From f78c766ee65ecee6623bf911ac1dccd0fcfc7697 Mon Sep 17 00:00:00 2001
From: Alexander Wilke <nachtfalkeaw@web.de>
Date: Wed, 21 Dec 2011 22:37:06 +0000
Subject: Added GUI to create certificates for freeradius (CA, server, clients)

---
 config/freeradius2/freeradius.inc             | 342 +++++++++++++++++++++++++-
 config/freeradius2/freeradius.xml             |  15 +-
 config/freeradius2/freeradius_view_config.php |  17 +-
 config/freeradius2/freeradiuscerts.xml        | 267 ++++++++++++++++++++
 config/freeradius2/freeradiusclients.xml      |   4 +
 config/freeradius2/freeradiuseapconf.xml      |   7 +-
 config/freeradius2/freeradiusinterfaces.xml   |   4 +
 config/freeradius2/freeradiussettings.xml     |   4 +
 config/freeradius2/freeradiussqlconf.xml      |   4 +
 9 files changed, 659 insertions(+), 5 deletions(-)
 create mode 100644 config/freeradius2/freeradiuscerts.xml

(limited to 'config')

diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc
index ad113469..28e209b0 100755
--- a/config/freeradius2/freeradius.inc
+++ b/config/freeradius2/freeradius.inc
@@ -459,7 +459,8 @@ function freeradius_eapconf_resync() {
 		#   check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
 		#	check_cert_cn = %{User-Name}
 			cipher_list = "DEFAULT"
-			make_cert_command = "\${certdir}/bootstrap"
+		###	we make this from Certificate tab on GUI at startup
+		#	make_cert_command = "\${certdir}/bootstrap"
 			ecdh_curve = "prime256v1"
 			cache {
 			      enable = no
@@ -1256,4 +1257,343 @@ EOD;
 
 	restart_service('freeradius');
 }
+
+function freeradius_cacertcnf_resync() {
+	global $config;
+	$conf = '';
+
+	$arrcerts = $config['installedpackages']['freeradiuscerts']['config'][0];
+	
+	// General variables: CA, Server, Client
+	$varcertsdefaultdays = ($arrcerts['varcertsdefaultdays']?$arrcerts['varcertsdefaultdays']:'3650');
+	$varcertsdefaultmd = ($arrcerts['varcertsdefaultmd']?$arrcerts['varcertsdefaultmd']:'md5');
+	$varcertsdefaultbits = ($arrcerts['varcertsdefaultbits']?$arrcerts['varcertsdefaultbits']:'2048');
+	$varcertspassword = ($arrcerts['varcertspassword']?$arrcerts['varcertspassword']:'whatever');
+	$varcertscountryname = ($arrcerts['varcertscountryname']?$arrcerts['varcertscountryname']:'US');
+	$varcertsstateorprovincename = ($arrcerts['varcertsstateorprovincename']?$arrcerts['varcertsstateorprovincename']:'Texas');
+	$varcertslocalityname = ($arrcerts['varcertslocalityname']?$arrcerts['varcertslocalityname']:'Austin');
+	$varcertsorganizationname = ($arrcerts['varcertsorganizationname']?$arrcerts['varcertsorganizationname']:'My Company Inc');
+
+	// Variables: Only for CA
+	$varcertscaemailaddress = ($arrcerts['varcertscaemailaddress']?$arrcerts['varcertscaemailaddress']:'admin@mycompany.com');
+	$varcertscacommonname = ($arrcerts['varcertscacommonname']?$arrcerts['varcertscacommonname']:'internal-ca');
+	
+	
+	
+
+	$conf .= <<<EOD
+[ ca ]
+default_ca		= CA_default
+
+[ CA_default ]
+dir			= ./
+certs			= \$dir
+crl_dir			= \$dir/crl
+database		= \$dir/index.txt
+new_certs_dir		= \$dir
+certificate		= \$dir/ca.pem
+serial			= \$dir/serial
+crl			= \$dir/crl.pem
+private_key		= \$dir/ca.key
+RANDFILE		= \$dir/.rand
+name_opt		= ca_default
+cert_opt		= ca_default
+default_days		= $varcertsdefaultdays
+default_crl_days	= 30
+default_md		= $varcertsdefaultmd
+preserve		= no
+policy			= policy_match
+
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+[ req ]
+prompt			= no
+distinguished_name	= certificate_authority
