diff -ruN phpki-ng.old/phpki-ng-0.84/about.php phpki-ng/phpki-ng-0.84/about.php
--- phpki-ng.old/phpki-ng-0.84/about.php 2020-04-02 14:22:47.000000000 +0200
+++ phpki-ng/phpki-ng-0.84/about.php 2021-03-07 19:33:03.019322943 +0100
@@ -1,31 +1,32 @@
+
PHPki is an Open Source
Web application for managing a help/glossary.html#PKI target=help/glossary>
Public Key Infrastructure within a small organizations. PHPki acts as a
mechanism for the centralized creation and management of digital certificates.
PHPki is capable of managing certificates for multiple organizations or user
-accounts.
+accounts.
PHPki requires the Apache Web Server, the PHP Scripting Language, and
OpenSSL, all of which are included with any major
Linux Operating System
distribution .
+
This software may be freely redistributed under the terms of the
GNU Public
License provided this page and all copyright notices remain completely intact.
+
+
Copyright: 2003, William E. Roadcap
+
Contents of '.htvar($config['passwd_file']).' file: ';
readfile($config['passwd_file'])
- ?>
-
-
-
-
-
- Missing or invalid password or password and password verification do not match.
-
- ';
- system("htpasswd -bm $pwdfile $login $passwd 2>&1")
- ?>
-
-
-
-
-
- ';
- system("htpasswd -D $pwdfile $login 2>&1")
- ?>
-
-
-
-
-
-
- Missing or invalid password or password and password verification do not match.
+
+ ';
+ system("htpasswd -bm $pwdfile $login $passwd 2>&1")
+ ?>
+
+
+
+
+
+ ';
+ system("htpasswd -D $pwdfile $login 2>&1")
+ ?>
+
+
+
+
+
+
+
-
+
Certificate Revocation List Updated
- There was an error updating the Certificate Revocation List.
- Debug Info:
-
-
-
- OpenVPN pre-shared Key OpenVPN Diffie-Helman parameters Root certificate file (PEM Encoded)
-
-
- Certificate Revocation List Updated
+ There was an error updating the Certificate Revocation List.
+ Debug Info:
+
+
+
+ OpenVPN pre-shared Key OpenVPN Diffie-Helman parameters Root certificate file (PEM Encoded)
+
+
+
YOU ARE A VERY BAD BOY! Certificate Details (#) REVOKED '.$revoke_date.' '.CA_cert_text($serial).' ';
- break;
-
-case 'dl-confirm':
- printHeader('ca');
-
- $rec = CAdb_get_entry($serial);
-
- ?>
- You are about to download the PRIVATE certificate key for
- DO NOT DISTRIBUTE THIS FILE TO THE PUBLIC!
YOU ARE A VERY BAD BOY! Certificate Details (#) REVOKED '.$revoke_date.' '.CA_cert_text($serial).' ';
+ break;
- $rec = CAdb_get_entry($serial);
+ case 'dl-confirm':
+ printHeader('ca');
+
+ $rec = CAdb_get_entry($serial);
+
+ ?>
+ You are about to download the PRIVATE certificate key for
+ DO NOT DISTRIBUTE THIS FILE TO THE PUBLIC! You are about to REVOKE the following certificate:
-
-
-
+ break;
+
+ case 'download':
+ if (strstr($submit, "Back")) {
+ $dl_type = '';
+ }
+
+ $rec = CAdb_get_entry($serial);
+
+ switch ($dl_type) {
+ case 'PKCS#12':
+ upload($config['pfx_dir'] . "/$serial.pfx", "$rec[common_name].p12", 'application/x-pkcs12');
+ break;
+ case 'PEMCERT':
+ upload($config['new_certs_dir'] . "/$serial.pem", "$rec[common_name]-cert.pem", 'application/pkix-cert');
+ break;
+ case 'PEMKEY':
+ upload($config['private_dir'] . "/$serial-key.pem", "$rec[common_name]-key.pem", 'application/octet-stream');
+ break;
+ case 'PEMBUNDLE':
+ upload(array($config['private_dir'] . "/$serial-key.pem",$config['new_certs_dir'] . "/$serial.pem"), $rec['common_name'] . "-Bundle.pem", 'application/octet-stream');
+ break;
+ case 'PEMCABUNDLE':
+ upload(array($config['private_dir'] . "/$serial-key.pem",$config['new_certs_dir'] . "/$serial.pem", $config['cacert_pem']), $rec['common_name'] . "-CABundle.pem", 'application/octet-stream');
+ break;
+ default:
+ header("Location: ${PHP_SELF}?$qstr_sort&$qstr_filter");
+ }
+ break;
+
+ case 'revoke-form':
+ $rec = CAdb_get_entry($serial);
+
+ printHeader('ca');
+
+ ?>
+
You are about to REVOKE the following certificate:
+
+
+
Serial Number
-
-
- '.htvar($rec[serial]).'
- Are you sure?
- ';
-
- break;
-
-case 'revoke':
- $ret = true;
- if ($submit == 'Yes')
- list($ret, $errtxt) = CA_revoke_cert($serial);
-
- if (! $ret) {
- printHeader('ca');
-
- print "
-
-
-
-
-
- ";
- ?>
-
- There was an error creating your certificate.
-
- Debug Info:
-
-
-
-
-
-
-
- CERTIFICATE MANAGEMENT CONTROL PANEL
-
+ Are you sure?
+ ';
+
+ break;
+
+ case 'revoke':
+ $ret = true;
+ if ($submit == 'Yes') {
+ list($ret, $errtxt) = CA_revoke_cert($serial);
+ }
+
+ if (! $ret) {
+ printHeader('ca');
+
+ print "
+
+
+
+
+
+ ";
+ ?>
+
+ There was an error creating your certificate.
+
+ Debug Info:
+
+
+
+
+
+
+
+
+ CERTIFICATE MANAGEMENT CONTROL PANEL
+
- '.$head.' '.
- ' ';
- }
-
- print 'Actions
- ' .$rec[status].' '.$rec['issued'].'
- '.$rec['expires'].'
- '.$rec['common_name'].'
- ' . htvar($rec['email']) . ' '.htvar($rec['organization']).'
- '.htvar($rec['unit']).'
- '.htvar($rec['locality']).'
- '.
- ' ';
-
- if ($rec['status'] == 'Valid') {
- print '
- '.
- '
- '.
- ' ';
- }
- print '
- '.
- '
- ';
- }
+
+
+
+ ';
+
+ $headings = array(
+ 'status'=>"Status", 'issued'=>"Issued", 'expires'=>"Expires",
+ 'common_name'=>"User's Name", 'email'=>"E-mail",
+ 'organization'=>"Organization", 'unit'=>"Department",
+ 'locality'=>"Locality"
+ );
+
+ foreach ($headings as $field => $head) {
+ print ''.$head.' '.
+ ' ';
+ }
+
+ print 'Actions
+ ' . $rec['status'] . ' '.$rec['issued'].'
+ '.$rec['expires'].'
+ ' . $rec['common_name'] . '
+ ' . htvar($rec['email']) . ' ' . htvar($rec['organization']) . '
+ ' . htvar($rec['unit']) . '
+ ' . htvar($rec['locality']) . '
+ '.
+ ' ';
+
+ if ($rec['status'] == 'Valid') {
+ print '
+ ' .
+ '
+ ' .
+ ' ';
+ }
+ print '
+ ' .
+ '
+ ';
+ }
- print '
';
+ print '
';
- printFooter();
+ printFooter();
}
?>
diff -ruN phpki-ng.old/phpki-ng-0.84/ca/policy.html phpki-ng/phpki-ng-0.84/ca/policy.html
--- phpki-ng.old/phpki-ng-0.84/ca/policy.html 2020-04-02 14:22:47.000000000 +0200
+++ phpki-ng/phpki-ng-0.84/ca/policy.html 2021-03-07 19:33:03.072323731 +0100
@@ -1,78 +1,34 @@
-
-
-
-Certificate Authority Agreement
-
-
-
-
-Certificate Authority Agreement
-Policy and Practices
-
-This is a statement of practices by this Digital Certificate Authority.
-Your use of this Certificate Authority constitutes your and/or your agency's
-understanding and full acceptance of these practices and all associated risks.
-Please have an authorized person at your agency sign this document and fax it to 000-000-0000
-
-
This document may not be all encompassing, and we reserve the right to modify it at any time.
-
-
- The sole role of this Certificate Authority is
-to provide and maintain a password protected software application for the easy
-and instant creation and management of standard x.509 personal digital
-certificates for e-mail encryption. We assume no responsibility for
-verifying the identity of any persons other than that of the limited number of
-authorized users of the software.
-We accept no liability for damages resulting from the use, misuse,
-or compromise of the software application or its host server.
-
-
As an authorized user of the software, you are in effect THE Certificate Authority for your
-agency. As such, you are solely
-responsible for authenticating the identity of the persons for whom you obtain
-certificates. We accept no
-responsibility or liability for non-repudiation in any digital certificate
-created by this software. You agree that
-password protection to the application by authorized certificate managers,
-and personal identity management by
-those managers is sufficient to create a chain of trust for non-repudiation
-in all digital certificates created using the software.
-
-
No more than two(2)
-users at your agency should have access to your agency's Certificate Authority
-password. We should be notified
-immediately, via e-mail, when the employment of any
-authorized user at your agency is terminated so that a new password can be
-issued.
-
-
This Certificate
-Authority software application is accessed via the Internet using standard SSL
-or Secure Server encryption mechanisms.
-Although steps have been taken to protect the security and availability
-of the host server and application, its exposure to the Internet as well as any
-presently unknown security flaws could lead to potential compromise of the
-software and your certificates.
-
-
No promise is made as
-to the availability of the software in the event of hardware, software, or
-telecommunications failure or maintenance.
-No advanced notice will be given when the software must be temporarily
-taken off line for service.
-
-
In order to provide
-software which can easily create "instant" certificates it is
-necessary to store all private keys on the host server. As such, all private keys are potentially exposed
-to the Internet and suffer some risk of unauthorized access. However, since all private keys ARE
-ENCRYPTED using a password provided by you, they are unlikely to be usable by
-any intruder.
-
-
A publicly accessible
-web page is provided for interested Internet users to download the Certificate
-Authority root certificate, certificate revocation list, and search for the
-e-mail addresses and public certificates of users. So as to avoid e-mail address scraping by spammers, no static
-content with users' e-mail addresses is available.
-
-
-
-
-
+
+
+
+
+ Certificate Authority Agreement
+
+
+
+ Certificate Authority Agreement
+
+ Policy and Practices This is a statement of practices by this Digital Certificate Authority. Your use of this Certificate Authority constitutes your and/or your agency's understanding and full acceptance of these practices and all associated risks. Please have an authorized person at your agency sign this document and fax it to 000-000-0000
+
+ This document may not be all encompassing, and we reserve the right to modify it at any time.
+
+
+ The sole role of this Certificate Authority is to provide and maintain a password protected software application for the easy and instant creation and management of standard x.509 personal digital certificates for e-mail encryption. We assume no responsibility for verifying the identity of any persons other than that of the limited number of authorized users of the software. We accept no liability for damages resulting from the use, misuse, or compromise of the software application or its host server.
+
+ As an authorized user of the software, you are in effect THE Certificate Authority for your agency. As such, you are solely responsible for authenticating the identity of the persons for whom you obtain certificates. We accept no responsibility or liability for non-repudiation in any digital certificate created by this software. You agree that password protection to the application by authorized certificate managers, and personal identity management by those managers is sufficient to create a chain of trust for non-repudiation in all digital certificates created using the software.
+
+ No more than two(2) users at your agency should have access to your agency's Certificate Authority password. We should be notified immediately, via e-mail, when the employment of any authorized user at your agency is terminated so that a new password can be issued.
+
+ This Certificate Authority software application is accessed via the Internet using standard SSL or Secure Server encryption mechanisms. Although steps have been taken to protect the security and availability of the host server and application, its exposure to the Internet as well as any presently unknown security flaws could lead to potential compromise of the software and your certificates.
+
+ No promise is made as to the availability of the software in the event of hardware, software, or telecommunications failure or maintenance. No advanced notice will be given when the software must be temporarily taken off line for service.
+
+ In order to provide software which can easily create "instant" certificates it is necessary to store all private keys on the host server. As such, all private keys are potentially exposed to the Internet and suffer some risk of unauthorized access. However, since all private keys ARE ENCRYPTED using a password provided by you, they are unlikely to be usable by any intruder.
+
+ A publicly accessible web page is provided for interested Internet users to download the Certificate Authority root certificate, certificate revocation list, and search for the e-mail addresses and public certificates of users. So as to avoid e-mail address scraping by spammers, no static content with users' e-mail addresses is available.
