contrib/PKI/phpki-0.82.patch - freeDiameter-old - Gitiles

 diff -Nur phpki-0.82/ca/main.php phpki-0.82-fD/ca/main.php
 --- phpki-0.82/ca/main.php	2005-11-17 10:17:20.000000000 +0900
 +++ phpki-0.82-fD/ca/main.php	2010-05-27 17:04:44.000000000 +0900
 @@ -36,7 +36,7 @@
          else {
                  ?>
                  <font color=#ff0000>
 -                <h2>There was an error updating the Certificate Revocation List.</h2></font><br>
 +                <h2>There was an error updating the Certificate Revocation List.</h2></font><br />
                  <blockquote>
                  <h3>Debug Info:</h3>
                  <pre><?=$errtxt?></pre>
 @@ -53,8 +53,11 @@
  default:
  	printHeader('ca');
  	?>
 -	<br>
 -	<br>
 +	<br />
 +	<br />
 +
 +	<center><h3>For <span style="color: #FF0000;">freeDiameter</span> specific instructions, scroll down this page...</h3></center><br />
 +
  	<center>
  	<table class=menu width=600><th class=menu colspan=2><big>CERTIFICATE MANAGEMENT MENU</big></th>

 @@ -89,7 +92,57 @@

  	</table>
  	</center>
 -	<br><br>
 +	<br /><br />
 +	<center>
 +	<table class=menu width=900><th class=menu colspan=2><big>FREEDIAMETER INSTRUCTIONS</big></th>
 +        <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
 +        Create a new certificate</td>
 +
 +	<td>Use the <strong><cite>Create a New Certificate</cite></strong> link in previous table to request a new certificate. Fill the form as follow:
 +	<ul>
 +	  <li><strong>Common Name</strong>: use your new freeDiameter identity (usually the FQDN).</li>
 +	  <li><strong>E-mail Address</strong>: Provide your address so that you can be contacted in case of inquiry.</li>
 +	  <li><strong>Organization</strong>: use "freeDiameter testbed" for example.</li>
 +          <li><strong>Certificate Password</strong>: Do not loose the password you provide, you'll need it in the next step. <br />
 +		The password must be >= 8 chars.</li>
 +	  <li>The other fields can be filled at your taste.</li>
 +	</ul>
 +	Once you have validated, you can check the values, and then proceed to download the new certificate and private key.
 +	You will receive a file in PEM format. Let's call this file <em>mycertprotected.pem</em>.
 +        It contains:
 +        <ul>
 +          <li>Your password-protected RSA private key.</li>
 +          <li>Your certificate in PEM format.</li>
 +          <li>The CA certificate.</li>
 +        </ul></td></tr>
 +
 +        <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
 +        Split the file</td>
 +
 +	<td>In order to use the information with freeDiameter daemon, you must transform the data as follow:
 +	<ul>
 +	  <li><strong>Decode the private key</strong>: <br />
 +		<code>openssl rsa -in <em>mycertprotected.pem</em> -out /etc/ssl/private/freeDiameter.key</code><br />
 +	OpenSSL will ask for the password you entered when creating the certificate.</li>
 +	  <li><strong>Extract your certificate</strong>: <br />
 +                <code>openssl x509 -in <em>mycertprotected.pem</em> > /etc/ssl/certs/freeDiameter.pem</code></li>
 +          <li><strong>Get the CA certificate</strong>: <br />
 +                <code>wget --no-check-certificate "$config[base_url]index.php?stage=dl_root" -O /etc/ssl/certs/freeDiameter_testbed_CA.pem</code></li>
 +	</ul>
 +	Note: for the last step, you could also extract it directly from the PEM file you received.<br />
 +	Note: the CRL is also available from the website, but this feature is not tested yet.</td></tr>
 +
 +	<tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
 +        Configure freeDiameter</td>
 +
 +        <td>Here is the configuration related to TLS that you should set in your <em>/etc/freeDiameter/freeDiameter.conf</em> file:
 +	<blockquote>TLS_Cred = "/etc/ssl/certs/freeDiameter.pem", "/etc/ssl/private/freeDiameter.key";<br />
 +TLS_CA = "/etc/ssl/certs/freeDiameter_testbed_CA.pem";</blockquote></td></tr>
 +
 +
 +        </table>
 +        </center>
 +	<br /><br />
  	<?
  	printFooter();
  }
 diff -Nur phpki-0.82/ca/request_cert.php phpki-0.82-fD/ca/request_cert.php
 --- phpki-0.82/ca/request_cert.php	2007-01-04 14:45:09.000000000 +0900
 +++ phpki-0.82-fD/ca/request_cert.php	2010-05-27 16:59:16.000000000 +0900
 @@ -197,6 +197,7 @@

