Integrated pfsense Cert Manager in freeradius package (Thanks to jimp and sullrich). Now it is possible to create certificates in pfsense Cert manager and use them for freeradius.

The freeradius cert builder script is still present because freeradius needs some default ca and cert to start the service.

3 files changed, 124 insertions, 54 deletions

diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc
index 5395fdd2..9409553b 100755
--- a/config/freeradius2/freeradius.inc
+++ b/config/freeradius2/freeradius.inc
@@ -393,6 +393,9 @@ function freeradius_eapconf_resync() {
 
 	$eapconf = $config['installedpackages']['freeradiuseapconf']['config'][0];
 	
+	// Choose pfsense Cert-Manager or freeradius Cert-Manager
+	$vareapconfchoosecertmanager = ($eapconf['vareapconfchoosecertmanager']?$eapconf['vareapconfchoosecertmanager']:'radiuscertmgr');
+	
 	// Variables: EAP
 	$vareapconfdefaulteaptype = ($eapconf['vareapconfdefaulteaptype']?$eapconf['vareapconfdefaulteaptype']:'md5');
 	$vareapconftimerexpire = ($eapconf['vareapconftimerexpire']?$eapconf['vareapconftimerexpire']:'60');
@@ -401,12 +404,7 @@ function freeradius_eapconf_resync() {
 	$vareapconfmaxsessions = ($eapconf['vareapconfmaxsessions']?$eapconf['vareapconfmaxsessions']:'4096');
 	
 	// Variables: EAP-TLS and EAP-TLS with OCSP support
-	$vareapconfprivatekeypassword = ($eapconf['vareapconfprivatekeypassword']?$eapconf['vareapconfprivatekeypassword']:'whatever');
-	$vareapconfprivatekeyfile = ($eapconf['vareapconfprivatekeyfile']?$eapconf['vareapconfprivatekeyfile']:'server.pem');
-	$vareapconfcertificatefile = ($eapconf['vareapconfcertificatefile']?$eapconf['vareapconfcertificatefile']:'server.pem');
-	$vareapconfcafile = ($eapconf['vareapconfcafile']?$eapconf['vareapconfcafile']:'ca.pem');
-	$vareapconfdhfile = ($eapconf['vareapconfdhfile']?$eapconf['vareapconfdhfile']:'dh');
-	$vareapconfrandomfile = ($eapconf['vareapconfrandomfile']?$eapconf['vareapconfrandomfile']:'random');
+	$vareapconfprivatekeypassword = ($eapconf['vareapconfprivatekeypassword']?$eapconf['vareapconfprivatekeypassword']:'');
 	$vareapconfocspenable = ($eapconf['vareapconfocspenable']?$eapconf['vareapconfocspenable']:'no');
 	$vareapconfocspoverridecerturl = ($eapconf['vareapconfocspoverridecerturl']?$eapconf['vareapconfocspoverridecerturl']:'no');
 	$vareapconfocspurl = ($eapconf['vareapconfocspurl']?$eapconf['vareapconfocspurl']:'http://127.0.0.1/ocsp/');
@@ -420,8 +418,62 @@ function freeradius_eapconf_resync() {
 	$vareapconfpeapdefaulteaptype = ($eapconf['vareapconfpeapdefaulteaptype']?$eapconf['vareapconfpeapdefaulteaptype']:'mschapv2');
 	$vareapconfpeapcopyrequesttotunnel = ($eapconf['vareapconfpeapcopyrequesttotunnel']?$eapconf['vareapconfpeapcopyrequesttotunnel']:'no');
 	$vareapconfpeapusetunneledreply = ($eapconf['vareapconfpeapusetunneledreply']?$eapconf['vareapconfpeapusetunneledreply']:'no');
-	
-	
+
+
+// The filenames of pfsense cert manager are different from freeradius cert manager so it is possible to store both in the same folder at any time.
+// This is for the pfsense cert manager	
+if ($vareapconfchoosecertmanager == 'pfsensecertmgr') {
+		
+		$ca_cert = lookup_ca($eapconf["ssl_ca_cert"]);
+		if ($ca_cert != false) {
+			if(base64_decode($ca_cert['prv'])) {
+				file_put_contents(RADDB . "/certs/ca_key.pem", 
+					base64_decode($ca_cert['prv']));
+				$conf['ssl_ca_key'] = RADDB . '/certs/ca_key.pem';
+			}
+
+
+			if(base64_decode($ca_cert['crt'])) {
+				file_put_contents(RADDB . "/certs/ca_cert.pem", 
+					base64_decode($ca_cert['crt']));
+				$conf['ssl_ca_cert'] = RADDB . "/certs/ca_cert.pem";
+			}
+
+
+			$svr_cert = lookup_cert($eapconf["ssl_server_cert"]);
+			if ($svr_cert != false) {
+				if(base64_decode($svr_cert['prv'])) {
+					file_put_contents(RADDB . "/certs/server_key.pem", 
+						base64_decode($svr_cert['prv']));
+					$conf['ssl_key'] = RADDB . '/certs/server_key.pem';
+				}
+			}
+
+
+			if(base64_decode($svr_cert['crt'])) {
+				file_put_contents(RADDB . "/certs/server_cert.pem", 
+					base64_decode($svr_cert['crt']));
+				$conf['ssl_server_cert'] = RADDB . "/certs/server_cert.pem";
+			}
+
+
+			$conf['ssl_cert_dir'] = RADDB . '/certs';
+		}
+
+	$vareapconfprivatekeyfile = 'server_key.pem';
+	$vareapconfcertificatefile = 'server_cert.pem';
+	$vareapconfcafile = 'ca_cert.pem';
+}
+
+// This is for freeradius cert manager
+if ($vareapconfchoosecertmanager == 'radiuscertmgr') {
+
+	$vareapconfprivatekeyfile = 'server.pem';
+	$vareapconfcertificatefile = 'server.pem';
+	$vareapconfcafile = 'ca.pem';
+
+}
+
 	$conf .= <<<EOD
 