+
+
+
diff -ruN phpki-ng.old/phpki-ng-0.84/ca/request_cert.php phpki-ng/phpki-ng-0.84/ca/request_cert.php
--- phpki-ng.old/phpki-ng-0.84/ca/request_cert.php 2020-04-02 14:22:47.000000000 +0200
+++ phpki-ng/phpki-ng-0.84/ca/request_cert.php 2021-03-07 19:33:03.072323731 +0100
@@ -7,7 +7,7 @@
include('../include/openssl_functions.php') ;
# User's preferences file
-$user_cnf = "$config[home_dir]/config/user-".strtr($PHPki_user,'/\\','|#').'.php';
+$user_cnf = $config['home_dir'] . "/config/user-".strtr($PHPki_user, '/\\', '|#').'.php';
# Retrieve GET/POST values
$form_stage = gpvar('form_stage');
@@ -48,355 +48,398 @@
switch ($form_stage) {
+ case 'validate':
+ $er = '';
-case 'validate':
- $er = '';
-
- if (! $country) $er .= 'Missing CountryERROR(S) IN FORM: ' . $er . ' A valid certificate already exists for ' . htvar("$common_name <$email>") . ' ';
- $er .= ' ' . htvar($certtext) . ' ERROR(S) IN FORM: ' . $er . ' A valid certificate already exists for ' . htvar("$common_name <$email>") . ' ';
+ $er .= ' ' . htvar($certtext) . ' Root Certificate Installation for Outlook & Outlook Express
-Root Certificate Installation for Outlook & Outlook Express
+ Root Certificate Installation for Outlook & Outlook Express
-A Step-by-Step Guide
-
Open the folder which holds the certificates you have downloaded.Install Certificate from the context menu.
-
Click the Next button in the Certificate Wizard
-welcome window.
-
Click the Next button in the Select a Certificate Store window.
-
Click the Finish button in the Complete the Certificate.. window.
-
You may be asked to confirm the root certificate installation. Click the Yes button if a window like this appears.
-
Windows confirms the root certificate was successfully imported.install your personal e-mail certificate .
+
+ Root Certificate Installation for Outlook & Outlook Express
+
+ A Step-by-Step Guide
+
+
+ Open the folder which holds the certificates you have downloaded.Install Certificate from the context menu.
+
+
+
+ Click the Next button in the Certificate Wizard welcome window.
+
+
+
+ Click the Next button in the Select a Certificate Store window.
+
+
+
+ Click the Finish button in the Complete the Certificate.. window.
+
+
+
+ You may be asked to confirm the root certificate installation. Click the Yes button if a window like this appears.
+
+
-
+ Windows confirms the root certificate was successfully imported.install your personal e-mail certificate .
diff -ruN phpki-ng.old/phpki-ng-0.84/help/glossary.html phpki-ng/phpki-ng-0.84/help/glossary.html
--- phpki-ng.old/phpki-ng-0.84/help/glossary.html 2020-04-02 14:22:47.000000000 +0200
+++ phpki-ng/phpki-ng-0.84/help/glossary.html 2021-03-07 19:33:03.075323772 +0100
@@ -1,144 +1,169 @@
+
+
-PHPki Glossary
-PHPki Glossary
+
-
-PUBLIC KEY INFRASTRUCTURE
-PKI stands for Public Key Infrastructure . PKI is IT infrastructure that enables users of a basically unsecure public network (such as the Internet) to securely and privately exchange data through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority.
-
-PKI is not only software or hardware. It is an infrastructure. So, PKI is a combination of products, services, facilities, policies, procedures, agreements, and people. All of these elements work together to provide for secure interactions on the Internet and other open networks. PKI is not a single monolithic entity, but a distributed system. The component elements may include multiple organization-specific public key infrastructures that are interoperable and interconnected.
-
-
-
-
-DIGITAL CERTIFICATE
-
-An attachment to an electronic message used for security purposes. The most common use of a digital certificate is to verify that a user sending a message is who he or she claims to be, and to provide the receiver with the means to encode a reply.
-
-
An individual wishing to send an encrypted message applies for a digital certificate from a Certificate Authority (CA) . The CA issues an encrypted digital certificate containing the applicant's public key and a variety of other identification information. The CA makes its own public key readily available through print publicity or perhaps on the Internet.
-
-
The recipient of an encrypted message uses the CA's public key to decode the digital certificate attached to the message, verifies it as issued by the CA and then obtains the sender's public key and identification information held within the certificate. With this information, the recipient can send an encrypted reply.
-
-
The most widely used standard for digital certificates is X.509.
-
-
-
-
-CERTIFICATE AUTHORITY
-A trusted third-party organization or company that issues digital certificates used to create digital signatures and public-private key pairs . The role of the CA in this process is to guarantee that the individual granted the unique certificate is, in fact, who he or she claims to be. Usually, this means that the CA has an arrangement with a financial institution, such as a credit card company, which provides it with information to confirm an individual's claimed identity. CAs are a critical component in data security and electronic commerce because they guarantee that the two parties exchanging information are really who they claim to be.
-
-
-
-
-PUBLIC KEY ENCRYPTION
-A cryptographic system that uses two keys -- a public key known to everyone and a private or secret key known only to the recipient of the message. When John wants to send a secure message to Jane, he uses Jane's public key to encrypt the message. Jane then uses her private key to decrypt it.
-
-An important element to the public key system is that the public and private keys are related in such a way that only the public key can be used to encrypt messages and only the corresponding private key can be used to decrypt them. Moreover, it is virtually impossible to deduce the private key if you know the public key.
-
-
-
-
-S/MIME
-S/MIME (Secure Multi-Purpose Internet Mail Extensions) is a secure method of sending e-mail that uses the RSA encryption system. S/MIME is included in the latest versions of the Web browsers from Microsoft and Netscape and has also been endorsed by other vendors that make messaging products. RSA has proposed S/MIME as a standard to the Internet Engineering Task Force (IETF).
-
-
-
-
-RSA
-RSA is an Internet encryption and authentication system that uses an algorithm developed in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman. The RSA algorithm is the most commonly used encryption and authentication algorithm and is included as part of the Web browsers from Microsoft and Netscape. It's also part of Lotus Notes, Intuit's Quicken, and many other products. The encryption system was owned by RSA Security, but a recent patent expiration placed it into the public domain. The technologies are part of existing or proposed Web, Internet, and computing standards.
-
-
-
-
-ROOT CERTIFICATE
-A root certificate is like a MASTER
-digital certificate .
-You must install a certificate authority's root certificate
-before you can trust other certificates issued by that same certificate
-authority. Root certificates are used to "sign" other certificates.
-A signature by a root certificate is somewhat analogous to "notarizing" a
-document in the physical world. When you install a root certificate on your
-computer, you are saying you "trust" that certification authority and all
-certificates it signs.
-
-
-
-
-DIGITAL SIGNATURE
-A digital code that can be attached to an electronically transmitted message
-that uniquely identifies the sender. Like a written signature, the purpose of
-a digital signature is to guarantee that the individual sending the message
-really is who he or she claims to be. Digital certificates inherently provide
-digital signature capability to most S/MIME enable e-mail clients. Digitally
-signing an e-mail usually provides the recipient the with the sender's public
-key, so the recipient may then send encrypted e-mail back to the sender.
-
-
-
-
-X.509
-The most widely used standard for defining digital certificates. X.509 is
-actually an ITU Recommendation, which means that has not yet been officially
-defined or approved. As a result, companies have implemented the standard in
-different ways. For example, both Netscape and Microsoft use X.509 certificates
-to implement SSL in their web servers and browsers. But an X.509 certificate
-generated by Netscape may not be readable by Microsoft products, and vice
-versa.
-
-
-
-
-PEM
-PEM is a widely used standard for storing digital certificates.
-A PEM encoded file can contain all of private keys, public keys, and
-(x.509) certificates. It is the default format for OpenSSL.
-It stores data in Base64 encoded format, surrounded by ascii headers, so it is
-suitable for text mode transfers between systems. PEM files usually end with
-a .PEM extension.
-
-
-
-
-DER
-DER is a widely used standard for storing digital certificates. A DER encoded
-file can contain all of private keys, public keys, and (x.509)
-certificates. DER is a binary encoded headerless format. DER files usually
-end with a .CRT or .CER extension.
-
-
-
-
-PKCS #12
-PKCS #12 (a.k.a. Personal Information Exchange Standard) is a standard for storing private keys and certificates securely (well sort of). It is used in (among other things) Netscape and Microsoft Internet Explorer with their import and export options. PKCS12 files usually end with a .PFX extension.
-
+
+
+
+
+ PUBLIC KEY INFRASTRUCTURE
+
+
+
+
+ PKI stands for Public Key Infrastructure . PKI is IT infrastructure that enables users of a basically unsecure public network (such as the Internet) to securely and privately exchange data through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. PKI is not only software or hardware. It is an infrastructure. So, PKI is a combination of products, services, facilities, policies, procedures, agreements, and people. All of these elements work together to provide for secure interactions on the Internet and other open networks. PKI is not a single monolithic entity, but a distributed system. The component elements may include multiple organization-specific public key infrastructures that are interoperable and interconnected.
+
+
+
+
+ DIGITAL CERTIFICATE
+
+
+
+
+
+ An attachment to an electronic message used for security purposes. The most common use of a digital certificate is to verify that a user sending a message is who he or she claims to be, and to provide the receiver with the means to encode a reply.
+
+ An individual wishing to send an encrypted message applies for a digital certificate from a Certificate Authority (CA) . The CA issues an encrypted digital certificate containing the applicant's public key and a variety of other identification information. The CA makes its own public key readily available through print publicity or perhaps on the Internet.
+
+ The recipient of an encrypted message uses the CA's public key to decode the digital certificate attached to the message, verifies it as issued by the CA and then obtains the sender's public key and identification information held within the certificate. With this information, the recipient can send an encrypted reply.
+
+ The most widely used standard for digital certificates is X.509.
+
+
+
+
+
+ CERTIFICATE AUTHORITY
+
+
+
+
+ A trusted third-party organization or company that issues digital certificates used to create digital signatures and public-private key pairs . The role of the CA in this process is to guarantee that the individual granted the unique certificate is, in fact, who he or she claims to be. Usually, this means that the CA has an arrangement with a financial institution, such as a credit card company, which provides it with information to confirm an individual's claimed identity. CAs are a critical component in data security and electronic commerce because they guarantee that the two parties exchanging information are really who they claim to be.
+
+
+
+
+ PUBLIC KEY ENCRYPTION
+
+
+
+
+
+ A cryptographic system that uses two keys -- a public key known to everyone and a private or secret key known only to the recipient of the message. When John wants to send a secure message to Jane, he uses Jane's public key to encrypt the message. Jane then uses her private key to decrypt it.
+
+ An important element to the public key system is that the public and private keys are related in such a way that only the public key can be used to encrypt messages and only the corresponding private key can be used to decrypt them. Moreover, it is virtually impossible to deduce the private key if you know the public key.
+
+
+
+
+
+ S/MIME
+
+
+
+
+ S/MIME (Secure Multi-Purpose Internet Mail Extensions) is a secure method of sending e-mail that uses the RSA encryption system. S/MIME is included in the latest versions of the Web browsers from Microsoft and Netscape and has also been endorsed by other vendors that make messaging products. RSA has proposed S/MIME as a standard to the Internet Engineering Task Force (IETF).
+
+
+
+
+ RSA
+
+
+
+
+ RSA is an Internet encryption and authentication system that uses an algorithm developed in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman. The RSA algorithm is the most commonly used encryption and authentication algorithm and is included as part of the Web browsers from Microsoft and Netscape. It's also part of Lotus Notes, Intuit's Quicken, and many other products. The encryption system was owned by RSA Security, but a recent patent expiration placed it into the public domain. The technologies are part of existing or proposed Web, Internet, and computing standards.
+
+
+
+
+ ROOT CERTIFICATE
+
+
+
+
+ A root certificate is like a MASTER digital certificate . You must install a certificate authority's root certificate before you can trust other certificates issued by that same certificate authority. Root certificates are used to "sign" other certificates. A signature by a root certificate is somewhat analogous to "notarizing" a document in the physical world. When you install a root certificate on your computer, you are saying you "trust" that certification authority and all certificates it signs.
+
+
+
+
+ DIGITAL SIGNATURE
+
+
+
+
+ A digital code that can be attached to an electronically transmitted message that uniquely identifies the sender. Like a written signature, the purpose of a digital signature is to guarantee that the individual sending the message really is who he or she claims to be. Digital certificates inherently provide digital signature capability to most S/MIME enable e-mail clients. Digitally signing an e-mail usually provides the recipient the with the sender's public key, so the recipient may then send encrypted e-mail back to the sender.