                  switch($cert_type) {
                  case 'server':
 +                case 'freediameter':
                          upload(array("$config[private_dir]/$serial-key.pem","$config[new_certs_dir]/$serial.pem",$config['cacert_pem']), "$common_name ($email).pem",'application/pkix-cert');
                          break;
                  case 'email':
 @@ -225,7 +226,7 @@
  	if (! $email)         $email = "";
  	if (! $expiry)        $expiry = 1;
  	if (! $keysize)       $keysize = 1024;
 -	if (! $cert_type)     $cert_type = 'email';
 +	if (! $cert_type)     $cert_type = 'freediameter';

  	printHeader();
  	?>
 @@ -302,13 +303,14 @@
  	<td>Certificate Use: </td>
  	<td><select name=cert_type>
  	<?
 -	print '<option value="email" '.($cert_type=='email'?'selected':'').'>E-mail, SSL Client</option>';
 -	print '<option value="email_signing" '.($cert_type=='email_signing'?'selected':'').'>E-mail, SSL Client, Code Signing</option>';
 -	print '<option value="server" '.($cert_type=='server'?'selected':'').'>SSL Server</option>';
 -	print '<option value="vpn_client" '.($cert_type=='vpn_client'?'selected':'').'>VPN Client Only</option>';
 -	print '<option value="vpn_server" '.($cert_type=='vpn_server'?'selected':'').'>VPN Server Only</option>';
 -	print '<option value="vpn_client_server" '.($cert_type=='vpn_client_server'?'selected':'').'>VPN Client, VPN Server</option>';
 -	print '<option value="time_stamping" '.($cert_type=='time_stamping'?'selected':'').'>Time Stamping</option>';
 +	print '<option value="email" disabled '.($cert_type=='email'?'selected':'').'>E-mail, SSL Client</option>';
 +	print '<option value="email_signing" disabled '.($cert_type=='email_signing'?'selected':'').'>E-mail, SSL Client, Code Signing</option>';
 +	print '<option value="server" disabled '.($cert_type=='server'?'selected':'').'>SSL Server</option>';
 +	print '<option value="freediameter" '.($cert_type=='freediameter'?'selected':'').'>freeDiameter node</option>';
 +	print '<option value="vpn_client" disabled '.($cert_type=='vpn_client'?'selected':'').'>VPN Client Only</option>';
 +	print '<option value="vpn_server" disabled '.($cert_type=='vpn_server'?'selected':'').'>VPN Server Only</option>';
 +	print '<option value="vpn_client_server" disabled '.($cert_type=='vpn_client_server'?'selected':'').'>VPN Client, VPN Server</option>';
 +	print '<option value="time_stamping" disabled '.($cert_type=='time_stamping'?'selected':'').'>Time Stamping</option>';
  	?>
  	</select></td>
  	</tr>
 diff -Nur phpki-0.82/include/openssl_functions.php phpki-0.82-fD/include/openssl_functions.php
 --- phpki-0.82/include/openssl_functions.php	2007-01-04 15:47:57.000000000 +0900
 +++ phpki-0.82-fD/include/openssl_functions.php	2010-05-27 16:59:57.000000000 +0900
 @@ -69,6 +69,13 @@
  default_days           = 365
  policy                 = policy_supplied

 +[ freediameter_cert ]
 +x509_extensions        = freediameter_ext
 +default_days           = 730
 +policy                 = policy_supplied
 +
 +
 +
  [ vpn_cert ]
  x509_extensions        = vpn_client_server_ext
  default_days           = 365
 @@ -152,6 +159,24 @@
  nsRevocationUrl         = ns_revoke_query.php?
  nsCaPolicyUrl           = $config[base_url]policy.html