+default_bits		= $varcertsdefaultbits
+input_password		= $varcertspassword
+output_password		= $varcertspassword
+x509_extensions		= v3_ca
+
+[certificate_authority]
+countryName		= $varcertscountryname
+stateOrProvinceName	= $varcertsstateorprovincename
+localityName		= $varcertslocalityname
+organizationName	= $varcertsorganizationname
+emailAddress		= $varcertscaemailaddress
+commonName		= "$varcertscacommonname"
+
+[v3_ca]
+subjectKeyIdentifier	= hash
+authorityKeyIdentifier	= keyid:always,issuer:always
+basicConstraints	= CA:true
+
+EOD;
+
+	$filename = RADDB . '/certs/ca.cnf';
+	conf_mount_rw();
+	file_put_contents($filename, $conf);
+	chmod($filename, 0600);
+	conf_mount_ro();
+
+}
+
+function freeradius_servercertcnf_resync() {
+	global $config;
+	$conf = '';
+
+	$arrcerts = $config['installedpackages']['freeradiuscerts']['config'][0];
+	
+	// General variables: CA, Server, Client
+	$varcertsdefaultdays = ($arrcerts['varcertsdefaultdays']?$arrcerts['varcertsdefaultdays']:'3650');
+	$varcertsdefaultmd = ($arrcerts['varcertsdefaultmd']?$arrcerts['varcertsdefaultmd']:'md5');
+	$varcertsdefaultbits = ($arrcerts['varcertsdefaultbits']?$arrcerts['varcertsdefaultbits']:'2048');
+	$varcertspassword = ($arrcerts['varcertspassword']?$arrcerts['varcertspassword']:'whatever');
+	$varcertscountryname = ($arrcerts['varcertscountryname']?$arrcerts['varcertscountryname']:'US');
+	$varcertsstateorprovincename = ($arrcerts['varcertsstateorprovincename']?$arrcerts['varcertsstateorprovincename']:'Texas');
+	$varcertslocalityname = ($arrcerts['varcertslocalityname']?$arrcerts['varcertslocalityname']:'Austin');
+	$varcertsorganizationname = ($arrcerts['varcertsorganizationname']?$arrcerts['varcertsorganizationname']:'My Company Inc');
+
+	// Variables: Only for Server
+	$varcertsserveremailaddress = ($arrcerts['varcertsserveremailaddress']?$arrcerts['varcertsserveremailaddress']:'webadmin@mycompany.com');
+	$varcertsservercommonname = ($arrcerts['varcertsservercommonname']?$arrcerts['varcertsservercommonname']:'server-cert');
+	
+
+	$conf .= <<<EOD
+[ ca ]
+default_ca		= CA_default
+
+[ CA_default ]
+dir			= ./
+certs			= \$dir
+crl_dir			= \$dir/crl
+database		= \$dir/index.txt
+new_certs_dir		= \$dir
+certificate		= \$dir/server.pem
+serial			= \$dir/serial
+crl			= \$dir/crl.pem
+private_key		= \$dir/server.key
+RANDFILE		= \$dir/.rand
+name_opt		= ca_default
+cert_opt		= ca_default
+default_days		= $varcertsdefaultdays
+default_crl_days	= 30
+default_md		= $varcertsdefaultmd
+preserve		= no
+policy			= policy_match
+
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+[ req ]
+prompt			= no
+distinguished_name	= server
+default_bits		= $varcertsdefaultbits
+input_password		= $varcertspassword
+output_password		= $varcertspassword
+
+[server]
+countryName		= $varcertscountryname
+stateOrProvinceName	= $varcertsstateorprovincename
+localityName		= $varcertslocalityname
+organizationName	= $varcertsorganizationname
+emailAddress		= $varcertsserveremailaddress
+commonName		= "$varcertsservercommonname"
+
+EOD;
+
+	$filename = RADDB . '/certs/server.cnf';
+	conf_mount_rw();
+	file_put_contents($filename, $conf);
+	chmod($filename, 0600);
+	conf_mount_ro();
+
+}
+
+function freeradius_clientcertcnf_resync() {
+	global $config;
+	$conf = '';
+
+	$arrcerts = $config['installedpackages']['freeradiuscerts']['config'][0];
+	
+	// General variables: CA, Server, Client
+	$varcertsdefaultdays = ($arrcerts['varcertsdefaultdays']?$arrcerts['varcertsdefaultdays']:'3650');