+
+
+
+
+ X.509
+
+
+
+
+ The most widely used standard for defining digital certificates. X.509 is actually an ITU Recommendation, which means that has not yet been officially defined or approved. As a result, companies have implemented the standard in different ways. For example, both Netscape and Microsoft use X.509 certificates to implement SSL in their web servers and browsers. But an X.509 certificate generated by Netscape may not be readable by Microsoft products, and vice versa.
+
+
+
+
+ PEM
+
+
+
+
+ PEM is a widely used standard for storing digital certificates. A PEM encoded file can contain all of private keys, public keys, and (x.509) certificates. It is the default format for OpenSSL. It stores data in Base64 encoded format, surrounded by ascii headers, so it is suitable for text mode transfers between systems. PEM files usually end with a .PEM extension.
+
+
+
+
+ DER
+
+
+
+
+ DER is a widely used standard for storing digital certificates. A DER encoded file can contain all of private keys, public keys, and (x.509) certificates. DER is a binary encoded headerless format. DER files usually end with a .CRT or .CER extension.
+
+
+
+
+ PKCS #12
+
+
+
+
+ PKCS #12 (a.k.a. Personal Information Exchange Standard) is a standard for storing private keys and certificates securely (well sort of). It is used in (among other things) Netscape and Microsoft Internet Explorer with their import and export options. PKCS12 files usually end with a .PFX extension.
+
+
PKI and E-mail Encryption - A Brief Explanation
+ PKI and E-mail Encryption - A Brief Explanation
+
-PKI and E-mail Encryption - A Brief Explanation
+ PKI and E-mail Encryption - A Brief Explanation
+
+
+ PKI stands for Public Key Infrastructure . PKI is Information Technology infrastructure that enables users of a basically unsecure public network (such as the Internet) to securely and privately exchange data through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted Authority .
+
+ Public and private keys are like two halves of a single key. PKI encryption algorithms are designed such that a public key is used to encrypt or "lock" a message, and only the complementary private key can "unlock" that message. Think of a bank vault or safe that can only be unlocked by two individuals using two different but complementary keys. Neither of those keys can be used by itself to unlock the vault.
+
+ In practice, individuals wishing to exchange encrypted e-mail will agree to mutually trust one or more Certificate Authorities(CA) by downloading and installing each trusted Authority's root certificate on their computers. They will each obtain their own personal digital certificate from a trusted Certificate Authority, and install them on their respective computers. Because they mutually trust the Certificate Authorities, they trust each other's digital certificates. More specifically, they trust the public keys contained within their personal digital certificates which have been digitally signed by a trusted Certificate Authority. They will then exchange their trusted public keys by sending each other digitally
+ signed e-mail messages. Once each party has the other's public key, they may exchange trusted and encrypted messsages.
+
+ Public key exchange and encryption is like exchanging notarized documents. One trusts a notarized document because a trusted third party, the Notary Public, has signed it. The Certificate Authority is the Notary Public, and the public keys are the documents.
-PKI stands for Public Key Infrastructure . PKI is Information
-Technology infrastructure that enables users of a basically unsecure public
-network (such as the Internet) to securely and privately exchange data through
-the use of a public and a private
-cryptographic key pair that is obtained and shared through a
-trusted Authority .
-
-
-Public and private keys are like two halves of a single key. PKI encryption
-algorithms are designed such that a public key is used to encrypt or
-"lock" a message, and only the complementary private key can "unlock" that
-message.
-Think of a bank vault or safe that can only be unlocked by two individuals
-using two different but complementary keys. Neither of those keys can be used
-by itself to unlock the vault.
-
-
-In practice, individuals wishing to exchange encrypted e-mail
-will agree to mutually trust one or more
-Certificate Authorities(CA) by downloading and installing each trusted Authority's
-root certificate on their computers.
-They will each obtain their own personal
-digital certificate
-from a trusted Certificate Authority, and install them on their
-respective computers.
-Because they mutually trust the Certificate Authorities, they trust each other's
-digital certificates. More specifically, they trust the
-public keys contained within
-their personal digital certificates which have been
-digitally signed by a
-trusted Certificate Authority.
-They will then exchange their trusted public keys by sending each other
-digitally signed e-mail messages. Once each party has the other's public key,
-they may exchange trusted and encrypted messsages.
-
-
-Public key exchange and encryption is like exchanging notarized documents.
-One trusts a notarized document because a trusted third party, the Notary
-Public, has signed it. The Certificate Authority is the Notary Public, and
-the public keys are the documents.
-
-
-Remember, having a personal digital certificate alone does not
-give one the ability to send encrypted e-mail to others, but only allows the
-receipt of encrypted e-mail. PKI is a cooperative encryption
-standard. Both parties who are exchanging encrypted messages must have
-personal digital certificates, they must trust the Certificate Authority
-which issued the other persons certificate, and they must exchange
-public keys with each other, as described above.
-
-
-The process of installing certificates and exchanging public keys is dependent
-upon the e-mail application one uses, and is beyond the scope of this document.
+
Remember, having a personal digital certificate alone does not give one the ability to send encrypted e-mail to others, but only allows the receipt of encrypted e-mail. PKI is a cooperative encryption standard. Both parties who are exchanging encrypted messages must have personal digital certificates, they must trust the Certificate Authority which issued the other persons certificate, and they must exchange public keys with each other, as described above.
+ The process of installing certificates and exchanging public keys is dependent upon the e-mail application one uses, and is beyond the scope of this document.
diff -ruN phpki-ng.old/phpki-ng-0.84/help/usercert_install_ie.html phpki-ng/phpki-ng-0.84/help/usercert_install_ie.html
--- phpki-ng.old/phpki-ng-0.84/help/usercert_install_ie.html 2020-04-02 14:22:47.000000000 +0200
+++ phpki-ng/phpki-ng-0.84/help/usercert_install_ie.html 2021-03-07 19:33:03.076323787 +0100
@@ -1,40 +1,51 @@
+
+
-Personal E-mail Certificate Installation for Outlook & Outlook Express
-Personal E-mail Certificate Installation for Outlook & Outlook Express
+ Personal E-mail Certificate Installation for Outlook & Outlook Express
-A Step-by-Step Guide
-
Open the folder which holds the certificates you have downloaded.Install PFX from the context menu.
-
Click the Next button in the Certificate Wizard
-welcome window.
-
Click the Next button in the Select File to Import window.
-
The personal e-mail certificate files created by PHPki contain an encrypted
-copy of your private key. When your certficate was created, a password was
-given to PHPki to encrypt the private key. The same password is used to
-decrypt your private key and install the certificate. Do not forget or lose
-this password as it cannot be recovered under any circumstance.
-Select the Enable strong private key protection option if you
-would like Windows to add an additional layer of password protection to use
-your certificate. This is not necessary, and will not be covered further here.
-There is no need to select the Mark the private key as exportable
-option. Enter your certificate password and click the Next button
-in the Password Protection for Private Keys window.
-
Click the Next button in the Select a Certificate Store window.
-
Click the Finish button in the Complete the Certificate.. window.
-
Windows confirms the root certificate was successfully imported.
+ Personal E-mail Certificate Installation for Outlook & Outlook Express
+
+ A Step-by-Step Guide
+
+
+ Open the folder which holds the certificates you have downloaded.Install PFX from the context menu.
+
+
+
+ Click the Next button in the Certificate Wizard welcome window.
+
+
+
+ Click the Next button in the Select File to Import window.
+
+
+
+ The personal e-mail certificate files created by PHPki contain an encrypted copy of your private key. When your certficate was created, a password was given to PHPki to encrypt the private key. The same password is used to decrypt your private key and install the certificate. Do not forget or lose this password as it cannot be recovered under any circumstance. Select the Enable strong private key protection option if you would like Windows to add an additional layer of password protection to use your certificate. This is not necessary, and will not be covered further here. There is no need to select the Mark the private key as exportable option. Enter your certificate password and click the Next button in the Password Protection for Private Keys window.
+
+
+
+ Click the Next button in the Select a Certificate Store window.
+
+
+
+ Click the Finish button in the Complete the Certificate.. window.
+
+
-
+ Windows confirms the root certificate was successfully imported.
diff -ruN phpki-ng.old/phpki-ng-0.84/help.php phpki-ng/phpki-ng-0.84/help.php
--- phpki-ng.old/phpki-ng-0.84/help.php 2020-04-02 14:22:47.000000000 +0200
+++ phpki-ng/phpki-ng-0.84/help.php 2021-03-07 19:33:03.076323787 +0100
@@ -5,11 +5,12 @@
printHeader(about);
?>
-PHPki HELP FILES
-help/PKI_basics.html>PKI and E-mail Encryption - A Brief Explanation
-help/cacert_install_ie.html>Installing Our Root Certificate For Use With Outlook and Outlook Express
-help/usercert_install_ie.html>Installing Your Personal E-mail Certificate For Use With Outlook and Outlook Express
-
help/glossary.html>Glossary
+
+ PHPki HELP FILES
+ PKI and E-mail Encryption - A Brief Explanation
+ Installing Our Root Certificate For Use With Outlook and Outlook Express
+ Installing Your Personal E-mail Certificate For Use With Outlook and Outlook Express
+ Glossary
-
-
- PHPki: <?php echo $title?>
- PHPki
-
-
-
- ";
-
- if (DEMO) {
- print "";
- print "";
- }
- else {
- print "";
- }
-
- if (file_exists('policy.html')) {
- print '';
- }
- ?>
-
-
-
- ";
-
- if (DEMO) {
- print "";
- print "";
- }
- else {
- print "";
- }
-
- if (file_exists('../policy.html')) {
- print '';
- }
- ?>
-
-
-
-
+
+
+
+ PHPki
+
+
+
+ ";
+
+ if (DEMO) {
+ print "";
+ print "";
+ } else {
+ print "";
+ }
+
+ if (file_exists('policy.html')) {
+ print '';
+ }
+ ?>
+
+
+
+ ";
+
+ if (DEMO) {
+ print "";
+ print "";
+ } else {
+ print "";
+ }
+
+ if (file_exists('../policy.html')) {
+ print '';
+ }
+ ?>
+
+
+
+ PHPki v - Copyright 2003 - William E. Roadcap
-
-
-
+ PHPki v - Copyright 2003 - William E. Roadcap
+
+
+
diff -ruN phpki-ng.old/phpki-ng-0.84/include/my_functions.php phpki-ng/phpki-ng-0.84/include/my_functions.php
--- phpki-ng.old/phpki-ng-0.84/include/my_functions.php 2020-04-02 14:22:47.000000000 +0200
+++ phpki-ng/phpki-ng-0.84/include/my_functions.php 2021-03-07 19:33:03.077323802 +0100
@@ -5,49 +5,57 @@
#
# Returns TRUE if browser is Internet Explorer.
#
-function isIE() {
- global $_SERVER;
- return strstr($_SERVER['HTTP_USER_AGENT'], 'MSIE');
-}
-
-function isKonq() {
- global $_SERVER;
- return strstr($_SERVER['HTTP_USER_AGENT'], 'Konqueror');
-}
-
-function isMoz() {
- global $_SERVER;
- return strstr($_SERVER['HTTP_USER_AGENT'], 'Gecko');
+function isIE()
+{
+ global $_SERVER;
+ return strstr($_SERVER['HTTP_USER_AGENT'], 'MSIE');
+}
+
+function isKonq()
+{
+ global $_SERVER;
+ return strstr($_SERVER['HTTP_USER_AGENT'], 'Konqueror');
+}
+
+function isMoz()
+{
+ global $_SERVER;
+ return strstr($_SERVER['HTTP_USER_AGENT'], 'Gecko');
