diff options
| -rwxr-xr-x | config/freeradius2/freeradius.inc | 342 | ||||
| -rw-r--r-- | config/freeradius2/freeradius.xml | 15 | ||||
| -rw-r--r-- | config/freeradius2/freeradius_view_config.php | 17 | ||||
| -rw-r--r-- | config/freeradius2/freeradiuscerts.xml | 267 | ||||
| -rw-r--r-- | config/freeradius2/freeradiusclients.xml | 4 | ||||
| -rw-r--r-- | config/freeradius2/freeradiuseapconf.xml | 7 | ||||
| -rw-r--r-- | config/freeradius2/freeradiusinterfaces.xml | 4 | ||||
| -rw-r--r-- | config/freeradius2/freeradiussettings.xml | 4 | ||||
| -rw-r--r-- | config/freeradius2/freeradiussqlconf.xml | 4 | ||||
| -rw-r--r-- | pkg_config.8.xml | 2 | ||||
| -rw-r--r-- | pkg_config.8.xml.amd64 | 2 |
11 files changed, 661 insertions, 7 deletions
diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc index ad113469..28e209b0 100755 --- a/config/freeradius2/freeradius.inc +++ b/config/freeradius2/freeradius.inc @@ -459,7 +459,8 @@ function freeradius_eapconf_resync() { # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" # check_cert_cn = %{User-Name} cipher_list = "DEFAULT" - make_cert_command = "\${certdir}/bootstrap" + ### we make this from Certificate tab on GUI at startup + # make_cert_command = "\${certdir}/bootstrap" ecdh_curve = "prime256v1" cache { enable = no @@ -1256,4 +1257,343 @@ EOD; restart_service('freeradius'); } + +function freeradius_cacertcnf_resync() { + global $config; + $conf = ''; + + $arrcerts = $config['installedpackages']['freeradiuscerts']['config'][0]; + + // General variables: CA, Server, Client + $varcertsdefaultdays = ($arrcerts['varcertsdefaultdays']?$arrcerts['varcertsdefaultdays']:'3650'); + $varcertsdefaultmd = ($arrcerts['varcertsdefaultmd']?$arrcerts['varcertsdefaultmd']:'md5'); + $varcertsdefaultbits = ($arrcerts['varcertsdefaultbits']?$arrcerts['varcertsdefaultbits']:'2048'); + $varcertspassword = ($arrcerts['varcertspassword']?$arrcerts['varcertspassword']:'whatever'); + $varcertscountryname = ($arrcerts['varcertscountryname']?$arrcerts['varcertscountryname']:'US'); + $varcertsstateorprovincename = ($arrcerts['varcertsstateorprovincename']?$arrcerts['varcertsstateorprovincename']:'Texas'); + $varcertslocalityname = ($arrcerts['varcertslocalityname']?$arrcerts['varcertslocalityname']:'Austin'); + $varcertsorganizationname = ($arrcerts['varcertsorganizationname']?$arrcerts['varcertsorganizationname']:'My Company Inc'); + + // Variables: Only for CA + $varcertscaemailaddress = ($arrcerts['varcertscaemailaddress']?$arrcerts['varcertscaemailaddress']:'admin@mycompany.com'); + $varcertscacommonname = ($arrcerts['varcertscacommonname']?$arrcerts['varcertscacommonname']:'internal-ca'); + + + + + $conf .= <<<EOD +[ ca ] +default_ca = CA_default + +[ CA_default ] +dir = ./ +certs = \$dir +crl_dir = \$dir/crl +database = \$dir/index.txt +new_certs_dir = \$dir +certificate = \$dir/ca.pem +serial = \$dir/serial +crl = \$dir/crl.pem +private_key = \$dir/ca.key +RANDFILE = \$dir/.rand +name_opt = ca_default +cert_opt = ca_default +default_days = $varcertsdefaultdays +default_crl_days = 30 +default_md = $varcertsdefaultmd +preserve = no +policy = policy_match + +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ req ] +prompt = no +distinguished_name = certificate_authority +default_bits = $varcertsdefaultbits +input_password = $varcertspassword +output_password = $varcertspassword +x509_extensions = v3_ca + +[certificate_authority] +countryName = $varcertscountryname +stateOrProvinceName = $varcertsstateorprovincename +localityName = $varcertslocalityname +organizationName = $varcertsorganizationname +emailAddress = $varcertscaemailaddress +commonName = "$varcertscacommonname" + +[v3_ca] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +basicConstraints = CA:true + +EOD; + + $filename = RADDB . '/certs/ca.cnf'; + conf_mount_rw(); + file_put_contents($filename, $conf); + chmod($filename, 0600); + conf_mount_ro(); + +} + +function freeradius_servercertcnf_resync() { + global $config; + $conf = ''; + + $arrcerts = $config['installedpackages']['freeradiuscerts']['config'][0]; + + // General variables: CA, Server, Client + $varcertsdefaultdays = ($arrcerts['varcertsdefaultdays']?$arrcerts['varcertsdefaultdays']:'3650'); + $varcertsdefaultmd = ($arrcerts['varcertsdefaultmd']?$arrcerts['varcertsdefaultmd']:'md5'); + $varcertsdefaultbits = ($arrcerts['varcertsdefaultbits']?$arrcerts['varcertsdefaultbits']:'2048'); + $varcertspassword = ($arrcerts['varcertspassword']?$arrcerts['varcertspassword']:'whatever'); + $varcertscountryname = ($arrcerts['varcertscountryname']?$arrcerts['varcertscountryname']:'US'); + $varcertsstateorprovincename = ($arrcerts['varcertsstateorprovincename']?$arrcerts['varcertsstateorprovincename']:'Texas'); + $varcertslocalityname = ($arrcerts['varcertslocalityname']?$arrcerts['varcertslocalityname']:'Austin'); + $varcertsorganizationname = ($arrcerts['varcertsorganizationname']?$arrcerts['varcertsorganizationname']:'My Company Inc'); + + // Variables: Only for Server + $varcertsserveremailaddress = ($arrcerts['varcertsserveremailaddress']?$arrcerts['varcertsserveremailaddress']:'webadmin@mycompany.com'); + $varcertsservercommonname = ($arrcerts['varcertsservercommonname']?$arrcerts['varcertsservercommonname']:'server-cert'); + + + $conf .= <<<EOD +[ ca ] +default_ca = CA_default + +[ CA_default ] +dir = ./ +certs = \$dir +crl_dir = \$dir/crl +database = \$dir/index.txt +new_certs_dir = \$dir +certificate = \$dir/server.pem +serial = \$dir/serial +crl = \$dir/crl.pem +private_key = \$dir/server.key +RANDFILE = \$dir/.rand +name_opt = ca_default +cert_opt = ca_default +default_days = $varcertsdefaultdays +default_crl_days = 30 +default_md = $varcertsdefaultmd +preserve = no +policy = policy_match + +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ req ] +prompt = no +distinguished_name = server +default_bits = $varcertsdefaultbits +input_password = $varcertspassword +output_password = $varcertspassword + +[server] +countryName = $varcertscountryname +stateOrProvinceName = $varcertsstateorprovincename +localityName = $varcertslocalityname +organizationName = $varcertsorganizationname +emailAddress = $varcertsserveremailaddress +commonName = "$varcertsservercommonname" + +EOD; + + $filename = RADDB . '/certs/server.cnf'; + conf_mount_rw(); + file_put_contents($filename, $conf); + chmod($filename, 0600); + conf_mount_ro(); + +} + +function freeradius_clientcertcnf_resync() { + global $config; + $conf = ''; + + $arrcerts = $config['installedpackages']['freeradiuscerts']['config'][0]; + + // General variables: CA, Server, Client + $varcertsdefaultdays = ($arrcerts['varcertsdefaultdays']?$arrcerts['varcertsdefaultdays']:'3650'); + $varcertsdefaultmd = ($arrcerts['varcertsdefaultmd']?$arrcerts['varcertsdefaultmd']:'md5'); + $varcertsdefaultbits = ($arrcerts['varcertsdefaultbits']?$arrcerts['varcertsdefaultbits']:'2048'); + $varcertspassword = ($arrcerts['varcertspassword']?$arrcerts['varcertspassword']:'whatever'); + $varcertscountryname = ($arrcerts['varcertscountryname']?$arrcerts['varcertscountryname']:'US'); + $varcertsstateorprovincename = ($arrcerts['varcertsstateorprovincename']?