From e5d1c85b5f4e79ac50fbda51850dbfcf073996a3 Mon Sep 17 00:00:00 2001 From: Alexander Wilke Date: Fri, 23 Dec 2011 16:27:28 +0000 Subject: Integrated pfsense Cert Manager in freeradius package (Thanks to jimp and sullrich). Now it is possible to create certificates in pfsense Cert manager and use them for freeradius. The freeradius cert builder script is still present because freeradius needs some default ca and cert to start the service. --- config/freeradius2/freeradius.inc | 97 ++++++++++++++++++++++++++++---- config/freeradius2/freeradiuscerts.xml | 8 ++- config/freeradius2/freeradiuseapconf.xml | 73 +++++++++++------------- 3 files changed, 124 insertions(+), 54 deletions(-) (limited to 'config/freeradius2') diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc index 5395fdd2..9409553b 100755 --- a/config/freeradius2/freeradius.inc +++ b/config/freeradius2/freeradius.inc @@ -393,6 +393,9 @@ function freeradius_eapconf_resync() { $eapconf = $config['installedpackages']['freeradiuseapconf']['config'][0]; + // Choose pfsense Cert-Manager or freeradius Cert-Manager + $vareapconfchoosecertmanager = ($eapconf['vareapconfchoosecertmanager']?$eapconf['vareapconfchoosecertmanager']:'radiuscertmgr'); + // Variables: EAP $vareapconfdefaulteaptype = ($eapconf['vareapconfdefaulteaptype']?$eapconf['vareapconfdefaulteaptype']:'md5'); $vareapconftimerexpire = ($eapconf['vareapconftimerexpire']?$eapconf['vareapconftimerexpire']:'60'); @@ -401,12 +404,7 @@ function freeradius_eapconf_resync() { $vareapconfmaxsessions = ($eapconf['vareapconfmaxsessions']?$eapconf['vareapconfmaxsessions']:'4096'); // Variables: EAP-TLS and EAP-TLS with OCSP support - $vareapconfprivatekeypassword = ($eapconf['vareapconfprivatekeypassword']?$eapconf['vareapconfprivatekeypassword']:'whatever'); - $vareapconfprivatekeyfile = ($eapconf['vareapconfprivatekeyfile']?$eapconf['vareapconfprivatekeyfile']:'server.pem'); - $vareapconfcertificatefile = ($eapconf['vareapconfcertificatefile']?$eapconf['vareapconfcertificatefile']:'server.pem'); - $vareapconfcafile = ($eapconf['vareapconfcafile']?$eapconf['vareapconfcafile']:'ca.pem'); - $vareapconfdhfile = ($eapconf['vareapconfdhfile']?$eapconf['vareapconfdhfile']:'dh'); - $vareapconfrandomfile = ($eapconf['vareapconfrandomfile']?$eapconf['vareapconfrandomfile']:'random'); + $vareapconfprivatekeypassword = ($eapconf['vareapconfprivatekeypassword']?$eapconf['vareapconfprivatekeypassword']:''); $vareapconfocspenable = ($eapconf['vareapconfocspenable']?$eapconf['vareapconfocspenable']:'no'); $vareapconfocspoverridecerturl = ($eapconf['vareapconfocspoverridecerturl']?$eapconf['vareapconfocspoverridecerturl']:'no'); $vareapconfocspurl = ($eapconf['vareapconfocspurl']?$eapconf['vareapconfocspurl']:'http://127.0.0.1/ocsp/'); @@ -420,8 +418,62 @@ function freeradius_eapconf_resync() { $vareapconfpeapdefaulteaptype = ($eapconf['vareapconfpeapdefaulteaptype']?$eapconf['vareapconfpeapdefaulteaptype']:'mschapv2'); $vareapconfpeapcopyrequesttotunnel = ($eapconf['vareapconfpeapcopyrequesttotunnel']?$eapconf['vareapconfpeapcopyrequesttotunnel']:'no'); $vareapconfpeapusetunneledreply = ($eapconf['vareapconfpeapusetunneledreply']?$eapconf['vareapconfpeapusetunneledreply']:'no'); - - + + +// The filenames of pfsense cert manager are different from freeradius cert manager so it is possible to store both in the same folder at any time. +// This is for the pfsense cert manager +if ($vareapconfchoosecertmanager == 'pfsensecertmgr') { + + $ca_cert = lookup_ca($eapconf["ssl_ca_cert"]); + if ($ca_cert != false) { + if(base64_decode($ca_cert['prv'])) { + file_put_contents(RADDB . "/certs/ca_key.pem", + base64_decode($ca_cert['prv'])); + $conf['ssl_ca_key'] = RADDB . '/certs/ca_key.pem'; + } + + + if(base64_decode($ca_cert['crt'])) { + file_put_contents(RADDB . "/certs/ca_cert.pem", + base64_decode($ca_cert['crt'])); + $conf['ssl_ca_cert'] = RADDB . "/certs/ca_cert.pem"; + } + + + $svr_cert = lookup_cert($eapconf["ssl_server_cert"]); + if ($svr_cert != false) { + if(base64_decode($svr_cert['prv'])) { + file_put_contents(RADDB . "/certs/server_key.pem", + base64_decode($svr_cert['prv'])); + $conf['ssl_key'] = RADDB . '/certs/server_key.pem'; + } + } + + + if(base64_decode($svr_cert['crt'])) { + file_put_contents(RADDB . "/certs/server_cert.pem", + base64_decode($svr_cert['crt'])); + $conf['ssl_server_cert'] = RADDB . "/certs/server_cert.pem"; + } + + + $conf['ssl_cert_dir'] = RADDB . '/certs'; + } + + $vareapconfprivatekeyfile = 'server_key.pem'; + $vareapconfcertificatefile = 'server_cert.pem'; + $vareapconfcafile = 'ca_cert.pem'; +} + +// This is for freeradius cert manager +if ($vareapconfchoosecertmanager == 'radiuscertmgr') { + + $vareapconfprivatekeyfile = 'server.pem'; + $vareapconfcertificatefile = 'server.pem'; + $vareapconfcafile = 'ca.pem'; + +} + $conf .