gettext("Create an internal Certificate Authority"), "existing" => gettext("Import an existing Certificate Authority"), "intermediate" => gettext("Create an intermediate Certificate Authority")); $ca_keylens = array("1024", "2048", "3072", "4096", "6144", "7680", "8192", "15360", "16384"); $ca_keytypes = array("RSA", "ECDSA"); global $openssl_digest_algs; global $cert_strict_values; $max_lifetime = cert_get_max_lifetime(); $default_lifetime = min(3650, $max_lifetime); $openssl_ecnames = cert_build_curve_list(); $class = "success"; init_config_arr(array('ca')); $a_ca = &$config['ca']; init_config_arr(array('cert')); $a_cert = &$config['cert']; init_config_arr(array('crl')); $a_crl = &$config['crl']; $act = $_REQUEST['act']; if (isset($_REQUEST['id']) && ctype_alnum($_REQUEST['id'])) { $id = $_REQUEST['id']; } if (!empty($id)) { $thisca =& lookup_ca($id); } /* Actions other than 'new' require an ID. * 'del' action must be submitted via POST. */ if ((!empty($act) && ($act != 'new') && !$thisca) || (($act == 'del') && empty($_POST))) { pfSenseHeader("system_camanager.php"); exit; } switch ($act) { case 'del': $name = htmlspecialchars($thisca['descr']); if (cert_in_use($id)) { $savemsg = sprintf(gettext("Certificate %s is in use and cannot be deleted"), $name); $class = "danger"; } else { /* Only remove CA reference when deleting. It can be reconnected if a new matching CA is imported */ foreach ($a_cert as $cid => $acrt) { if ($acrt['caref'] == $thisca['refid']) { unset($a_cert[$cid]['caref']); } } /* Remove any CRLs for this CA, there is no way to recover the connection once the CA has been removed. */ foreach ($a_crl as $cid => $acrl) { if ($acrl['caref'] == $thisca['refid']) { unset($a_crl[$cid]); } } /* Delete the CA */ foreach ($a_ca as $cid => $aca) { if ($aca['refid'] == $thisca['refid']) { unset($a_ca[$cid]); } } $savemsg = sprintf(gettext("Deleted Certificate Authority %s and associated CRLs"), htmlspecialchars($name)); write_config($savemsg); ca_setup_trust_store(); } unset($act); break; case 'edit': /* Editing an existing CA, so populate values. */ $pconfig['method'] = 'existing'; $pconfig['descr'] = $thisca['descr']; $pconfig['refid'] = $thisca['refid']; $pconfig['cert'] = base64_decode($thisca['crt']); $pconfig['serial'] = $thisca['serial']; $pconfig['trust'] = ($thisca['trust'] == 'enabled'); $pconfig['randomserial'] = ($thisca['randomserial'] == 'enabled'); if (!empty($thisca['prv'])) { $pconfig['key'] = base64_decode($thisca['prv']); } break; case 'new': /* New CA, so set default values */ $pconfig['method'] = $_POST['method']; $pconfig['keytype'] = "RSA"; $pconfig['keylen'] = "2048"; $pconfig['ecname'] = "prime256v1"; $pconfig['digest_alg'] = "sha256"; $pconfig['lifetime'] = $default_lifetime; $pconfig['dn_commonname'] = "internal-ca"; break; case 'exp': /* Exporting a ca */ send_user_download('data', base64_decode($thisca['crt']), "{$thisca['descr']}.crt"); break; case 'expkey': /* Exporting a private key */ send_user_download('data', base64_decode($thisca['prv']), "{$thisca['descr']}.key"); break; default: break; } if ($_POST['save']) { unset($input_errors); $input_errors = array(); $pconfig = $_POST; /* input validation */ switch ($pconfig['method']) { case 'existing': $reqdfields = explode(" ", "descr cert"); $reqdfieldsn = array( gettext("Descriptive name"), gettext("Certificate data")); /* Make sure we do not have invalid characters in the fields for the certificate */ if (preg_match("/[\?\>\<\&\/\\\"\']/", $_POST['descr'])) { array_push($input_errors, gettext("The field 'Descriptive Name' contains invalid characters.")); } if ($_POST['cert'] && (!strstr($_POST['cert'], "BEGIN CERTIFICATE") || !strstr($_POST['cert'], "END CERTIFICATE"))) { $input_errors[] = gettext("This certificate does not appear to be valid."); } if ($_POST['key'] && strstr($_POST['key'], "ENCRYPTED")) { $input_errors[] = gettext("Encrypted private keys are not yet supported."); } if (!$input_errors && !empty($_POST['key']) && cert_get_publickey($_POST['cert'], false) != cert_get_publickey($_POST['key'], false, 'prv')) { $input_errors[] = gettext("The submitted private key does not match the submitted certificate data."); } /* we must ensure the certificate is capable of acting as a CA * https://redmine.pfsense.org/issues/7885 */ if (!