$arrcerts['varcertsstateorprovincename']:'Texas'); + $varcertslocalityname = ($arrcerts['varcertslocalityname']?$arrcerts['varcertslocalityname']:'Austin'); + $varcertsorganizationname = ($arrcerts['varcertsorganizationname']?$arrcerts['varcertsorganizationname']:'My Company Inc'); + + // Variables: Only for Client + $varcertsclientemailaddress = ($arrcerts['varcertsclientemailaddress']?$arrcerts['varcertsclientemailaddress']:'user@mycompany.com'); + $varcertsclientcommonname = ($arrcerts['varcertsclientcommonname']?$arrcerts['varcertsclientcommonname']:'client-cert'); + + + $conf .= <<<EOD +[ ca ] +default_ca = CA_default + +[ CA_default ] +dir = ./ +certs = \$dir +crl_dir = \$dir/crl +database = \$dir/index.txt +new_certs_dir = \$dir +certificate = \$dir/server.pem +serial = \$dir/serial +crl = \$dir/crl.pem +private_key = \$dir/server.key +RANDFILE = \$dir/.rand +name_opt = ca_default +cert_opt = ca_default +default_days = $varcertsdefaultdays +default_crl_days = 30 +default_md = $varcertsdefaultmd +preserve = no +policy = policy_match + +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ req ] +prompt = no +distinguished_name = client +default_bits = $varcertsdefaultbits +input_password = $varcertspassword +output_password = $varcertspassword + +[client] +countryName = $varcertscountryname +stateOrProvinceName = $varcertsstateorprovincename +localityName = $varcertslocalityname +organizationName = $varcertsorganizationname +emailAddress = $varcertsclientemailaddress +commonName = "$varcertsclientcommonname" + +EOD; + + $filename = RADDB . '/certs/client.cnf'; + conf_mount_rw(); + file_put_contents($filename, $conf); + chmod($filename, 0600); + conf_mount_ro(); + +} + +function freeradius_allcertcnf_resync() { + global $config; + + $arrcerts = $config['installedpackages']['freeradiuscerts']['config'][0]; + + // General variable for deleting/further generation of Client-Cert + $varcertscreateclient = ($arrcerts['varcertscreateclient']?$arrcerts['varcertscreateclient']:'no'); + + // General variables for deleting: CA, Server, Client + $varcertsdeleteall = ($arrcerts['varcertsdeleteall']?$arrcerts['varcertsdeleteall']:'yes'); + + + if ($arrcerts['varcertscreateclient'] == 'yes') { + + // delete all old certificates and keys + exec("rm -f /usr/local/etc/raddb/certs/client.csr"); + exec("rm -f /usr/local/etc/raddb/certs/client.crt"); + exec("rm -f /usr/local/etc/raddb/certs/client.key"); + exec("rm -f /usr/local/etc/raddb/certs/client.tar"); + + + // run fuction to create ONLY new client.cnf files based on user input from freeradiuscert.xml + freeradius_clientcertcnf_resync(); + + + // make bootstrap executable and run to create cert based on client.cnf files + exec("chmod 0770 /usr/local/etc/raddb/certs/bootstrap"); + exec("/usr/local/etc/raddb/certs/bootstrap"); + + // make bootstrap read-write only for root + exec("chmod 0600 /usr/local/etc/raddb/certs/bootstrap"); + exec("cd /usr/local/etc/raddb/certs && tar -cf client.tar client.crt client.csr client.key ca.der"); + exec("chmod 0600 /usr/local/etc/raddb/certs/client.tar"); + } + + + if ($arrcerts['varcertsdeleteall'] == 'yes') { + + // delete all old certificates and keys + exec("rm -f /usr/local/etc/raddb/certs/*.pem"); + exec("rm -f /usr/local/etc/raddb/certs/*.der"); + exec("rm -f /usr/local/etc/raddb/certs/*.csr"); + exec("rm -f /usr/local/etc/raddb/certs/*.crt"); + exec("rm -f /usr/local/etc/raddb/certs/*.key"); + exec("rm -f /usr/local/etc/raddb/certs/*.p12"); + exec("rm -f /usr/local/etc/raddb/certs/serial*"); + exec("rm -f /usr/local/etc/raddb/certs/index.txt*"); + exec("rm -f /usr/local/etc/raddb/certs/client.tar"); + + // run fuctions to create new .cnf files based on user input from freeradiuscert.xml + freeradius_cacertcnf_resync(); + freeradius_servercertcnf_resync(); + freeradius_clientcertcnf_resync(); + + // generate new DH and RANDOM file + exec("cd /usr/local/etc/raddb/certs && openssl dhparam -out dh 1024"); + exec("cd /usr/local/etc/raddb/certs && dd if=/dev/urandom of=./random count=10"); + + + // make bootstrap executable and run to create certs based on .cnf files + exec("chmod 0770 /usr/local/etc/raddb/certs/bootstrap"); + exec("/usr/local/etc/raddb/certs/bootstrap"); + + // make bootstrap read-write only for root + exec("chmod 0600 /usr/local/etc/raddb/certs/bootstrap"); + exec("cd /usr/local/etc/raddb/certs && tar -cf client.tar client.crt client.csr client.key ca.der"); + exec("chmod 0600 /usr/local/etc/raddb/certs/client.tar"); + + // If there were changes on the certificates we need to restart freeradius + restart_service('freeradius'); + } +} ?>
\ No newline at end of file diff --git a/config/freeradius2/freeradius.xml b/config/freeradius2/freeradius.xml index 78a0d984..e55720ac 100644 --- a/config/freeradius2/freeradius.xml +++ b/config/freeradius2/freeradius.xml @@ -90,6 +90,10 @@ <url>/pkg_edit.php?xml=freeradiussqlconf.xml&id=0</url> </tab> <tab> + <text>Certificates</text> + <url>/pkg_edit.php?xml=freeradiuscerts.xml&id=0</url> + </tab> + <tab> <text>View config</text> <url>/freeradius_view_config.php</url> </tab> @@ -123,7 +127,12 @@ <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> <item>http://www.pfsense.org/packages/config/freeradius2/freeradiusinterfaces.xml</item> - </additional_files_needed> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/freeradius2/freeradiuscerts.xml</item> + </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> @@ -302,6 +311,10 @@ freeradius_eapconf_resync(); freeradius_sqlconf_resync(); freeradius_serverdefault_resync(); + freeradius_clientcertcnf_resync(); + freeradius_servercertcnf_resync(); + freeradius_cacertcnf_resync(); + freeradius_allcertcnf_resync(); exec("rm -f /usr/local/etc/raddb/sites-enabled/control-socket"); exec("rm -f /usr/local/etc/raddb/sites-enabled/inner-tunnel"); </custom_php_install_command> diff --git a/config/freeradius2/freeradius_view_config.php b/config/freeradius2/freeradius_view_config.php index 9db6a682..7a5c52a4 100644 --- a/config/freeradius2/freeradius_view_config.php +++ b/config/freeradius2/freeradius_view_config.php @@ -35,6 +35,10 @@ function get_file($file){ $files['clients']="/usr/local/etc/raddb/clients.conf"; $files['users']="/usr/local/etc/raddb/users"; $files['virtual-server-default']="/usr/local/etc/raddb/sites-enabled/default"; + $files['ca']="/usr/local/etc/raddb/certs/ca.cnf"; + $files['server']="/usr/local/etc/raddb/certs/server.cnf"; + $files['client']="/usr/local/etc/raddb/certs/client.cnf"; + $files['index']="/usr/local/etc/raddb/certs/index.txt"; if ($files[$file]!="" && file_exists($files[$file])){ @@ -78,6 +82,7 @@ else{ $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=freeradiussettings.xml&id=0"); $tab_array[] = array(gettext("EAP"), false, "/pkg_edit.php?xml=freeradiuseapconf.xml&id=0"); $tab_array[] = array(gettext("SQL"), false, "/pkg_edit.php?xml=freeradiussqlconf.xml&id=0"); + $tab_array[] = array(gettext("Certificates"), false, "/pkg_edit.php?xml=freeradiuscerts.xml&id=0"); $tab_array[] = array(gettext("View config"), true, "/freeradius_view_config.php"); display_top_tabs($tab_array); ?