+	$varcertsdefaultmd = ($arrcerts['varcertsdefaultmd']?$arrcerts['varcertsdefaultmd']:'md5');
+	$varcertsdefaultbits = ($arrcerts['varcertsdefaultbits']?$arrcerts['varcertsdefaultbits']:'2048');
+	$varcertspassword = ($arrcerts['varcertspassword']?$arrcerts['varcertspassword']:'whatever');
+	$varcertscountryname = ($arrcerts['varcertscountryname']?$arrcerts['varcertscountryname']:'US');
+	$varcertsstateorprovincename = ($arrcerts['varcertsstateorprovincename']?$arrcerts['varcertsstateorprovincename']:'Texas');
+	$varcertslocalityname = ($arrcerts['varcertslocalityname']?$arrcerts['varcertslocalityname']:'Austin');
+	$varcertsorganizationname = ($arrcerts['varcertsorganizationname']?$arrcerts['varcertsorganizationname']:'My Company Inc');
+
+	// Variables: Only for Client
+	$varcertsclientemailaddress = ($arrcerts['varcertsclientemailaddress']?$arrcerts['varcertsclientemailaddress']:'user@mycompany.com');
+	$varcertsclientcommonname = ($arrcerts['varcertsclientcommonname']?$arrcerts['varcertsclientcommonname']:'client-cert');
+	
+
+	$conf .= <<<EOD
+[ ca ]
+default_ca		= CA_default
+
+[ CA_default ]
+dir			= ./
+certs			= \$dir
+crl_dir			= \$dir/crl
+database		= \$dir/index.txt
+new_certs_dir		= \$dir
+certificate		= \$dir/server.pem
+serial			= \$dir/serial
+crl			= \$dir/crl.pem
+private_key		= \$dir/server.key
+RANDFILE		= \$dir/.rand
+name_opt		= ca_default
+cert_opt		= ca_default
+default_days		= $varcertsdefaultdays
+default_crl_days	= 30
+default_md		= $varcertsdefaultmd
+preserve		= no
+policy			= policy_match
+
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+[ req ]
+prompt			= no
+distinguished_name	= client
+default_bits		= $varcertsdefaultbits
+input_password		= $varcertspassword
+output_password		= $varcertspassword
+
+[client]
+countryName		= $varcertscountryname
+stateOrProvinceName	= $varcertsstateorprovincename
+localityName		= $varcertslocalityname
+organizationName	= $varcertsorganizationname
+emailAddress		= $varcertsclientemailaddress
+commonName		= "$varcertsclientcommonname"
+
+EOD;
+
+	$filename = RADDB . '/certs/client.cnf';
+	conf_mount_rw();
+	file_put_contents($filename, $conf);
+	chmod($filename, 0600);
+	conf_mount_ro();
+
+}
+
+function freeradius_allcertcnf_resync() {
+	global $config;
+
+	$arrcerts = $config['installedpackages']['freeradiuscerts']['config'][0];
+	
+	// General variable for deleting/further generation of Client-Cert
+	$varcertscreateclient = ($arrcerts['varcertscreateclient']?$arrcerts['varcertscreateclient']:'no');
+	
+	// General variables for deleting: CA, Server, Client
+	$varcertsdeleteall = ($arrcerts['varcertsdeleteall']?$arrcerts['varcertsdeleteall']:'yes');
+		
+	
+		if ($arrcerts['varcertscreateclient'] == 'yes') {
+		
+		// delete all old certificates and keys
+		exec("rm -f /usr/local/etc/raddb/certs/client.csr");
+		exec("rm -f /usr/local/etc/raddb/certs/client.crt");
+		exec("rm -f /usr/local/etc/raddb/certs/client.key");
+		exec("rm -f /usr/local/etc/raddb/certs/client.tar");
+	
+	
+		// run fuction to create ONLY new client.cnf files based on user input from freeradiuscert.xml
+		freeradius_clientcertcnf_resync();
+	
+	
+		// make bootstrap executable and run to create cert based on client.cnf files
+		exec("chmod 0770 /usr/local/etc/raddb/certs/bootstrap");
+		exec("/usr/local/etc/raddb/certs/bootstrap");
+	
+		// make bootstrap read-write only for root
+		exec("chmod 0600 /usr/local/etc/raddb/certs/bootstrap");
+		exec("cd /usr/local/etc/raddb/certs && tar -cf client.tar client.crt client.csr client.key ca.der");