 	### EAP
@@ -450,8 +502,8 @@ function freeradius_eapconf_resync() {
 			private_key_file = \${certdir}/$vareapconfprivatekeyfile
 			certificate_file = \${certdir}/$vareapconfcertificatefile
 			CA_file = \${cadir}/$vareapconfcafile
-			dh_file = \${certdir}/$vareapconfdhfile
-			random_file = \${certdir}/$vareapconfrandomfile
+			dh_file = \${certdir}/dh
+			random_file = \${certdir}/random
 		#	fragment_size = 1024
 		#	include_length = yes
 		#	check_crl = yes
@@ -516,6 +568,31 @@ EOD;
 	restart_service('freeradius');
 }
 
+
+function freeradius_get_ca_certs() {
+	global $config;
+	$ca_arr = array();
+	$ca_arr[] = array('refid' => 'none', 'descr' => 'none');
+
+	foreach ($config['ca'] as $ca) {
+		$ca_arr[] = array('refid' => $ca['refid'], 'descr' => $ca['descr']);
+	}
+	return $ca_arr;
+}
+
+function freeradius_get_server_certs() {
+	global $config;
+	$cert_arr = array();
+	$cert_arr[] = array('refid' => 'none', 'descr' => 'none');
+
+	foreach ($config['cert'] as $cert) {
+		$cert_arr[] = array('refid' => $cert['refid'], 'descr' => $cert['descr']);
+	}
+	return $cert_arr;
+}
+
+
+
 function freeradius_sqlconf_resync() {
 	global $config;
 	$conf = '';
diff --git a/config/freeradius2/freeradiuscerts.xml b/config/freeradius2/freeradiuscerts.xml
index a0b4ac0f..9cdf656a 100644
--- a/config/freeradius2/freeradiuscerts.xml
+++ b/config/freeradius2/freeradiuscerts.xml
@@ -98,7 +98,7 @@
 								<b>Important:</b><br>
 								If you like to use certs created on another PC just disable this and click save.]]></description>
 			<type>select</type>
-			<default_value>yes</default_value>
+			<default_value>no</default_value>
 					<options>
 						<option><name>Yes</name><value>yes</value></option>
 						<option><name>No</name><value>no</value></option>
@@ -113,7 +113,7 @@
 									This page uses the freeradius2 built-in script called "bootstrap" to create CA and certs. The disatvantage of this script is that nothing of your changes will be saved in the global config.xml file. So after a systemcrash or reinstallation of freeradius2 package
 									all your CA and certs will be lost. If you have a backup of all these files on an USB stick or another server than you can copy them back in the freeradius certs folder.<br><br>
 									
