blob: e954d8851ed54b2f753d9ad739fcfbb5e3acf582 [file] [log] [blame]
diff -Nur phpki-0.82/ca/main.php phpki-0.82-fD/ca/main.php
--- phpki-0.82/ca/main.php 2005-11-17 10:17:20.000000000 +0900
+++ phpki-0.82-fD/ca/main.php 2010-05-27 17:04:44.000000000 +0900
@@ -36,7 +36,7 @@
else {
?>
<font color=#ff0000>
- <h2>There was an error updating the Certificate Revocation List.</h2></font><br>
+ <h2>There was an error updating the Certificate Revocation List.</h2></font><br />
<blockquote>
<h3>Debug Info:</h3>
<pre><?=$errtxt?></pre>
@@ -53,8 +53,11 @@
default:
printHeader('ca');
?>
- <br>
- <br>
+ <br />
+ <br />
+
+ <center><h3>For <span style="color: #FF0000;">freeDiameter</span> specific instructions, scroll down this page...</h3></center><br />
+
<center>
<table class=menu width=600><th class=menu colspan=2><big>CERTIFICATE MANAGEMENT MENU</big></th>
@@ -89,7 +92,57 @@
</table>
</center>
- <br><br>
+ <br /><br />
+ <center>
+ <table class=menu width=900><th class=menu colspan=2><big>FREEDIAMETER INSTRUCTIONS</big></th>
+ <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
+ Create a new certificate</td>
+
+ <td>Use the <strong><cite>Create a New Certificate</cite></strong> link in previous table to request a new certificate. Fill the form as follow:
+ <ul>
+ <li><strong>Common Name</strong>: use your new freeDiameter identity (usually the FQDN).</li>
+ <li><strong>E-mail Address</strong>: Provide your address so that you can be contacted in case of inquiry.</li>
+ <li><strong>Organization</strong>: use "freeDiameter testbed" for example.</li>
+ <li><strong>Certificate Password</strong>: Do not loose the password you provide, you'll need it in the next step. <br />
+ The password must be >= 8 chars.</li>
+ <li>The other fields can be filled at your taste.</li>
+ </ul>
+ Once you have validated, you can check the values, and then proceed to download the new certificate and private key.
+ You will receive a file in PEM format. Let's call this file <em>mycertprotected.pem</em>.
+ It contains:
+ <ul>
+ <li>Your password-protected RSA private key.</li>
+ <li>Your certificate in PEM format.</li>
+ <li>The CA certificate.</li>
+ </ul></td></tr>
+
+ <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
+ Split the file</td>
+
+ <td>In order to use the information with freeDiameter daemon, you must transform the data as follow:
+ <ul>
+ <li><strong>Decode the private key</strong>: <br />
+ <code>openssl rsa -in <em>mycertprotected.pem</em> -out /etc/ssl/private/freeDiameter.key</code><br />
+ OpenSSL will ask for the password you entered when creating the certificate.</li>
+ <li><strong>Extract your certificate</strong>: <br />
+ <code>openssl x509 -in <em>mycertprotected.pem</em> > /etc/ssl/certs/freeDiameter.pem</code></li>
+ <li><strong>Get the CA certificate</strong>: <br />
+ <code>wget --no-check-certificate "$config[base_url]index.php?stage=dl_root" -O /etc/ssl/certs/freeDiameter_testbed_CA.pem</code></li>
+ </ul>
+ Note: for the last step, you could also extract it directly from the PEM file you received.<br />
+ Note: the CRL is also available from the website, but this feature is not tested yet.</td></tr>
+
+ <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
+ Configure freeDiameter</td>
+
+ <td>Here is the configuration related to TLS that you should set in your <em>/etc/freeDiameter/freeDiameter.conf</em> file:
+ <blockquote>TLS_Cred = "/etc/ssl/certs/freeDiameter.pem", "/etc/ssl/private/freeDiameter.key";<br />
+TLS_CA = "/etc/ssl/certs/freeDiameter_testbed_CA.pem";</blockquote></td></tr>
+
+
+ </table>
+ </center>
+ <br /><br />
<?