+		exec("chmod 0600 /usr/local/etc/raddb/certs/client.tar");
+		}
+
+		
+		if ($arrcerts['varcertsdeleteall'] == 'yes') {
+	
+		// delete all old certificates and keys
+		exec("rm -f /usr/local/etc/raddb/certs/*.pem");
+		exec("rm -f /usr/local/etc/raddb/certs/*.der");
+		exec("rm -f /usr/local/etc/raddb/certs/*.csr");
+		exec("rm -f /usr/local/etc/raddb/certs/*.crt");
+		exec("rm -f /usr/local/etc/raddb/certs/*.key");
+		exec("rm -f /usr/local/etc/raddb/certs/*.p12");
+		exec("rm -f /usr/local/etc/raddb/certs/serial*");
+		exec("rm -f /usr/local/etc/raddb/certs/index.txt*");
+		exec("rm -f /usr/local/etc/raddb/certs/client.tar");
+	
+		// run fuctions to create new .cnf files based on user input from freeradiuscert.xml
+		freeradius_cacertcnf_resync();
+		freeradius_servercertcnf_resync();
+		freeradius_clientcertcnf_resync();
+		
+		// generate new DH and RANDOM file
+		exec("cd /usr/local/etc/raddb/certs && openssl dhparam -out dh 1024");
+		exec("cd /usr/local/etc/raddb/certs && dd if=/dev/urandom of=./random count=10");
+	
+	
+		// make bootstrap executable and run to create certs based on .cnf files
+		exec("chmod 0770 /usr/local/etc/raddb/certs/bootstrap");
+		exec("/usr/local/etc/raddb/certs/bootstrap");
+	
+		// make bootstrap read-write only for root
+		exec("chmod 0600 /usr/local/etc/raddb/certs/bootstrap");
+		exec("cd /usr/local/etc/raddb/certs && tar -cf client.tar client.crt client.csr client.key ca.der");
+		exec("chmod 0600 /usr/local/etc/raddb/certs/client.tar");
+	
+		// If there were changes on the certificates we need to restart freeradius
+		restart_service('freeradius');
+		}
+}
 ?>
\ No newline at end of file
diff --git a/config/freeradius2/freeradius.xml b/config/freeradius2/freeradius.xml
index 78a0d984..e55720ac 100644
--- a/config/freeradius2/freeradius.xml
+++ b/config/freeradius2/freeradius.xml
@@ -89,6 +89,10 @@
 			<text>SQL</text>
 			<url>/pkg_edit.php?xml=freeradiussqlconf.xml&amp;id=0</url>
 		</tab>
+		<tab>
+			<text>Certificates</text>
+			<url>/pkg_edit.php?xml=freeradiuscerts.xml&amp;id=0</url>
+		</tab>		
 		<tab>
 			<text>View config</text>
 			<url>/freeradius_view_config.php</url>
@@ -123,7 +127,12 @@
 		<prefix>/usr/local/pkg/</prefix>
 		<chmod>0755</chmod>
 		<item>http://www.pfsense.org/packages/config/freeradius2/freeradiusinterfaces.xml</item>
-	</additional_files_needed>	
+	</additional_files_needed>
+	<additional_files_needed>
+		<prefix>/usr/local/pkg/</prefix>
+		<chmod>0755</chmod>
+		<item>http://www.pfsense.org/packages/config/freeradius2/freeradiuscerts.xml</item>
+	</additional_files_needed>
 	<additional_files_needed>
 		<prefix>/usr/local/pkg/</prefix>
 		<chmod>0755</chmod>
@@ -302,6 +311,10 @@
 		freeradius_eapconf_resync();
 		freeradius_sqlconf_resync();
 		freeradius_serverdefault_resync();
+		freeradius_clientcertcnf_resync();
+		freeradius_servercertcnf_resync();
+		freeradius_cacertcnf_resync();
+		freeradius_allcertcnf_resync();
 		exec("rm -f /usr/local/etc/raddb/sites-enabled/control-socket");
 		exec("rm -f /usr/local/etc/raddb/sites-enabled/inner-tunnel");
 	</custom_php_install_command>
diff --git a/config/freeradius2/freeradius_view_config.php b/config/freeradius2/freeradius_view_config.php
index 9db6a682..7a5c52a4 100644
--- a/config/freeradius2/freeradius_view_config.php
+++ b/config/freeradius2/freeradius_view_config.php
@@ -35,6 +35,10 @@ function get_file($file){
 	$files['clients']="/usr/local/etc/raddb/clients.conf";
