| Brian Waters | 13d9601 | 2017-12-08 16:53:31 -0600 | [diff] [blame^] | 1 | diff -Nur phpki-0.82/ca/main.php phpki-0.82-fD/ca/main.php |
| 2 | --- phpki-0.82/ca/main.php 2005-11-17 10:17:20.000000000 +0900 |
| 3 | +++ phpki-0.82-fD/ca/main.php 2010-05-27 17:04:44.000000000 +0900 |
| 4 | @@ -36,7 +36,7 @@ |
| 5 | else { |
| 6 | ?> |
| 7 | <font color=#ff0000> |
| 8 | - <h2>There was an error updating the Certificate Revocation List.</h2></font><br> |
| 9 | + <h2>There was an error updating the Certificate Revocation List.</h2></font><br /> |
| 10 | <blockquote> |
| 11 | <h3>Debug Info:</h3> |
| 12 | <pre><?=$errtxt?></pre> |
| 13 | @@ -53,8 +53,11 @@ |
| 14 | default: |
| 15 | printHeader('ca'); |
| 16 | ?> |
| 17 | - <br> |
| 18 | - <br> |
| 19 | + <br /> |
| 20 | + <br /> |
| 21 | + |
| 22 | + <center><h3>For <span style="color: #FF0000;">freeDiameter</span> specific instructions, scroll down this page...</h3></center><br /> |
| 23 | + |
| 24 | <center> |
| 25 | <table class=menu width=600><th class=menu colspan=2><big>CERTIFICATE MANAGEMENT MENU</big></th> |
| 26 | |
| 27 | @@ -89,7 +92,57 @@ |
| 28 | |
| 29 | </table> |
| 30 | </center> |
| 31 | - <br><br> |
| 32 | + <br /><br /> |
| 33 | + <center> |
| 34 | + <table class=menu width=900><th class=menu colspan=2><big>FREEDIAMETER INSTRUCTIONS</big></th> |
| 35 | + <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;"> |
| 36 | + Create a new certificate</td> |
| 37 | + |
| 38 | + <td>Use the <strong><cite>Create a New Certificate</cite></strong> link in previous table to request a new certificate. Fill the form as follow: |
| 39 | + <ul> |
| 40 | + <li><strong>Common Name</strong>: use your new freeDiameter identity (usually the FQDN).</li> |
| 41 | + <li><strong>E-mail Address</strong>: Provide your address so that you can be contacted in case of inquiry.</li> |
| 42 | + <li><strong>Organization</strong>: use "freeDiameter testbed" for example.</li> |
| 43 | + <li><strong>Certificate Password</strong>: Do not loose the password you provide, you'll need it in the next step. <br /> |
| 44 | + The password must be >= 8 chars.</li> |
| 45 | + <li>The other fields can be filled at your taste.</li> |
| 46 | + </ul> |
| 47 | + Once you have validated, you can check the values, and then proceed to download the new certificate and private key. |
| 48 | + You will receive a file in PEM format. Let's call this file <em>mycertprotected.pem</em>. |
| 49 | + It contains: |
| 50 | + <ul> |
| 51 | + <li>Your password-protected RSA private key.</li> |
| 52 | + <li>Your certificate in PEM format.</li> |
| 53 | + <li>The CA certificate.</li> |
| 54 | + </ul></td></tr> |
| 55 | + |
| 56 | + <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;"> |
| 57 | + Split the file</td> |
| 58 | + |
| 59 | + <td>In order to use the information with freeDiameter daemon, you must transform the data as follow: |
| 60 | + <ul> |
| 61 | + <li><strong>Decode the private key</strong>: <br /> |
| 62 | + <code>openssl rsa -in <em>mycertprotected.pem</em> -out /etc/ssl/private/freeDiameter.key</code><br /> |
| 63 | + OpenSSL will ask for the password you entered when creating the certificate.</li> |
| 64 | + <li><strong>Extract your certificate</strong>: <br /> |
| 65 | + <code>openssl x509 -in <em>mycertprotected.pem</em> > /etc/ssl/certs/freeDiameter.pem</code></li> |
| 66 | + <li><strong>Get the CA certificate</strong>: <br /> |
| 67 | + <code>wget --no-check-certificate "$config[base_url]index.php?stage=dl_root" -O /etc/ssl/certs/freeDiameter_testbed_CA.pem</code></li> |