> @@ -97,7 +102,11 @@ else{ <input type="button" onClick="get_freeradius_file('sql');" id='btn_sql' value="sql.conf"> <input type="button" onClick="get_freeradius_file('clients');" id='btn_clients' value="clients.conf"> <input type="button" onClick="get_freeradius_file('users');" id='btn_users' value="users"> - <input type="button" onClick="get_freeradius_file('virtual-server-default');" id='btn_virtual-server-default' value="default"> + <input type="button" onClick="get_freeradius_file('virtual-server-default');" id='btn_virtual-server-default' value="virtual-server-default"> + <input type="button" onClick="get_freeradius_file('ca');" id='btn_ca' value="ca.cnf"> + <input type="button" onClick="get_freeradius_file('server');" id='btn_server' value="server.cnf"> + <input type="button" onClick="get_freeradius_file('client');" id='btn_client' value="client.cnf"> + <input type="button" onClick="get_freeradius_file('index');" id='btn_index' value="index.txt"> </td> </tr> <tr> @@ -132,7 +141,11 @@ else{ $('btn_sql').value="sql.conf"; $('btn_clients').value="clients.conf"; $('btn_users').value="users"; - $('btn_virtual').value="default"; + $('btn_virtual').value="virtual-server-default"; + $('btn_ca').value="ca.cnf"; + $('btn_server').value="server.cnf"; + $('btn_client').value="client.cnf"; + $('btn_index').value="index.txt"; scroll(0,0); } </script> diff --git a/config/freeradius2/freeradiuscerts.xml b/config/freeradius2/freeradiuscerts.xml new file mode 100644 index 00000000..7503fe49 --- /dev/null +++ b/config/freeradius2/freeradiuscerts.xml @@ -0,0 +1,267 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + authng.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2007 to whom it may belong + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description><![CDATA[Describe your package here]]></description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>freeradiuscerts</name> + <version>none</version> + <title>FreeRADIUS: Certificates</title> + <aftersaveredirect>pkg_edit.php?xml=freeradiuscerts.xml&id=0</aftersaveredirect> + <include_file>/usr/local/pkg/freeradius.inc</include_file> + <tabs> + <tab> + <text>Users</text> + <url>/pkg.php?xml=freeradius.xml</url> + </tab> + <tab> + <text>NAS / Clients</text> + <url>/pkg.php?xml=freeradiusclients.xml</url> + </tab> + <tab> + <text>Interfaces</text> + <url>/pkg.php?xml=freeradiusinterfaces.xml</url> + </tab> + <tab> + <text>Settings</text> + <url>/pkg_edit.php?xml=freeradiussettings.xml&id=0</url> + </tab> + <tab> + <text>EAP</text> + <url>/pkg_edit.php?xml=freeradiuseapconf.xml&id=0</url> + </tab> + <tab> + <text>SQL</text> + <url>/pkg_edit.php?xml=freeradiussqlconf.xml&id=0</url> + </tab> + <tab> + <text>Certificates</text> + <url>/pkg_edit.php?xml=freeradiuscerts.xml&id=0</url> + <active/> + </tab> + <tab> + <text>View config</text> + <url>/freeradius_view_config.php</url> + </tab> + </tabs> + <fields> + <field> + <name>GENERAL CONFIGURATION</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Delete ALL existing Certificates ?</fielddescr> + <fieldname>varcertsdeleteall</fieldname> + <description><![CDATA[This will delete <b>ALL</b> existing CAs, Server-Certs and Client-Certs in freeradius certs folder!<br> + You <b>must</b> delete all existing if you want to create new ones. (Default: Yes)<br> + <b>Important:</b><br> + If you like to use certs created on another PC just disable this and click save.]]