diff options
author | Alexander Wilke <nachtfalkeaw@web.de> | 2011-12-22 23:17:44 +0000 |
---|---|---|
committer | Alexander Wilke <nachtfalkeaw@web.de> | 2011-12-22 23:17:44 +0000 |
commit | 32fd2a716b6619debba6b6a5e5775f71b7432449 (patch) | |
tree | 53a10580a420bf24b0b1843b9a4f0f76e84af417 /config/freeradius2 | |
parent | b8dde24254b9093b679a90f3470fce1fada69c89 (diff) | |
download | pfsense-packages-32fd2a716b6619debba6b6a5e5775f71b7432449.tar.gz pfsense-packages-32fd2a716b6619debba6b6a5e5775f71b7432449.tar.bz2 pfsense-packages-32fd2a716b6619debba6b6a5e5775f71b7432449.zip |
Added information on freeradius cert-manager that there are some disadvantages compared to built-in pfsense Cert-Manager. Explainaition how to use pfsense built-in cert-manager with freeradius.
some small fixes on cert-creation and some typos.
Diffstat (limited to 'config/freeradius2')
-rwxr-xr-x | config/freeradius2/freeradius.inc | 41 | ||||
-rw-r--r-- | config/freeradius2/freeradiuscerts.xml | 21 | ||||
-rw-r--r-- | config/freeradius2/freeradiuseapconf.xml | 25 |
3 files changed, 57 insertions, 30 deletions
diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc index 28e209b0..5395fdd2 100755 --- a/config/freeradius2/freeradius.inc +++ b/config/freeradius2/freeradius.inc @@ -1533,7 +1533,7 @@ function freeradius_allcertcnf_resync() { $varcertscreateclient = ($arrcerts['varcertscreateclient']?$arrcerts['varcertscreateclient']:'no'); // General variables for deleting: CA, Server, Client - $varcertsdeleteall = ($arrcerts['varcertsdeleteall']?$arrcerts['varcertsdeleteall']:'yes'); + $varcertsdeleteall = ($arrcerts['varcertsdeleteall']?$arrcerts['varcertsdeleteall']:'no'); if ($arrcerts['varcertscreateclient'] == 'yes') { @@ -1543,8 +1543,8 @@ function freeradius_allcertcnf_resync() { exec("rm -f /usr/local/etc/raddb/certs/client.crt"); exec("rm -f /usr/local/etc/raddb/certs/client.key"); exec("rm -f /usr/local/etc/raddb/certs/client.tar"); - - + + // run fuction to create ONLY new client.cnf files based on user input from freeradiuscert.xml freeradius_clientcertcnf_resync(); @@ -1552,11 +1552,18 @@ function freeradius_allcertcnf_resync() { // make bootstrap executable and run to create cert based on client.cnf files exec("chmod 0770 /usr/local/etc/raddb/certs/bootstrap"); exec("/usr/local/etc/raddb/certs/bootstrap"); - - // make bootstrap read-write only for root - exec("chmod 0600 /usr/local/etc/raddb/certs/bootstrap"); - exec("cd /usr/local/etc/raddb/certs && tar -cf client.tar client.crt client.csr client.key ca.der"); - exec("chmod 0600 /usr/local/etc/raddb/certs/client.tar"); + + // rename client generated XX.pem to client.pem // use regex to replace spaces and so on. + $varserial = preg_replace("/\s/","",file_get_contents('/usr/local/etc/raddb/certs/serial.old')); + if (file_exists("/usr/local/etc/raddb/certs/$varserial.pem")) + rename("/usr/local/etc/raddb/certs/$varserial.pem","/usr/local/etc/raddb/certs/client.pem"); + + + // tar client-cert files + exec("cd /usr/local/etc/raddb/certs && tar -cf client.tar client.crt client.csr client.key ca.der client.pem"); + + // Make all files in certs folder re-only for root + exec("chmod -R 0600 /usr/local/etc/raddb/certs/"); } @@ -1570,8 +1577,11 @@ function freeradius_allcertcnf_resync() { exec("rm -f /usr/local/etc/raddb/certs/*.key"); exec("rm -f /usr/local/etc/raddb/certs/*.p12"); exec("rm -f /usr/local/etc/raddb/certs/serial*"); - exec("rm -f /usr/local/etc/raddb/certs/index.txt*"); + exec("rm -f /usr/local/etc/raddb/certs/index*"); + exec("rm -f /usr/local/etc/raddb/certs/dh"); + exec("rm -f /usr/local/etc/raddb/certs/random"); exec("rm -f /usr/local/etc/raddb/certs/client.tar"); + // run fuctions to create new .cnf files based on user input from freeradiuscert.xml freeradius_cacertcnf_resync(); @@ -1586,11 +1596,14 @@ function freeradius_allcertcnf_resync() { // make bootstrap executable and run to create certs based on .cnf files exec("chmod 0770 /usr/local/etc/raddb/certs/bootstrap"); exec("/usr/local/etc/raddb/certs/bootstrap"); - - // make bootstrap read-write only for root - exec("chmod 0600 /usr/local/etc/raddb/certs/bootstrap"); - exec("cd /usr/local/etc/raddb/certs && tar -cf client.tar client.crt client.csr client.key ca.der"); - exec("chmod 0600 /usr/local/etc/raddb/certs/client.tar"); + + // rename client generated 02.pem to client.pem + if (file_exists("/usr/local/etc/raddb/certs/02.pem")) + rename("/usr/local/etc/raddb/certs/02.pem","/usr/local/etc/raddb/certs/client.pem"); + + // tar client-cert files + exec("cd /usr/local/etc/raddb/certs && tar -cf client.tar client.crt client.csr client.key ca.der client.pem"); + exec("chmod -R 0600 /usr/local/etc/raddb/certs/"); // If there were changes on the certificates we need to restart freeradius restart_service('freeradius'); diff --git a/config/freeradius2/freeradiuscerts.xml b/config/freeradius2/freeradiuscerts.xml index 7503fe49..a0b4ac0f 100644 --- a/config/freeradius2/freeradiuscerts.xml +++ b/config/freeradius2/freeradiuscerts.xml @@ -94,7 +94,7 @@ <fielddescr>Delete ALL existing Certificates ?</fielddescr> <fieldname>varcertsdeleteall</fieldname> <description><![CDATA[This will delete <b>ALL</b> existing CAs, Server-Certs and Client-Certs in freeradius certs folder!<br> - You <b>must</b> delete all existing if you want to create new ones. (Default: Yes)<br> + You <b>must</b> delete all existing if you want to create new ones. (Default: No)<br> <b>Important:</b><br> If you like to use certs created on another PC just disable this and click save.]]></description> <type>select</type> @@ -105,6 +105,21 @@ </options> </field> <field> + <fielddescr>READ BEFORE DOING ANYTHING HERE!</fielddescr> + <fieldname>varcertsREADBEFORE</fieldname> + <description><![CDATA[<b>This field is just to make sure you know what you are doing here!</b><br> + <b>If you enter anything the changes here will take effect after "save" - if it's empty - nothing will happen</b><br><br> + + This page uses the freeradius2 built-in script called "bootstrap" to create CA and certs. The disatvantage of this script is that nothing of your changes will be saved in the global config.xml file. So after a systemcrash or reinstallation of freeradius2 package + all your CA and certs will be lost. If you have a backup of all these files on an USB stick or another server than you can copy them back in the freeradius certs folder.<br><br> + + <b>The better way is to use the pfsense built-in Cert Manager (SYSTEM-> Cert Manager).</b> The CA-Cert and Server-Cert you created there you just have to copy to the freeradius certs folder and pointing to these certs in eap. + The advantage of this is that all your CA and certs will be saved in global config.xml and can be restored.]]></description> + <type>input</type> + <required/> + <default_value></default_value> + </field> + <field> <name>Distinguished Name for CA, Server and Client</name> <type>listtopic</type> </field> @@ -171,8 +186,8 @@ <field> <fielddescr>Certificate Password (CA, Server and Client)</fielddescr> <fieldname>varcertspassword</fieldname> - <description><![CDATA[Enter the password for the CA, Server and Client.