| 68 | + </ul> |
| 69 | + Note: for the last step, you could also extract it directly from the PEM file you received.<br /> |
| 70 | + Note: the CRL is also available from the website, but this feature is not tested yet.</td></tr> |
| 71 | + |
| 72 | + <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;"> |
| 73 | + Configure freeDiameter</td> |
| 74 | + |
| 75 | + <td>Here is the configuration related to TLS that you should set in your <em>/etc/freeDiameter/freeDiameter.conf</em> file: |
| 76 | + <blockquote>TLS_Cred = "/etc/ssl/certs/freeDiameter.pem", "/etc/ssl/private/freeDiameter.key";<br /> |
| 77 | +TLS_CA = "/etc/ssl/certs/freeDiameter_testbed_CA.pem";</blockquote></td></tr> |
| 78 | + |
| 79 | + |
| 80 | + </table> |
| 81 | + </center> |
| 82 | + <br /><br /> |
| 83 | <? |
| 84 | printFooter(); |
| 85 | } |
| 86 | diff -Nur phpki-0.82/ca/request_cert.php phpki-0.82-fD/ca/request_cert.php |
| 87 | --- phpki-0.82/ca/request_cert.php 2007-01-04 14:45:09.000000000 +0900 |
| 88 | +++ phpki-0.82-fD/ca/request_cert.php 2010-05-27 16:59:16.000000000 +0900 |
| 89 | @@ -197,6 +197,7 @@ |
| 90 | |
| 91 | switch($cert_type) { |
| 92 | case 'server': |
| 93 | + case 'freediameter': |
| 94 | upload(array("$config[private_dir]/$serial-key.pem","$config[new_certs_dir]/$serial.pem",$config['cacert_pem']), "$common_name ($email).pem",'application/pkix-cert'); |
| 95 | break; |
| 96 | case 'email': |
| 97 | @@ -225,7 +226,7 @@ |
| 98 | if (! $email) $email = ""; |
| 99 | if (! $expiry) $expiry = 1; |
| 100 | if (! $keysize) $keysize = 1024; |
| 101 | - if (! $cert_type) $cert_type = 'email'; |
| 102 | + if (! $cert_type) $cert_type = 'freediameter'; |
| 103 | |
| 104 | printHeader(); |
| 105 | ?> |
| 106 | @@ -302,13 +303,14 @@ |
| 107 | <td>Certificate Use: </td> |
| 108 | <td><select name=cert_type> |
| 109 | <? |
| 110 | - print '<option value="email" '.($cert_type=='email'?'selected':'').'>E-mail, SSL Client</option>'; |
| 111 | - print '<option value="email_signing" '.($cert_type=='email_signing'?'selected':'').'>E-mail, SSL Client, Code Signing</option>'; |
| 112 | - print '<option value="server" '.($cert_type=='server'?'selected':'').'>SSL Server</option>'; |
| 113 | - print '<option value="vpn_client" '.($cert_type=='vpn_client'?'selected':'').'>VPN Client Only</option>'; |
| 114 | - print '<option value="vpn_server" '.($cert_type=='vpn_server'?'selected':'').'>VPN Server Only</option>'; |
| 115 | - print '<option value="vpn_client_server" '.($cert_type=='vpn_client_server'?'selected':'').'>VPN Client, VPN Server</option>'; |
| 116 | - print '<option value="time_stamping" '.($cert_type=='time_stamping'?'selected':'').'>Time Stamping</option>'; |
| 117 | + print '<option value="email" disabled '.($cert_type=='email'?'selected':'').'>E-mail, SSL Client</option>'; |
| 118 | + print '<option value="email_signing" disabled '.($cert_type=='email_signing'?'selected':'').'>E-mail, SSL Client, Code Signing</option>'; |
| 119 | + print '<option value="server" disabled '.($cert_type=='server'?'selected':'').'>SSL Server</option>'; |
| 120 | + print '<option value="freediameter" '.($cert_type=='freediameter'?'selected':'').'>freeDiameter node</option>'; |
| 121 | + print '<option value="vpn_client" disabled '.($cert_type=='vpn_client'?'selected':'').'>VPN Client Only</option>'; |
| 122 | + print '<option value="vpn_server" disabled '.($cert_type=='vpn_server'?'selected':'').'>VPN Server Only</option>'; |
