aboutsummaryrefslogtreecommitdiffstats
path: root/config
diff options
context:
space:
mode:
authorStephane Lapie <stephane.lapie@asahinet.com>2014-01-20 16:03:33 +0900
committerStephane Lapie <stephane.lapie@asahinet.com>2014-01-20 16:14:59 +0900
commit9a33bc918c1078402479101249b770ebc7e64d6b (patch)
tree27ea512d8ddff5450bb700c64ebbcccfe0006d40 /config
parent9c277bf31b361546080ba3e66b977cf6465e7938 (diff)
downloadpfsense-packages-9a33bc918c1078402479101249b770ebc7e64d6b.tar.gz
pfsense-packages-9a33bc918c1078402479101249b770ebc7e64d6b.tar.bz2
pfsense-packages-9a33bc918c1078402479101249b770ebc7e64d6b.zip
Separate CAs for client certs and server cert chain
- Modified the VirtualHost screen to make more clear the difference between "server certificate chain" and "client certification authority" - Modified configuration generation accordingly with proper options (SSLCertificateChainFile for server cert chain, SSLCACertificateFile for client certificates) according to Apache documentation
Diffstat (limited to 'config')
-rw-r--r--config/apache_mod_security-dev/apache_mod_security.inc9
-rw-r--r--config/apache_mod_security-dev/apache_virtualhost.xml14
2 files changed, 19 insertions, 4 deletions
diff --git a/config/apache_mod_security-dev/apache_mod_security.inc b/config/apache_mod_security-dev/apache_mod_security.inc
index 31be95cf..2728e2e9 100644
--- a/config/apache_mod_security-dev/apache_mod_security.inc
+++ b/config/apache_mod_security-dev/apache_mod_security.inc
@@ -569,9 +569,14 @@ EOF;
$vh_config.= " SSLCertificateKeyFile ". APACHEDIR . "/etc/apache22/{$virtualhost["ssl_cert"]}.key\n";
}
}
- $svr_ca =lookup_ca($virtualhost["reverse_int_ca"]);
+ $svr_ca =lookup_ca($virtualhost["ssl_cert_chain"]);
if ($svr_ca != false) {
- file_put_contents(APACHEDIR . "/etc/apache22/{$virtualhost["reverse_int_ca"]}.crt",apache_textarea_decode($svr_ca['crt']),LOCK_EX);
+ file_put_contents(APACHEDIR . "/etc/apache22/{$virtualhost["ssl_cert_chain"]}.crt",apache_textarea_decode($svr_ca['crt']),LOCK_EX);
+ $vh_config.= " SSLCertificateChainFile ". APACHEDIR . "/etc/apache22/{$virtualhost["ssl_cert_chain"]}.crt\n";
+ }
+ $cli_ca =lookup_ca($virtualhost["reverse_int_ca"]);
+ if ($cli_ca != false) {
+ file_put_contents(APACHEDIR . "/etc/apache22/{$virtualhost["reverse_int_ca"]}.crt",apache_textarea_decode($cli_ca['crt']),LOCK_EX);
$vh_config.= " SSLCACertificateFile ". APACHEDIR . "/etc/apache22/{$virtualhost["reverse_int_ca"]}.crt\n";
}
}
diff --git a/config/apache_mod_security-dev/apache_virtualhost.xml b/config/apache_mod_security-dev/apache_virtualhost.xml
index 747ef975..7851e683 100644
--- a/config/apache_mod_security-dev/apache_virtualhost.xml
+++ b/config/apache_mod_security-dev/apache_virtualhost.xml
@@ -267,9 +267,19 @@
<show_disable_value>none</show_disable_value>
</field>
<field>
- <fielddescr>Intermediate CA certificate (optional)</fielddescr>
+ <fielddescr>HTTPS SSL certificate chain</fielddescr>
+ <fieldname>ssl_cert_chain</fieldname>
+ <description>Select intermediate CA assigned to server certificate. Not all certificates require this.</description>
+ <type>select_source</type>
+ <source><![CDATA[$config['ca']]]></source>
+ <source_name>descr</source_name>
+ <source_value>refid</source_value>
+ <show_disable_value>none</show_disable_value>
+ </field>
+ <field>
+ <fielddescr>Client certificates CA (optional)</fielddescr>
<fieldname>reverse_int_ca</fieldname>
- <description>Select intermediate CA assigned to certificate. Not all certificates require this.</description>
+ <description>Select CA assigned to client certificates.</description>
<type>select_source</type>
<source><![CDATA[$config['ca']]]></source>
<source_name>descr</source_name>