}
#
# Force upload of specified file to browser.
#
-function upload($source, $destination, $content_type="application/octet-stream") {
- header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
- header("Expires: -1");
-# header("Cache-Control: no-store, no-cache, must-revalidate");
-# header("Cache-Control: post-check=0, pre-check=0", false);
-# header("Pragma: no-cache");
+function upload($source, $destination, $content_type = "application/octet-stream")
+{
+ header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
+ header("Expires: -1");
+# header("Cache-Control: no-store, no-cache, must-revalidate");
+# header("Cache-Control: post-check=0, pre-check=0", false);
+# header("Pragma: no-cache");
header("Content-Type: $content_type");
- if (is_array($source)) {
- $fsize = 0;
- foreach($source as $f) $fsize += filesize($f);
- }
- else {
- $fsize = filesize($source);
- }
+ if (is_array($source)) {
+ $fsize = 0;
+ foreach ($source as $f) {
+ $fsize += filesize($f);
+ }
+ } else {
+ $fsize = filesize($source);
+ }
- header("Content-length: " . $fsize);
+ header("Content-length: " . $fsize);
# header("Content-Disposition: attachment; filename=\"" . $destination ."\"");
header("Content-Disposition: filename=\"" . $destination ."\"");
- if (is_array($source))
- foreach($source as $f) $ret = readfile($f);
- else
- $ret=readfile($source);
+ if (is_array($source)) {
+ foreach ($source as $f) {
+ $ret = readfile($f);
+ }
+ } else {
+ $ret=readfile($source);
+ }
# $fd=fopen($source,'r');
# fpassthru($fd);
@@ -60,35 +68,51 @@
# by field name. POST fields have precedence over GET fields.
# Quoting/Slashes are stripped if magic quotes gpc is on.
#
-function gpvar($v) {
- global $_GET, $_POST;
+function gpvar($v)
+{
+ global $_GET, $_POST;
$x = "";
- if (isset($_GET[$v])) $x = $_GET[$v];
- if (isset($_POST[$v])) $x = $_POST[$v];
- if (get_magic_quotes_gpc()) $x = stripslashes($x);
- return $x;
+ if (isset($_GET[$v])) {
+ $x = $_GET[$v];
+ }
+ if (isset($_POST[$v])) {
+ $x = $_POST[$v];
+ }
+ if (get_magic_quotes_gpc()) {
+ $x = stripslashes($x);
+ }
+ return $x;
}
#
# Sort a two multidimensional array by one of it's columns
#
-function csort($array, $column, $ascdec=SORT_ASC){
+function csort($array, $column, $ascdec = SORT_ASC)
+{
- if (sizeof($array) == 0) return $array;
+ if (sizeof($array) == 0) {
+ return $array;
+ }
// Sort by digital date rather than text date
- if ($column == 'issued') $column = "issuedSort";
- if ($column == 'expires') $column = 'expiresSort';
+ if ($column == 'issued') {
+ $column = "issuedSort";
+ }
+ if ($column == 'expires') {
+ $column = 'expiresSort';
+ }
if ($column == 'status') {
- foreach($array as $x) {
- $sortarr[]=$x[$column];
- $sortdate[] = $x['expiresSort'];
- }
+ foreach ($array as $x) {
+ $sortarr[]=$x[$column];
+ $sortdate[] = $x['expiresSort'];
+ }
array_multisort($sortarr, $ascdec, $sortdate, SORT_ASC, $array);
} else {
- foreach($array as $x) $sortarr[]=$x[$column];
+ foreach ($array as $x) {
+ $sortarr[]=$x[$column];
+ }
array_multisort($sortarr, $ascdec, $array);
}
return $array;
@@ -99,11 +123,13 @@
# Returns a value suitable for display in the browser.
# Strips slashes if second argument is true.
#
-function htvar($v, $strip=false) {
- if ($strip)
- return htmlentities(stripslashes($v), 0, "UTF-8");
- else
- return htmlentities($v, 0, "UTF-8");
+function htvar($v, $strip = false)
+{
+ if ($strip) {
+ return htmlentities(stripslashes($v), 0, "UTF-8");
+ } else {
+ return htmlentities($v, 0, "UTF-8");
+ }
}
@@ -113,11 +139,13 @@
# provided strings with single-quotes and quotes any
# other dangerous characters.
#
-function escshellarg($v, $strip=false) {
- if ($strip)
- return escapeshellarg(stripslashes($v));
- else
- return escapeshellarg($v);
+function escshellarg($v, $strip = false)
+{
+ if ($strip) {
+ return escapeshellarg(stripslashes($v));
+ } else {
+ return escapeshellarg($v);
+ }
}
@@ -125,93 +153,103 @@
# Similar to escshellarg(), but doesn't surround provided
# string with single-quotes.
#
-function escshellcmd($v, $strip=false) {
- if ($strip)
- return escapeshellcmd(stripslashes($v));
- else
- return escapeshellarg($v);
+function escshellcmd($v, $strip = false)
+{
+ if ($strip) {
+ return escapeshellcmd(stripslashes($v));
+ } else {
+ return escapeshellarg($v);
+ }
}
-
+
#
# Recursively strips slashes from a string or array.
#
-function stripslashes_array(&$a) {
- if (is_array($a)) {
- foreach($a as $k => $v) {
- my_stripslashes($a[$k]);
- }
- }
- else {
- $a = stripslashes($a);
- }
+function stripslashes_array(&$a)
+{
+ if (is_array($a)) {
+ foreach ($a as $k => $v) {
+ my_stripslashes($a[$k]);
+ }
+ } else {
+ $a = stripslashes($a);
+ }
}
#
# Don't use this.
#
-function undo_magic_quotes(&$a) {
- if(get_magic_quotes_gpc()) {
- global $HTTP_POST_VARS, $HTTP_GET_VARS;
-
- foreach($HTTP_POST_VARS as $k => $v) {
- stripslashes_array($HTTP_POST_VARS[$k]);
- global $$k;
- stripslashes_array($$k);
- }
- foreach($HTTP_GET_VARS as $k => $v) {
- stripslashes_array($HTTP_GET_VARS[$k]);
- global $$k;
- stripslashes_array($$k);
- }
- }
+function undo_magic_quotes(&$a)
+{
+ if (get_magic_quotes_gpc()) {
+ global $HTTP_POST_VARS, $HTTP_GET_VARS;
+
+ foreach ($HTTP_POST_VARS as $k => $v) {
+ stripslashes_array($HTTP_POST_VARS[$k]);
+ global $$k;
+ stripslashes_array($$k);
+ }
+ foreach ($HTTP_GET_VARS as $k => $v) {
+ stripslashes_array($HTTP_GET_VARS[$k]);
+ global $$k;
+ stripslashes_array($$k);
+ }
+ }
}
#
# Returns TRUE if argument contains only alphabetic characters.
#
-function is_alpha($v) {
- #return (eregi('[^A-Z]',$v) ? false : true) ;
- #return (preg_match('/[^A-Z]'.'/i',$v,PCRE_CASELESS) ? false : true) ; # Replaced eregi() with preg_match()
- return (preg_match('/[^A-Z]/i',$v) ? false : true) ;
+function is_alpha($v)
+{
+ #return (eregi('[^A-Z]',$v) ? false : true) ;
+ #return (preg_match('/[^A-Z]'.'/i',$v,PCRE_CASELESS) ? false : true) ; # Replaced eregi() with preg_match()
+ return (preg_match('/[^A-Z]/i', $v) ? false : true) ;
}
#
# Returns TRUE if argument contains only numeric characters.
#
-function is_num($v) {
- #return (eregi('[^0-9]',$v) ? false : true) ;
- return (preg_match('/[^0-9]/',$v) ? false : true) ; # Replaced eregi() with preg_match()
+function is_num($v)
+{
+ #return (eregi('[^0-9]',$v) ? false : true) ;
+ return (preg_match('/[^0-9]/', $v) ? false : true) ; # Replaced eregi() with preg_match()
}
#
# Returns TRUE if argument contains only alphanumeric characters.
#
-function is_alnum($v) {
- #return (eregi('[^A-Z0-9]',$v) ? false : true) ;
- return (preg_match('/[^A-Z0-9]/i',$v) ? false : true) ; # Replaced eregi() with preg_match()
+function is_alnum($v)
+{
+ #return (eregi('[^A-Z0-9]',$v) ? false : true) ;
+ return (preg_match('/[^A-Z0-9]/i', $v) ? false : true) ; # Replaced eregi() with preg_match()
}
#
# Returns TRUE if argument is in proper e-mail address format.
#
-function is_email($v) {
- #return (eregi('^[^@ ]+\@[^@ ]+\.[A-Z]{2,4}$',$v) ? true : false);
- return (preg_match('/^[^@ ]+\@[^@ ]+\.[A-Z]{2,4}$'.'/i',$v) ? true : false); # Replaced eregi() with preg_match()
+function is_email($v)
+{
+ #return (eregi('^[^@ ]+\@[^@ ]+\.[A-Z]{2,4}$',$v) ? true : false);
+ return (preg_match('/^[^@ ]+\@[^@ ]+\.[A-Z]{2,4}$'.'/i', $v) ? true : false); # Replaced eregi() with preg_match()
}
#
# Returns True if the given string is a IP address
#
-function is_ip( $ip = null ) {
- if( !$ip or strlen(trim($ip)) == 0){
+function is_ip($ip = null)
+{
+ if (!$ip or strlen(trim($ip)) == 0) {
return false;
}
$ip=trim($ip);
- if(preg_match("/^[0-9]{1,3}(.[0-9]{1,3}){3}$/",$ip)) {
- foreach(explode(".", $ip) as $block)
- if($block<0 || $block>255 )
+ if (preg_match("/^[0-9]{1,3}(.[0-9]{1,3}){3}$/", $ip)) {
+ foreach (explode(".", $ip) as $block) {
+ if ($block<0 || $block>255) {
return false;
+ }
+ }
return true;
}
return false;
@@ -220,9 +258,10 @@
#
# Returns True if the given string is a valid FQDN
#
-function is_fqdn($FQDN) {
+function is_fqdn($FQDN)
+{
// remove leading wildcard characters if exist
- $FQDN = preg_replace('/^\*\./','', $FQDN, 1);
+ $FQDN = preg_replace('/^\*\./', '', $FQDN, 1);
return (!empty($FQDN) && preg_match('/^(?=.{1,254}$)((?=[a-z0-9-]{1,63}\.)(xn--+)?[a-z0-9]+(-[a-z0-9]+)*\.)+(xn--+)?[a-z0-9]{2,63}$/i', $FQDN) > 0);
}
@@ -231,26 +270,31 @@
# as a match is found.
#
-function eregi_array($regexp, $arr) {
+function eregi_array($regexp, $arr)
+{
- foreach ($arr as $elem) {
- #if (eregi($regexp,$elem))
- if (! preg_match('/^\/.*\/$/', $regexp)) # if it doesn't begin and end with '/'
- $regexp = '/'.$regexp.'/'; # pad the $regexp with '/' to prepare for preg_match()
- if (preg_match($regexp.'i',$elem)) # Replaced eregi() with preg_match()
- return true;
- }
- return false;
+ foreach ($arr as $elem) {
+ #if (eregi($regexp,$elem))
+ if (! preg_match('/^\/.*\/$/', $regexp)) { # if it doesn't begin and end with '/'
+ $regexp = '/'.$regexp.'/'; # pad the $regexp with '/' to prepare for preg_match()
+ }
+ if (preg_match($regexp.'i', $elem)) { # Replaced eregi() with preg_match()
+ return true;
+ }
+ }
+ return false;
}
#
# Reads entire file into a string
# Same as file_get_contents in php >= 4.3.0
#
-function my_file_get_contents($f) {
- return implode('', file($f));
+function my_file_get_contents($f)
+{
+ return implode('', file($f));
}
-function getOSInformation() {
+function getOSInformation()
+{
if (false == function_exists("shell_exec")) {
return null;
}
@@ -261,4 +305,3 @@
return null;
}
}
-?>
diff -ruN phpki-ng.old/phpki-ng-0.84/include/openssl_functions.php phpki-ng/phpki-ng-0.84/include/openssl_functions.php
--- phpki-ng.old/phpki-ng-0.84/include/openssl_functions.php 2020-04-02 14:22:47.000000000 +0200
+++ phpki-ng/phpki-ng-0.84/include/openssl_functions.php 2021-03-07 19:33:03.078323817 +0100
@@ -5,64 +5,88 @@
// File name is placed in ./tmp with a random name. It lingers unless
// removed manually.