 	$files['users']="/usr/local/etc/raddb/users";
 	$files['virtual-server-default']="/usr/local/etc/raddb/sites-enabled/default";
+	$files['ca']="/usr/local/etc/raddb/certs/ca.cnf";
+	$files['server']="/usr/local/etc/raddb/certs/server.cnf";
+	$files['client']="/usr/local/etc/raddb/certs/client.cnf";
+	$files['index']="/usr/local/etc/raddb/certs/index.txt";
 
 
 	if ($files[$file]!="" && file_exists($files[$file])){
@@ -78,6 +82,7 @@ else{
 		$tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=freeradiussettings.xml&id=0");
 		$tab_array[] = array(gettext("EAP"), false, "/pkg_edit.php?xml=freeradiuseapconf.xml&id=0");
 		$tab_array[] = array(gettext("SQL"), false, "/pkg_edit.php?xml=freeradiussqlconf.xml&id=0");
+		$tab_array[] = array(gettext("Certificates"), false, "/pkg_edit.php?xml=freeradiuscerts.xml&id=0");
 		$tab_array[] = array(gettext("View config"), true, "/freeradius_view_config.php");
 		display_top_tabs($tab_array);
 	?>
@@ -97,7 +102,11 @@ else{
 							<input type="button" onClick="get_freeradius_file('sql');" id='btn_sql' value="sql.conf">&nbsp;
 							<input type="button" onClick="get_freeradius_file('clients');" id='btn_clients' value="clients.conf">&nbsp;
 							<input type="button" onClick="get_freeradius_file('users');" id='btn_users' value="users">&nbsp;
-							<input type="button" onClick="get_freeradius_file('virtual-server-default');" id='btn_virtual-server-default' value="default">&nbsp;
+							<input type="button" onClick="get_freeradius_file('virtual-server-default');" id='btn_virtual-server-default' value="virtual-server-default">&nbsp;
+							<input type="button" onClick="get_freeradius_file('ca');" id='btn_ca' value="ca.cnf">&nbsp;
+							<input type="button" onClick="get_freeradius_file('server');" id='btn_server' value="server.cnf">&nbsp;
+							<input type="button" onClick="get_freeradius_file('client');" id='btn_client' value="client.cnf">&nbsp;
+							<input type="button" onClick="get_freeradius_file('index');" id='btn_index' value="index.txt">&nbsp;
 							</td>
 								</tr>
 								<tr>
@@ -132,7 +141,11 @@ else{
 			$('btn_sql').value="sql.conf";
 			$('btn_clients').value="clients.conf";
 			$('btn_users').value="users";
-			$('btn_virtual').value="default";
+			$('btn_virtual').value="virtual-server-default";
+			$('btn_ca').value="ca.cnf";
+			$('btn_server').value="server.cnf";
+			$('btn_client').value="client.cnf";
+			$('btn_index').value="index.txt";
 			scroll(0,0);
 		}
 	</script>
diff --git a/config/freeradius2/freeradiuscerts.xml b/config/freeradius2/freeradiuscerts.xml
new file mode 100644
index 00000000..7503fe49
--- /dev/null
+++ b/config/freeradius2/freeradiuscerts.xml
@@ -0,0 +1,267 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?>
+<packagegui>
+		<copyright>
+		<![CDATA[
+/* $Id$ */
+/* ========================================================================== */
+/*
+    authng.xml
+    part of pfSense (http://www.pfSense.com)
+    Copyright (C) 2007 to whom it may belong
+    All rights reserved.
+
+    Based on m0n0wall (http://m0n0.ch/wall)
+    Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
+    All rights reserved.
+                                                                              */
+/* ========================================================================== */
+/*
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+     1. Redistributions of source code must retain the above copyright notice,
+        this list of conditions and the following disclaimer.
