diff --git a/etc/ssl/openssl.cnf b/etc/ssl/openssl.cnf
deleted file mode 100644
index 5f612fbd3..000000000
--- a/etc/ssl/openssl.cnf
+++ /dev/null
@@ -1,309 +0,0 @@ -# $FreeBSD: src/crypto/openssl/apps/openssl.cnf,v 1.6 2004/03/17 17:44:38 nectar Exp $ -# -# OpenSSL example configuration file. -# This is mostly being used for generation of certificate requests. -# -# -# This definition stops the following lines choking if HOME isn't -# defined. -HOME = . -RANDFILE = $ENV::HOME/.rnd - -# default SAN value if $ENV::SAN is not defined -# -SAN = - -# Extra OBJECT IDENTIFIER info: -#oid_file = $ENV::HOME/.oid -oid_section = new_oids - -# To use this configuration file with the "-extfile" option of the -# "openssl x509" utility, name here the section containing the -# X.509v3 extensions to use: -# extensions = -# (Alternatively, use a configuration file that has only -# X.509v3 extensions in its main [= default] section.) - -[ new_oids ] - -# We can add new OIDs in here for use by 'ca' and 'req'. -# Add a simple OID like this: -# testoid1=1.2.3.4 -# Or use config file substitution like this: -# testoid2=${testoid1}.5.6 - -#################################################################### -[ ca ] -default_ca = CA_default # The default ca section - -#################################################################### -[ CA_default ] - -dir = ./demoCA # Where everything is kept -certs = $dir/certs # Where the issued certs are kept -crl_dir = $dir/crl # Where the issued crl are kept -database = $dir/index.txt # database index file. -#unique_subject = no # Set to 'no' to allow creation of - # several ctificates with same subject. -new_certs_dir = $dir/newcerts # default place for new certs. 
- -certificate = $dir/cacert.pem # The CA certificate -serial = $dir/serial # The current serial number -#crlnumber = $dir/crlnumber # the current crl number - # must be commented out to leave a V1 CRL -crl = $dir/crl.pem # The current CRL -private_key = $dir/private/cakey.pem# The private key -RANDFILE = $dir/private/.rand # private random number file - -x509_extensions = usr_cert # The extentions to add to the cert - -# Comment out the following two lines for the "traditional" -# (and highly broken) format. -name_opt = ca_default # Subject Name options -cert_opt = ca_default # Certificate field options - -# Extension copying option: use with caution. -# copy_extensions = copy - -# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs -# so this is commented out by default to leave a V1 CRL. -# crlnumber must also be commented out to leave a V1 CRL. -# crl_extensions = crl_ext - -default_days = 365 # how long to certify for -default_crl_days= 30 # how long before next CRL -default_md = md5 # which md to use. -preserve = no # keep passed DN ordering - -# A few difference way of specifying how similar the request should look -# For type CA, the listed attributes must be the same, and the optional -# and supplied fields are just that :-) -policy = policy_match - -# For the CA policy -[ policy_match ] -countryName = match -stateOrProvinceName = match -organizationName = match -organizationalUnitName = optional -commonName = supplied -emailAddress = optional - -# For the 'anything' policy -# At this point in time, you must list all acceptable 'object' -# types. 
-[ policy_anything ] -countryName = optional -stateOrProvinceName = optional -localityName = optional -organizationName = optional -organizationalUnitName = optional -commonName = supplied -emailAddress = optional - -#################################################################### -[ req ] -distinguished_name=req_distinguished_name -req_extensions = v3_req -prompt=no - -default_bits = 2048 -default_keyfile = privkey.pem -distinguished_name = req_distinguished_name -attributes = req_attributes -x509_extensions = v3_ca # The extentions to add to the self signed cert - -# Passwords for private keys if not present they will be prompted for -#input_password="" -#output_password="" - -# This sets a mask for permitted string types. There are several options. -# default: PrintableString, T61String, BMPString. -# pkix : PrintableString, BMPString. -# utf8only: only UTF8Strings. -# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). -# MASK:XXXX a literal mask value. -# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings -# so use this option with caution! 
-string_mask = nombstr - -# req_extensions = v3_req # The extensions to add to a certificate request - -[ req_distinguished_name ] -countryName = US -#countryName_default = AU -#countryName_min = 2 -#countryName_max = 2 - -stateOrProvinceName = Somewhere -#stateOrProvinceName_default = Somestate - -localityName = Somecity - -0.organizationName = CompanyName -#0.organizationName_default = SampleNameDefault - -# we can do this but it is not needed normally :-) -#1.organizationName = Second Organization Name (eg, company) -#1.organizationName_default = World Wide Web Pty Ltd - -organizationalUnitName = Organizational Unit Name (eg, section) -#organizationalUnitName_default = - -commonName = Common Name (eg, YOUR name) -#commonName_max = 64 - -emailAddress = Email Address -#emailAddress_max = 64 - -# SET-ex3 = SET extension number 3 - -[ req_attributes ] -challengePassword = A challenge password -#challengePassword_min = 4 -#challengePassword_max = 20 - -unstructuredName = An optional company name - -[ usr_cert ] - -# These extensions are added when 'ca' signs a request. - -# This goes against PKIX guidelines but some CAs do it and some software -# requires this to avoid interpreting an end user certificate as a CA. - -basicConstraints=CA:FALSE - -# Here are some examples of the usage of nsCertType. If it is omitted -# the certificate can be used for anything *except* object signing. - -# This is OK for an SSL server. -# nsCertType = server - -# For an object signing certificate this would be used. -# nsCertType = objsign - -# For normal client use this is typical -# nsCertType = client, email - -# and for everything including object signing: -# nsCertType = client, email, objsign - -# This is typical in keyUsage for a client certificate. -# keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -# This will be displayed in Netscape's comment listbox. 
-nsComment = "OpenSSL Generated User Certificate" - -# PKIX recommendations harmless if included in all certificates. -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer:always - -# This stuff is for subjectAltName and issuerAltname. -# Import the email address. -# subjectAltName=email:copy -# An alternative to produce certificates that aren't -# deprecated according to PKIX. -# subjectAltName=email:move - -# Copy subject details -# issuerAltName=issuer:copy - -#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem -#nsBaseUrl -#nsRevocationUrl -#nsRenewalUrl -#nsCaPolicyUrl -#nsSslServerName - -[ usr_cert_san ] - -# copy of [ usr_cert ] plus nonempty Subject Alternative Names -basicConstraints=CA:FALSE -nsComment = "OpenSSL Generated User Certificate" -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer:always -subjectAltName=$ENV::SAN - -[ server ] - -# Make a cert with nsCertType=server -basicConstraints=CA:FALSE -nsCertType = server -nsComment = "OpenSSL Generated Server Certificate" -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer:always -extendedKeyUsage=serverAuth -keyUsage = digitalSignature, keyEncipherment - -[ server_san ] - -# copy of [ server ] plus nonempty Subject Alternative Names -basicConstraints=CA:FALSE -nsCertType = server -nsComment = "OpenSSL Generated Server Certificate" -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer:always -extendedKeyUsage=serverAuth -keyUsage = digitalSignature, keyEncipherment -subjectAltName=$ENV::SAN - -[ v3_req ] - -# Extensions to add to a certificate request - -basicConstraints = CA:FALSE -keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -[ v3_ca ] - - -# Extensions for a typical CA - - -# PKIX recommendation. - -subjectKeyIdentifier=hash - -authorityKeyIdentifier=keyid:always,issuer:always - -# This is what PKIX recommends but some broken software chokes on critical -# extensions. -#basicConstraints = critical,CA:true -# So we do this instead. 
-basicConstraints = CA:true - -# Key usage: this is typical for a CA certificate. However since it will -# prevent it being used as an test self-signed certificate it is best -# left out by default. -# keyUsage = cRLSign, keyCertSign - -# Some might want this also -# nsCertType = sslCA, emailCA - -# Include email address in subject alt name: another PKIX recommendation -# subjectAltName=email:copy -# Copy issuer details -# issuerAltName=issuer:copy - -# DER hex encoding of an extension: beware experts only! -# obj=DER:02:03 -# Where 'obj' is a standard or added object -# You can even override a supported extension: -# basicConstraints= critical, DER:30:03:01:01:FF - -[ v3_ca_san ] - -# copy of [ v3_ca ] plus nonempty Subject Alternative Names -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid:always,issuer:always -basicConstraints = CA:true -subjectAltName=$ENV::SAN - -[ crl_ext ] - -# CRL extensions. -# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. - -# issuerAltName=issuer:copy -authorityKeyIdentifier=keyid:always,issuer:always diff --git a/usr/local/etc/inc/certs.inc b/usr/local/etc/inc/certs.inc index 8df3e5d21..943e91879 100644 --- a/usr/local/etc/inc/certs.inc +++ b/usr/local/etc/inc/certs.inc @@ -1,5 +1,5 @@ @@ -268,7 +268,7 @@ function cert_import(& $cert, $crt_str, $key_str) { return true; } -function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user", $digest_alg = "sha256") { +function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $digest_alg = "sha256") { $ca =& lookup_ca($caref); if (!$ca) 
@@ -281,18 +281,6 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user", $di if(!$ca_res_key) return false; $ca_serial = ++$ca['serial']; - switch ($type) { - case "ca": - $cert_type = "v3_ca"; - break; - case "server": - $cert_type = "server"; - break; - default: - $cert_type = "usr_cert"; - break; - } - // in case of using Subject Alternative Names use other sections (with postfix '_san') // pass subjectAltName over environment variable 'SAN' if ($dn['subjectAltName']) { @@ -302,7 +290,7 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user", $di } $args = array( - "x509_extensions" => $cert_type, + "x509_extensions" => "usr_cert", "digest_alg" => $digest_alg, "private_key_bits" => (int)$keylen, "private_key_type" => OPENSSL_KEYTYPE_RSA, @@ -330,7 +318,6 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user", $di $cert['caref'] = $caref; $cert['crt'] = base64_encode($str_crt); $cert['prv'] = base64_encode($str_key); - $cert['type'] = $type; return true; } diff --git a/usr/local/etc/inc/system.inc b/usr/local/etc/inc/system.inc index 717092500..ab22936bc 100644 --- a/usr/local/etc/inc/system.inc +++ b/usr/local/etc/inc/system.inc 
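Review bot: With `"x509_extensions" => "usr_cert"` now fixed in the @@ -302 hunk, every certificate signed through cert_create() gets the end-entity profile, so the `server` and `v3_ca` sections that the removed switch selected (serverAuth extendedKeyUsage, nsCertType=server, CA:true) can no longer be requested from this code path; worth confirming that nothing relied on those, since the hunks do not show the callers. The comment kept above `if ($dn['subjectAltName'])` still points at the '_san' sections, which this same commit deletes together with etc/ssl/openssl.cnf; unless another configuration file defines `usr_cert_san`, SAN requests through that branch will presumably fail, so the comment should say where that section is expected to live, e.g. `// SAN requests use the '<section>_san' variant, which must exist in the openssl.cnf that openssl_csr_new() reads`. Dropping `$type` from the signature in the @@ -268 hunk also means any caller still passing seven arguments now has its type string land in `$digest_alg`; grep for other cert_create() call sites before merging. The body of cert_create() continues between and beyond these hunks.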
@@ -862,12 +862,17 @@ function system_webgui_start() {
 $cert = array();
 $cert['refid'] = uniqid();
 $cert['descr'] = gettext("webConfigurator default");
- mwexec("/usr/bin/openssl genrsa 1024 > {$g['tmp_path']}/ssl.key");
- mwexec("/usr/bin/openssl req -new -x509 -nodes -sha256 -days 2000 -key {$g['tmp_path']}/ssl.key > {$g['tmp_path']}/ssl.crt");
- $crt = file_get_contents("{$g['tmp_path']}/ssl.crt");
- $key = file_get_contents("{$g['tmp_path']}/ssl.key");
- unlink("{$g['tmp_path']}/ssl.key");
- unlink("{$g['tmp_path']}/ssl.crt");
+ /* mind the gap ->.<- */
+ $openssl_args = ' req -new -newkey rsa:4096 -sha256';
+ $openssl_args .= ' -days 365 -nodes -x509';
+ $openssl_args .= ' -subj "/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense"';
+ $openssl_args .= ' -keyout /tmp/ssl.key';
+ $openssl_args .= ' -out /tmp/ssl.crt';
+ mwexec('/usr/bin/openssl' . $openssl_args);
+ $crt = file_get_contents('/tmp/ssl.crt');
+ $key = file_get_contents('/tmp/ssl.key');
+ unlink('/tmp/ssl.key');
+ unlink('/tmp/ssl.crt');
 cert_import($cert, $crt, $key);
 $a_cert[] = $cert;
 $config['system']['webgui']['ssl-certref'] = $cert['refid'];
diff --git a/usr/local/www/system_certmanager.php b/usr/local/www/system_certmanager.php
index 0292619f0..6e79f5446 100644
--- a/usr/local/www/system_certmanager.php
+++ b/usr/local/www/system_certmanager.php
@@ -1,7 +1,6 @@
 "Certificate Authority",
- "server" => "Server Certificate",
- "user" => "User Certificate");
 $altname_types = array("DNS", "IP", "email", "URI");
 $openssl_digest_algs = array("sha1", "sha224", "sha256", "sha384", "sha512");
@@ -113,7 +109,6 @@ if ($act == "new") {
 $pconfig['digest_alg'] = "sha256";
 $pconfig['csr_keylen'] = "2048";
 $pconfig['csr_digest_alg'] = "sha256";
- $pconfig['type'] = "user";
 $pconfig['lifetime'] = "3650";
 }
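Review bot: The generated private key and certificate now go to the fixed paths `/tmp/ssl.key` and `/tmp/ssl.crt`, replacing the configurable `{$g['tmp_path']}` the removed lines used; a predictable name in a shared directory can collide with a pre-existing file or symlink at that path, and the mode the key file ends up with depends on the openssl build and the process umask, whereas a file created by tempnam() starts out private to the owner. Neither the `mwexec()` call nor the two `file_get_contents()` calls are checked, so if openssl fails (the openssl.cnf this commit deletes is no longer there to supply defaults) `$crt` and `$key` are `false` and `cert_import()` is still called with them. The `-subj` string carries no CN and the request has no subjectAltName, so the resulting certificate presumably names no host; confirm that is acceptable for the default web GUI certificate. The `/* mind the gap ->.<- */` comment should say what it means, e.g. `/* each fragment starts with a space so the options stay separated */`. system_webgui_start() starts before and ends after this hunk.
```php
$ssl_key = tempnam($g['tmp_path'], 'ssl.key.');
$ssl_crt = tempnam($g['tmp_path'], 'ssl.crt.');
/* each fragment starts with a space so the options stay separated */
$openssl_args = ' req -new -newkey rsa:4096 -sha256';
$openssl_args .= ' -days 365 -nodes -x509';
$openssl_args .= ' -subj "/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense"';
$openssl_args .= ' -keyout ' . escapeshellarg($ssl_key);
$openssl_args .= ' -out ' . escapeshellarg($ssl_crt);
mwexec('/usr/bin/openssl' . $openssl_args);
$crt = file_get_contents($ssl_crt);
$key = file_get_contents($ssl_key);
unlink($ssl_key);
unlink($ssl_crt);
if ($crt === false || $key === false || $crt === '' || $key === '') {
    /* openssl did not produce a usable pair: take the function's existing
       failure path here instead of importing an empty certificate */
}
// … unchanged: cert_import($cert, $crt, $key); and the lines after it …
```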
@@ -211,13 +206,12 @@ if ($_POST) {
 if ($pconfig['method'] == "internal") {
 $reqdfields = explode(" ",
- "descr caref keylen type lifetime dn_country dn_state dn_city ".
+ "descr caref keylen lifetime dn_country dn_state dn_city ".
 "dn_organization dn_email dn_commonname");
 $reqdfieldsn = array(
 gettext("Descriptive name"),
 gettext("Certificate authority"),
 gettext("Key length"),
- gettext("Certificate Type"),
 gettext("Lifetime"),
 gettext("Distinguished name Country Code"),
 gettext("Distinguished name State or Province"),
@@ -359,7 +353,7 @@ if ($_POST) {
 $dn['subjectAltName'] = implode(",", $altnames_tmp);
 }
 if (!cert_create($cert, $pconfig['caref'], $pconfig['keylen'],
- $pconfig['lifetime'], $dn, $pconfig['type'], $pconfig['digest_alg'])){
+ $pconfig['lifetime'], $dn, $pconfig['digest_alg'])){
 while($ssl_err = openssl_error_string()){
 $input_errors = array();
 array_push($input_errors, "openssl library returns: " . $ssl_err);
@@ -722,23 +716,6 @@ function internalca_change() {
- - - - -
- - - @@ -1134,9 +1111,6 @@ function internalca_change() {   - - - CA: ,