//
-function CA_create_cnf($country='',$province='',$locality='',$organization='',$unit='',$common_name='',$email='',$keysize=2048,$dns_names='',$ip_addr='',$serial='') {
- global $config, $PHPki_user;
+function CA_create_cnf($country = '', $province = '', $locality = '', $organization = '', $unit = '', $common_name = '', $email = '', $keysize = 2048, $dns_names = '', $ip_addr = '', $serial = '')
+{
+ global $config, $PHPki_user;
+
+ $issuer = $PHPki_user;
+ $count_dns = 0;
+ $count_ip = 0;
+ $alt_names = "";
+
+ if (! $dns_names == '') {
+ $dns_n=explode("\n", $dns_names);
+ $count_dns = $count_dns + 1;
+ $alt_names .= "DNS.$count_dns = $common_name\n";
+ foreach ($dns_n as $value) {
+ if (! $value == '') {
+ $count_dns = $count_dns + 1;
+ $alt_names .= "DNS.$count_dns = ".trim($value)."\n";
+ }
+ }
+ }
+
+ if (! $ip_addr == '') {
+ $ip_ar=explode("\n", $ip_addr);
+ foreach ($ip_ar as $value) {
+ if (! $value == '') {
+ $count_dns = $count_dns + 1;
+ $count_ip = $count_ip + 1;
+ # reetp IP should not be added to a DNS entry
+ #$alt_names .= "DNS.$count_dns = ".trim($value)."\n";
+ $alt_names .= "IP.$count_ip = ".trim($value)."\n";
+ }
+ }
+ }
+
+ if (($count_dns > 0) || ($count_ip > 0)) {
+ $server_altnames = "@alt_names";
+ } else {
+ $server_altnames = "DNS:$common_name,email:copy";
+ }
+
+ $configHOME = $config['home_dir'];
+ $configRANDFILE = $config['random'];
+ $configCa_dir = $config['ca_dir'];
+ $configCert_dir = $config['cert_dir'];
+ $configCrl_dir = $config['crl_dir'];
+ $configDatabase = $config['index'];
+ $configNew_certs_dir = $config['new_certs_dir'];
+ $configPrivate_dir = $config['private_dir'];
+ $configSerial = $config['serial'];
+ $configCacert_pem = $config['cacert_pem'];
+ $configCacrl_pem = $config['cacrl_pem'];
+ $configCakey = $config['cakey'];
+ $configDefault_md = $config['default_md'];
+ $configBase_url = $config['base_url'];
+ $configCrl_dist = $config['crl_distrib'];
+ $configComment_root = $config['comment_root'];
+ $configPolicy_url = $config['policy_url'];
+ $configRevoke_url = $config['revoke_url'];
+ $configComment_email = $config['comment_email'];
+ $configComment_sign = $config['comment_sign'];
+ $configComment_srv = $config['comment_srv'];
+
- $issuer = $PHPki_user;
- $count_dns = 0;
- $count_ip = 0;
- $alt_names = "";
-
- if (! $dns_names == '') {
-
- $dns_n=explode("\n", $dns_names);
- $count_dns = $count_dns + 1;
- $alt_names .= "DNS.$count_dns = $common_name\n";
- foreach ($dns_n as $value) {
- if (! $value == '') {
- $count_dns = $count_dns + 1;
- $alt_names .= "DNS.$count_dns = ".trim($value)."\n";
- }
- }
- }
-
- if (! $ip_addr == '') {
- $ip_ar=explode("\n", $ip_addr);
- foreach ($ip_ar as $value) {
- if (! $value == '') {
- $count_dns = $count_dns + 1;
- $count_ip = $count_ip + 1;
- # reetp IP should not be added to a DNS entry
- #$alt_names .= "DNS.$count_dns = ".trim($value)."\n";
- $alt_names .= "IP.$count_ip = ".trim($value)."\n";
- }
- }
- }
-
- if (($count_dns > 0) || ($count_ip > 0)) {
- $server_altnames = "@alt_names";
- } else {
- $server_altnames = "DNS:$common_name,email:copy";
- }
-
- $cnf_contents = "
-HOME = $config[home_dir]
-RANDFILE = $config[random]
-dir = $config[ca_dir]
-certs = $config[cert_dir]
-crl_dir = $config[crl_dir]
-database = $config[index]
-new_certs_dir = $config[new_certs_dir]
-private_dir = $config[private_dir]
-serial = $config[serial]
-certificate = $config[cacert_pem]
-crl = $config[cacrl_pem]
-private_key = $config[cakey]
+
+ $cnf_contents = "
+HOME = $configHOME
+RANDFILE = $configRANDFILE
+dir = $configCa_dir
+certs = $configCert_dir
+crl_dir = $configCrl_dir
+database = $configDatabase
+new_certs_dir = $configNew_certs_dir
+private_dir = $configPrivate_dir
+serial = $configSerial
+certificate = $configCacert_pem
+crl = $configCacrl_pem
+private_key = $configCakey
crl_extentions = crl_ext
default_days = 365
default_crl_days = 30
preserve = no
-default_md = $config[default_md]
+default_md = $configDefault_md
[ req ]
default_bits = $keysize
@@ -108,7 +132,7 @@
x509_extensions = vpn_client_server_ext
default_days = 365
policy = policy_supplied
-
+
[ time_stamping_cert ]
x509_extensions = time_stamping_ext
default_days = 365
@@ -137,10 +161,10 @@
nsCertType = sslCA, emailCA, objCA
subjectKeyIdentifier = hash
subjectAltName = email:copy
-crlDistributionPoints = URI:$config[base_url]$config[crl_distrib]
-nsComment = $config[comment_root]
+crlDistributionPoints = URI:$configBase_url$configCrl_dist
+nsComment = $configComment_root
#nsCaRevocationUrl =
-nsCaPolicyUrl = $config[base_url]$config[policy_url]
+nsCaPolicyUrl = $configBase_url$configPolicy_url
[ email_ext ]
basicConstraints = critical, CA:false
@@ -151,11 +175,11 @@
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = email:copy
issuerAltName = issuer:copy
-crlDistributionPoints = URI:$config[base_url]$config[crl_distrib]
-nsComment = $config[comment_email]
-nsBaseUrl = $config[base_url]
-nsRevocationUrl = $config[base_url]$config[revoke_url]$serial
-nsCaPolicyUrl = $config[base_url]$config[policy_url]
+crlDistributionPoints = URI:$configBase_url$configCrl_dist
+nsComment = $configComment_email
+nsBaseUrl = $configBase_url
+nsRevocationUrl = $configBase_url$configRevoke_url$serial
+nsCaPolicyUrl = $configBase_url$configPolicy_url
[ email_signing_ext ]
basicConstraints = critical, CA:false
@@ -166,11 +190,11 @@
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = email:copy
issuerAltName = issuer:copy
-crlDistributionPoints = URI:$config[base_url]$config[crl_distrib]
-nsComment = $config[comment_sign]
-nsBaseUrl = $config[base_url]
-nsRevocationUrl = $config[base_url]$config[revoke_url]$serial
-nsCaPolicyUrl = $config[base_url]$config[policy_url]
+crlDistributionPoints = URI:$configBase_url$configCrl_dist
+nsComment = $configComment_sign
+nsBaseUrl = $configBase_url
+nsRevocationUrl = $configBase_url$configRevoke_url$serial
+nsCaPolicyUrl = $configBase_url$configPolicy_url
[ server_ext ]
basicConstraints = critical, CA:false
@@ -181,11 +205,11 @@
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = $server_altnames
issuerAltName = issuer:copy
-crlDistributionPoints = URI:$config[base_url]$config[crl_distrib]
-nsComment = $config[comment_srv]
-nsBaseUrl = $config[base_url]
-nsRevocationUrl = $config[base_url]$config[revoke_url]$serial
-nsCaPolicyUrl = $config[base_url]$config[policy_url]
+crlDistributionPoints = URI:$configBase_url$configCrl_dist
+nsComment = $configComment_srv
+nsBaseUrl = $configBase_url
+nsRevocationUrl = $configBase_url$configRevoke_url$serial
+nsCaPolicyUrl = $configBase_url$configPolicy_url
[ time_stamping_ext ]
basicConstraints = CA:false
@@ -195,10 +219,10 @@
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = DNS:$common_name,email:copy
issuerAltName = issuer:copy
-crlDistributionPoints = URI:$config[base_url]$config[crl_distrib]
+crlDistributionPoints = URI:$configBase_url$configCrl_dist
nsComment = $config[comment_stamp]
-nsBaseUrl = $config[base_url]
-nsRevocationUrl = $config[base_url]$config[revoke_url]$serial
+nsBaseUrl = $configBase_url
+nsRevocationUrl = $configBase_url$configRevoke_url$serial
[ vpn_client_ext ]
basicConstraints = critical, CA:false
@@ -232,13 +256,13 @@
";
- # Write out the config file.
- $cnf_file = tempnam('../../tmp','cnf-'); // Why is this not in the phpki dir ? why ../../ ?
- $handle = fopen($cnf_file,"w");
- fwrite($handle, $cnf_contents);
- fclose($handle);
-
- return($cnf_file);
+ # Write out the config file.
+ $cnf_file = tempnam('../../tmp', 'cnf-'); // Why is this not in the phpki dir ? why ../../ ?
+ $handle = fopen($cnf_file, "w");
+ fwrite($handle, $cnf_contents);
+ fclose($handle);
+
+ return($cnf_file);
}
//
@@ -247,242 +271,264 @@
// Fields: serial, country, province, locality, organization,
// issuer, unit, common_name, email
//
-function CAdb_to_array($search = '.*') {
- global $config;
-
- # Prepend a default status to search string if missing.
- #if (! ereg('^\^\[.*\]', $search)) $search = '^[VRE].*'.$search;
- if (! preg_match("/^\^\[.*\]/", $search)) $search = '^[VRE].*'.$search;
- # Include valid certs?
- #if (ereg('^\^\[.*V.*\]',$search)) $inclval = true;
- if (preg_match('/^\^\[.*V.*\]/',$search)) $inclval = true;
- # Include revoked certs?
- #if (ereg('^\^\[.*R.*\]',$search)) $inclrev = true;
- if (preg_match('/^\^\[.*R.*\]/',$search)) $inclrev = true;
- # Include expired certs?
- #if (ereg('^\^\[.*E.*\]',$search)) $inclexp = true;
- if (preg_match('/^\^\[.*E.*\]/',$search)) $inclexp = true;
-
- # There isn't really a status of 'E' in the openssl index.
- # Change (E)xpired to (V)alid within the search string.
- #$search = ereg_replace('^(\^\[.*)E(.*\])','\\1V\\2',$search);
- $search = preg_replace('/^(\^\[.*)E(.*\])/','${1}V${2}',$search);
-
- $db = array();
- exec('egrep -i '.escshellarg($search).' '.$config['index'], $x);
- foreach($x as $y) {
- $i = CAdb_explode_entry($y);
- if (($i['status'] == "Valid" && $inclval) || ($i['status'] == "Revoked" && $inclrev) || ($i['status'] == "Expired" && $inclexp))
- $db[$i['serial']] = $i;
- }
+function CAdb_to_array($search = '.*')
+{
+ global $config;
+
+ # Prepend a default status to search string if missing.
+ #if (! ereg('^\^\[.*\]', $search)) $search = '^[VRE].*'.$search;
+ if (! preg_match("/^\^\[.*\]/", $search)) {
+ $search = '^[VRE].*'.$search;
+ }
+ # Include valid certs?
+ #if (ereg('^\^\[.*V.*\]',$search)) $inclval = true;
+ if (preg_match('/^\^\[.*V.*\]/', $search)) {
+ $inclval = true;
+ }
+ # Include revoked certs?
+ #if (ereg('^\^\[.*R.*\]',$search)) $inclrev = true;
+ if (preg_match('/^\^\[.*R.*\]/', $search)) {
+ $inclrev = true;
+ }
+ # Include expired certs?
+ #if (ereg('^\^\[.*E.*\]',$search)) $inclexp = true;
+ if (preg_match('/^\^\[.*E.*\]/', $search)) {
+ $inclexp = true;
+ }
+
+ # There isn't really a status of 'E' in the openssl index.
+ # Change (E)xpired to (V)alid within the search string.
+ #$search = ereg_replace('^(\^\[.*)E(.*\])','\\1V\\2',$search);
+ $search = preg_replace('/^(\^\[.*)E(.*\])/', '${1}V${2}', $search);
+
+ $db = array();
+ exec('egrep -i '.escshellarg($search).' '.$config['index'], $x);
+ foreach ($x as $y) {
+ $i = CAdb_explode_entry($y);
+ if (($i['status'] == "Valid" && $inclval) || ($i['status'] == "Revoked" && $inclrev) || ($i['status'] == "Expired" && $inclexp)) {
+ $db[$i['serial']] = $i;
+ }
+ }
- return($db);
+ return($db);
}
//
// Returns an array containing the index record for
// certificate $serial.
-//
-function CAdb_get_entry($serial) {
- global $config;
- $regexp = "^[VR]\t.*\t.*\t$serial\t.*\t.*$";
- $x = exec('egrep '.escshellarg($regexp).' '.$config['index']);
- if ($x)
- return CAdb_explode_entry($x);
- else {
- return false;
- }
+//
+function CAdb_get_entry($serial)
+{
+ global $config;
+ $regexp = "^[VR]\t.*\t.*\t$serial\t.*\t.*$";
+ $x = exec('egrep '.escshellarg($regexp).' '.$config['index']);
+ if ($x) {
+ return CAdb_explode_entry($x);
+ } else {
+ return false;
+ }
}
//
-// Returns the serial number of a VALID certificate matching
+// Returns the serial number of a VALID certificate matching
// $email and/or $name. Returns FALSE if no match is found.
