Allow import of PKCS12 (pfx) certificates. Issue #8645
Renew cert with IP Address SAN. Issue #10362
Require service-utils.inc before using a function from it. Fixes #10360
Server cert lifetime reduced to 398. Fixes #9825
New requirements coming this fall will require new certs to be valid for at most 398 days. Set up this new requirement now, rather than waiting.
While here, reduce usage of hardcoded value where possible.
This is 2020. Issue #9245
Merge pull request #4132 from vktg/hidenoprvcerts
parenthesis fix
fix
Merge pull request #4122 from vktg/ecdsarenew
do not show certs without prv by default
curve_compatible_list - array of all compat curves
typo
prime256v1 ec curve for renew
When refreshing CRLs, increment suffix, do not clean up. Fixes #9915
While here, fix a bug with refresh path.
Correctly populate CRL issuer in crl_contains_cert. Fixes #9924
Add 'none' option to cert_build_list. Issue #9923
Restructure OpenVPN settings directory layout
Add select_source compatible output to cert_build_list(). Implements #9923
Update OpenVPN EC list based on testing. Issue #9744
OpenVPN ECDH/ECDSA filtering. Fixes #9744
Can be revisited in the future if the corresponding OpenVPN bug is resolved.
Move CA random serial option to upper section. Issue #9883
This allows it to be set when creating a new CA, so it doesn't have to be edited in later.
Also show the next serial/random status in the CA info block
Hide trust store line from non-CA entries since it's not relevant to...
Rename IPsec "RSA" options to "Certificate". Implements #9903
Attempt to fetch EC curve OID if name is blank. Issue #9745
Certificate date calculation changes. Fixes #9899
Make the certificate date calculation more general and also try multiple ways to determine the date (both timestamp and unix timestamp).
Catch cases where one or the other date fails to calculate to avoid errors....
GUI improvements for ECDSA certificate handling
Change default ECDSA curve to prime256v1. Issue #9843
Previous default was brainpool, but brainpool curves are not (widely?) supported by browsers and were deprecated by IETF for TLS v1.3
Use more accurate date calculations for CA/Cert operations.
Otherwise calculations could fail on ARM
Validate CA/CRL serial input. Issue #9883 Issue #9869
Enforce a max lifetime for CA/Cert/CRL. Issue #3956
Add support for randomized cert serial numbers. Implements #9883
CRL management overhaul
Add option to trust local CA entries. Implements #4068
Similar to closed PR #3558 from overhacked, but with a number of changes.
Make value of cert notify setting consistent with others. Issue #7332
Certificate strength improvements. Fixes #9825
Add daily certificate expiration notice. Issue #7332
Add missing newline after Must Staple cert info.
Add settings to control certificate expiration notifications. Issue #7332
Note that the notices themselves do not yet exist. Those are still a work in progress.
Add certificate lifetime to infoblock. Issue #7332
Show detailed infoblock on CA and Cert pages. Implements #9856
Add GUI code and more backend for CA/Cert Renewal. Issue #9842
Merge pull request #4104 from vktg/geneckey
Add ca/certificate renew function backend (no GUI code yet). Issue #9842
spaces to tabs
fixes
initial version
Fix copyright message years to reflect BSDP -> ESF -> Netgate
Correct OCSP Must-Staple cert check for OpenSSL 1.1.1. Fixes #9408
Update copyright notices to 2019. Happy New Year
If the cert date is negative, use DateTime instead of date. Fixes #9100
Prevent CRL from using too large a lifetime on ARM. Fixes #9098
Change CRL generation to a pure PHP implementation which works with PHP 7.2 (and 5.6)
The old OpenSSL CRL patch we had been using does not work with 7.2, and this way also opens up some new possibilities for enhancing the CRL settings we can offer in the...
Remove constants that were defined by an OpenSSL patch that has been removed.
Fix function name typo
Add function to detect OCSP Must Staple certs. Ticket #8418 and Ticket #8299
Update the Copyright notice for pfSense.
Change how SANs are generated from the CN, considering that not all CNs will produce a valid SAN. Fixes #8252
When retrieving a public key for a certificate, private key, or signing request, write the certificate data out to a temp file instead of echoing it through a pipe. Fixes #8153
Revert "Mitigate possible vuln in cert manager"
This reverts commit 1a68f4badd58de8694ac6a4208e11d7265c97df3.
Mitigate possible vuln in cert manager
Fix handling of wildcard CN/SAN entries in certificates. Fixes #7994
Add a field to pick a digest algo when signing a CSR, otherwise it ends up with SHA1. Fixes #7853
While here, add the cert serial number and sig digest type to the info block for each cert.
Fix CA reference so serial increases properly. Remove variable for feature that didn't work out. Ticket #7527
Restructure how certificate types and SANs are handled in the cert manager when making a Cert/CSR/Signing, so each section can properly use the controls without duplicating. It is now possible to add SANs and EKUs to certificates when signing using the certificate manager. Fixes #7527 and also Fixes #7677...
Add the ability to set certificate type and SAN attributes in a CSR. Ticket #7527
TODO: They are not carried over after signing in the GUI
Fix some additional cases for CN->SAN handling, and move some code to a function to avoid duplication for other pending uses. Ticket #7666
Allow a wider range of characters to be used in certificate fields, as laid out by RFC 4514. Fixes #7540
Show SAN, KU, and EKU info in the certificate list. Implements #7505
While here, also fix "server" cert detection to key off of the EKU for "TLS Web Server Authentication" since nsCertType has been deprecated.
Merge pull request #3699 from PiBa-NL/20170417-certificatemanager-ca-crl-inuse
certificate manager, allow importing of ECC certificates, change multiple 'if' to 'switch'
certificate manager, show 'in use' also for CA and CRL where certificates are in use by packages.
certificate manager, allow importing of ECC certificates
Remove whirlpool from the list of CA/Cert digest algorithms as it does not work properly. OpenSSL claims it's not valid ("unknown signature algorithm"). Fixes #7370
While I'm here, stop needlessly repeating the algo list, it's a global in certs.inc, so use that single copy of the list.
certificatemanager, link certificate to the proper CA after completing the CSR request
Fix certificate generation for CAs without a serial set on import. Fixes #6952
Add some CA in-use test utility functions. Ticket #6947
Put original match back
Did not mean to remove SSL substring from the check...
Fix nsCertType matching for some certificates (Bug #6877)
See https://redmine.pfsense.org/issues/6877#note-4
Move copyright from ESF to Netgate
Move to Apache License 2.0
Review license / copyright on all files (1st round)
Merge pull request #2994 from stilez/patch-31
Get modulus keysize
Useful utility function when it's necessary to verify that existing keys meet current practices
Add missing recommended digest
Do not allow certificate to be deleted if it's been used by a package. Fixes #4142
Update license on files from /etc/inc
Remove all pfSense_MODULE and pfSense_BUILDER_BINARIES definitions, whatever was the reason they were added, it was never finished and it's not being used
etc inc delete $Id comments
and bits of white space.
Note: There are plenty of files still with old-format copyright sections in here.
Add 'caref' attribute to the ca object passed into ca_inter_create so a relationship to the signing CA can be maintained. Fixes #5313.
Move main pfSense content to src/