+
+     2. Redistributions in binary form must reproduce the above copyright
+        notice, this list of conditions and the following disclaimer in the
+        documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+                                                                              */
+/* ========================================================================== */
+		]]>
+	</copyright>
+	<description><![CDATA[Describe your package here]]></description>
+	<requirements>Describe your package requirements here</requirements>
+	<faq>Currently there are no FAQ items provided.</faq>
+	<name>freeradiuscerts</name>
+	<version>none</version>
+	<title>FreeRADIUS: Certificates</title>
+	<aftersaveredirect>pkg_edit.php?xml=freeradiuscerts.xml&amp;id=0</aftersaveredirect>
+	<include_file>/usr/local/pkg/freeradius.inc</include_file>
+	<tabs>
+		<tab>
+			<text>Users</text>
+			<url>/pkg.php?xml=freeradius.xml</url>
+		</tab>
+		<tab>
+			<text>NAS / Clients</text>
+			<url>/pkg.php?xml=freeradiusclients.xml</url>
+		</tab>
+		<tab>
+			<text>Interfaces</text>
+			<url>/pkg.php?xml=freeradiusinterfaces.xml</url>
+		</tab>
+		<tab>
+			<text>Settings</text>
+			<url>/pkg_edit.php?xml=freeradiussettings.xml&amp;id=0</url>
+		</tab>
+		<tab>
+			<text>EAP</text>
+			<url>/pkg_edit.php?xml=freeradiuseapconf.xml&amp;id=0</url>
+		</tab>
+		<tab>
+			<text>SQL</text>
+			<url>/pkg_edit.php?xml=freeradiussqlconf.xml&amp;id=0</url>
+		</tab>
+		<tab>
+			<text>Certificates</text>
+			<url>/pkg_edit.php?xml=freeradiuscerts.xml&amp;id=0</url>
+			<active/>
+		</tab>
+		<tab>
+			<text>View config</text>
+			<url>/freeradius_view_config.php</url>
+		</tab>
+	</tabs>
+	<fields>
+		<field>
+			<name>GENERAL CONFIGURATION</name>
+			<type>listtopic</type>
+		</field>
+		<field>
+			<fielddescr>Delete ALL existing Certificates ?</fielddescr>
+			<fieldname>varcertsdeleteall</fieldname>
+			<description><![CDATA[This will delete <b>ALL</b> existing CAs, Server-Certs and Client-Certs in freeradius certs folder!<br>
+								You <b>must</b> delete all existing if you want to create new ones. (Default: Yes)<br>
+								<b>Important:</b><br>
+								If you like to use certs created on another PC just disable this and click save.]]></description>
+			<type>select</type>
+			<default_value>yes</default_value>
+					<options>
+						<option><name>Yes</name><value>yes</value></option>
+						<option><name>No</name><value>no</value></option>
+					</options>
+		</field>
+		<field>
+			<name>Distinguished Name for CA, Server and Client</name>
+			<type>listtopic</type>
+		</field>
+		<field>
+			<fielddescr>Country Code</fielddescr>
+			<fieldname>varcertscountryname</fieldname>
+			<description><![CDATA[Enter your country Code. (Default: US)]]></description>
+			<type>input</type>
+			<default_value>US</default_value>
+		</field>
+		<field>
+			<fielddescr>State or Province</fielddescr>
+			<fieldname>varcertsstateorprovincename</fieldname>
+			<description><![CDATA[Enter your state or province. (Default: Texas)]]></description>
+			<type>input</type>
+			<default_value>Texas</default_value>
+		</field>
+		<field>
+			<fielddescr>City</fielddescr>
+			<fieldname>varcertslocalityname</fieldname>
+			<description><![CDATA[Enter your city. (Default: Austin)]]></description>
+			<type>input</type>
+			<default_value>Austin</default_value>
+		</field>
+		<field>
+			<fielddescr>Organization</fielddescr>
+			<fieldname>varcertsorganizationname</fieldname>
+			<description><![CDATA[Enter your organization. (Default: My Company Inc)]]></description>
+			<type>input</type>
+			<default_value>My Company Inc</default_value>
+		</field>
+				<field>
+			<fielddescr>Lifetime</fielddescr>
+			<fieldname>varcertsdefaultdays</fieldname>
+			<description><![CDATA[Enter the time after which the CA, Server and Client should expire in days. (Default: 3650)]]></description>
+			<type>input</type>
+			<default_value>3650</default_value>
+		</field>
+		<field>
+			<fielddescr>Key Length</fielddescr>
+			<fieldname>varcertsdefaultbits</fieldname>
+			<description><![CDATA[Enter the key length of CA, Server and Client. (Default: 2048)]]></description>
+			<type>select</type>
