| Line 130: |
Line 130: |
| | | | |
| | {{Note box|If you just installed the [[OpenVPN_Bridge]] contrib and are installing PHPki as suggested by the wiki page, or you just want to use [[PHPki]] without [[OpenVPN_Bridge]] contrib, then you are done here, and you don't have to migrate any certificates}} | | {{Note box|If you just installed the [[OpenVPN_Bridge]] contrib and are installing PHPki as suggested by the wiki page, or you just want to use [[PHPki]] without [[OpenVPN_Bridge]] contrib, then you are done here, and you don't have to migrate any certificates}} |
| − |
| |
| − | === Migrate Certificates from previous OpenVPN-Bridge contrib installations===
| |
| − |
| |
| − | If you are installing this phpki contrib because you have used [[OpenVPN_Bridge]] before and have already certificates, follow the instructions below. If you have a fresh and new install of [[OpenVPN_Bridge]], skip the below instructions for you do not have 'old' certificates!
| |
| − |
| |
| − | PHPki is now the certificate manager recommended to manage [[OpenVPN_Bridge]] certificates.
| |
| − | This part will explain how-to import your certificates created with openvpn-bridge into PHPki
| |
| − |
| |
| − | * First, you need to install the contribs as it's explain on this page (you can enter anything for the configuration of the CA, all your old parameters will be restored)
| |
| − |
| |
| − | * Second, you need to copy this script on your server (for example as /root/migrate.sh) and execute it as root.
| |
| − |
| |
| − | {{Warning box|Of course, take some time to read this script before runing it as root.}}
| |
| − |
| |
| − |
| |
| − | #!/bin/bash
| |
| − |
| |
| − | # Read Openvpn-Bridge DB
| |
| − | ORGNAME=$(/sbin/e-smith/db openvpn-bridge getprop default_config organizationName)
| |
| − | COUNTRY=$(/sbin/e-smith/db openvpn-bridge getprop default_config countryCode)
| |
| − | STATE=$(/sbin/e-smith/db openvpn-bridge getprop default_config countryName)
| |
| − | LOC=$(/sbin/e-smith/db openvpn-bridge getprop default_config localityName)
| |
| − | DEP=$(/sbin/e-smith/db openvpn-bridge getprop default_config sectionName)
| |
| − | KEYSIZE=$(/sbin/e-smith/db openvpn-bridge getprop default_config keySize)
| |
| − | EMAIL=$(/sbin/e-smith/db openvpn-bridge getprop default_config mailAddress)
| |
| − |
| |
| − |
| |
| − | OPENSSL=/usr/bin/openssl
| |
| − | OLDDIR=/etc/openvpn/easy-rsa/keys/bridge/
| |
| − | NEWDIR=/opt/phpki/phpki-store/CA/
| |
| − |
| |
| − |
| |
| − | # Store the actual time in $TIME
| |
| − | TIME=$(date +%d%m%Y%H%M%S)
| |
| − |
| |
| − |
| |
| − | # Create needed directories
| |
| − | prepare_dir(){
| |
| − | mkdir -p $NEWDIR/{certs,newcerts,requests,pfx,private}
| |
| − | }
| |
| − |
| |
| − |
| |
| − | # Migrate the certificates to phpki store
| |
| − | migrate_certs(){
| |
| − | cd $OLDDIR
| |
| − |
| |
| − | # Copy the old index.txt and serial
| |
| − | cat $OLDDIR/index.txt > $NEWDIR/index.txt
| |
| − | cat serial > $NEWDIR/serial
| |
| − |
| |
| − | # Copy the cacert related files
| |
| − | cat ca.crt > $NEWDIR/certs/cacert.pem
| |
| − | cat ca.key > $NEWDIR/private/cakey.pem
