldsn = array( gettext("Descriptive name"), gettext("Final Certificate data")); do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors); // old way /* make sure this csr and certificate subjects match */ // $subj_csr = csr_get_subject($pconfig['csr'], false); // $subj_cert = cert_get_subject($pconfig['cert'], false); // // if ( !isset($_POST['ignoresubjectmismatch']) && !($_POST['ignoresubjectmismatch'] == "yes") ) { // if (strcmp($subj_csr,$subj_cert)) { // $input_errors[] = sprintf(gettext("The certificate subject '%s' does not match the signing request subject."),$subj_cert); // $subject_mismatch = true; // } // } $mod_csr = csr_get_modulus($pconfig['csr'], false); $mod_cert = cert_get_modulus($pconfig['cert'], false); if (strcmp($mod_csr, $mod_cert)) { // simply: if the moduli don't match, then the private key and public key won't match $input_errors[] = sprintf(gettext("The certificate modulus does not match the signing request modulus."), $subj_cert); $subject_mismatch = true; } /* if this is an AJAX caller then handle via JSON */ if (isAjax() && is_array($input_errors)) { input_errors2Ajax($input_errors); exit; } /* save modifications */ if (!$input_errors) { $cert = $a_cert[$id]; $cert['descr'] = $pconfig['descr']; csr_complete($cert, $pconfig['cert']); $a_cert[$id] = $cert; write_config(); redirectHeader("system_certmanager.php"); } } } include("head.inc"); $main_buttons = array( array('label'=>gettext("add or import certificate"), 'href'=>'system_certmanager.php?act=new'), ); ?>
0) { print_input_errors($input_errors); } if (isset($savemsg)) { print_info_box($savemsg); } ?>



:  
:  
:  
:  
:     ex:  
:     ex:  
:  
" class="btn btn-default btn-xs">
 
" class="btn btn-default btn-xs">
NOTE: Type must be one of DNS (FQDN or Hostname), IP (IP address), URI, or email.
bits

:  
:     ex:  
:     ex:  
:     ex:  
:     ex:  
:     ex:  
  " />


 
" . "response subject verification. "); ?>
" />
" . gettext("self-signed") . ""; } else { $caname = "" . gettext("external"). ""; } $subj = htmlspecialchars($subj); } if (isset($cert['csr'])) { $subj = htmlspecialchars(csr_get_subject($cert['csr'])); $caname = "" . gettext("external - signature pending") . ""; } if (isset($cert['caref'])) { $ca = lookup_ca($cert['caref']); if ($ca) { $caname = $ca['descr']; } } // was: $certimg = "/themes/{$g['theme']}/images/icons/icon_frmfld_cert.png"; $certimg = ''; ?>
 
CA: , Server:
   
  :
  :
Revoked
webConfigurator
User Cert
OpenVPN Server
OpenVPN Client
IPsec Tunnel
Captive Portal
"> "> "> ')" data-toggle="tooltip" data-placement="left" title=""> ">