+			<default_value>2048</default_value>
+					<options>
+						<option><name>512</name><value>512</value></option>
+						<option><name>1024</name><value>1024</value></option>
+						<option><name>2048</name><value>2048</value></option>
+						<option><name>4096</name><value>4096</value></option>
+					</options>
+		</field>
+		<field>
+			<fielddescr>Key Creation Algorithm</fielddescr>
+			<fieldname>varcertsdefaultmd</fieldname>
+			<description><![CDATA[Choose the algotithem which should be used to create the key.<br>
+								There seems to be some OS do not support all algorithms. (Default: md5)]]></description>
+			<type>select</type>
+			<default_value>md5</default_value>
+					<options>
+						<option><name>MD5</name><value>md5</value></option>
+						<option><name>SHA1</name><value>sha1</value></option>
+					</options>
+		</field>
+		<field>
+			<fielddescr>Certificate Password (CA, Server and Client)</fielddescr>
+			<fieldname>varcertspassword</fieldname>
+			<description><![CDATA[Enter the password for the CA, Server and Client.<br>
+								This is the password you need to enter in eap.conf so that freeradius can read the cert. (Default: whatever)]]></description>
+			<type>password</type>
+			<default_value>whatever</default_value>
+		</field>
+		<field>
+			<name>CA specific Configuration</name>
+			<type>listtopic</type>
+		</field>
+		<field>
+			<fielddescr>E-Mail Address</fielddescr>
+			<fieldname>varcertscaemailaddress</fieldname>
+			<description><![CDATA[Enter the E-Mail address for the CA. (Default: admin@mycompany.com)]]></description>
+			<type>input</type>
+			<default_value>admin@mycompany.com</default_value>
+		</field>
+		<field>
+			<fielddescr>Common Name</fielddescr>
+			<fieldname>varcertscacommonname</fieldname>
+			<description><![CDATA[Enter the common name for the CA. (Default: internal-ca)]]></description>
+			<type>input</type>
+			<default_value>internal-ca</default_value>
+		</field>
+		<field>
+			<name>Server specific Configuration</name>
+			<type>listtopic</type>
+		</field>
+		<field>
+			<fielddescr>E-Mail Address</fielddescr>
+			<fieldname>varcertsserveremailaddress</fieldname>
+			<description><![CDATA[Enter the E-Mail address for the Server-Cert. (Default: webadmin@mycompany.com)]]></description>
+			<type>input</type>
+			<default_value>webadmin@mycompany.com</default_value>
+		</field>
+		<field>
+			<fielddescr>Common Name</fielddescr>
+			<fieldname>varcertsservercommonname</fieldname>
+			<description><![CDATA[Enter the common name for the Server-Cert. (Default: server-cert)]]></description>
+			<type>input</type>
+			<default_value>server-cert</default_value>
+		</field>
+		<field>
+			<name>Client specific Configuration</name>
+			<type>listtopic</type>
+		</field>
+		<field>
+			<fielddescr>Create a further Client-Certificate</fielddescr>
+			<fieldname>varcertscreateclient</fieldname>
+			<description><![CDATA[This will delete existing <b>Client-Certs</b> in freeradius certs folder!<br>
+								Choose this option if you need multiple Client-Certs.<br>
+								<b>Important:</b> You must backup your old Client-Cert before enabling this option. The new Client-Cert <b>must not</b> have any Common Name as other certificates your created before. (Default: No)<br><br>
+								
+								This is what you should do the very first time when creating certs here:<br>
+								1. Check "Delete ALL Certs...", fill out all fields and create a new CA, new Server and Client Cert<br>
+								2. If you need more than one Client-Cert than backup your first cert using DIAGNOSTICS->COMMAND PROMPT->Download<br>
+								/usr/local/etc/raddb/certs/client.tar<br>
+								3. Disable "Delete ALL Certs..." and enable "Create a further Client-Certificate" and fill out the Client fields<br>
+								4. Repeat step 2. as long as you need.<br><br>
+								
+								
+								<b>Limitations:</b><br>
+								There is no CRL at the moment. Deleting of existing certs from the database (../certs/index.txt) isn't possible from GUI.<br>
+								If you choose a Common Name which already exists in the database (check view config) the .crt will be zero bytes.<br>
+								Choose other Common Name and create a new Client-Cert.