></description> + <type>select</type> + <default_value>yes</default_value> + <options> + <option><name>Yes</name><value>yes</value></option> + <option><name>No</name><value>no</value></option> + </options> + </field> + <field> + <name>Distinguished Name for CA, Server and Client</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Country Code</fielddescr> + <fieldname>varcertscountryname</fieldname> + <description><![CDATA[Enter your country Code. (Default: US)]]></description> + <type>input</type> + <default_value>US</default_value> + </field> + <field> + <fielddescr>State or Province</fielddescr> + <fieldname>varcertsstateorprovincename</fieldname> + <description><![CDATA[Enter your state or province. (Default: Texas)]]></description> + <type>input</type> + <default_value>Texas</default_value> + </field> + <field> + <fielddescr>City</fielddescr> + <fieldname>varcertslocalityname</fieldname> + <description><![CDATA[Enter your city. (Default: Austin)]]></description> + <type>input</type> + <default_value>Austin</default_value> + </field> + <field> + <fielddescr>Organization</fielddescr> + <fieldname>varcertsorganizationname</fieldname> + <description><![CDATA[Enter your organization. (Default: My Company Inc)]]></description> + <type>input</type> + <default_value>My Company Inc</default_value> + </field> + <field> + <fielddescr>Lifetime</fielddescr> + <fieldname>varcertsdefaultdays</fieldname> + <description><![CDATA[Enter the time after which the CA, Server and Client should expire in days. (Default: 3650)]]></description> + <type>input</type> + <default_value>3650</default_value> + </field> + <field> + <fielddescr>Key Length</fielddescr> + <fieldname>varcertsdefaultbits</fieldname> + <description><![CDATA[Enter the key length of CA, Server and Client. (Default: 2048)]]></description> + <type>select</type> + <default_value>2048</default_value> + <options> + <option><name>512</name><value>512</value></option> + <option><name>1024</name><value>1024</value></option> + <option><name>2048</name><value>2048</value></option> + <option><name>4096</name><value>4096</value></option> + </options> + </field> + <field> + <fielddescr>Key Creation Algorithm</fielddescr> + <fieldname>varcertsdefaultmd</fieldname> + <description><![CDATA[Choose the algotithem which should be used to create the key.<br> + There seems to be some OS do not support all algorithms. (Default: md5)]]></description> + <type>select</type> + <default_value>md5</default_value> + <options> + <option><name>MD5</name><value>md5</value></option> + <option><name>SHA1</name><value>sha1</value></option> + </options> + </field> + <field> + <fielddescr>Certificate Password (CA, Server and Client)</fielddescr> + <fieldname>varcertspassword</fieldname> + <description><![CDATA[Enter the password for the CA, Server and Client.<br> + This is the password you need to enter in eap.conf so that freeradius can read the cert. (Default: whatever)]]></description> + <type>password</type> + <default_value>whatever</default_value> + </field> + <field> + <name>CA specific Configuration</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>E-Mail Address</fielddescr> + <fieldname>varcertscaemailaddress</fieldname> + <description><![CDATA[Enter the E-Mail address for the CA. (Default: admin@mycompany.com)]]></description> + <type>input</type> + <default_value>admin@mycompany.com</default_value> + </field> + <field> + <fielddescr>Common Name</fielddescr> + <fieldname>varcertscacommonname</fieldname> + <description><![CDATA[Enter the common name for the CA. (Default: internal-ca)]]></description> + <type>input</type> + <default_value>internal-ca</default_value> + </field> + <field> + <name>Server