printFooter();
}
diff -Nur phpki-0.82/ca/request_cert.php phpki-0.82-fD/ca/request_cert.php
--- phpki-0.82/ca/request_cert.php 2007-01-04 14:45:09.000000000 +0900
+++ phpki-0.82-fD/ca/request_cert.php 2010-05-27 16:59:16.000000000 +0900
@@ -197,6 +197,7 @@
switch($cert_type) {
case 'server':
+ case 'freediameter':
upload(array("$config[private_dir]/$serial-key.pem","$config[new_certs_dir]/$serial.pem",$config['cacert_pem']), "$common_name ($email).pem",'application/pkix-cert');
break;
case 'email':
@@ -225,7 +226,7 @@
if (! $email) $email = "";
if (! $expiry) $expiry = 1;
if (! $keysize) $keysize = 1024;
- if (! $cert_type) $cert_type = 'email';
+ if (! $cert_type) $cert_type = 'freediameter';
printHeader();
?>
@@ -302,13 +303,14 @@
<td>Certificate Use: </td>
<td><select name=cert_type>
<?
- print '<option value="email" '.($cert_type=='email'?'selected':'').'>E-mail, SSL Client</option>';
- print '<option value="email_signing" '.($cert_type=='email_signing'?'selected':'').'>E-mail, SSL Client, Code Signing</option>';
- print '<option value="server" '.($cert_type=='server'?'selected':'').'>SSL Server</option>';
- print '<option value="vpn_client" '.($cert_type=='vpn_client'?'selected':'').'>VPN Client Only</option>';
- print '<option value="vpn_server" '.($cert_type=='vpn_server'?'selected':'').'>VPN Server Only</option>';
- print '<option value="vpn_client_server" '.($cert_type=='vpn_client_server'?'selected':'').'>VPN Client, VPN Server</option>';
- print '<option value="time_stamping" '.($cert_type=='time_stamping'?'selected':'').'>Time Stamping</option>';
+ print '<option value="email" disabled '.($cert_type=='email'?'selected':'').'>E-mail, SSL Client</option>';
+ print '<option value="email_signing" disabled '.($cert_type=='email_signing'?'selected':'').'>E-mail, SSL Client, Code Signing</option>';
+ print '<option value="server" disabled '.($cert_type=='server'?'selected':'').'>SSL Server</option>';
+ print '<option value="freediameter" '.($cert_type=='freediameter'?'selected':'').'>freeDiameter node</option>';
+ print '<option value="vpn_client" disabled '.($cert_type=='vpn_client'?'selected':'').'>VPN Client Only</option>';
+ print '<option value="vpn_server" disabled '.($cert_type=='vpn_server'?'selected':'').'>VPN Server Only</option>';
+ print '<option value="vpn_client_server" disabled '.($cert_type=='vpn_client_server'?'selected':'').'>VPN Client, VPN Server</option>';
+ print '<option value="time_stamping" disabled '.($cert_type=='time_stamping'?'selected':'').'>Time Stamping</option>';
?>
</select></td>
</tr>
diff -Nur phpki-0.82/include/openssl_functions.php phpki-0.82-fD/include/openssl_functions.php
--- phpki-0.82/include/openssl_functions.php 2007-01-04 15:47:57.000000000 +0900
+++ phpki-0.82-fD/include/openssl_functions.php 2010-05-27 16:59:57.000000000 +0900
@@ -69,6 +69,13 @@
default_days = 365
policy = policy_supplied
+[ freediameter_cert ]
+x509_extensions = freediameter_ext
+default_days = 730
+policy = policy_supplied
+
+
+
[ vpn_cert ]
x509_extensions = vpn_client_server_ext
default_days = 365
@@ -152,6 +159,24 @@
nsRevocationUrl = ns_revoke_query.php?
nsCaPolicyUrl = $config[base_url]policy.html
+[ freediameter_ext ]
+basicConstraints = CA:false
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = critical, serverAuth, clientAuth
+nsCertType = critical, server, client
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always, issuer:always
+subjectAltName = DNS:$common_name,email:copy
+issuerAltName = issuer:copy
+crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl
+nsComment = \"PHPki/OpenSSL Generated Secure Certificate for freeDiameter\"
+nsBaseUrl = $config[base_url]
+nsRevocationUrl = ns_revoke_query.php?