 +[ freediameter_ext ]
 +basicConstraints        = CA:false
 +keyUsage                = critical, digitalSignature, keyEncipherment
 +extendedKeyUsage        = critical, serverAuth, clientAuth
 +nsCertType              = critical, server, client
 +subjectKeyIdentifier    = hash
 +authorityKeyIdentifier  = keyid:always, issuer:always
 +subjectAltName          = DNS:$common_name,email:copy
 +issuerAltName           = issuer:copy
 +crlDistributionPoints   = URI:$config[base_url]index.php?stage=dl_crl
 +nsComment               = \"PHPki/OpenSSL Generated Secure Certificate for freeDiameter\"
 +nsBaseUrl                       = $config[base_url]
 +nsRevocationUrl             = ns_revoke_query.php?
 +nsCaPolicyUrl           = $config[base_url]policy.html
 +
 +
 +
 +
  [ time_stamping_ext ]
  basicConstraints       = CA:false
  keyUsage               = critical, nonRepudiation, digitalSignature
 diff -Nur phpki-0.82/openssl.cnf phpki-0.82-fD/openssl.cnf
 --- phpki-0.82/openssl.cnf	2006-07-23 00:33:34.000000000 +0900
 +++ phpki-0.82-fD/openssl.cnf	2010-05-27 17:00:33.000000000 +0900
 @@ -39,6 +39,11 @@
  default_days           = 365
  policy                 = policy_supplied

 +[ freediameter_cert ]
 +x509_extensions        = freediameter_ext
 +default_days           = 730
 +policy                 = policy_supplied
 +
  [ vpn_cert ]
  x509_extensions        = vpn_client_server_ext
  default_days           = 365
 @@ -115,6 +120,23 @@
  nsRevocationUrl		= ns_revoke_query.php?
  nsCaPolicyUrl           = http://www.somewhere.com/phpki/policy.html

 +[ freediameter_ext ]
 +basicConstraints        = CA:false
 +keyUsage                = critical, digitalSignature, keyEncipherment
 +extendedKeyUsage        = critical, serverAuth, clientAuth
 +nsCertType              = critical, server, client
 +subjectKeyIdentifier    = hash
 +authorityKeyIdentifier  = keyid:always, issuer:always
 +subjectAltName          = DNS:$common_name,email:copy
 +issuerAltName           = issuer:copy
 +crlDistributionPoints   = URI:$config[base_url]index.php?stage=dl_crl
 +nsComment               = "PHPki/OpenSSL Generated Secure Certificate for freeDiameter"
 +nsBaseUrl                       = $config[base_url]
 +nsRevocationUrl             = ns_revoke_query.php?
 +nsCaPolicyUrl           = $config[base_url]policy.html
 +
 +
 +
  [ vpn_client_ext ]
  basicConstraints        = critical, CA:false
  keyUsage                = critical, digitalSignature
 diff -Nur phpki-0.82/setup.php phpki-0.82-fD/setup.php
 --- phpki-0.82/setup.php	2007-07-22 23:34:08.000000000 +0900
 +++ phpki-0.82-fD/setup.php	2010-05-27 17:01:41.000000000 +0900
 @@ -339,6 +339,11 @@
  default_days           = 365
  policy                 = policy_supplied

 +[ freediameter_cert ]
 +x509_extensions        = freediameter_ext
 +default_days           = 730
 +policy                 = policy_supplied
 +
  [ vpn_cert ]
  x509_extensions        = vpn_client_server_ext
  default_days           = 365
 @@ -418,6 +423,22 @@
  nsRevocationUrl		    = ns_revoke_query.php?
  nsCaPolicyUrl           = $config[base_url]policy.html