specific Configuration</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>E-Mail Address</fielddescr> + <fieldname>varcertsserveremailaddress</fieldname> + <description><![CDATA[Enter the E-Mail address for the Server-Cert. (Default: webadmin@mycompany.com)]]></description> + <type>input</type> + <default_value>webadmin@mycompany.com</default_value> + </field> + <field> + <fielddescr>Common Name</fielddescr> + <fieldname>varcertsservercommonname</fieldname> + <description><![CDATA[Enter the common name for the Server-Cert. (Default: server-cert)]]></description> + <type>input</type> + <default_value>server-cert</default_value> + </field> + <field> + <name>Client specific Configuration</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Create a further Client-Certificate</fielddescr> + <fieldname>varcertscreateclient</fieldname> + <description><![CDATA[This will delete existing <b>Client-Certs</b> in freeradius certs folder!<br> + Choose this option if you need multiple Client-Certs.<br> + <b>Important:</b> You must backup your old Client-Cert before enabling this option. The new Client-Cert <b>must not</b> have any Common Name as other certificates your created before. (Default: No)<br><br> + + This is what you should do the very first time when creating certs here:<br> + 1. Check "Delete ALL Certs...", fill out all fields and create a new CA, new Server and Client Cert<br> + 2. If you need more than one Client-Cert than backup your first cert using DIAGNOSTICS->COMMAND PROMPT->Download<br> + /usr/local/etc/raddb/certs/client.tar<br> + 3. Disable "Delete ALL Certs..." and enable "Create a further Client-Certificate" and fill out the Client fields<br> + 4. Repeat step 2. as long as you need.<br><br> + + + <b>Limitations:</b><br> + There is no CRL at the moment. Deleting of existing certs from the database (../certs/index.txt) isn't possible from GUI.<br> + If you choose a Common Name which already exists in the database (check view config) the .crt will be zero bytes.<br> + Choose other Common Name and create a new Client-Cert. + ]]></description> + <type>select</type> + <default_value>no</default_value> + <options> + <option><name>Yes</name><value>yes</value></option> + <option><name>No</name><value>no</value></option> + </options> + </field> + <field> + <fielddescr>E-Mail Address</fielddescr> + <fieldname>varcertsclientemailaddress</fieldname> + <description><![CDATA[Enter the E-Mail address for the Client-Cert. (Default: user@mycompany.com)]]></description> + <type>input</type> + <default_value>user@mycompany.com</default_value> + </field> + <field> + <fielddescr>Common Name</fielddescr> + <fieldname>varcertsclientcommonname</fieldname> + <description><![CDATA[Enter the common name for the Client-Cert. (Default: client-cert)]]></description> + <type>input</type> + <default_value>client-cert</default_value> + </field> + </fields> + <custom_delete_php_command> + freeradius_allcertcnf_resync(); + </custom_delete_php_command> + <custom_php_resync_config_command> + freeradius_allcertcnf_resync(); + </custom_php_resync_config_command> +</packagegui>