= << 'none', 'descr' => 'none'); + + foreach ($config['ca'] as $ca) { + $ca_arr[] = array('refid' => $ca['refid'], 'descr' => $ca['descr']); + } + return $ca_arr; +} + +function freeradius_get_server_certs() { + global $config; + $cert_arr = array(); + $cert_arr[] = array('refid' => 'none', 'descr' => 'none'); + + foreach ($config['cert'] as $cert) { + $cert_arr[] = array('refid' => $cert['refid'], 'descr' => $cert['descr']); + } + return $cert_arr; +} + + + function freeradius_sqlconf_resync() { global $config; $conf = ''; diff --git a/config/freeradius2/freeradiuscerts.xml b/config/freeradius2/freeradiuscerts.xml index a0b4ac0f..9cdf656a 100644 --- a/config/freeradius2/freeradiuscerts.xml +++ b/config/freeradius2/freeradiuscerts.xml @@ -98,7 +98,7 @@ Important:
If you like to use certs created on another PC just disable this and click save.]]> select - yes + no @@ -113,7 +113,7 @@ This page uses the freeradius2 built-in script called "bootstrap" to create CA and certs. The disatvantage of this script is that nothing of your changes will be saved in the global config.xml file. So after a systemcrash or reinstallation of freeradius2 package all your CA and certs will be lost. If you have a backup of all these files on an USB stick or another server than you can copy them back in the freeradius certs folder.

- The better way is to use the pfsense built-in Cert Manager (SYSTEM-> Cert Manager). The CA-Cert and Server-Cert you created there you just have to copy to the freeradius certs folder and pointing to these certs in eap. + The better way is to use the pfsense built-in Cert Manager (SYSTEM-> Cert Manager). The CA-Cert and Server-Cert you created there you just have to choose in EAP. The advantage of this is that all your CA and certs will be saved in global config.xml and can be restored.]]> input @@ -247,7 +247,7 @@ Limitations:
- There is no CRL at the moment. Deleting of existing certs from the database (../certs/index.txt) isn't possible from GUI.
+ There is no CRL. Deleting of existing certs from the database (../certs/index.txt) isn't possible from GUI.
If you choose a Common Name which already exists in the database (check view config) the .crt will be zero bytes.
Choose other Common Name and create a new Client-Cert. ]]> @@ -275,8 +275,10 @@ freeradius_allcertcnf_resync(); + freeradius_eapconf_resync(); freeradius_allcertcnf_resync(); + freeradius_eapconf_resync(); \ No newline at end of file diff --git a/config/freeradius2/freeradiuseapconf.xml b/config/freeradius2/freeradiuseapconf.xml index 40b161f8..495a61ee 100644 --- a/config/freeradius2/freeradiuseapconf.xml +++ b/config/freeradius2/freeradiuseapconf.xml @@ -143,53 +143,44 @@ listtopic - Private Key Password - vareapconfprivatekeypassword - - This field could be empty. (Default: whatever)]]> - password - whatever - - - Server Private Key File - vareapconfprivatekeyfile - must be in /usr/local/etc/raddb/certs/ (Default: server.pem)
- TIP: You could use "SYSTEM-> Cert Manager" instead of the freeradius Cert script.
- You just have to export it there and copy it in the freeradius certs folder.]]>
- input - server.pem -
- - Server Certificate File - vareapconfcertificatefile - must be in /usr/local/etc/raddb/certs/ (Default: server.pem)
- TIP: You could use "SYSTEM-> Cert Manager" instead of the freeradius Cert script.
- You just have to export it there and copy it in the freeradius certs folder.]]>
- input - server.pem + Choose your Cert Manager + vareapconfchoosecertmanager + + To use the pfsense Cert Manager you have to create a CA and an Server Certificate first. (SYSTEM -> Cert Manager). (Default: freeRADIUS)]]> + select + radiuscertmgr + + + +
- CA File - vareapconfcafile - must be in /usr/local/etc/raddb/certs/ (Default: server.pem)
- TIP: You could use "SYSTEM-> Cert Manager" instead of the freeradius Cert script.
- You just have to export it there and copy it in the freeradius certs folder.]]>
- input - ca.pem + SSL CA Certificate + ssl_ca_cert + + Choose "none" if you do not use any kind of certificates or the freeradius Cert Manager. (Default: none)]]> + select_source + + descr + refid
- DH File - vareapconfdhfile - must be in /usr/local/etc/raddb/certs/ (Default: dh)]]> - input - dh + SSL Server Certificate + ssl_server_cert + + Choose "none" if you do not use any kind of certificates or the freeradius Cert Manager. (Default: none)]]> + select_source + + descr + refid - Random File - vareapconfrandomfile - must be in /usr/local/etc/raddb/certs/ (Default: random)]]> - input - random + Private Key Password + vareapconfprivatekeypassword + + The certificates created by pfSense Cert Manager are not protected so you must leave this field empty. (Default: whatever)]]> + password + whatever EAP-TLS with OCSP support -- cgit v1.2.3