 +[ freediameter_ext ]
 +basicConstraints        = CA:false
 +keyUsage                = critical, digitalSignature, keyEncipherment
 +extendedKeyUsage        = critical, serverAuth, clientAuth
 +nsCertType              = critical, server, client
 +subjectKeyIdentifier    = hash
 +authorityKeyIdentifier  = keyid:always, issuer:always
 +subjectAltName          = DNS:$common_name,email:copy
 +issuerAltName           = issuer:copy
 +crlDistributionPoints   = URI:$config[base_url]index.php?stage=dl_crl
 +nsComment               = "PHPki/OpenSSL Generated Secure Certificate for freeDiameter"
 +nsBaseUrl		        = $config[base_url]
 +nsRevocationUrl		    = ns_revoke_query.php?
 +nsCaPolicyUrl           = $config[base_url]policy.html
 +
 +
  [ time_stamping_ext ]
  basicConstraints       = CA:false
  keyUsage               = critical, nonRepudiation, digitalSignature
 diff -Nur phpki-0.82/setup.php-presetup phpki-0.82-fD/setup.php-presetup
 --- phpki-0.82/setup.php-presetup	2007-07-22 23:34:08.000000000 +0900
 +++ phpki-0.82-fD/setup.php-presetup	2010-05-27 17:01:41.000000000 +0900
 @@ -339,6 +339,11 @@
  default_days           = 365
  policy                 = policy_supplied

 +[ freediameter_cert ]
 +x509_extensions        = freediameter_ext
 +default_days           = 730
 +policy                 = policy_supplied
 +
  [ vpn_cert ]
  x509_extensions        = vpn_client_server_ext
  default_days           = 365
 @@ -418,6 +423,22 @@
  nsRevocationUrl		    = ns_revoke_query.php?
  nsCaPolicyUrl           = $config[base_url]policy.html

 +[ freediameter_ext ]
 +basicConstraints        = CA:false
 +keyUsage                = critical, digitalSignature, keyEncipherment
 +extendedKeyUsage        = critical, serverAuth, clientAuth
 +nsCertType              = critical, server, client
 +subjectKeyIdentifier    = hash
 +authorityKeyIdentifier  = keyid:always, issuer:always
 +subjectAltName          = DNS:$common_name,email:copy
 +issuerAltName           = issuer:copy
 +crlDistributionPoints   = URI:$config[base_url]index.php?stage=dl_crl
 +nsComment               = "PHPki/OpenSSL Generated Secure Certificate for freeDiameter"
 +nsBaseUrl		        = $config[base_url]
 +nsRevocationUrl		    = ns_revoke_query.php?
 +nsCaPolicyUrl           = $config[base_url]policy.html
 +
 +
  [ time_stamping_ext ]
  basicConstraints       = CA:false
  keyUsage               = critical, nonRepudiation, digitalSignature
	diff -Nur phpki-0.82/ca/main.php phpki-0.82-fD/ca/main.php
	--- phpki-0.82/ca/main.php 2005-11-17 10:17:20.000000000 +0900
	+++ phpki-0.82-fD/ca/main.php 2010-05-27 17:04:44.000000000 +0900
	@@ -36,7 +36,7 @@
	else {
	?>
	<font color=#ff0000>
	- <h2>There was an error updating the Certificate Revocation List.</h2></font><br>
	+ <h2>There was an error updating the Certificate Revocation List.</h2></font><br />
	<blockquote>
	<h3>Debug Info:</h3>
	<pre><?=$errtxt?></pre>
	@@ -53,8 +53,11 @@
	default:
	printHeader('ca');
	?>
	- <br>
	- <br>
	+ <br />
	+ <br />
	+
	+ <center><h3>For <span style="color: #FF0000;">freeDiameter</span> specific instructions, scroll down this page...</h3></center><br />
	+
	<center>
	<table class=menu width=600><th class=menu colspan=2><big>CERTIFICATE MANAGEMENT MENU</big></th>