//
-function CAdb_in($email="", $name="") {
- global $config;
- $email = escshellcmd($email);
- $name = escshellcmd($name);
- $regexp = "^[V].*CN=$name/(Email|emailAddress)=$email";
- $x =exec('egrep '.escshellarg($regexp).' '.$config['index']);
+function CAdb_in($email = "", $name = "")
+{
+ global $config;
+ $email = escshellcmd($email);
+ $name = escshellcmd($name);
+ $regexp = "^[V].*CN=$name/(Email|emailAddress)=$email";
+ $x = exec('egrep '.escshellarg($regexp).' '.$config['index']);
if ($x) {
- list($j,$j,$j,$serial,$j,$j) = explode("\t", $x);
- return "$serial";
- }
- else
- return false;
+ list($j,$j,$j,$serial,$j,$j) = explode("\t", $x);
+ return "$serial";
+ } else {
+ return false;
+ }
}
//
// Alias for CAdb_in()
//
-function CAdb_serial($email, $name='') {
- return CAdb_in($email, $name='');
+function CAdb_serial($email, $name = '')
+{
+ return CAdb_in($email, $name = '');
}
//
// Alias for CAdb_in()
//
-function CAdb_exists($email, $name='') {
- return CAdb_in($email, $name='');
+function CAdb_exists($email, $name = '')
+{
+ return CAdb_in($email, $name = '');
}
//
// Returns the certificate 'issuer'
//
-function CAdb_issuer($serial) {
- global $config;
- $rec = CAdb_get_entry($serial);
- return $rec['issuer'];
+function CAdb_issuer($serial)
+{
+ global $config;
+ $rec = CAdb_get_entry($serial);
+ return $rec['issuer'];
}
//
// Returns an array containing the respective fields given a
// a raw line ($dbentry) from the certificate index.
-// Fields: serial, country, province locality, organization,
+// Fields: serial, country, province locality, organization,
// issuer, unit, common_name, email
//
-function CAdb_explode_entry($dbentry) {
- $a = explode("\t", $dbentry);
- $b = preg_split('/\/([A-Z]|[a-z])+=/', $a[5]);
-
- switch ($a[0]) {
- case "V":
- $db['status'] = "Valid";
- break;
- case "R":
- $db['status'] = "Revoked";
- break;
- }
-
- // CA_cert_start/enddate
- // A date will be returned in this format
- // Feb 27 16:00:09 2020 GMT
- // Add a 'digital' sort key for digital date sorting later
- sscanf(CA_cert_startdate($a[3]),"%s%s%s%s", $mm,$dd,$tt,$yy);
- $db['issued'] = strftime("%Y-%b-%d", strtotime("$yy-$mm-$dd"));
- $db['issuedSort'] = strftime("%Y-%m-%d", strtotime("$yy-$mm-$dd"));
-
- sscanf(CA_cert_enddate($a[3]), "%s%s%s%s",$mm,$dd,$tt,$yy);
- $db['expires'] = strftime("%Y-%b-%d", strtotime("$yy-$mm-$dd"));
- $db['expiresSort'] = strftime("%Y-%m-%d", strtotime("$yy-$mm-$dd"));
-
- if (time() > strtotime("$yy-$mm-$dd")) {
- $db['status'] = "Expired";
- }
-
-
- // Compatibility with migrated certs from openvpn-bridge
- if(count($b) == 7){
- $db['serial'] = $a[3];
- $db['country'] = $b[1];
- $db['province'] = $b[2];
- $db['locality'] = '';
- $db['organization'] = $b[3];
- $db['issuer'] = '';
- $db['unit'] = $b[4];
- $db['common_name'] = $b[5];
- $db['email'] = $b[6];
- }
- // Compatibility with renewed certs from openvpn-bridge
- elseif(count($b) == 8){
- $db['serial'] = $a[3];
- $db['country'] = $b[1];
- $db['province'] = $b[2];
- $db['locality'] = $b[3];
- $db['organization'] = $b[4];
- $db['issuer'] = '';
- $db['unit'] = $b[5];
- $db['common_name'] = $b[6];
- $db['email'] = $b[7];
- }
- // Else, it's a certificate created with phpki
- else{
- $db['serial'] = $a[3];
- $db['country'] = $b[1];
- $db['province'] = $b[2];
- $db['locality'] = $b[3];
- $db['organization'] = $b[4];
- $db['issuer'] = $b[5];
- $db['unit'] = $b[6];
- $db['common_name'] = $b[7];
- $db['email'] = $b[8];
- }
+function CAdb_explode_entry($dbentry)
+{
+ $a = explode("\t", $dbentry);
+ $b = preg_split('/\/([A-Z]|[a-z])+=/', $a[5]);
+
+ switch ($a[0]) {
+ case "V":
+ $db['status'] = "Valid";
+ break;
+ case "R":
+ $db['status'] = "Revoked";
+ break;
+ }
+
+ // CA_cert_start/enddate
+ // A date will be returned in this format
+ // Feb 27 16:00:09 2020 GMT
+ // Add a 'digital' sort key for digital date sorting later
+ sscanf(CA_cert_startdate($a[3]), "%s%s%s%s", $mm, $dd, $tt, $yy);
+ $db['issued'] = strftime("%Y-%b-%d", strtotime("$yy-$mm-$dd"));
+ $db['issuedSort'] = strftime("%Y-%m-%d", strtotime("$yy-$mm-$dd"));
+
+ sscanf(CA_cert_enddate($a[3]), "%s%s%s%s", $mm, $dd, $tt, $yy);
+ $db['expires'] = strftime("%Y-%b-%d", strtotime("$yy-$mm-$dd"));
+ $db['expiresSort'] = strftime("%Y-%m-%d", strtotime("$yy-$mm-$dd"));
+
+ if (time() > strtotime("$yy-$mm-$dd")) {
+ $db['status'] = "Expired";
+ }
+
+
+ // Compatibility with migrated certs from openvpn-bridge
+ if (count($b) == 7) {
+ $db['serial'] = $a[3];
+ $db['country'] = $b[1];
+ $db['province'] = $b[2];
+ $db['locality'] = '';
+ $db['organization'] = $b[3];
+ $db['issuer'] = '';
+ $db['unit'] = $b[4];
+ $db['common_name'] = $b[5];
+ $db['email'] = $b[6];
+ } // Compatibility with renewed certs from openvpn-bridge
+ elseif (count($b) == 8) {
+ $db['serial'] = $a[3];
+ $db['country'] = $b[1];
+ $db['province'] = $b[2];
+ $db['locality'] = $b[3];
+ $db['organization'] = $b[4];
+ $db['issuer'] = '';
+ $db['unit'] = $b[5];
+ $db['common_name'] = $b[6];
+ $db['email'] = $b[7];
+ } // Else, it's a certificate created with phpki
+ else {
+ $db['serial'] = $a[3];
+ $db['country'] = $b[1];
+ $db['province'] = $b[2];
+ $db['locality'] = $b[3];
+ $db['organization'] = $b[4];
+ $db['issuer'] = $b[5];
+ $db['unit'] = $b[6];
+ $db['common_name'] = $b[7];
+ $db['email'] = $b[8];
+ }
- return $db;
+ return $db;
}
//
// Returns the date & time a specified certificate is revoked,
// Returns FALSE if the certificate is not revoked.
//
-function CAdb_is_revoked($serial) {
- global $config;
- $regexp = "^R\t.*\t.*\t$serial\t.*\t.*$";
- $x = exec('egrep '.escshellarg($regexp).' '.$config['index']);
-
- if ($x) {
- list($j,$j,$revoke_date,$j,$j,$j) = explode("\t", $x);
- // Revoke date = 'R' + start date and is in this format
- // 200227162209Z
- sscanf($revoke_date, "%2s%2s%2s",$yy,$mm,$dd);
- return strftime("%b %d, %Y", strtotime("$yy-$mm-$dd"));
- }
- else
- return false;
+function CAdb_is_revoked($serial)
+{
+ global $config;
+ $regexp = "^R\t.*\t.*\t$serial\t.*\t.*$";
+ $x = exec('egrep '.escshellarg($regexp).' '.$config['index']);
+
+ if ($x) {
+ list($j,$j,$revoke_date,$j,$j,$j) = explode("\t", $x);
+ // Revoke date = 'R' + start date and is in this format
+ // 200227162209Z
+ sscanf($revoke_date, "%2s%2s%2s", $yy, $mm, $dd);
+ return strftime("%b %d, %Y", strtotime("$yy-$mm-$dd"));
+ } else {
+ return false;
+ }
}
//
// Returns TRUE if a certificate is valid, otherwise FALSE.
//
-function CAdb_is_valid($serial) {
- global $config;
- $regexp = "^V\t.*\t.*\t$serial\t.*\t.*$";
-
- if (exec('egrep '.escshellarg($regexp).' '.$config['index']))
- return true;
- else
- return false;
+function CAdb_is_valid($serial)
+{
+ global $config;
+ $regexp = "^V\t.*\t.*\t$serial\t.*\t.*$";
+
+ if (exec('egrep '.escshellarg($regexp).' '.$config['index'])) {
+ return true;
+ } else {
+ return false;
+ }
}
//
// Returns the long-form certificate description as output by
// openssl x509 -in certificatefile -text -purpose
//
-function CA_cert_text($serial) {
- global $config;
- $certfile = $config['new_certs_dir'] . '/' . $serial . '.pem';
- return(shell_exec(X509.' -in '.escshellarg($certfile).' -text -purpose 2>&1'));
+function CA_cert_text($serial)
+{
+ global $config;
+ $certfile = $config['new_certs_dir'] . '/' . $serial . '.pem';
+ return(shell_exec(X509.' -in '.escshellarg($certfile).' -text -purpose 2>&1'));
}
//
// Returns the long-form text of the Certificate Revocation List
-// openssl crl -in crlfile -text
+// openssl crl -in crlfile -text
//
-function CA_crl_text() {
- global $config;
- $crlfile = $config['cacrl_pem'];
- return(shell_exec(CRL.' -in '.escshellarg($crlfile).' -text 2>&1'));
+function CA_crl_text()
+{
+ global $config;
+ $crlfile = $config['cacrl_pem'];
+ return(shell_exec(CRL.' -in '.escshellarg($crlfile).' -text 2>&1'));
}
// Returns the static takey.pem file
-function ta_key_text() {
+function ta_key_text()
+{
global $config;
return(shell_exec('cat '.escshellarg($config['private_dir']).'/takey.pem 2>&1'));
}
// Returns the dhparam file
-function dhparam_text() {
+function dhparam_text()
+{
global $config;
return(shell_exec('cat '.escshellarg($config['private_dir']).'/dhparam2048.pem 2>&1'));
}
// Returns the root CA certificate file (PEM Encoded)
-function root_pem_text() {
+function root_pem_text()
+{
global $config;
return(shell_exec('cat '.escshellarg($config['cacert_pem']).' 2>&1'));
}
@@ -490,416 +536,447 @@
//
// Returns the subject of a certificate.
//
-function CA_cert_subject($serial) {
- global $config;
- $certfile = $config['new_certs_dir'] . '/' . $serial . '.pem';
- $x = exec(X509.' -in '.escshellarg($certfile).' -noout -subject 2>&1');
- return(str_replace('subject=', '', $x));
+function CA_cert_subject($serial)
+{
+ global $config;
+ $certfile = $config['new_certs_dir'] . '/' . $serial . '.pem';
+ $x = exec(X509.' -in '.escshellarg($certfile).' -noout -subject 2>&1');
+ return(str_replace('subject=', '', $x));
}
//
// Returns the common name of a certificate.
//
-function CA_cert_cname($serial) {
- global $config;
- #return(ereg_replace('^.*/CN=(.*)/.*','\\1',CA_cert_subject($serial)));
- return(preg_replace('/^.*\/CN=(.*)\/.*/','${1}',CA_cert_subject($serial)));
-
+function CA_cert_cname($serial)
+{
+ global $config;
+ #return(ereg_replace('^.*/CN=(.*)/.*','\\1',CA_cert_subject($serial)));
+ return(preg_replace('/^.*\/CN=(.*)\/.*/', '${1}', CA_cert_subject($serial)));
}
//
// Returns the email address of a certificate.
