authorAlexander Wilke <nachtfalkeaw@web.de>2011-12-22 23:17:44 +0000
committerAlexander Wilke <nachtfalkeaw@web.de>2011-12-22 23:17:44 +0000
commit32fd2a716b6619debba6b6a5e5775f71b7432449 (patch)
tree53a10580a420bf24b0b1843b9a4f0f76e84af417
parentb8dde24254b9093b679a90f3470fce1fada69c89 (diff)
Added a note to the freeradius cert-manager that it has some disadvantages compared to the built-in pfsense Cert-Manager, and an explanation of how to use the pfsense built-in cert-manager with freeradius.
some small fixes on cert-creation and some typos.
-rwxr-xr-xconfig/freeradius2/freeradius.inc41
-rw-r--r--config/freeradius2/freeradiuscerts.xml21
-rw-r--r--config/freeradius2/freeradiuseapconf.xml25
-rw-r--r--pkg_config.8.xml3
-rw-r--r--pkg_config.8.xml.amd643
5 files changed, 59 insertions, 34 deletions
diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc
index 28e209b0..5395fdd2 100755
--- a/config/freeradius2/freeradius.inc
+++ b/config/freeradius2/freeradius.inc
@@ -1533,7 +1533,7 @@ function freeradius_allcertcnf_resync() {
$varcertscreateclient = ($arrcerts['varcertscreateclient']?$arrcerts['varcertscreateclient']:'no');
// General variables for deleting: CA, Server, Client
- $varcertsdeleteall = ($arrcerts['varcertsdeleteall']?$arrcerts['varcertsdeleteall']:'yes');
+ $varcertsdeleteall = ($arrcerts['varcertsdeleteall']?$arrcerts['varcertsdeleteall']:'no');
if ($arrcerts['varcertscreateclient'] == 'yes') {
@@ -1543,8 +1543,8 @@ function freeradius_allcertcnf_resync() {
exec("rm -f /usr/local/etc/raddb/certs/client.crt");
exec("rm -f /usr/local/etc/raddb/certs/client.key");
exec("rm -f /usr/local/etc/raddb/certs/client.tar");
-
-
+
+
// run fuction to create ONLY new client.cnf files based on user input from freeradiuscert.xml
freeradius_clientcertcnf_resync();
@@ -1552,11 +1552,18 @@ function freeradius_allcertcnf_resync() {
// make bootstrap executable and run to create cert based on client.cnf files
exec("chmod 0770 /usr/local/etc/raddb/certs/bootstrap");
exec("/usr/local/etc/raddb/certs/bootstrap");
-
- // make bootstrap read-write only for root
- exec("chmod 0600 /usr/local/etc/raddb/certs/bootstrap");
- exec("cd /usr/local/etc/raddb/certs && tar -cf client.tar client.crt client.csr client.key ca.der");
- exec("chmod 0600 /usr/local/etc/raddb/certs/client.tar");
+
+ // rename client generated XX.pem to client.pem // use regex to replace spaces and so on.
+ $varserial = preg_replace("/\s/","",file_get_contents('/usr/local/etc/raddb/certs/serial.old'));
+ if (file_exists("/usr/local/etc/raddb/certs/$varserial.pem"))
+ rename("/usr/local/etc/raddb/certs/$varserial.pem","/usr/local/etc/raddb/certs/client.pem");
+
+
+ // tar client-cert files
+ exec("cd /usr/local/etc/raddb/certs && tar -cf client.tar client.crt client.csr client.key ca.der client.pem");
+
+ // Make all files in certs folder re-only for root
+ exec("chmod -R 0600 /usr/local/etc/raddb/certs/");
}
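Review bot: `chmod -R 0600 /usr/local/etc/raddb/certs/` on the last added line also sets 0600 on the `certs` directory itself and on `bootstrap`, which clears the directory's search bit; root is unaffected, but if radiusd runs unprivileged (confirm how the pfSense service is started) it can no longer open the certificates it was just handed, and the script relies on the `chmod 0770` above to make bootstrap executable again on every run. Restrict only the regular files and keep the directory traversable: `exec("chmod 0700 /usr/local/etc/raddb/certs");` followed by `exec("find /usr/local/etc/raddb/certs -type f -exec chmod 0600 {} +");` — the same line recurs in the last hunk of this file. `file_get_contents('.../serial.old')` is not guarded: if the file is absent it emits a warning and `$varserial` becomes empty, so the rename is skipped silently; check `file_exists` first and only use the value when `ctype_xdigit($varserial)` holds before interpolating it into a path. The comment `re-only` should read `read-only`. freeradius_allcertcnf_resync() begins and ends outside this hunk.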
@@ -1570,8 +1577,11 @@ function freeradius_allcertcnf_resync() {
exec("rm -f /usr/local/etc/raddb/certs/*.key");
exec("rm -f /usr/local/etc/raddb/certs/*.p12");
exec("rm -f /usr/local/etc/raddb/certs/serial*");
- exec("rm -f /usr/local/etc/raddb/certs/index.txt*");
+ exec("rm -f /usr/local/etc/raddb/certs/index*");
+ exec("rm -f /usr/local/etc/raddb/certs/dh");
+ exec("rm -f /usr/local/etc/raddb/certs/random");
exec("rm -f /usr/local/etc/raddb/certs/client.tar");
+
// run fuctions to create new .cnf files based on user input from freeradiuscert.xml
freeradius_cacertcnf_resync();
@@ -1586,11 +1596,14 @@ function freeradius_allcertcnf_resync() {
// make bootstrap executable and run to create certs based on .cnf files
exec("chmod 0770 /usr/local/etc/raddb/certs/bootstrap");
exec("/usr/local/etc/raddb/certs/bootstrap");
-
- // make bootstrap read-write only for root
- exec("chmod 0600 /usr/local/etc/raddb/certs/bootstrap");
- exec("cd /usr/local/etc/raddb/certs && tar -cf client.tar client.crt client.csr client.key ca.der");
- exec("chmod 0600 /usr/local/etc/raddb/certs/client.tar");
+
+ // rename client generated 02.pem to client.pem
+ if (file_exists("/usr/local/etc/raddb/certs/02.pem"))
+ rename("/usr/local/etc/raddb/certs/02.pem","/usr/local/etc/raddb/certs/client.pem");
+
+ // tar client-cert files
+ exec("cd /usr/local/etc/raddb/certs && tar -cf client.tar client.crt client.csr client.key ca.der client.pem");
+ exec("chmod -R 0600 /usr/local/etc/raddb/certs/");
// If there were changes on the certificates we need to restart freeradius
restart_service('freeradius');
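Review bot: The rename at `if (file_exists("/usr/local/etc/raddb/certs/02.pem"))` hardcodes the serial `02`, whereas the client-only path earlier in this file derives the name from `serial.old`; after a full regeneration the client certificate is `02.pem` only if the CA issued exactly one certificate before it, so both branches should share the `serial.old` lookup rather than diverge. The `rename()` and the `tar` call are unchecked: if `client.pem` was not produced, `tar -cf client.tar ... client.pem` fails and no archive is written, and the code continues to `restart_service` as if everything succeeded — check the return value of `rename()` and the exit status from `exec()` (its third argument) and report the failure. The `chmod -R 0600` issue raised on the earlier hunk applies to the line before the restart comment too. freeradius_allcertcnf_resync() begins outside this hunk.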
diff --git a/config/freeradius2/freeradiuscerts.xml b/config/freeradius2/freeradiuscerts.xml
index 7503fe49..a0b4ac0f 100644
--- a/config/freeradius2/freeradiuscerts.xml
+++ b/config/freeradius2/freeradiuscerts.xml
@@ -94,7 +94,7 @@
<fielddescr>Delete ALL existing Certificates ?</fielddescr>
<fieldname>varcertsdeleteall</fieldname>
<description><![CDATA[This will delete <b>ALL</b> existing CAs, Server-Certs and Client-Certs in freeradius certs folder!<br>
- You <b>must</b> delete all existing if you want to create new ones. (Default: Yes)<br>
+ You <b>must</b> delete all existing if you want to create new ones. (Default: No)<br>
<b>Important:</b><br>
If you like to use certs created on another PC just disable this and click save.]]></description>
<type>select</type>
@@ -105,6 +105,21 @@
</options>
</field>
<field>
+ <fielddescr>READ BEFORE DOING ANYTHING HERE!</fielddescr>
+ <fieldname>varcertsREADBEFORE</fieldname>
+ <description><![CDATA[<b>This field is just to make sure you know what you are doing here!</b><br>
+ <b>If you enter anything the changes here will take effect after "save" - if it's empty - nothing will happen</b><br><br>
+
+ This page uses the freeradius2 built-in script called "bootstrap" to create CA and certs. The disatvantage of this script is that nothing of your changes will be saved in the global config.xml file. So after a systemcrash or reinstallation of freeradius2 package
+ all your CA and certs will be lost. If you have a backup of all these files on an USB stick or another server than you can copy them back in the freeradius certs folder.<br><br>
+
+ <b>The better way is to use the pfsense built-in Cert Manager (SYSTEM-> Cert Manager).</b> The CA-Cert and Server-Cert you created there you just have to copy to the freeradius certs folder and pointing to these certs in eap.
+ The advantage of this is that all your CA and certs will be saved in global config.xml and can be restored.]]></description>
+ <type>input</type>
+ <required/>
+ <default_value></default_value>
+ </field>
+ <field>
<name>Distinguished Name for CA, Server and Client</name>
<type>listtopic</type>
</field>
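Review bot: The new `varcertsREADBEFORE` field is declared `<required/>`, yet its description says "if it's empty - nothing will happen"; with `<required/>` the form cannot be saved while the field is empty, so the documented empty-means-no-op path is unreachable and every save is forced to fill a value that freeradius.inc (as far as this commit shows) never reads. Either drop `<required/>` and have the resync code honour the field, or reword the description to say the field must be filled in to confirm the action. The description also has the typo `disatvantage` and should say `a system crash`. Since the text already warns that bootstrap-generated CA and certificates live only in the certs folder and are lost on reinstall, it is worth adding that the folder also contains the private keys, so any backup copy of it must be protected like the original.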
@@ -171,8 +186,8 @@
<field>
<fielddescr>Certificate Password (CA, Server and Client)</fielddescr>
<fieldname>varcertspassword</fieldname>
- <description><![CDATA[Enter the password for the CA, Server and Client.<br>
- This is the password you need to enter in eap.conf so that freeradius can read the cert. (Default: whatever)]]></description>
+ <description><![CDATA[Enter the password for the CA, Server and Client. This is the password you need to enter in eap.conf
+ so that freeradius can read the cert. This field could be empty. (Default: whatever)]]></description>
<type>password</type>
<default_value>whatever</default_value>
</field>
diff --git a/config/freeradius2/freeradiuseapconf.xml b/config/freeradius2/freeradiuseapconf.xml
index 504e9bed..40b161f8 100644
--- a/config/freeradius2/freeradiuseapconf.xml
+++ b/config/freeradius2/freeradiuseapconf.xml
@@ -145,36 +145,35 @@
<field>
<fielddescr>Private Key Password</fielddescr>
<fieldname>vareapconfprivatekeypassword</fieldname>
- <description><![CDATA[Enter the password of the private key.<br>
- This is the password which you chose in "Certificates" tab. (Default: whatever)]]></description>
+ <description><![CDATA[Enter the password of the private key. This is the password which you have to choose in "Certificates" tab.<br>
+ This field could be empty. (Default: whatever)]]></description>
<type>password</type>
<default_value>whatever</default_value>
</field>
<field>
- <fielddescr>Private Key File</fielddescr>
+ <fielddescr>Server Private Key File</fielddescr>
<fieldname>vareapconfprivatekeyfile</fieldname>
- <description><![CDATA[Enter the filename of the private key file. The file <b>must</b> be in /usr/local/etc/raddb/certs/ (Default: server.pem)]]></description>
- <type>input</type>
- <default_value>server.pem</default_value>
- </field>
- <field>
- <fielddescr>Private Key File</fielddescr>
- <fieldname>vareapconfprivatekeyfile</fieldname>
- <description><![CDATA[Enter the filename of the private key file. The file <b>must</b> be in /usr/local/etc/raddb/certs/ (Default: server.pem)]]></description>
+ <description><![CDATA[Enter the filename of the private key file. The file <b>must</b> be in /usr/local/etc/raddb/certs/ (Default: server.pem)<br>
+ <b>TIP:</b> You could use "SYSTEM-> Cert Manager" instead of the freeradius Cert script.<br>
+ You just have to export it there and copy it in the freeradius certs folder.]]></description>
<type>input</type>
<default_value>server.pem</default_value>
</field>
<field>
<fielddescr>Server Certificate File</fielddescr>
<fieldname>vareapconfcertificatefile</fieldname>
- <description><![CDATA[Enter the filename of the Certificate file. The file <b>must</b> be in /usr/local/etc/raddb/certs/ (Default: server.pem)]]></description>
+ <description><![CDATA[Enter the filename of the server certificate file. The file <b>must</b> be in /usr/local/etc/raddb/certs/ (Default: server.pem)<br>
+ <b>TIP:</b> You could use "SYSTEM-> Cert Manager" instead of the freeradius Cert script.<br>
+ You just have to export it there and copy it in the freeradius certs folder.]]></description>
<type>input</type>
<default_value>server.pem</default_value>
</field>
<field>
<fielddescr>CA File</fielddescr>
<fieldname>vareapconfcafile</fieldname>
- <description><![CDATA[Enter the filename of the CA file. The file <b>must</b> be in /usr/local/etc/raddb/certs/ (Default: ca.pem)]]></description>
+ <description><![CDATA[Enter the filename of the CA file. The file <b>must</b> be in /usr/local/etc/raddb/certs/ (Default: server.pem)<br>
+ <b>TIP:</b> You could use "SYSTEM-> Cert Manager" instead of the freeradius Cert script.<br>
+ You just have to export it there and copy it in the freeradius certs folder.]]></description>
<type>input</type>
<default_value>ca.pem</default_value>
</field>
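Review bot: The changed CA File description now says `(Default: server.pem)` while the field's `<default_value>` two lines below is still `ca.pem`; the text was copied from the server-certificate field and should read `(Default: ca.pem)`. The removal of the duplicated `vareapconfprivatekeyfile` field is correct, but the TIP appended to three fields is identical and could be stated once in the listtopic header, which also avoids the three descriptions drifting apart later.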
diff --git a/pkg_config.8.xml b/pkg_config.8.xml
index c6a52aec..520df97f 100644
--- a/pkg_config.8.xml
+++ b/pkg_config.8.xml
@@ -764,10 +764,9 @@
Do not use together with freeradius package. Both are using the same XML files.]]></descr>
<pkginfolink>http://forum.pfsense.org/index.php/topic,43675.0.html</pkginfolink>
<category>System</category>
- <version>2.1.12 pkg v1.3.4</version>
+ <version>2.1.12 pkg v1.3.5</version>
<status>BETA</status>
<required_version>2.0</required_version>
- <maximum_version>2.0.1</maximum_version>
<maintainer>Nachtfalke</maintainer>
<depends_on_package_base_url>http://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8-stable/All/</depends_on_package_base_url>
<depends_on_package>freeradius-2.1.12.tbz</depends_on_package>
diff --git a/pkg_config.8.xml.amd64 b/pkg_config.8.xml.amd64
index 52c0ecc5..d49c9bb3 100644
--- a/pkg_config.8.xml.amd64
+++ b/pkg_config.8.xml.amd64
@@ -806,10 +806,9 @@
Do not use together with freeradius package. Both are using the same XML files.]]></descr>
<pkginfolink>http://forum.pfsense.org/index.php/topic,43675.0.html</pkginfolink>
<category>System</category>
- <version>2.1.12 pkg v1.3.4</version>
+ <version>2.1.12 pkg v1.3.5</version>
<status>BETA</status>
<required_version>2.0</required_version>
- <maximum_version>2.0.1</maximum_version>
<maintainer>Nachtfalke</maintainer>
<depends_on_package_base_url>http://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8-stable/All/</depends_on_package_base_url>
<depends_on_package>freeradius-2.1.12.tbz</depends_on_package>