	@@ -89,7 +92,57 @@

	</table>
	</center>
	- <br><br>
	+ <br /><br />
	+ <center>
	+ <table class=menu width=900><th class=menu colspan=2><big>FREEDIAMETER INSTRUCTIONS</big></th>
	+ <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
	+ Create a new certificate</td>
	+
	+ <td>Use the <strong><cite>Create a New Certificate</cite></strong> link in previous table to request a new certificate. Fill the form as follow:
	+ <ul>
	+ <li><strong>Common Name</strong>: use your new freeDiameter identity (usually the FQDN).</li>
	+ <li><strong>E-mail Address</strong>: Provide your address so that you can be contacted in case of inquiry.</li>
	+ <li><strong>Organization</strong>: use "freeDiameter testbed" for example.</li>
	+ <li><strong>Certificate Password</strong>: Do not loose the password you provide, you'll need it in the next step. <br />
	+ The password must be >= 8 chars.</li>
	+ <li>The other fields can be filled at your taste.</li>
	+ </ul>
	+ Once you have validated, you can check the values, and then proceed to download the new certificate and private key.
	+ You will receive a file in PEM format. Let's call this file <em>mycertprotected.pem</em>.
	+ It contains:
	+ <ul>
	+ <li>Your password-protected RSA private key.</li>
	+ <li>Your certificate in PEM format.</li>
	+ <li>The CA certificate.</li>
	+ </ul></td></tr>
	+
	+ <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
	+ Split the file</td>
	+
	+ <td>In order to use the information with freeDiameter daemon, you must transform the data as follow:
	+ <ul>
	+ <li><strong>Decode the private key</strong>: <br />
	+ <code>openssl rsa -in <em>mycertprotected.pem</em> -out /etc/ssl/private/freeDiameter.key</code><br />
	+ OpenSSL will ask for the password you entered when creating the certificate.</li>
	+ <li><strong>Extract your certificate</strong>: <br />
	+ <code>openssl x509 -in <em>mycertprotected.pem</em> > /etc/ssl/certs/freeDiameter.pem</code></li>
	+ <li><strong>Get the CA certificate</strong>: <br />
	+ <code>wget --no-check-certificate "$config[base_url]index.php?stage=dl_root" -O /etc/ssl/certs/freeDiameter_testbed_CA.pem</code></li>
	+ </ul>
	+ Note: for the last step, you could also extract it directly from the PEM file you received.<br />
	+ Note: the CRL is also available from the website, but this feature is not tested yet.</td></tr>
	+
	+ <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
	+ Configure freeDiameter</td>
	+
	+ <td>Here is the configuration related to TLS that you should set in your <em>/etc/freeDiameter/freeDiameter.conf</em> file:
	+ <blockquote>TLS_Cred = "/etc/ssl/certs/freeDiameter.pem", "/etc/ssl/private/freeDiameter.key";<br />
	+TLS_CA = "/etc/ssl/certs/freeDiameter_testbed_CA.pem";</blockquote></td></tr>
	+
	+
	+ </table>
	+ </center>
	+ <br /><br />
	<?
	printFooter();
	}
	diff -Nur phpki-0.82/ca/request_cert.php phpki-0.82-fD/ca/request_cert.php
	--- phpki-0.82/ca/request_cert.php 2007-01-04 14:45:09.000000000 +0900
	+++ phpki-0.82-fD/ca/request_cert.php 2010-05-27 16:59:16.000000000 +0900
	@@ -197,6 +197,7 @@

	switch($cert_type) {
	case 'server':
	+ case 'freediameter':
	upload(array("$config[private_dir]/$serial-key.pem","$config[new_certs_dir]/$serial.pem",$config['cacert_pem']), "$common_name ($email).pem",'application/pkix-cert');
	break;
	case 'email':
	@@ -225,7 +226,7 @@
	if (! $email) $email = "";
	if (! $expiry) $expiry = 1;
	if (! $keysize) $keysize = 1024;
	- if (! $cert_type) $cert_type = 'email';
	+ if (! $cert_type) $cert_type = 'freediameter';