-									<b>The better way is to use the pfsense built-in Cert Manager (SYSTEM-> Cert Manager).</b> The CA-Cert and Server-Cert you created there you just have to copy to the freeradius certs folder and pointing to these certs in eap.
+									<b>The better way is to use the pfsense built-in Cert Manager (SYSTEM-> Cert Manager).</b> The CA-Cert and Server-Cert you created there you just have to choose in EAP.
 									The advantage of this is that all your CA and certs will be saved in global config.xml and can be restored.]]></description>
 			<type>input</type>
 			<required/>
@@ -247,7 +247,7 @@
 								
 								
 								<b>Limitations:</b><br>
-								There is no CRL at the moment. Deleting of existing certs from the database (../certs/index.txt) isn't possible from GUI.<br>
+								There is no CRL. Deleting of existing certs from the database (../certs/index.txt) isn't possible from GUI.<br>
 								If you choose a Common Name which already exists in the database (check view config) the .crt will be zero bytes.<br>
 								Choose other Common Name and create a new Client-Cert.
 								]]></description>
@@ -275,8 +275,10 @@
 	</fields>
 	<custom_delete_php_command>
 	freeradius_allcertcnf_resync();
+	freeradius_eapconf_resync();
 	</custom_delete_php_command>
 	<custom_php_resync_config_command>
 	freeradius_allcertcnf_resync();
+	freeradius_eapconf_resync();
 	</custom_php_resync_config_command>
 </packagegui>
\ No newline at end of file
diff --git a/config/freeradius2/freeradiuseapconf.xml b/config/freeradius2/freeradiuseapconf.xml
index 40b161f8..495a61ee 100644
--- a/config/freeradius2/freeradiuseapconf.xml
+++ b/config/freeradius2/freeradiuseapconf.xml
@@ -143,53 +143,44 @@
 			<type>listtopic</type>
 		</field>
 		<field>
-			<fielddescr>Private Key Password</fielddescr>
-			<fieldname>vareapconfprivatekeypassword</fieldname>
-			<description><![CDATA[Enter the password of the private key. This is the password which you have to choose in "Certificates" tab.<br>
-							This field could be empty. (Default: whatever)]]></description>
-			<type>password</type>
-			<default_value>whatever</default_value>
-		</field>
-		<field>
-			<fielddescr>Server Private Key File</fielddescr>
-			<fieldname>vareapconfprivatekeyfile</fieldname>
-			<description><![CDATA[Enter the filename of the private key file. The file <b>must</b> be in /usr/local/etc/raddb/certs/ (Default: server.pem)<br>
-									<b>TIP:</b> You could use "SYSTEM-> Cert Manager" instead of the freeradius Cert script.<br>
-									You just have to export it there and copy it in the freeradius certs folder.]]></description>
-			<type>input</type>
-			<default_value>server.pem</default_value>
-		</field>
-		<field>
-			<fielddescr>Server Certificate File</fielddescr>
-			<fieldname>vareapconfcertificatefile</fieldname>
-			<description><![CDATA[Enter the filename of the server certificate file. The file <b>must</b> be in /usr/local/etc/raddb/certs/ (Default: server.pem)<br>
-									<b>TIP:</b> You could use "SYSTEM-> Cert Manager" instead of the freeradius Cert script.<br>
-									You just have to export it there and copy it in the freeradius certs folder.]]></description>
-			<type>input</type>
-			<default_value>server.pem</default_value>
+			<fielddescr>Choose your Cert Manager</fielddescr>
+			<fieldname>vareapconfchoosecertmanager</fieldname>