//
-function CA_cert_email($serial) {
- global $config;
- $certfile = $config['new_certs_dir'] . '/' . $serial . '.pem';
- $x = exec(X509.' -in '.escshellarg($certfile).' -noout -email 2>&1');
- return($x);
+function CA_cert_email($serial)
+{
+ global $config;
+ $certfile = $config['new_certs_dir'] . '/' . $serial . '.pem';
+ $x = exec(X509.' -in '.escshellarg($certfile).' -noout -email 2>&1');
+ return($x);
}
//
// Returns the effective date of a certificate.
//
-function CA_cert_startdate($serial) {
- global $config;
- $certfile = $config['new_certs_dir'] . '/' . $serial . '.pem';
- $x = exec(X509.' -in '.escshellarg($certfile).' -noout -startdate 2>&1');
- return(str_replace('notBefore=','',$x));
+function CA_cert_startdate($serial)
+{
+ global $config;
+ $certfile = $config['new_certs_dir'] . '/' . $serial . '.pem';
+ $x = exec(X509.' -in '.escshellarg($certfile).' -noout -startdate 2>&1');
+ return(str_replace('notBefore=', '', $x));
}
//
// Returns the expiration date of a certificate.
//
-function CA_cert_enddate($serial) {
- global $config;
- $certfile = $config['new_certs_dir'] . '/' . $serial . '.pem';
- $x = exec(X509.' -in '.escshellarg($certfile).' -noout -enddate 2>&1');
- return(str_replace('notAfter=','',$x));
+function CA_cert_enddate($serial)
+{
+ global $config;
+ $certfile = $config['new_certs_dir'] . '/' . $serial . '.pem';
+ $x = exec(X509.' -in '.escshellarg($certfile).' -noout -enddate 2>&1');
+ return(str_replace('notAfter=', '', $x));
}
//
// Revokes a specified certificate.
//
-function CA_revoke_cert($serial) {
- global $config;
-
- $fd = fopen($config['index'],'a');
- flock($fd, LOCK_EX);
+function CA_revoke_cert($serial)
+{
+ global $config;
+
+ $fd = fopen($config['index'], 'a');
+ flock($fd, LOCK_EX);
+
+ $certfile = $config['new_certs_dir'] . "/$serial.pem";
+ $cmd_output[] = 'Revoking the certificate.';
+ $configCa_pwd = $config['ca_pwd'];
+ $configOpenssl_cnf = $config['openssl_cnf'];
+ exec(CA." -config $configOpenssl_cnf -revoke ".escshellarg($certfile)." -passin pass:$ConfigCa_pwd 2>&1", $cmd_output, $ret);
+
+ if ($ret == 0) {
+ unset($cmd_output);
+ list($ret, $cmd_output[]) = CA_generate_crl();
+ }
- $certfile = "$config[new_certs_dir]/$serial.pem";
-
- $cmd_output[] = 'Revoking the certificate.';
- exec(CA." -config '$config[openssl_cnf]' -revoke ".escshellarg($certfile)." -passin pass:'$config[ca_pwd]' 2>&1", $cmd_output, $ret);
-
- if ($ret == 0) {
- unset($cmd_output);
- list($ret, $cmd_output[]) = CA_generate_crl();
- }
-
- fclose($fd);
+ fclose($fd);
- return array(($ret == true || $ret == 0 ? true : false), implode('This was likely caused by entering the wrong certificate password. ';
- else
- $cmd_output[] = 'Click on the "Help" link above for information on how to report this problem. ';
+ #Unlock the CA database
+ fclose($fd);
+
+ # https://github.com/radicand/phpki/issues/14
+ if (preg_match('E-mail Protection', $certtext) && preg_match('Code Signing', $certtest)) {
+ $cert_type = 'email_signing';
+ }
+ if (preg_match('E-mail Protection', $certtext)) {
+ $cert_type = 'email';
+ }
+
+ #Remove temporary openssl config file.
+ if (file_exists($cnf_file)) {
+ unlink($cnf_file);
+ }
+
+ if ($ret == 0) {
+ return array(true, $serial);
+ } else {
+ # Not successful, so clean up before exiting.
+ CA_remove_cert($serial);
+
+ if (eregi_array('.*private key.*', $cmd_output)) {
+ $cmd_output[] = 'This was likely caused by entering the wrong certificate password. ';
+ } else {
+ $cmd_output[] = 'Click on the "Help" link above for information on how to report this problem. ';
+ }
- return array(false, implode('Root Certificate (PEM Encoded)
+
+
+
+
+
+ Root Certificate (PEM Encoded)
-
-
-
-
-
-
- Certificate Authority Issuer's Statement
+ Certificate Authority Issuer's Statement
+
-Certificate Authority Issuer's Statement
-
-This is a private Limited Liability certificate authority for use by member
-non-profit agencies.
-
-Certificate non-repudiation is achieved via identity verification by password
-authorized certificate managers from each member agency.
+
Certificate Authority Issuer's Statement
+
+ This is a private Limited Liability certificate authority for use by member non-profit agencies.
+
+ Certificate non-repudiation is achieved via identity verification by password authorized certificate managers from each member agency.
diff -ruN phpki-ng.old/phpki-ng-0.84/readme.php phpki-ng/phpki-ng-0.84/readme.php
--- phpki-ng.old/phpki-ng-0.84/readme.php 2020-04-02 14:22:47.000000000 +0200
+++ phpki-ng/phpki-ng-0.84/readme.php 2021-03-07 19:33:03.081323860 +0100
@@ -10,4 +10,3 @@
readfile('./README.md');
print '';
printFooter();
-?>
diff -ruN phpki-ng.old/phpki-ng-0.84/search.php phpki-ng/phpki-ng-0.84/search.php
--- phpki-ng.old/phpki-ng-0.84/search.php 2020-04-02 14:22:47.000000000 +0200
+++ phpki-ng/phpki-ng-0.84/search.php 2021-03-07 19:33:03.081323860 +0100
@@ -15,132 +15,137 @@
$show_expired = gpvar('show_expired');
# Force stage back to search form if search string is empty.
-if ($stage == "search" && ! $search) $stage = "";
+if ($stage == "search" && ! $search) {
+ $stage = "";
+}
# Force filter to (V)alid certs if no search status is selected.
-if ( !($show_valid.$show_revoked.$show_expired) ) $show_valid = 'V';
+if (!($show_valid.$show_revoked.$show_expired)) {
+ $show_valid = 'V';
+}
switch ($stage) {
-case 'display':
- printHeader('about');
+ case 'display':
+ printHeader('about');
+
+ print '
+ Certificate Details (#'.htvar($serial).') Certificate Details (#'.htvar($serial).') REVOKED '.htvar($revoke_date).' '.htvar(CA_cert_text($serial)).' ';
- break;
-
-case 'download':
- $rec = CAdb_get_entry($serial);
- upload("$config[cert_dir]/$serial.der", "$rec[common_name].cer", 'application/pkix-cert');
+ if ($revoke_date = CAdb_is_revoked($serial)) {
+ print 'REVOKED '.htvar($revoke_date).' '.htvar(CA_cert_text($serial)).' ';
break;
-case 'download_pem':
- $rec = CAdb_get_entry($serial);
- upload("$config[new_certs_dir]/$serial.pem", "$rec[common_name].pem", 'application/pkix-cert');
- break;
-
-case 'search':
- printHeader('public');
-
- $db = CAdb_to_array("^[${show_valid}${show_revoked}${show_expired}].*$search");
-
- print '';
- if (sizeof($db) == 0) {
- ?>
-
- Nothing Found
-
-
- ';
- print 'CERTIFICATE SEARCH RESULTS
+ Nothing Found
+
+
+ ';
+ print 'CERTIFICATE SEARCH RESULTS ';
+ foreach ($headings as $field => $head) {
+ print ''.htvar($head). ' ';
+ }
+ print ' ';
+
+ foreach ($db as $rec) {
+ $stcolor = array(Valid=>'green',Revoked=>'red',Expired=>'orange');
- print '';
- foreach($headings as $field=>$head) {
- print ''.htvar($head). ' ';
+ ?>
+
+ ';
+ }
+
+ ?>
+
+
+
+ 'green',Revoked=>'red',Expired=>'orange');
+ default:
+ printHeader('public');
- ?>
-
- ';
- }
-
- ?>
-
-
-
-
-
- Certificate Search
- Certificate Search
+ ERROR(S) IN FORM: ' . $er . ' Creating PHPki file store... Writing configuration files... Creating PHPki file store... Writing configuration files...
EOS;
- #
- # Write out the CA configuration file.
- #
- $fd = fopen("$store_dir/config/config.php",'w');
- fwrite($fd, $config_main_txt);
- fclose($fd);
+ #
+ # Write out the CA configuration file.
+ #
+ $fd = fopen("$store_dir/config/config.php", 'w');
+ fwrite($fd, $config_main_txt);
+ fclose($fd);
- #
- # Create the bootstrap configuration
- #
- $config_boot_txt = <<
EOS;
- #
- # Write out the bootstrap config
- #
- $fd = fopen('./config.php','w');
- fwrite($fd, $config_boot_txt);
- fclose($fd);
-
-
- # Re-read the CA config file so the openssl_functions
- # can be used to create a CA root certificate.
- include("$store_dir/config/config.php");
-
- #
- # Now create a temporary openssl.cnf for creating a self-signed
- # CA root certificate, and create a generic openssl.cnf file
- # in the CA home
- #
- $config_txt1 = <<< EOS
-HOME = $config[home_dir]
-RANDFILE = $config[random]
-dir = $config[ca_dir]
-certs = $config[cert_dir]
-crl_dir = $config[crl_dir]
-database = $config[index]
-new_certs_dir = $config[new_certs_dir]
-private_dir = $config[private_dir]
-serial = $config[serial]
-certificate = $config[cacert_pem]
-crl = $config[cacrl_pem]
-private_key = $config[cakey]
-crl_extensions = crl_ext
-default_days = 365
-default_crl_days= 30
-preserve = no
-default_md = $config[default_md]
+ #
+ # Write out the bootstrap config
+ #
+ $fd = fopen('./config.php', 'w');
+ fwrite($fd, $config_boot_txt);
+ fclose($fd);
+
+
+ # Re-read the CA config file so the openssl_functions
+ # can be used to create a CA root certificate.