<br> - This is the password you need to enter in eap.conf so that freeradius can read the cert. (Default: whatever)]]></description> + <description><![CDATA[Enter the password for the CA, Server and Client. This is the password you need to enter in eap.conf + so that freeradius can read the cert. This field could be empty. (Default: whatever)]]></description> <type>password</type> <default_value>whatever</default_value> </field> diff --git a/config/freeradius2/freeradiuseapconf.xml b/config/freeradius2/freeradiuseapconf.xml index 504e9bed..40b161f8 100644 --- a/config/freeradius2/freeradiuseapconf.xml +++ b/config/freeradius2/freeradiuseapconf.xml @@ -145,36 +145,35 @@ <field> <fielddescr>Private Key Password</fielddescr> <fieldname>vareapconfprivatekeypassword</fieldname> - <description><![CDATA[Enter the password of the private key.<br> - This is the password which you chose in "Certificates" tab. (Default: whatever)]]></description> + <description><![CDATA[Enter the password of the private key. This is the password which you have to choose in "Certificates" tab.<br> + This field could be empty. (Default: whatever)]]></description> <type>password</type> <default_value>whatever</default_value> </field> <field> - <fielddescr>Private Key File</fielddescr> + <fielddescr>Server Private Key File</fielddescr> <fieldname>vareapconfprivatekeyfile</fieldname> - <description><![CDATA[Enter the filename of the private key file. The file <b>must</b> be in /usr/local/etc/raddb/certs/ (Default: server.pem)]]></description> - <type>input</type> - <default_value>server.pem</default_value> - </field> - <field> - <fielddescr>Private Key File</fielddescr> - <fieldname>vareapconfprivatekeyfile</fieldname> - <description><![CDATA[Enter the filename of the private key file. The file <b>must</b> be in /usr/local/etc/raddb/certs/ (Default: server.pem)]]></description> + <description><![CDATA[Enter the filename of the private key file. The file <b>must</b> be in /usr/local/etc/raddb/certs/ (Default: server.pem)<br> + <b>TIP:</b> You could use "SYSTEM-> Cert Manager" instead of the freeradius Cert script.<br> + You just have to export it there and copy it in the freeradius certs folder.]]></description> <type>input</type> <default_value>server.pem</default_value> </field> <field> <fielddescr>Server Certificate File</fielddescr> <fieldname>vareapconfcertificatefile</fieldname> - <description><![CDATA[Enter the filename of the Certificate file. The file <b>must</b> be in /usr/local/etc/raddb/certs/ (Default: server.pem)]]></description> + <description><![CDATA[Enter the filename of the server certificate file. The file <b>must</b> be in /usr/local/etc/raddb/certs/ (Default: server.pem)<br> + <b>TIP:</b> You could use "SYSTEM-> Cert Manager" instead of the freeradius Cert script.<br> + You just have to export it there and copy it in the freeradius certs folder.]]></description> <type>input</type> <default_value>server.pem</default_value> </field> <field> <fielddescr>CA File</fielddescr> <fieldname>vareapconfcafile</fieldname> - <description><![CDATA[Enter the filename of the CA file. The file <b>must</b> be in /usr/local/etc/raddb/certs/ (Default: ca.pem)]]></description> + <description><![CDATA[Enter the filename of the CA file. The file <b>must</b> be in /usr/local/etc/raddb/certs/ (Default: server.pem)<br> + <b>TIP:</b> You could use "SYSTEM-> Cert Manager" instead of the freeradius Cert script.<br> + You just have to export it there and copy it in the freeradius certs folder.]]></description> <type>input</type> <default_value>ca.pem</default_value> </field> |