<?xml version="1.0" encoding="utf-8" ?> <!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> <?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> <packagegui> <copyright> <![CDATA[ /* $Id$ */ /* ========================================================================== */ /* freeradiuscerts.xml part of pfSense (http://www.pfSense.com) Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de> All rights reserved. Based on m0n0wall (http://m0n0.ch/wall) Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. All rights reserved. */ /* ========================================================================== */ /* Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /* ========================================================================== */ ]]> </copyright> <description><![CDATA[Describe your package here]]></description> <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>freeradiuscerts</name> <version>none</version> <title>FreeRADIUS: Certificates</title> <aftersaveredirect>pkg_edit.php?xml=freeradiuscerts.xml&id=0</aftersaveredirect> <include_file>/usr/local/pkg/freeradius.inc</include_file> <tabs> <tab> <text>Users</text> <url>/pkg.php?xml=freeradius.xml</url> </tab> <tab> <text>MACs</text> <url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url> </tab> <tab> <text>NAS / Clients</text> <url>/pkg.php?xml=freeradiusclients.xml</url> </tab> <tab> <text>Interfaces</text> <url>/pkg.php?xml=freeradiusinterfaces.xml</url> </tab> <tab> <text>Settings</text> <url>/pkg_edit.php?xml=freeradiussettings.xml&id=0</url> </tab> <tab> <text>EAP</text> <url>/pkg_edit.php?xml=freeradiuseapconf.xml&id=0</url> </tab> <tab> <text>SQL</text> <url>/pkg_edit.php?xml=freeradiussqlconf.xml&id=0</url> </tab> <tab> <text>Certificates</text> <url>/pkg_edit.php?xml=freeradiuscerts.xml&id=0</url> <active/> </tab> <tab> <text>LDAP</text> <url>/pkg_edit.php?xml=freeradiusmodulesldap.xml&id=0</url> </tab> <tab> <text>View config</text> <url>/freeradius_view_config.php</url> </tab> <tab> <text>XMLRPC Sync</text> <url>/pkg_edit.php?xml=freeradiussync.xml&id=0</url> </tab> </tabs> <fields> <field> <name>GENERAL CONFIGURATION</name> <type>listtopic</type> </field> <field> <fielddescr>Delete ALL existing Certificates ?</fielddescr> <fieldname>varcertsdeleteall</fieldname> <description><![CDATA[This will delete <b>ALL</b> existing CAs, Server-Certs and Client-Certs in freeradius certs folder!<br> You <b>must</b> delete all existing if you want to create new ones. (Default: No)<br> <b>Important:</b><br> If you like to use certs created on another PC just disable this and click save.]]></description> <type>select</type> <default_value>no</default_value> <options> <option><name>Yes</name><value>yes</value></option> <option><name>No</name><value>no</value></option> </options> </field> <field> <fielddescr>READ BEFORE DOING ANYTHING HERE!</fielddescr> <fieldname>varcertsREADBEFORE</fieldname> <description><![CDATA[<b>This field is just to make sure you know what you are doing here!</b><br> <b>If you enter anything the changes here will take effect after "save" - if it's empty - nothing will happen</b><br><br> This page uses the freeradius2 built-in script called "bootstrap" to create CA and certs. The disatvantage of this script is that nothing of your changes will be saved in the global config.xml file. So after a systemcrash or reinstallation of freeradius2 package all your CA and certs will be lost. If you have a backup of all these files on an USB stick or another server than you can copy them back in the freeradius certs folder.<br><br> <b>The better way is to use the firewall's built-in Cert Manager (SYSTEM-> Cert Manager).</b> The CA-Cert and Server-Cert you created there you just have to choose in EAP. The advantage of this is that all your CA and certs will be saved in global config.xml and can be restored.]]></description> <type>input</type> <required/> <default_value></default_value> </field> <field> <name>Distinguished Name for CA, Server and Client</name> <type>listtopic</type> </field> <field> <fielddescr>Country Code</fielddescr> <fieldname>varcertscountryname</fieldname> <description><![CDATA[Enter your country Code. (Default: US)]]></description> <type>input</type> <default_value>US</default_value> </field> <field> <fielddescr>State or Province</fielddescr> <fieldname>varcertsstateorprovincename</fieldname> <description><![CDATA[Enter your state or province. (Default: Texas)]]></description> <type>input</type> <default_value>Texas</default_value> </field> <field> <fielddescr>City</fielddescr> <fieldname>varcertslocalityname</fieldname> <description><![CDATA[Enter your city. (Default: Austin)]]></description> <type>input</type> <default_value>Austin</default_value> </field> <field> <fielddescr>Organization</fielddescr> <fieldname>varcertsorganizationname</fieldname> <description><![CDATA[Enter your organization. (Default: My Company Inc)]]></description> <type>input</type> <default_value>My Company Inc</default_value> </field> <field> <fielddescr>Lifetime</fielddescr> <fieldname>varcertsdefaultdays</fieldname> <description><![CDATA[Enter the time after which