$input_errors) { $purpose = cert_get_purpose($_POST['cert'], false); if ($purpose['ca'] != 'Yes') { $input_errors[] = gettext("The submitted certificate does not appear to be a Certificate Authority, import it on the Certificates tab instead."); } } break; case 'internal': $reqdfields = explode(" ", "descr keylen ecname keytype lifetime dn_commonname"); $reqdfieldsn = array( gettext("Descriptive name"), gettext("Key length"), gettext("Elliptic Curve Name"), gettext("Key type"), gettext("Lifetime"), gettext("Common Name")); break; case 'intermediate': $reqdfields = explode(" ", "descr caref keylen ecname keytype lifetime dn_commonname"); $reqdfieldsn = array( gettext("Descriptive name"), gettext("Signing Certificate Authority"), gettext("Key length"), gettext("Elliptic Curve Name"), gettext("Key type"), gettext("Lifetime"), gettext("Common Name")); break; default: break; } do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors); if ($pconfig['method'] != "existing") { /* Make sure we do not have invalid characters in the fields for the certificate */ if (preg_match("/[\?\>\<\&\/\\\"\']/", $_POST['descr'])) { array_push($input_errors, gettext("The field 'Descriptive Name' contains invalid characters.")); } $pattern = '/[^a-zA-Z0-9\ \'\/~`\!@#\$%\^&\*\(\)_\-\+=\{\}\[\]\|;:"\<\>,\.\?\\\]/'; if (!empty($_POST['dn_commonname']) && preg_match($pattern, $_POST['dn_commonname'])) { $input_errors[] = gettext("The field 'Common Name' contains invalid characters."); } if (!empty($_POST['dn_state']) && preg_match($pattern, $_POST['dn_state'])) { $input_errors[] = gettext("The field 'State or Province' contains invalid characters."); } if (!empty($_POST['dn_city']) && preg_match($pattern, $_POST['dn_city'])) { $input_errors[] = gettext("The field 'City' contains invalid characters."); } if (!empty($_POST['dn_organization']) && preg_match($pattern, $_POST['dn_organization'])) { $input_errors[] = gettext("The field 'Organization' contains invalid characters."); } if (!empty($_POST['dn_organizationalunit']) && preg_match($pattern, $_POST['dn_organizationalunit'])) { $input_errors[] = gettext("The field 'Organizational Unit' contains invalid characters."); } if (!in_array($_POST["keytype"], $ca_keytypes)) { array_push($input_errors, gettext("Please select a valid Key Type.")); } if (!in_array($_POST["keylen"], $ca_keylens)) { array_push($input_errors, gettext("Please select a valid Key Length.")); } if (!in_array($_POST["ecname"], array_keys($openssl_ecnames))) { array_push($input_errors, gettext("Please select a valid Elliptic Curve Name.")); } if (!in_array($_POST["digest_alg"], $openssl_digest_algs)) { array_push($input_errors, gettext("Please select a valid Digest Algorithm.")); } if ($_POST['lifetime'] > $max_lifetime) { $input_errors[] = gettext("Lifetime is longer than the maximum allowed value. Use a shorter lifetime."); } } if (!empty($_POST['serial']) && !cert_validate_serial($_POST['serial'])) { $input_errors[] = gettext("Please enter a valid integer serial number."); } /* save modifications */ if (!$input_errors) { $ca = array(); if (!isset($pconfig['refid']) || empty($pconfig['refid'])) { $ca['refid'] = uniqid(); } else { $ca['refid'] = $pconfig['refid']; } if (isset($id) && $thisca) { $ca = $thisca; } $ca['descr'] = $pconfig['descr']; $ca['trust'] = ($pconfig['trust'] == 'yes') ? "enabled" : "disabled"; $ca['randomserial'] = ($pconfig['randomserial'] == 'yes') ? "enabled" : "disabled"; if ($act == "edit") { $ca['descr'] = $pconfig['descr']; $ca['refid'] = $pconfig['refid']; $ca['serial'] = $pconfig['serial']; $ca['crt'] = base64_encode($pconfig['cert']); $ca['prv'] = base64_encode($pconfig['key']); $savemsg = sprintf(gettext("Updated Certificate Authority %s"), $ca['descr']); } else { $old_err_level = error_reporting(0); /* otherwise openssl_ functions throw warnings directly to a page screwing menu tab */ if ($pconfig['method'] == "existing") { ca_import($ca, $pconfig['cert'], $pconfig['key'], $pconfig['serial']); $savemsg = sprintf(gettext("Imported Certificate Authority %s"), $ca['descr']); } else if ($pconfig['method'] == "internal") { $dn = array('commonName' => $pconfig['dn_commonname']); if (!empty($pconfig['dn_country'])) { $dn['countryName'] = $pconfig['dn_country']; } if (!empty($pconfig['dn_state'])) { $dn['stateOrProvinceName'] = $pconfig['dn_state']; } if (!empty($pconfig['dn_city'])) { $dn['localityName'] = $pconfig['dn_city']; } if (!empty($pconfig['dn_organization'])) { $dn['organizationName'] = $pconfig['dn_organization']; } if (!empty($pconfig['dn_organizationalunit'])) { $dn['organizationalUnitName'] = $pconfig['dn_organizationalunit']; } if (!ca_create($ca, $pconfig['keylen'], $pconfig['lifetime'], $dn, $pconfig['digest_alg'], $pconfig['keytype'], $pconfig['ecname'])) { $input_errors = array(); while ($ssl_err = openssl_error_string()) { if (strpos($ssl_err, 'NCONF_get_string:no value') === false) { array_push($input_errors, "openssl library returns: " . $ssl_err); } } } $savemsg = sprintf(gettext("Created internal Certificate Authority %s"), $ca['descr']); } else if ($pconfig['method'] == "intermediate") { $dn = array('commonName' => $pconfig['dn_commonname']); if (!empty($pconfig['dn_country'])) { $dn['countryName'] = $pconfig['dn_country']; } if (!empty($pconfig['dn_state'])) { $dn['stateOrProvinceName'] = $pconfig['dn_state']; } if (!empty($pconfig['dn_city'])) { $dn['localityName'] = $pconfig['dn_city']; } if (!empty($pconfig['dn_organization'])) { $dn['organizationName'] = $pconfig['dn_organization']; } if (!empty($pconfig['dn_organizationalunit'])) { $dn['organizationalUnitName'] = $pconfig['dn_organizationalunit']; } if (!ca_inter_create($ca, $pconfig['keylen'], $pconfig['lifetime'], $dn, $pconfig['caref'], $pconfig['digest_alg'], $pconfig['keytype'], $pconfig['ecname'])) { $input_errors = array(); while ($ssl_err = openssl_error_string()) { if (strpos($ssl_err, 'NCONF_get_string:no value') === false) { array_push($input_errors, "openssl library returns: " . $ssl_err); } } } $savemsg = sprintf(gettext("Created internal intermediate Certificate Authority %s"), $ca['descr']); } error_reporting($old_err_level); } if (isset($id) && $thisca) { $thisca = $ca; } else { $a_ca[] = $ca; } if (!$input_errors) { write_config($savemsg); ca_setup_trust_store(); pfSenseHeader("system_camanager.php"); } } } $pgtitle = array(gettext('System'), gettext('Certificate'), gettext('Authorities')); $pglinks = array("", "system_camanager.php", "system_camanager.php"); if ($act == "new" || $act == "edit" || $act == gettext("Save") || $input_errors) { $pgtitle[] = gettext('Edit'); $pglinks[] = "@self"; } include("head.inc"); if ($input_errors) { print_input_errors($input_errors); } if ($savemsg) { print_info_box($savemsg, $class); } $tab_array = array(); $tab_array[] = array(gettext('Authorities'), true, 'system_camanager.php'); $tab_array[] = array(gettext('Certificates'), false, 'system_certmanager.php'); $tab_array[] = array(gettext('Revocation'), false, 'system_crlmanager.php'); display_top_tabs($tab_array); if (!($act == "new" || $act == "edit" || $act == gettext("Save") || $input_errors)) { ?>

" class="btn btn-primary btn-sm"> " class="btn btn-info btn-sm">

">


" href="system_camanager.php?act=edit&id="> " href="system_camanager.php?act=exp&id="> " href="system_camanager.php?act=expkey&id="> "> " href="system_camanager.php?act=del&id=" usepost >
setAction('system_camanager.php?act=edit'); if (isset($id) && $thisca) { $form->addGlobal(new Form_Input( 'id', null, 'hidden', $id )); } if ($act == "edit") { $form->addGlobal(new Form_Input( 'refid', null, 'hidden', $pconfig['refid'] )); } $section = new Form_Section('Create / Edit CA'); $section->addInput(new Form_Input( 'descr', '*Descriptive name', 'text', $pconfig['descr'] ))->setHelp('The name of this entry as displayed in the GUI for reference.%s' . 'This name can contain spaces but it cannot contain any of the ' . 'following characters: %s', '