+								]]></description>
+			<type>select</type>
+			<default_value>no</default_value>
+					<options>
+						<option><name>Yes</name><value>yes</value></option>
+						<option><name>No</name><value>no</value></option>
+					</options>
+		</field>
+		<field>
+			<fielddescr>E-Mail Address</fielddescr>
+			<fieldname>varcertsclientemailaddress</fieldname>
+			<description><![CDATA[Enter the E-Mail address for the Client-Cert. (Default: user@mycompany.com)]]></description>
+			<type>input</type>
+			<default_value>user@mycompany.com</default_value>
+		</field>
+		<field>
+			<fielddescr>Common Name</fielddescr>
+			<fieldname>varcertsclientcommonname</fieldname>
+			<description><![CDATA[Enter the common name for the Client-Cert. (Default: client-cert)]]></description>
+			<type>input</type>
+			<default_value>client-cert</default_value>
+		</field>
+	</fields>
+	<custom_delete_php_command>
+	freeradius_allcertcnf_resync();
+	</custom_delete_php_command>
+	<custom_php_resync_config_command>
+	freeradius_allcertcnf_resync();
+	</custom_php_resync_config_command>
+</packagegui>
\ No newline at end of file
diff --git a/config/freeradius2/freeradiusclients.xml b/config/freeradius2/freeradiusclients.xml
index b88eccf8..1e72cf2b 100644
--- a/config/freeradius2/freeradiusclients.xml
+++ b/config/freeradius2/freeradiusclients.xml
@@ -75,6 +75,10 @@
 			<text>SQL</text>
 			<url>/pkg_edit.php?xml=freeradiussqlconf.xml&amp;id=0</url>
 		</tab>
+		<tab>
+			<text>Certificates</text>
+			<url>/pkg_edit.php?xml=freeradiuscerts.xml&amp;id=0</url>
+		</tab>		
 		<tab>
 			<text>View config</text>
 			<url>/freeradius_view_config.php</url>
diff --git a/config/freeradius2/freeradiuseapconf.xml b/config/freeradius2/freeradiuseapconf.xml
index f427ab84..504e9bed 100644
--- a/config/freeradius2/freeradiuseapconf.xml
+++ b/config/freeradius2/freeradiuseapconf.xml
@@ -76,6 +76,10 @@
 			<text>SQL</text>
 			<url>/pkg_edit.php?xml=freeradiussqlconf.xml&amp;id=0</url>
 		</tab>
+		<tab>
+			<text>Certificates</text>
+			<url>/pkg_edit.php?xml=freeradiuscerts.xml&amp;id=0</url>
+		</tab>		
 		<tab>
 			<text>View config</text>
 			<url>/freeradius_view_config.php</url>
@@ -141,7 +145,8 @@
 		<field>
 			<fielddescr>Private Key Password</fielddescr>
 			<fieldname>vareapconfprivatekeypassword</fieldname>
-			<description><![CDATA[Enter the password of the private key. (Default: whatever)]]></description>
+			<description><![CDATA[Enter the password of the private key.<br>
+								This is the password which you chose in "Certificates" tab. (Default: whatever)]]></description>
 			<type>password</type>
 			<default_value>whatever</default_value>
 		</field>
diff --git a/config/freeradius2/freeradiusinterfaces.xml b/config/freeradius2/freeradiusinterfaces.xml
index a50cf8b1..0bebf057 100644
--- a/config/freeradius2/freeradiusinterfaces.xml
+++ b/config/freeradius2/freeradiusinterfaces.xml
@@ -75,6 +75,10 @@
 			<text>SQL</text>
 			<url>/pkg_edit.php?xml=freeradiussqlconf.xml&amp;id=0</url>
 		</tab>
+		<tab>
+			<text>Certificates</text>
+			<url>/pkg_edit.php?xml=freeradiuscerts.xml&amp;id=0</url>
+		</tab>		
 		<tab>
 			<text>View config</text>
 			<url>/freeradius_view_config.php</url>
diff --git a/config/freeradius2/freeradiussettings.xml b/config/freeradius2/freeradiussettings.xml
index 25a9a2dd..689e4b16 100644
--- a/config/freeradius2/freeradiussettings.xml
+++ b/config/freeradius2/freeradiussettings.xml
@@ -76,6 +76,10 @@
 			<text>SQL</text>
 			<url>/pkg_edit.php?xml=freeradiussqlconf.xml&amp;id=0</url>
 		</tab>
+		<tab>
+			<text>Certificates</text>
+			<url>/pkg_edit.php?xml=freeradiuscerts.xml&amp;id=0</url>
+		</tab>		
 		<tab>
 			<text>View config</text>
 			<url>/freeradius_view_config.php</url>
diff --git a/config/freeradius2/freeradiussqlconf.xml b/config/freeradius2/freeradiussqlconf.xml
index 15e9ee76..fa4f99e0 100644
--- a/config/freeradius2/freeradiussqlconf.xml
+++ b/config/freeradius2/freeradiussqlconf.xml
@@ -76,6 +76,10 @@
 			<url>/pkg_edit.php?xml=freeradiussqlconf.xml&amp;id=0</url>
 			<active/>
 		</tab>
+		<tab>
+			<text>Certificates</text>
+			<url>/pkg_edit.php?xml=freeradiuscerts.xml&amp;id=0</url>
+		</tab>		
 		<tab>
 			<text>View config</text>
 			<url>/freeradius_view_config.php</url>
-- 
cgit v1.2.3