the CA, Server and Client should expire in days. (Default: 3650)]]></description> <type>input</type> <default_value>3650</default_value> </field> <field> <fielddescr>Key Length</fielddescr> <fieldname>varcertsdefaultbits</fieldname> <description><![CDATA[Enter the key length of CA, Server and Client. (Default: 2048)]]></description> <type>select</type> <default_value>2048</default_value> <options> <option><name>512</name><value>512</value></option> <option><name>1024</name><value>1024</value></option> <option><name>2048</name><value>2048</value></option> <option><name>4096</name><value>4096</value></option> </options> </field> <field> <fielddescr>Key Creation Algorithm</fielddescr> <fieldname>varcertsdefaultmd</fieldname> <description><![CDATA[Choose the algotithem which should be used to create the key.<br> There seems to be some OS which do not support all algorithms. (Default: md5)]]></description> <type>select</type> <default_value>md5</default_value> <options> <option><name>MD5</name><value>md5</value></option> <option><name>SHA1</name><value>sha1</value></option> </options> </field> <field> <fielddescr>Certificate Password (CA, Server and Client)</fielddescr> <fieldname>varcertspassword</fieldname> <description><![CDATA[Enter the password for the CA, Server and Client. This is the password you need to enter in eap.conf so that freeradius can read the cert. This field could be empty. (Default: whatever)]]></description> <type>password</type> <default_value>whatever</default_value> </field> <field> <name>CA specific Configuration</name> <type>listtopic</type> </field> <field> <fielddescr>E-Mail Address</fielddescr> <fieldname>varcertscaemailaddress</fieldname> <description><![CDATA[Enter the E-Mail address for the CA. (Default: admin@mycompany.com)]]></description> <type>input</type> <default_value>admin@mycompany.com</default_value> </field> <field> <fielddescr>Common Name</fielddescr> <fieldname>varcertscacommonname</fieldname> <description><![CDATA[Enter the common name for the CA. (Default: internal-ca)]]></description> <type>input</type> <default_value>internal-ca</default_value> </field> <field> <name>Server specific Configuration</name> <type>listtopic</type> </field> <field> <fielddescr>E-Mail Address</fielddescr> <fieldname>varcertsserveremailaddress</fieldname> <description><![CDATA[Enter the E-Mail address for the Server-Cert. (Default: webadmin@mycompany.com)]]></description> <type>input</type> <default_value>webadmin@mycompany.com</default_value> </field> <field> <fielddescr>Common Name</fielddescr> <fieldname>varcertsservercommonname</fieldname> <description><![CDATA[Enter the common name for the Server-Cert. (Default: server-cert)]]></description> <type>input</type> <default_value>server-cert</default_value> </field> <field> <name>Client specific Configuration</name> <type>listtopic</type> </field> <field> <fielddescr>Create a further Client-Certificate</fielddescr> <fieldname>varcertscreateclient</fieldname> <description><![CDATA[This will delete existing <b>Client-Certs</b> in freeradius certs folder!<br> Choose this option if you need multiple Client-Certs.<br> <b>Important:</b> You must backup your old Client-Cert before enabling this option. The new Client-Cert <b>must not</b> have any Common Name as other certificates your created before. (Default: No)<br><br> This is what you should do the very first time when creating certs here:<br> 1. Check "Delete ALL Certs...", fill out all fields and create a new CA, new Server and Client Cert<br> 2. If you need more than one Client-Cert than backup your first cert using DIAGNOSTICS->COMMAND PROMPT->Download<br> /usr/local/etc/raddb/certs/client.tar<br> 3. Disable "Delete ALL Certs..." and enable "Create a further Client-Certificate" and fill out the Client fields<br> 4. Repeat step 2. as long as you need.<br><br> <b>Limitations:</b><br> There is no CRL. Deleting of existing certs from the database (../certs/index.txt) isn't possible from GUI.<br> If you choose a Common Name which already exists in the database (check view config) the .crt will be zero bytes.<br> Choose other Common Name and create a new Client-Cert. ]]></description> <type>select</type> <default_value>no</default_value> <options> <option><name>Yes</name><value>yes</value></option> <option><name>No</name><value>no</value></option> </options> </field> <field> <fielddescr>E-Mail Address</fielddescr> <fieldname>varcertsclientemailaddress</fieldname> <description><![CDATA[Enter the E-Mail address for the Client-Cert. (Default: user@mycompany.com)]]></description> <type>input</type> <default_value>user@mycompany.com</default_value> </field> <field> <fielddescr>Common Name</fielddescr> <fieldname>varcertsclientcommonname</fieldname> <description><![CDATA[Enter the common name for the Client-Cert. (Default: client-cert)]]></description> <type>input</type> <default_value>client-cert</default_value> </field> </fields> <custom_delete_php_command> freeradius_allcertcnf_resync(); </custom_delete_php_command> <custom_php_resync_config_command> freeradius_allcertcnf_resync(); </custom_php_resync_config_command> </packagegui>