+nsCaPolicyUrl = $config[base_url]policy.html
+
+
+
+
[ time_stamping_ext ]
basicConstraints = CA:false
keyUsage = critical, nonRepudiation, digitalSignature
diff -Nur phpki-0.82/openssl.cnf phpki-0.82-fD/openssl.cnf
--- phpki-0.82/openssl.cnf 2006-07-23 00:33:34.000000000 +0900
+++ phpki-0.82-fD/openssl.cnf 2010-05-27 17:00:33.000000000 +0900
@@ -39,6 +39,11 @@
default_days = 365
policy = policy_supplied
+[ freediameter_cert ]
+x509_extensions = freediameter_ext
+default_days = 730
+policy = policy_supplied
+
[ vpn_cert ]
x509_extensions = vpn_client_server_ext
default_days = 365
@@ -115,6 +120,23 @@
nsRevocationUrl = ns_revoke_query.php?
nsCaPolicyUrl = http://www.somewhere.com/phpki/policy.html
+[ freediameter_ext ]
+basicConstraints = CA:false
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = critical, serverAuth, clientAuth
+nsCertType = critical, server, client
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always, issuer:always
+subjectAltName = DNS:$common_name,email:copy
+issuerAltName = issuer:copy
+crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl
+nsComment = "PHPki/OpenSSL Generated Secure Certificate for freeDiameter"
+nsBaseUrl = $config[base_url]
+nsRevocationUrl = ns_revoke_query.php?
+nsCaPolicyUrl = $config[base_url]policy.html
+
+
+
[ vpn_client_ext ]
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature
diff -Nur phpki-0.82/setup.php phpki-0.82-fD/setup.php
--- phpki-0.82/setup.php 2007-07-22 23:34:08.000000000 +0900
+++ phpki-0.82-fD/setup.php 2010-05-27 17:01:41.000000000 +0900
@@ -339,6 +339,11 @@
default_days = 365
policy = policy_supplied
+[ freediameter_cert ]
+x509_extensions = freediameter_ext
+default_days = 730
+policy = policy_supplied
+
[ vpn_cert ]
x509_extensions = vpn_client_server_ext
default_days = 365
@@ -418,6 +423,22 @@
nsRevocationUrl = ns_revoke_query.php?
nsCaPolicyUrl = $config[base_url]policy.html
+[ freediameter_ext ]
+basicConstraints = CA:false
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = critical, serverAuth, clientAuth
+nsCertType = critical, server, client
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always, issuer:always
+subjectAltName = DNS:$common_name,email:copy
+issuerAltName = issuer:copy
+crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl
+nsComment = "PHPki/OpenSSL Generated Secure Certificate for freeDiameter"
+nsBaseUrl = $config[base_url]
+nsRevocationUrl = ns_revoke_query.php?
+nsCaPolicyUrl = $config[base_url]policy.html
+
+
[ time_stamping_ext ]
basicConstraints = CA:false
keyUsage = critical, nonRepudiation, digitalSignature
diff -Nur phpki-0.82/setup.php-presetup phpki-0.82-fD/setup.php-presetup
--- phpki-0.82/setup.php-presetup 2007-07-22 23:34:08.000000000 +0900
+++ phpki-0.82-fD/setup.php-presetup 2010-05-27 17:01:41.000000000 +0900
@@ -339,6 +339,11 @@
default_days = 365
policy = policy_supplied
+[ freediameter_cert ]
+x509_extensions = freediameter_ext
+default_days = 730
+policy = policy_supplied
+
[ vpn_cert ]
x509_extensions = vpn_client_server_ext
default_days = 365
@@ -418,6 +423,22 @@
nsRevocationUrl = ns_revoke_query.php?
nsCaPolicyUrl = $config[base_url]policy.html
+[ freediameter_ext ]
+basicConstraints = CA:false
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = critical, serverAuth, clientAuth
+nsCertType = critical, server, client
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always, issuer:always
+subjectAltName = DNS:$common_name,email:copy
+issuerAltName = issuer:copy
+crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl
+nsComment = "PHPki/OpenSSL Generated Secure Certificate for freeDiameter"
+nsBaseUrl = $config[base_url]
+nsRevocationUrl = ns_revoke_query.php?
+nsCaPolicyUrl = $config[base_url]policy.html
+
+
[ time_stamping_ext ]
basicConstraints = CA:false
keyUsage = critical, nonRepudiation, digitalSignature