PHPki

From SME Server
phpki
Maintainer: VIP-ire
URL: http://sourceforge.net/projects/phpki/
Source: smeserver-phpki
Source: phpki
Licence: open source
Category: security
Tags: certificates, vpn, web, OpenVPN_Bridge, OpenVPN_SiteToSite, OpenVPN_Routed



Note:
For v10 we created a new, updated version of PHPki called PHPKi-ng, with fixes and higher security defaults. If you used the previous version you will need to create a new CA and new certificates. We have imported the original version into contribs in case you really need to use it, but this is not recommended, and it will not be generally released.

For v11 we reverted to the original name, as we are the only ones maintaining it.


Maintainer

Previous: Daniel B. from Firewall Services

Now maintained by Koozali SME.

Version

smeserver-phpki
smecontribs 11:
smedev 10:
smecontribs 9:
The latest version of smeserver-phpki is available in the SME repository; click on the version number(s) for more information.

phpki
smecontribs 11:
smecontribs 9:
The latest version of phpki is available in the SME repository; click on the version number(s) for more information.

Please note that for SME 10 the packages were temporarily renamed with an -ng suffix.

Description

PHPki is an Open Source Web application for managing a multi-agency PKI for HIPAA compliance. With it, you may create and centrally manage X.509 certificates for use with S/MIME enabled e-mail clients, SSL servers, and VPN applications. PHPki is now used to manage certificates with the latest release of the SME Server OpenVPN Bridge contrib.

You can see a demo installation here.

Requirements

Warning:
This version of PHPki is slightly modified so that it can be used with certificates generated by the previous release of smeserver-openvpn-bridge, plus some other minor modifications.

Starting phpki-ng-0.84, default_md has been upgraded to sha512 (previous was sha1). You can keep your existing CA working, but we strongly advise you to upgrade to a new instance, as the weak sha1 hash is a security issue.
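The advice above is easier to act on when you can see which digest your existing CA certificate was signed with. The following shell example is added here and is not part of the PHPki contrib: it prints the signature algorithm of a PEM certificate and flags sha1 (or md5) signatures. It assumes the openssl command-line tool is installed, and it builds two throwaway self-signed CAs in a temporary directory so that it can be run without touching /opt/phpki; the path of the real CA certificate shown in the last comment is an assumption, check your own phpki-store.

```shell
#!/bin/sh
# Added example, not part of the PHPki contrib: report the digest a CA
# certificate is signed with, so a CA created before the sha512 default
# can be spotted. Requires the openssl CLI.

# Print the signature algorithm of a PEM certificate,
# e.g. "sha512WithRSAEncryption" or "sha1WithRSAEncryption".
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Return 0 when the certificate is signed with something other than
# sha1 or md5, 1 when it uses one of those weak digests (or cannot be read).
cert_hash_ok() {
    alg=$(cert_sig_alg "$1")
    [ -n "$alg" ] || return 1
    case "$alg" in
        sha1*|md5*) return 1 ;;
        *)          return 0 ;;
    esac
}

# Build a throwaway self-signed CA signed with the given digest (demo only).
# $1 = output certificate file, $2 = digest name (sha1 or sha512)
make_demo_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -"$2" -days 1 \
        -subj "/O=Example/CN=Demo PHPki CA $2" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Constructed demo: one weak and one current CA in a temporary directory.
DEMO_DIR=$(mktemp -d)
make_demo_ca "$DEMO_DIR/ca-sha1.pem" sha1
make_demo_ca "$DEMO_DIR/ca-sha512.pem" sha512

for ca in "$DEMO_DIR/ca-sha1.pem" "$DEMO_DIR/ca-sha512.pem"; do
    if cert_hash_ok "$ca"; then
        echo "OK    $ca: $(cert_sig_alg "$ca")"
    else
        echo "WEAK  $ca: $(cert_sig_alg "$ca") - create a new CA"
    fi
done

# On a real server, point it at the PHPki CA certificate instead, for example
# (path assumed, check your phpki-store):
#   cert_hash_ok /opt/phpki/phpki-store/CA/cacert.pem && echo OK
```

The same check can be run over every issued certificate in the store, since a CA that was re-created with sha512 still leaves older sha1-signed end-entity certificates in circulation until they are re-issued.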


Installation

Warning:
If openvpn is not detected, PHPki cannot generate a TA key, and it should advise you of this during install. To generate a TA key once you have openvpn installed, run the following (assuming this is the correct directory):
openvpn --genkey --secret /opt/phpki/phpki-store/CA/private/takey.pem
chown phpki:phpki /opt/phpki/phpki-store/CA/private/takey.pem
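After generating the TA key by hand as described in the warning above, it is worth confirming that the file ended up with the owner the chown line sets and that it is not readable by other local users. The following shell example is added here and is not part of the PHPki contrib; the key path and the phpki owner come from the note above, and the demo at the end uses a constructed temporary file so it runs on any machine.

```shell
#!/bin/sh
# Added example, not part of the PHPki contrib: sanity-check the OpenVPN
# tls-auth key after generating it by hand. The path and owner follow the
# install note; the demo at the end uses a constructed temporary file.

TAKEY=/opt/phpki/phpki-store/CA/private/takey.pem   # path from the install note
TAKEY_OWNER=phpki                                    # owner from the chown line

# Return 0 when $1 is a non-empty regular file that no group or other
# user can read, write or execute; print the reason and return 1 otherwise.
takey_private() {
    [ -f "$1" ] && [ -s "$1" ] || { echo "missing or empty: $1"; return 1; }
    # columns 5-10 of "ls -l" are the group and other permission bits
    perms=$(ls -l "$1" | cut -c5-10)
    case "$perms" in
        *[rwx]*) echo "too permissive (group/other = $perms): $1"; return 1 ;;
    esac
    return 0
}

# Return 0 when $1 is owned by user $2.
takey_owned_by() {
    owner=$(ls -ld "$1" | awk '{print $3}')
    [ "$owner" = "$2" ]
}

# Check the real key if present (only meaningful on the SME server itself).
if [ -e "$TAKEY" ]; then
    takey_private "$TAKEY" && takey_owned_by "$TAKEY" "$TAKEY_OWNER" \
        && echo "OK: $TAKEY is private and owned by $TAKEY_OWNER"
fi

# Constructed demo with a temporary file: first world-readable, then fixed.
DEMO_KEY=$(mktemp)
echo "constructed placeholder, not a real key" > "$DEMO_KEY"
chmod 644 "$DEMO_KEY"
takey_private "$DEMO_KEY" || echo "-> chmod 600 needed"
chmod 600 "$DEMO_KEY"
takey_private "$DEMO_KEY" && echo "OK: $DEMO_KEY is now private"
takey_owned_by "$DEMO_KEY" "$(id -un)" && echo "OK: owned by $(id -un)"
```

The permission check deliberately reads the group bits as well as the other bits: the TA key is a shared secret for the VPN, and only the phpki user (and root) should be able to read it.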


For SME 11

  • install the rpms
yum --enablerepo=smecontribs install smeserver-phpki

Go to the server-manager, open the "Manage Certificates" menu and start creating your CA certificate.

Warning: click only once and wait for the page to update; creating the 4096-bit certificate can take a very long time...

For SME 10

  • install the rpms
yum --enablerepo=smecontribs install smeserver-phpki-ng

Go to the server-manager, open the "Manage Certificates" menu and start creating your CA certificate.

Warning: click only once and wait for the page to update; creating the 4096-bit certificate can take a very long time...

For SME 9

You have to enable the epel repository.

  • install the rpms
yum --enablerepo=smecontribs,epel install smeserver-phpki
  • and start/restart the needed services:
expand-template /etc/httpd/conf/httpd.conf
expand-template /etc/httpd/pki-conf/httpd.conf
sv t /service/httpd-e-smith
sv u /service/httpd-pki
  • alternatively issue the following:
signal-event post-upgrade; signal-event reboot

On update you can issue:

expand-template /etc/httpd/conf/httpd.conf
expand-template /etc/httpd/pki-conf/httpd.conf
sv t /service/httpd-e-smith
sv t /service/httpd-pki


For sme8

  • install the rpms
yum --enablerepo=smecontribs install smeserver-phpki
  • and start/restart the needed services:
expand-template /etc/httpd/conf/httpd.conf
expand-template /etc/httpd/pki-conf/httpd.conf
sv t /service/httpd-e-smith
sv u /service/httpd-pki
  • alternatively issue the following:
signal-event post-upgrade; signal-event reboot

Configure your new PKI

Go to the server-manager; you'll find a new "Manage Certificates" menu (or you can use the URL https://server.domain.tld/phpki/ca). Here you have to enter the following information:

    • Organisation
    • Department
    • Common Name of the Master CA
    • E-mail (technical contact)
    • City
    • State
    • Country Code
    • Password (to protect the private key of the Master CA)
    • Validity of the CA
    • Keys size
    • URL of your PKI (https://my.domain.tld/phpki)

These two screenshots illustrate the first (and most important) part of this configuration page:

Screenshot: first part of the initial configuration page (top)
Screenshot: first part of the initial configuration page (bottom)

The second part looks like this:

Screenshot: second part of the initial configuration page

The default settings should be OK for most installations. You may just want to change the "Help Document Contact Info" part.

Once you have submitted this form (which can take several minutes; be patient, as generating the DH parameters can take a long time), you should see something like this:

Screenshot: result page after the initial configuration

Now you'll be able to start using PHPki. It's quite easy to use.

The administrative interface is available from the server-manager or directly at https://my.domain.tld/phpki/ca.

There's also a public interface, available only from the local networks but without a password, at https://my.domain.tld/phpki. Here, users can download the Master CA certificate or the CRL, or search for the certificates of other users (the public part only, of course).


Note:
If you have just installed the OpenVPN_Bridge contrib and are installing PHPki as suggested by that wiki page, or you just want to use PHPki without the OpenVPN_Bridge contrib, then you are done here and do not have to migrate any certificates.


Note:
Starting with phpki-ng-0.84-14, new URLs are available to access your CRL and to query the status of a certificate:
   http://www.somewhere.com/phpki/ns_revoke_query.php?
   http://www.somewhere.com/phpki/dl_crl.php


Add another admin

If you need to delegate certificate generation, you can use the user panel to grant access to the panel, but you will also need to add the user manually to the PHPki config.

Edit /opt/phpki/phpki-store/config/config.php and list the md5 hash of each admin user name, for example:

#$PHPki_admins = Array(md5('admin'));
$PHPki_admins = Array(md5('admin'),md5('user2'));

Uninstall

To uninstall the contrib from your server, just run the following commands:

yum remove smeserver-phpki-ng phpki-ng
expand-template /etc/httpd/conf/httpd.conf
systemctl restart httpd-e-smith


Note:
As with many other rpms, removing phpki won't remove everything from your server; in particular, the certificates and some php files will be kept. PHPKi-ng will attempt to back up any old certificates.


Certificates and PKI configuration are stored in /opt/phpki/phpki-store, php files are in /opt/phpki/html

Warning:
To start from scratch after uninstallation you need to remove the html and phpki-store directories before reinstalling.

The files in phpki-store can be very important, so my recommendation is to leave them in place. If you really want to remove them, back them up first:

cd /opt/phpki
tar cvzf ~/phpki-backup.tar.gz ./

Now you can remove the entire /opt/phpki directory:

rm -rf /opt/phpki/{html,phpki-store}


Re-install

Before phpki-ng 0.84-14

If you have removed the contrib and want to re-install it while keeping your previous CA (assuming you restored /opt/phpki), you'll need to follow these steps after you have installed the rpms:

cd /opt/phpki/html/
rm -f index.php 
rm -f setup.php
ln -s main.php index.php
cat config.php.rpmsave > config.php
cd ca
rm -f index.php
ln -s main.php index.php
cd /opt/phpki/
chown phpki:phpki -R phpki-store 
chown root:phpki -R html/config.php

Bugs

smeserver-phpki

Please raise bugs under the SME-Contribs section in bugzilla and select the smeserver-phpki component or use this link


ID    | Product      | Version | Status   | Summary
12297 | SME Contribs | 10.0    | RESOLVED | ldap entries need to be sanitized.

phpki

Please raise bugs under the SME-Contribs section in bugzilla and select the phpki component or use this link


ID    | Product      | Version | Status    | Summary (4 tasks)
13309 | SME Contribs | Futur   | CONFIRMED | NFR procedure to renew CA root before expiry
13308 | SME Contribs | Futur   | CONFIRMED | NFR display information about CA root start date, end date, days to its end
13305 | SME Contribs | Futur   | RESOLVED  | fails to generate root CA if ' is present in fields
12420 | SME Contribs | 10.0    | CONFIRMED | phpki-ng Create and download file has no name

Changelog

Only versions released in smecontrib are listed here.