	printHeader();
	?>
	@@ -302,13 +303,14 @@
	<td>Certificate Use: </td>
	<td><select name=cert_type>
	<?
	- print '<option value="email" '.($cert_type=='email'?'selected':'').'>E-mail, SSL Client</option>';
	- print '<option value="email_signing" '.($cert_type=='email_signing'?'selected':'').'>E-mail, SSL Client, Code Signing</option>';
	- print '<option value="server" '.($cert_type=='server'?'selected':'').'>SSL Server</option>';
	- print '<option value="vpn_client" '.($cert_type=='vpn_client'?'selected':'').'>VPN Client Only</option>';
	- print '<option value="vpn_server" '.($cert_type=='vpn_server'?'selected':'').'>VPN Server Only</option>';
	- print '<option value="vpn_client_server" '.($cert_type=='vpn_client_server'?'selected':'').'>VPN Client, VPN Server</option>';
	- print '<option value="time_stamping" '.($cert_type=='time_stamping'?'selected':'').'>Time Stamping</option>';
	+ print '<option value="email" disabled '.($cert_type=='email'?'selected':'').'>E-mail, SSL Client</option>';
	+ print '<option value="email_signing" disabled '.($cert_type=='email_signing'?'selected':'').'>E-mail, SSL Client, Code Signing</option>';
	+ print '<option value="server" disabled '.($cert_type=='server'?'selected':'').'>SSL Server</option>';
	+ print '<option value="freediameter" '.($cert_type=='freediameter'?'selected':'').'>freeDiameter node</option>';
	+ print '<option value="vpn_client" disabled '.($cert_type=='vpn_client'?'selected':'').'>VPN Client Only</option>';
	+ print '<option value="vpn_server" disabled '.($cert_type=='vpn_server'?'selected':'').'>VPN Server Only</option>';
	+ print '<option value="vpn_client_server" disabled '.($cert_type=='vpn_client_server'?'selected':'').'>VPN Client, VPN Server</option>';
	+ print '<option value="time_stamping" disabled '.($cert_type=='time_stamping'?'selected':'').'>Time Stamping</option>';
	?>
	</select></td>
	</tr>
	diff -Nur phpki-0.82/include/openssl_functions.php phpki-0.82-fD/include/openssl_functions.php
	--- phpki-0.82/include/openssl_functions.php 2007-01-04 15:47:57.000000000 +0900
	+++ phpki-0.82-fD/include/openssl_functions.php 2010-05-27 16:59:57.000000000 +0900
	@@ -69,6 +69,13 @@
	default_days = 365
	policy = policy_supplied

	+[ freediameter_cert ]
	+x509_extensions = freediameter_ext
	+default_days = 730
	+policy = policy_supplied
	+
	+
	+
	[ vpn_cert ]
	x509_extensions = vpn_client_server_ext
	default_days = 365
	@@ -152,6 +159,24 @@
	nsRevocationUrl = ns_revoke_query.php?
	nsCaPolicyUrl = $config[base_url]policy.html

	+[ freediameter_ext ]
	+basicConstraints = CA:false
	+keyUsage = critical, digitalSignature, keyEncipherment
	+extendedKeyUsage = critical, serverAuth, clientAuth
	+nsCertType = critical, server, client
	+subjectKeyIdentifier = hash
	+authorityKeyIdentifier = keyid:always, issuer:always
	+subjectAltName = DNS:$common_name,email:copy
	+issuerAltName = issuer:copy
	+crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl
	+nsComment = \"PHPki/OpenSSL Generated Secure Certificate for freeDiameter\"
	+nsBaseUrl = $config[base_url]
	+nsRevocationUrl = ns_revoke_query.php?
	+nsCaPolicyUrl = $config[base_url]policy.html
	+
	+
	+
	+
	[ time_stamping_ext ]
	basicConstraints = CA:false
	keyUsage = critical, nonRepudiation, digitalSignature
	diff -Nur phpki-0.82/openssl.cnf phpki-0.82-fD/openssl.cnf
	--- phpki-0.82/openssl.cnf 2006-07-23 00:33:34.000000000 +0900
	+++ phpki-0.82-fD/openssl.cnf 2010-05-27 17:00:33.000000000 +0900
	@@ -39,6 +39,11 @@
	default_days = 365
	policy = policy_supplied

	+[ freediameter_cert ]
	+x509_extensions = freediameter_ext
	+default_days = 730
	+policy = policy_supplied
	+
	[ vpn_cert ]
	x509_extensions = vpn_client_server_ext
	default_days = 365
	@@ -115,6 +120,23 @@
	nsRevocationUrl = ns_revoke_query.php?
	nsCaPolicyUrl = http://www.somewhere.com/phpki/policy.html