+			<description><![CDATA[Choose your Cert manager. By default it is the freeradius cert manager because the server needs some default certs to start service. For more information take al look at "Certificates"-Tab.<br>
+									To use the pfsense Cert Manager you have to create a CA and an Server Certificate first. (SYSTEM -> Cert Manager). (Default: freeRADIUS)]]></description>
+			<type>select</type>
+			<default_value>radiuscertmgr</default_value>
+					<options>
+						<option><name>freeRADIUS Cert Manager (not recommended)</name><value>radiuscertmgr</value></option>
+						<option><name>pfSense Cert Manager (recommended)</name><value>pfsensecertmgr</value></option>
+					</options>
 		</field>
 		<field>
-			<fielddescr>CA File</fielddescr>
-			<fieldname>vareapconfcafile</fieldname>
-			<description><![CDATA[Enter the filename of the CA file. The file <b>must</b> be in /usr/local/etc/raddb/certs/ (Default: server.pem)<br>
-									<b>TIP:</b> You could use "SYSTEM-> Cert Manager" instead of the freeradius Cert script.<br>
-									You just have to export it there and copy it in the freeradius certs folder.]]></description>
-			<type>input</type>
-			<default_value>ca.pem</default_value>
+			<fielddescr>SSL CA Certificate</fielddescr>
+			<fieldname>ssl_ca_cert</fieldname>
+			<description><![CDATA[Choose the SSL CA Certficate here which you created with the pfSense Cert Manager.<br>
+									Choose "none" if you do not use any kind of certificates or the freeradius Cert Manager. (Default: none)]]></description>
+			<type>select_source</type>
+			<source><![CDATA[freeradius_get_ca_certs()]]></source>
+			<source_name>descr</source_name>
+			<source_value>refid</source_value>
 		</field>
 		<field>
-			<fielddescr>DH File</fielddescr>
-			<fieldname>vareapconfdhfile</fieldname>
-			<description><![CDATA[Enter the filename of the DH file. The file <b>must</b> be in /usr/local/etc/raddb/certs/ (Default: dh)]]></description>
-			<type>input</type>
-			<default_value>dh</default_value>
+			<fielddescr>SSL Server Certificate</fielddescr>
+			<fieldname>ssl_server_cert</fieldname>
+			<description><![CDATA[Choose the SSL Server Certficate here which you created with the pfSense Cert Manager.<br>
+									Choose "none" if you do not use any kind of certificates or the freeradius Cert Manager. (Default: none)]]></description>
+			<type>select_source</type>
+			<source><![CDATA[freeradius_get_server_certs()]]></source>
+			<source_name>descr</source_name>
+			<source_value>refid</source_value>
 		</field>
 		<field>
-			<fielddescr>Random File</fielddescr>
-			<fieldname>vareapconfrandomfile</fieldname>
-			<description><![CDATA[Enter the filename of the random file. The file <b>must</b> be in /usr/local/etc/raddb/certs/ (Default: random)]]></description>
-			<type>input</type>
-			<default_value>random</default_value>
+			<fielddescr>Private Key Password</fielddescr>
+			<fieldname>vareapconfprivatekeypassword</fieldname>
+			<description><![CDATA[By default the certificates created by freeradius are protected with an "input/ouput" password from reaading the certificate.<b>
+								The certificates created by pfSense Cert Manager are not protected so you must leave this field empty. (Default: whatever)]]></description>
+			<type>password</type>
+			<default_value>whatever</default_value>
 		</field>
 		<field>
 			<name>EAP-TLS with OCSP support</name>