+ include("$store_dir/config/config.php");
+
+ #
+ # Now create a temporary openssl.cnf for creating a self-signed
+ # CA root certificate, and create a generic openssl.cnf file
+ # in the CA home
+ #
+
+ $configHOME = $config['home_dir'];
+ $configRANDFILE = $config['random'];
+ $configCa_dir = $config['ca_dir'];
+ $configCert_dir = $config['cert_dir'];
+ $configCrl_dir = $config['crl_dir'];
+ $configDatabase = $config['index'];
+ $configNew_certs_dir = $config['new_certs_dir'];
+ $configPrivate_dir = $config['private_dir'];
+ $configSerial = $config['serial'];
+ $configCacert_pem = $config['cacert_pem'];
+ $configCacrl_pem = $config['cacrl_pem'];
+ $configCakey = $config['cakey'];
+ $configDefault_md = $config['default_md'];
+ $configBase_url = $config['base_url'];
+ $configCrl_dist = $config['crl_distrib'];
+ $configComment_root = $config['comment_root'];
+ $configPolicy_url = $config['policy_url'];
+ $configRevoke_url = $config['revoke_url'];
+ $configComment_email = $config['comment_email'];
+ $configComment_sign = $config['comment_sign'];
+ $configComment_srv = $config['comment_srv'];
+
+
+ $config_txt1 = "
+
+HOME = $configHOME
+RANDFILE = $configRANDFILE
+dir = $configCa_dir
+certs = $configCert_dir
+crl_dir = $configCrl_dir
+database = $configDatabase
+new_certs_dir = $configNew_certs_dir
+private_dir = $configPrivate_dir
+serial = $configSerial
+certificate = $configCacert_pem
+crl = $configCacrl_pem
+private_key = $configCakey
+crl_extentions = crl_ext
+default_days = 365
+default_crl_days = 30
+preserve = no
+default_md = $configDefault_md
[ ca ]
-default_ca = email_cert
+default_ca = email_cert
[ root_cert ]
-x509_extensions = root_ext
-default_days = 3650
-policy = policy_supplied
+x509_extensions = root_ext
+default_days = 3650
+policy = policy_supplied
[ email_cert ]
-x509_extensions = email_ext
-default_days = 365
-policy = policy_supplied
+x509_extensions = email_ext
+default_days = 365
+policy = policy_supplied
[ email_signing_cert ]
-x509_extensions = email_signing_ext
-default_days = 365
-policy = policy_supplied
+x509_extensions = email_signing_ext
+default_days = 365
+policy = policy_supplied
[ server_cert ]
-x509_extensions = server_ext
-default_days = 365
-policy = policy_supplied
+x509_extensions = server_ext
+default_days = 365
+policy = policy_supplied
[ vpn_cert ]
-x509_extensions = vpn_client_server_ext
-default_days = 365
-policy = policy_supplied
+x509_extensions = vpn_client_server_ext
+default_days = 365
+policy = policy_supplied
[ time_stamping_cert ]
-x509_extensions = time_stamping_ext
-default_days = 365
-policy = policy_supplied
+x509_extensions = time_stamping_ext
+default_days = 365
+policy = policy_supplied
[ policy_supplied ]
-countryName = supplied
-stateOrProvinceName = supplied
-localityName = supplied
-organizationName = supplied
-organizationalUnitName = supplied
-commonName = supplied
-emailAddress = supplied
+countryName = supplied
+stateOrProvinceName = supplied
+localityName = supplied
+organizationName = supplied
+organizationalUnitName = supplied
+commonName = supplied
+emailAddress = supplied
[ root_ext ]
-basicConstraints = CA:true
-keyUsage = cRLSign, keyCertSign
-nsCertType = sslCA, emailCA, objCA
-subjectKeyIdentifier = hash
-subjectAltName = email:copy
-crlDistributionPoints = URI:$config[base_url]$config[crl_distrib]
-nsComment = $config[comment_root]
-#nsCaRevocationUrl =
-nsCaPolicyUrl = $config[base_url]$config[policy_url]
+basicConstraints = CA:true
+keyUsage = cRLSign, keyCertSign
+nsCertType = sslCA, emailCA, objCA
+subjectKeyIdentifier = hash
+subjectAltName = email:copy
+crlDistributionPoints = URI:$configBase_url$configCrl_dist
+nsComment = $configComment_root
+#nsCaRevocationUrl =
+nsCaPolicyUrl = $configBase_url$configPolicy_url
[ email_ext ]
-basicConstraints = critical, CA:false
-keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
-extendedKeyUsage = critical, emailProtection, clientAuth
-nsCertType = critical, client, email
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always, issuer:always
-subjectAltName = email:copy
-issuerAltName = issuer:copy
-crlDistributionPoints = URI:$config[base_url]$config[crl_distrib]
-nsComment = $config[comment_email]
-nsBaseUrl = $config[base_url]
-nsRevocationUrl = $config[revoke_url]
-#nsRenewalUrl =
-nsCaPolicyUrl = $config[base_url]$config[policy_url]
-#nsSslServerName =
+basicConstraints = critical, CA:false
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = critical, emailProtection, clientAuth
+nsCertType = critical, client, email
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always, issuer:always
+subjectAltName = email:copy
+issuerAltName = issuer:copy
+crlDistributionPoints = URI:$configBase_url$configCrl_dist
+nsComment = $configComment_email
+nsBaseUrl = $configBase_url
+nsRevocationUrl = $configRevoke_url
+#nsRenewalUrl =
+nsCaPolicyUrl = $configBase_url$configPolicy_url
+#nsSslServerName =
[ email_signing_ext ]
-basicConstraints = critical, CA:false
-keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
-extendedKeyUsage = critical, emailProtection, clientAuth, codeSigning
-nsCertType = critical, client, email
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always, issuer:always
-subjectAltName = email:copy
-issuerAltName = issuer:copy
-crlDistributionPoints = URI:$config[base_url]$config[crl_distrib]
-nsComment = $config[comment_sign]
-nsBaseUrl = $config[base_url]
-nsRevocationUrl = $config[revoke_url]
-#nsRenewalUrl =
-nsCaPolicyUrl = $config[base_url]$config[policy_url]
-#nsSslServerName =
+basicConstraints = critical, CA:false
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = critical, emailProtection, clientAuth, codeSigning
+nsCertType = critical, client, email
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always, issuer:always
+subjectAltName = email:copy
+issuerAltName = issuer:copy
+crlDistributionPoints = URI:$configBase_url$configCrl_dist
+nsComment = $configComment_sign
+nsBaseUrl = $configBase_url
+nsRevocationUrl = $configRevoke_url
+#nsRenewalUrl =
+nsCaPolicyUrl = $configBase_url$configPolicy_url
+#nsSslServerName =
[ server_ext ]
-basicConstraints = CA:false
-keyUsage = critical, digitalSignature, keyEncipherment
-nsCertType = critical, server
-extendedKeyUsage = critical, serverAuth, 1.3.6.1.5.5.7.3.1
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always, issuer:always
-subjectAltName = DNS:$common_name,email:copy
-issuerAltName = issuer:copy
-crlDistributionPoints = URI:$config[base_url]$config[crl_distrib]
-nsComment = $config[comment_srv]
-nsBaseUrl = $config[base_url]
-nsRevocationUrl = $config[revoke_url]
-nsCaPolicyUrl = $config[base_url]$config[policy_url]
+basicConstraints = critical, CA:false
+keyUsage = critical, digitalSignature, keyEncipherment
+nsCertType = server
+extendedKeyUsage = critical, serverAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always, issuer:always
+subjectAltName = $server_altnames
+issuerAltName = issuer:copy
+crlDistributionPoints = URI:$configBase_url$configCrl_dist
+nsComment = $configComment_srv
+nsBaseUrl = $configBase_url
+nsRevocationUrl = $configRevoke_url
+nsCaPolicyUrl = $configBase_url$configPolicy_url
[ time_stamping_ext ]
-basicConstraints = CA:false
-keyUsage = critical, nonRepudiation, digitalSignature
-extendedKeyUsage = timeStamping
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always, issuer:always
-subjectAltName = DNS:$common_name,email:copy
-issuerAltName = issuer:copy
-crlDistributionPoints = URI:$config[base_url]$config[crl_distrib]
-nsComment = $config[comment_stamp]
-nsBaseUrl = $config[base_url]
-nsRevocationUrl = $config[revoke_url]
-nsCaPolicyUrl = $config[base_url]$config[policy_url]
+basicConstraints = CA:false
+keyUsage = critical, nonRepudiation, digitalSignature
+extendedKeyUsage = timeStamping
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always, issuer:always
+subjectAltName = DNS:$common_name,email:copy
+issuerAltName = issuer:copy
+crlDistributionPoints = URI:$configBase_url$configCrl_dist
+nsComment = $config[comment_stamp]
+nsBaseUrl = $configBase_url
+nsRevocationUrl = $configRevoke_url
+nsCaPolicyUrl = $configBase_url$configPolicy_url
[ vpn_client_ext ]
-basicConstraints = critical, CA:false
-keyUsage = critical, digitalSignature
-extendedKeyUsage = critical, clientAuth
-nsCertType = critical, client
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always, issuer:always
-subjectAltName = DNS:$common_name,email:copy
+basicConstraints = critical, CA:false
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, clientAuth
+nsCertType = critical, client
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always, issuer:always
+subjectAltName = DNS:$common_name,email:copy
[ vpn_server_ext ]
-basicConstraints = critical, CA:false
-keyUsage = critical, digitalSignature, keyEncipherment
-extendedKeyUsage = critical, serverAuth
-nsCertType = critical, server
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always, issuer:always
-subjectAltName = DNS:$common_name,email:copy
+basicConstraints = critical, CA:false
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = critical, serverAuth
+nsCertType = critical, server
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always, issuer:always
+subjectAltName = DNS:$common_name,email:copy
[ vpn_client_server_ext ]
-basicConstraints = critical, CA:false
-keyUsage = critical, digitalSignature, keyEncipherment
-extendedKeyUsage = critical, serverAuth, clientAuth
-nsCertType = critical, server, client
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always, issuer:always
-subjectAltName = DNS:$common_name,email:copy
+basicConstraints = critical, CA:false
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = critical, serverAuth, clientAuth
+nsCertType = critical, server, client
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always, issuer:always
+subjectAltName = DNS:$common_name,email:copy
[ crl_ext ]
issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
+";
-EOS;
-
- $config_txt2 = <<< EOS
+ $config_txt2 = <<< EOS
[ req ]
-default_bits = 2048
-default_keyfile = privkey.pem
-distinguished_name = req_name
-string_mask = nombstr
-req_extensions = req_ext
+default_bits = 2048
+default_keyfile = privkey.pem
+distinguished_name = req_name
+string_mask = nombstr
+req_extensions = req_ext
[ req_name]
-countryName = Country Name (2 letter code)
-countryName_default = US
-countryName_min = 2
-countryName_max = 2
+countryName = Country Name (2 letter code)
+countryName_default = US
+countryName_min = 2
+countryName_max = 2
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default =
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default =
-localityName = Locality Name (eg, city)
-localityName_default =
+localityName = Locality Name (eg, city)
+localityName_default =
-0.organizationName = Organization Name (eg, company)
-0.organizationName_default =
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default =
-1.organizationName = Second Organization Name (eg, company)
-1.organizationName_default =
+1.organizationName = Second Organization Name (eg, company)
+1.organizationName_default =
-organizationalUnitName = Organizational Unit Name (eg, section)
-organizationalUnitName_default =
+organizationalUnitName = Organizational Unit Name (eg, section)
+organizationalUnitName_default =
-commonName = Common Name (eg, YOUR name)
+commonName = Common Name (eg, YOUR name)
-emailAddress = Email Address or Web URL
+emailAddress = Email Address or Web URL
[ req_ext ]
basicConstraints = critical, CA:false
@@ -545,23 +625,31 @@
EOS;
- $config_txt3 = <<< EOS
+ $configCountry = $config['country'];
+ $configProvince = $config['province'];
+ $configLocality = $config['locality'];
+ $configOrganization = $config['organization'];
+ $configUnit = $config['unit'];
+ $configCommon_name = $config['common_name'];
+ $configEmailaddress = $config['contact'];
+
+ $config_txt3 = <<< EOS
[ req ]
-default_bits = 2048
-default_keyfile = privkey.pem
-distinguished_name = req_name
-string_mask = nombstr
-req_extensions = req_ext
-prompt = no
+default_bits = 2048
+default_keyfile = privkey.pem
+distinguished_name = req_name
+string_mask = nombstr
+req_extensions = req_ext
+prompt = no
[ req_name ]
-C = $config[country]
-ST = $config[province]
-L = $config[locality]
-O = $config[organization]
-OU = $config[unit]
-CN = $config[common_name]
-emailAddress = $config[contact]
+C = $configCountry
+ST = $configProvince
+L = $configLocality
+O = $configOrganization
+OU = $configUnit
+CN = $configCommon_name
+emailAddress = $configEmailaddress
[ req_ext ]
basicConstraints = critical, CA:true
@@ -569,163 +657,217 @@
EOS;
- #
- # Write the permanent OpenSSL config
- #
- $fd = fopen($config['openssl_cnf'],'w');
- fwrite($fd, $config_txt1 . $config_txt2);
- fclose($fd);
-
- #
- # Write the temporary OpenSSL config
- #
- $tmp_cnf = "$config[home_dir]/tmp/openssl.cnf";
- $fd = fopen($tmp_cnf,'w');
- fwrite($fd, $config_txt1 . $config_txt3);
- fclose($fd);
-
- #
- # Intialize index.txt and serial files
- #
- $fd = fopen($config['index'],'w');
- fwrite($fd, "");
- fclose($fd);
- #
- $fd = fopen($config['serial'],'w');
- fwrite($fd, "100001");
- fclose($fd);
-
- #
- # Convert expiry years to approximate days.
- #
- $days = $config['expiry'] * 365.25;
-
-
- #
- # Create a new self-signed CA certificate in PEM format.
- #
- print 'Creating root certificate... Generating certificate revocation list... Creating 1024 bit Diffie-Hellman parameters used by OpenVPN.
Creating 2048 bit Diffie-Hellman parameters used by OpenVPN.
Creating a TLS authentication key used by OpenVPN. Creating root certificate... Generating certificate revocation list...
Creating 1024 bit Diffie-Hellman parameters used by OpenVPN.
Creating 2048 bit Diffie-Hellman parameters used by OpenVPN.
- Setup is complete. Your CA root certificate as been created.
- SECURITY WARNING! Be sure to run the secure.sh shell script as the root user. ';
- }
- ?>
-
-
- Creating a TLS authentication key used by OpenVPN.
+ Setup is complete. Your CA root certificate as been created.
+ SECURITY WARNING! Be sure to run the secure.sh shell script as the root user. ';
+ }
+ ?>
+
+
+ Contact:someone@somewhere.com E-mail is preferred. 
';
-
- if ($rec['status'] == 'Valid') {
- print '
- '.
- '
- '.
- '
';
- }
- print '
- '.
- '
- 
-
-
-
-
-
-
-
-
-
-