	+[ freediameter_ext ]
	+basicConstraints = CA:false
	+keyUsage = critical, digitalSignature, keyEncipherment
	+extendedKeyUsage = critical, serverAuth, clientAuth
	+nsCertType = critical, server, client
	+subjectKeyIdentifier = hash
	+authorityKeyIdentifier = keyid:always, issuer:always
	+subjectAltName = DNS:$common_name,email:copy
	+issuerAltName = issuer:copy
	+crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl
	+nsComment = "PHPki/OpenSSL Generated Secure Certificate for freeDiameter"
	+nsBaseUrl = $config[base_url]
	+nsRevocationUrl = ns_revoke_query.php?
	+nsCaPolicyUrl = $config[base_url]policy.html
	+
	+
	+
	[ vpn_client_ext ]
	basicConstraints = critical, CA:false
	keyUsage = critical, digitalSignature
	diff -Nur phpki-0.82/setup.php phpki-0.82-fD/setup.php
	--- phpki-0.82/setup.php 2007-07-22 23:34:08.000000000 +0900
	+++ phpki-0.82-fD/setup.php 2010-05-27 17:01:41.000000000 +0900
	@@ -339,6 +339,11 @@
	default_days = 365
	policy = policy_supplied

	+[ freediameter_cert ]
	+x509_extensions = freediameter_ext
	+default_days = 730
	+policy = policy_supplied
	+
	[ vpn_cert ]
	x509_extensions = vpn_client_server_ext
	default_days = 365
	@@ -418,6 +423,22 @@
	nsRevocationUrl = ns_revoke_query.php?
	nsCaPolicyUrl = $config[base_url]policy.html

	+[ freediameter_ext ]
	+basicConstraints = CA:false
	+keyUsage = critical, digitalSignature, keyEncipherment
	+extendedKeyUsage = critical, serverAuth, clientAuth
	+nsCertType = critical, server, client
	+subjectKeyIdentifier = hash
	+authorityKeyIdentifier = keyid:always, issuer:always
	+subjectAltName = DNS:$common_name,email:copy
	+issuerAltName = issuer:copy
	+crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl
	+nsComment = "PHPki/OpenSSL Generated Secure Certificate for freeDiameter"
	+nsBaseUrl = $config[base_url]
	+nsRevocationUrl = ns_revoke_query.php?
	+nsCaPolicyUrl = $config[base_url]policy.html
	+
	+
	[ time_stamping_ext ]
	basicConstraints = CA:false
	keyUsage = critical, nonRepudiation, digitalSignature
	diff -Nur phpki-0.82/setup.php-presetup phpki-0.82-fD/setup.php-presetup
	--- phpki-0.82/setup.php-presetup 2007-07-22 23:34:08.000000000 +0900
	+++ phpki-0.82-fD/setup.php-presetup 2010-05-27 17:01:41.000000000 +0900
	@@ -339,6 +339,11 @@
	default_days = 365
	policy = policy_supplied

	+[ freediameter_cert ]
	+x509_extensions = freediameter_ext
	+default_days = 730
	+policy = policy_supplied
	+
	[ vpn_cert ]
	x509_extensions = vpn_client_server_ext
	default_days = 365
	@@ -418,6 +423,22 @@
	nsRevocationUrl = ns_revoke_query.php?
	nsCaPolicyUrl = $config[base_url]policy.html

	+[ freediameter_ext ]
	+basicConstraints = CA:false
	+keyUsage = critical, digitalSignature, keyEncipherment
	+extendedKeyUsage = critical, serverAuth, clientAuth
	+nsCertType = critical, server, client
	+subjectKeyIdentifier = hash
	+authorityKeyIdentifier = keyid:always, issuer:always
	+subjectAltName = DNS:$common_name,email:copy
	+issuerAltName = issuer:copy
	+crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl
	+nsComment = "PHPki/OpenSSL Generated Secure Certificate for freeDiameter"
	+nsBaseUrl = $config[base_url]
	+nsRevocationUrl = ns_revoke_query.php?
	+nsCaPolicyUrl = $config[base_url]policy.html
	+
	+
	[ time_stamping_ext ]
	basicConstraints = CA:false
	keyUsage = critical, nonRepudiation, digitalSignature