', "?, >, <, &, /, \, \", '"); if (!isset($id) || $act == "edit") { $section->addInput(new Form_Select( 'method', '*Method', $pconfig['method'], $ca_methods ))->toggles(); } $section->addInput(new Form_Checkbox( 'trust', 'Trust Store', 'Add this Certificate Authority to the Operating System Trust Store', $pconfig['trust'] ))->setHelp('When enabled, the contents of the CA will be added to the trust ' . 'store so that they will be trusted by the operating system.'); $section->addInput(new Form_Checkbox( 'randomserial', 'Randomize Serial', 'Use random serial numbers when signing certificates', $pconfig['randomserial'] ))->setHelp('When enabled, if this CA is capable of signing certificates then ' . 'serial numbers for certificates signed by this CA will be ' . 'automatically randomized and checked for uniqueness instead of ' . 'using the sequential value from Next Certificate Serial.'); $form->add($section); $section = new Form_Section('Existing Certificate Authority'); $section->addClass('toggle-existing collapse'); $section->addInput(new Form_Textarea( 'cert', '*Certificate data', $pconfig['cert'] ))->setHelp('Paste a certificate in X.509 PEM format here.'); $section->addInput(new Form_Textarea( 'key', 'Certificate Private Key (optional)', $pconfig['key'] ))->setHelp('Paste the private key for the above certificate here. This is '. 'optional in most cases, but is required when generating a '. 'Certificate Revocation List (CRL).'); $section->addInput(new Form_Input( 'serial', 'Next Certificate Serial', 'number', $pconfig['serial'] ))->setHelp('Enter a decimal number to be used as a sequential serial number for ' . 'the next certificate to be signed by this CA. This value is ignored ' . 'when Randomize Serial is checked.'); $form->add($section); $section = new Form_Section('Internal Certificate Authority'); $section->addClass('toggle-internal', 'toggle-intermediate', 'collapse'); $allCas = array(); foreach ($a_ca as $ca) { if (!$ca['prv']) { continue; } $allCas[ $ca['refid'] ] = $ca['descr']; } $group = new Form_Group('*Signing Certificate Authority'); $group->addClass('toggle-intermediate', 'collapse'); $group->add(new Form_Select( 'caref', null, $pconfig['caref'], $allCas )); $section->add($group); $section->addInput(new Form_Select( 'keytype', '*Key type', $pconfig['keytype'], array_combine($ca_keytypes, $ca_keytypes) )); $group = new Form_Group($i == 0 ? '*Key length':''); $group->addClass('rsakeys'); $group->add(new Form_Select( 'keylen', null, $pconfig['keylen'], array_combine($ca_keylens, $ca_keylens) ))->setHelp('The length to use when generating a new RSA key, in bits. %1$s' . 'The Key Length should not be lower than 2048 or some platforms ' . 'may consider the certificate invalid.', '
'); $section->add($group); $group = new Form_Group($i == 0 ? '*Elliptic Curve Name':''); $group->addClass('ecnames'); $group->add(new Form_Select( 'ecname', null, $pconfig['ecname'], $openssl_ecnames ))->setHelp('Curves may not be compatible with all uses. Known compatible curve uses are denoted in brackets.'); $section->add($group); $section->addInput(new Form_Select( 'digest_alg', '*Digest Algorithm', $pconfig['digest_alg'], array_combine($openssl_digest_algs, $openssl_digest_algs) ))->setHelp('The digest method used when the CA is signed. %1$s' . 'The best practice is to use SHA256 or higher. '. 'Some services and platforms, such as the GUI web server and OpenVPN, consider weaker digest algorithms invalid.', '
'); $section->addInput(new Form_Input( 'lifetime', '*Lifetime (days)', 'number', $pconfig['lifetime'], ['max' => $max_lifetime] )); $section->addInput(new Form_Input( 'dn_commonname', '*Common Name', 'text', $pconfig['dn_commonname'], ['placeholder' => 'e.g. internal-ca'] )); $section->addInput(new Form_StaticText( null, gettext('The following certificate authority subject components are optional and may be left blank.') )); $section->addInput(new Form_Select( 'dn_country', 'Country Code', $pconfig['dn_country'], get_cert_country_codes() )); $section->addInput(new Form_Input( 'dn_state', 'State or Province', 'text', $pconfig['dn_state'], ['placeholder' => 'e.g. Texas'] )); $section->addInput(new Form_Input( 'dn_city', 'City', 'text', $pconfig['dn_city'], ['placeholder' => 'e.g. Austin'] )); $section->addInput(new Form_Input( 'dn_organization', 'Organization', 'text', $pconfig['dn_organization'], ['placeholder' => 'e.g. My Company Inc'] )); $section->addInput(new Form_Input( 'dn_organizationalunit', 'Organizational Unit', 'text', $pconfig['dn_organizationalunit'], ['placeholder' => 'e.g. My Department Name (optional)'] )); $form->add($section); print $form; $internal_ca_count = 0; foreach ($a_ca as $ca) { if ($ca['prv']) { $internal_ca_count++; } } ?>