| 123 | + print '<option value="vpn_client_server" disabled '.($cert_type=='vpn_client_server'?'selected':'').'>VPN Client, VPN Server</option>'; |
| 124 | + print '<option value="time_stamping" disabled '.($cert_type=='time_stamping'?'selected':'').'>Time Stamping</option>'; |
| 125 | ?> |
| 126 | </select></td> |
| 127 | </tr> |
| 128 | diff -Nur phpki-0.82/include/openssl_functions.php phpki-0.82-fD/include/openssl_functions.php |
| 129 | --- phpki-0.82/include/openssl_functions.php 2007-01-04 15:47:57.000000000 +0900 |
| 130 | +++ phpki-0.82-fD/include/openssl_functions.php 2010-05-27 16:59:57.000000000 +0900 |
| 131 | @@ -69,6 +69,13 @@ |
| 132 | default_days = 365 |
| 133 | policy = policy_supplied |
| 134 | |
| 135 | +[ freediameter_cert ] |
| 136 | +x509_extensions = freediameter_ext |
| 137 | +default_days = 730 |
| 138 | +policy = policy_supplied |
| 139 | + |
| 140 | + |
| 141 | + |
| 142 | [ vpn_cert ] |
| 143 | x509_extensions = vpn_client_server_ext |
| 144 | default_days = 365 |
| 145 | @@ -152,6 +159,24 @@ |
| 146 | nsRevocationUrl = ns_revoke_query.php? |
| 147 | nsCaPolicyUrl = $config[base_url]policy.html |
| 148 | |
| 149 | +[ freediameter_ext ] |
| 150 | +basicConstraints = CA:false |
| 151 | +keyUsage = critical, digitalSignature, keyEncipherment |
| 152 | +extendedKeyUsage = critical, serverAuth, clientAuth |
| 153 | +nsCertType = critical, server, client |
| 154 | +subjectKeyIdentifier = hash |
| 155 | +authorityKeyIdentifier = keyid:always, issuer:always |
| 156 | +subjectAltName = DNS:$common_name,email:copy |
| 157 | +issuerAltName = issuer:copy |
| 158 | +crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl |
| 159 | +nsComment = \"PHPki/OpenSSL Generated Secure Certificate for freeDiameter\" |
| 160 | +nsBaseUrl = $config[base_url] |
| 161 | +nsRevocationUrl = ns_revoke_query.php? |
| 162 | +nsCaPolicyUrl = $config[base_url]policy.html |
| 163 | + |
| 164 | + |
| 165 | + |
| 166 | + |
| 167 | [ time_stamping_ext ] |
| 168 | basicConstraints = CA:false |
| 169 | keyUsage = critical, nonRepudiation, digitalSignature |
| 170 | diff -Nur phpki-0.82/openssl.cnf phpki-0.82-fD/openssl.cnf |
| 171 | --- phpki-0.82/openssl.cnf 2006-07-23 00:33:34.000000000 +0900 |
| 172 | +++ phpki-0.82-fD/openssl.cnf 2010-05-27 17:00:33.000000000 +0900 |
| 173 | @@ -39,6 +39,11 @@ |
| 174 | default_days = 365 |
| 175 | policy = policy_supplied |
| 176 | |
| 177 | +[ freediameter_cert ] |
| 178 | +x509_extensions = freediameter_ext |
| 179 | +default_days = 730 |
| 180 | +policy = policy_supplied |
| 181 | + |
| 182 | [ vpn_cert ] |
| 183 | x509_extensions = vpn_client_server_ext |
| 184 | default_days = 365 |
| 185 | @@ -115,6 +120,23 @@ |
| 186 | nsRevocationUrl = ns_revoke_query.php? |
| 187 | nsCaPolicyUrl = http://www.somewhere.com/phpki/policy.html |
| 188 | |
| 189 | +[ freediameter_ext ] |
| 190 | +basicConstraints = CA:false |
| 191 | +keyUsage = critical, digitalSignature, keyEncipherment |
| 192 | +extendedKeyUsage = critical, serverAuth, clientAuth |
| 193 | +nsCertType = critical, server, client |
| 194 | +subjectKeyIdentifier = hash |
| 195 | +authorityKeyIdentifier = keyid:always, issuer:always |
| 196 | +subjectAltName = DNS:$common_name,email:copy |
| 197 | +issuerAltName = issuer:copy |
| 198 | +crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl |
| 199 | +nsComment = "PHPki/OpenSSL Generated Secure Certificate for freeDiameter" |
| 200 | +nsBaseUrl = $config[base_url] |
| 201 | +nsRevocationUrl = ns_revoke_query.php? |