\ No newline at end of file diff --git a/config/freeradius2/freeradiusclients.xml b/config/freeradius2/freeradiusclients.xml index b88eccf8..1e72cf2b 100644 --- a/config/freeradius2/freeradiusclients.xml +++ b/config/freeradius2/freeradiusclients.xml @@ -76,6 +76,10 @@ <url>/pkg_edit.php?xml=freeradiussqlconf.xml&id=0</url> </tab> <tab> + <text>Certificates</text> + <url>/pkg_edit.php?xml=freeradiuscerts.xml&id=0</url> + </tab> + <tab> <text>View config</text> <url>/freeradius_view_config.php</url> </tab> diff --git a/config/freeradius2/freeradiuseapconf.xml b/config/freeradius2/freeradiuseapconf.xml index f427ab84..504e9bed 100644 --- a/config/freeradius2/freeradiuseapconf.xml +++ b/config/freeradius2/freeradiuseapconf.xml @@ -77,6 +77,10 @@ <url>/pkg_edit.php?xml=freeradiussqlconf.xml&id=0</url> </tab> <tab> + <text>Certificates</text> + <url>/pkg_edit.php?xml=freeradiuscerts.xml&id=0</url> + </tab> + <tab> <text>View config</text> <url>/freeradius_view_config.php</url> </tab> @@ -141,7 +145,8 @@ <field> <fielddescr>Private Key Password</fielddescr> <fieldname>vareapconfprivatekeypassword</fieldname> - <description><![CDATA[Enter the password of the private key. (Default: whatever)]]></description> + <description><![CDATA[Enter the password of the private key.<br> + This is the password which you chose in "Certificates" tab. (Default: whatever)]]></description> <type>password</type> <default_value>whatever</default_value> </field> diff --git a/config/freeradius2/freeradiusinterfaces.xml b/config/freeradius2/freeradiusinterfaces.xml index a50cf8b1..0bebf057 100644 --- a/config/freeradius2/freeradiusinterfaces.xml +++ b/config/freeradius2/freeradiusinterfaces.xml @@ -76,6 +76,10 @@ <url>/pkg_edit.php?xml=freeradiussqlconf.xml&id=0</url> </tab> <tab> + <text>Certificates</text> + <url>/pkg_edit.php?xml=freeradiuscerts.xml&id=0</url> + </tab> + <tab> <text>View config</text> <url>/freeradius_view_config.php</url> </tab> diff --git a/config/freeradius2/freeradiussettings.xml b/config/freeradius2/freeradiussettings.xml index 25a9a2dd..689e4b16 100644 --- a/config/freeradius2/freeradiussettings.xml +++ b/config/freeradius2/freeradiussettings.xml @@ -77,6 +77,10 @@ <url>/pkg_edit.php?xml=freeradiussqlconf.xml&id=0</url> </tab> <tab> + <text>Certificates</text> + <url>/pkg_edit.php?xml=freeradiuscerts.xml&id=0</url> + </tab> + <tab> <text>View config</text> <url>/freeradius_view_config.php</url> </tab> diff --git a/config/freeradius2/freeradiussqlconf.xml b/config/freeradius2/freeradiussqlconf.xml index 15e9ee76..fa4f99e0 100644 --- a/config/freeradius2/freeradiussqlconf.xml +++ b/config/freeradius2/freeradiussqlconf.xml @@ -77,6 +77,10 @@ <active/> </tab> <tab> + <text>Certificates</text> + <url>/pkg_edit.php?xml=freeradiuscerts.xml&id=0</url> + </tab> + <tab> <text>View config</text> <url>/freeradius_view_config.php</url> </tab> diff --git a/pkg_config.8.xml b/pkg_config.8.xml index d02e6422..9cf55f31 100644 --- a/pkg_config.8.xml +++ b/pkg_config.8.xml @@ -764,7 +764,7 @@ Do not use together with freeradius package. Both are using the same XML files.]]></descr> <pkginfolink>http://forum.pfsense.org/index.php/topic,43675.0.html</pkginfolink> <category>System</category> - <version>2.1.12 pkg v1.3.3</version> + <version>2.1.12 pkg v1.3.4</version> <status>BETA</status> <required_version>2.0</required_version> <maintainer>Nachtfalke</maintainer> diff --git a/pkg_config.8.xml.amd64 b/pkg_config.8.xml.amd64 index dbb7e281..39a2eed2 100644 --- a/pkg_config.8.xml.amd64 +++ b/pkg_config.8.xml.amd64 @@ -806,7 +806,7 @@ Do not use together with freeradius package. Both are using the same XML files.]]></descr> <pkginfolink>http://forum.pfsense.org/index.php/topic,43675.0.html</pkginfolink> <category>System</category> - <version>2.1.12 pkg v1.3.3</version> + <version>2.1.12 pkg v1.3.4</version> <status>BETA</status> <required_version>2.0</required_version> <maintainer>Nachtfalke</maintainer> |