| 202 | +nsCaPolicyUrl = $config[base_url]policy.html |
| 203 | + |
| 204 | + |
| 205 | + |
| 206 | [ vpn_client_ext ] |
| 207 | basicConstraints = critical, CA:false |
| 208 | keyUsage = critical, digitalSignature |
| 209 | diff -Nur phpki-0.82/setup.php phpki-0.82-fD/setup.php |
| 210 | --- phpki-0.82/setup.php 2007-07-22 23:34:08.000000000 +0900 |
| 211 | +++ phpki-0.82-fD/setup.php 2010-05-27 17:01:41.000000000 +0900 |
| 212 | @@ -339,6 +339,11 @@ |
| 213 | default_days = 365 |
| 214 | policy = policy_supplied |
| 215 | |
| 216 | +[ freediameter_cert ] |
| 217 | +x509_extensions = freediameter_ext |
| 218 | +default_days = 730 |
| 219 | +policy = policy_supplied |
| 220 | + |
| 221 | [ vpn_cert ] |
| 222 | x509_extensions = vpn_client_server_ext |
| 223 | default_days = 365 |
| 224 | @@ -418,6 +423,22 @@ |
| 225 | nsRevocationUrl = ns_revoke_query.php? |
| 226 | nsCaPolicyUrl = $config[base_url]policy.html |
| 227 | |
| 228 | +[ freediameter_ext ] |
| 229 | +basicConstraints = CA:false |
| 230 | +keyUsage = critical, digitalSignature, keyEncipherment |
| 231 | +extendedKeyUsage = critical, serverAuth, clientAuth |
| 232 | +nsCertType = critical, server, client |
| 233 | +subjectKeyIdentifier = hash |
| 234 | +authorityKeyIdentifier = keyid:always, issuer:always |
| 235 | +subjectAltName = DNS:$common_name,email:copy |
| 236 | +issuerAltName = issuer:copy |
| 237 | +crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl |
| 238 | +nsComment = "PHPki/OpenSSL Generated Secure Certificate for freeDiameter" |
| 239 | +nsBaseUrl = $config[base_url] |
| 240 | +nsRevocationUrl = ns_revoke_query.php? |
| 241 | +nsCaPolicyUrl = $config[base_url]policy.html |
| 242 | + |
| 243 | + |
| 244 | [ time_stamping_ext ] |
| 245 | basicConstraints = CA:false |
| 246 | keyUsage = critical, nonRepudiation, digitalSignature |
| 247 | diff -Nur phpki-0.82/setup.php-presetup phpki-0.82-fD/setup.php-presetup |
| 248 | --- phpki-0.82/setup.php-presetup 2007-07-22 23:34:08.000000000 +0900 |
| 249 | +++ phpki-0.82-fD/setup.php-presetup 2010-05-27 17:01:41.000000000 +0900 |
| 250 | @@ -339,6 +339,11 @@ |
| 251 | default_days = 365 |
| 252 | policy = policy_supplied |
| 253 | |
| 254 | +[ freediameter_cert ] |
| 255 | +x509_extensions = freediameter_ext |
| 256 | +default_days = 730 |
| 257 | +policy = policy_supplied |
| 258 | + |
| 259 | [ vpn_cert ] |
| 260 | x509_extensions = vpn_client_server_ext |
| 261 | default_days = 365 |
| 262 | @@ -418,6 +423,22 @@ |
| 263 | nsRevocationUrl = ns_revoke_query.php? |
| 264 | nsCaPolicyUrl = $config[base_url]policy.html |
| 265 | |
| 266 | +[ freediameter_ext ] |
| 267 | +basicConstraints = CA:false |
| 268 | +keyUsage = critical, digitalSignature, keyEncipherment |
| 269 | +extendedKeyUsage = critical, serverAuth, clientAuth |
| 270 | +nsCertType = critical, server, client |
| 271 | +subjectKeyIdentifier = hash |
| 272 | +authorityKeyIdentifier = keyid:always, issuer:always |
| 273 | +subjectAltName = DNS:$common_name,email:copy |
| 274 | +issuerAltName = issuer:copy |
| 275 | +crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl |
| 276 | +nsComment = "PHPki/OpenSSL Generated Secure Certificate for freeDiameter" |
| 277 | +nsBaseUrl = $config[base_url] |
| 278 | +nsRevocationUrl = ns_revoke_query.php? |
| 279 | +nsCaPolicyUrl = $config[base_url]policy.html |
| 280 | + |
| 281 | + |
| 282 | [ time_stamping_ext ] |
| 283 | basicConstraints = CA:false |
| 284 | keyUsage = critical, nonRepudiation, digitalSignature |