| |
| − |
| |
| − | # Now, for each file ending with .crt
| |
| − | for CERT in $(ls ./*.crt); do
| |
| − | CERT=$(basename $CERT .crt)
| |
| − |
| |
| − | ISININDEX=$(grep -c "/CN=$CERT/" $NEWDIR/index.txt)
| |
| − |
| |
| − | # If the current cert isn't referenced in the index,
| |
| − | # or the corresponding key or csr file dosn't exists, then skip it
| |
| − | # This can happen in some situation where the serial has been corrupted
| |
| − |
| |
| − | if [ $ISININDEX -gt 0 ]&&[ -s $CERT.key ]&&[ -s $CERT.csr ]; then
| |
| − | # Retrieve the serial number as reported by openssl
| |
| − | SERIAL=$(openssl x509 -noout -serial -in $CERT.crt | cut -d"=" -f 2)
| |
| − |
| |
| − | # Create the pem only cert in the new dir
| |
| − | $OPENSSL x509 -in $CERT.crt -inform PEM -outform PEM -out $NEWDIR/newcerts/$SERIAL.pem
| |
| − |
| |
| − | # Create the der formated cert
| |
| − | $OPENSSL x509 -in $CERT.crt -inform PEM -outform DER -out $NEWDIR/certs/$SERIAL.der
| |
| − |
| |
| − | # And the pkcs12 bundle (cert+key+ca)
| |
| − | $OPENSSL pkcs12 -export -in $CERT.crt -inkey $CERT.key -certfile ca.crt -caname $ORGNAME -passout pass: -out $NEWDIR/pfx/$SERIAL.pfx
| |
| − |
| |
| − | # Copy the private key
| |
| − | cat $CERT.key > $NEWDIR/private/$SERIAL-key.pem
| |
| − |
| |
| − | # And the cert request
| |
| − | cat $CERT.csr > $NEWDIR/requests/$SERIAL-req.pem
| |
| − | fi
| |
| − | done
| |
| − | }
| |
| − |
| |
| − | perms(){
| |
| − | # Restrict access
| |
| − | chown -R phpki:phpki $NEWDIR
| |
| − | chmod -R o-rwx $NEWDIR
| |
| − | }
| |
| − |
| |
| − | phpki_conf(){
| |
| − | # Retrieve the common name of our CA with openssl command
| |
| − | CACN=$($OPENSSL x509 -subject -noout -in $OLDDIR/ca.crt | cut -d'=' -f 8 | cut -d'/' -f 1)
| |
| − |
| |
| − |
| |
| − | if [ -e /opt/phpki/phpki-store/config/config.php ]; then
| |
| − | # Move the actual phpki configuration file
| |
| − | mv /opt/phpki/phpki-store/config/config.php /opt/phpki/phpki-store/config/config.php.$TIME
| |
| − |
| |
| − | # And use sed to configure it properly
| |
| − | sed -e "s/config\['organization'\].*/config\['organization'\] = '$ORGNAME';/" \
| |
| − | -e "s/config\['unit'\].*/config\['unit'\] = '$DEP';/" \
| |
| − | -e "s/config\['contact'\].*/config\['contact'\] = '$EMAIL';/" \
| |
| − | -e "s/config\['locality'\].*/config\['locality'\] = '$LOC';/" \
| |
| − | -e "s/config\['province'\].*/config\['province'\] = '$STATE';/" \
| |
| − | -e "s/config\['country'\].*/config\['country'\] = '$COUNTRY';/" \
| |
| − | -e "s/config\['common_name'\].*/config\['common_name'\] = '$CACN';/" \
| |
| − | -e "s/config\['ca_pwd'\].*/config\['ca_pwd'\] = <nowiki>''</nowiki>;/" \
| |
| − | -e "s/config\['keysize'\].*/config\['keysize'\] = '$KEYSIZE';/" \
| |
| − | /opt/phpki/phpki-store/config/config.php.$TIME \
| |
| − | > /opt/phpki/phpki-store/config/config.php
| |
| − | fi
| |
| − | }
| |
| − |
| |
| − | migrate_var(){
| |
| − | # Here, we just migrate dhparam and ta to phpki store
| |
| − | if [ -e $OLDDIR/dh.pem ]; then
| |
| − | cat $OLDDIR/dh.pem > $NEWDIR/private/dhparam1024.pem
| |
| − | fi
| |
| − | if [ -e $OLDDIR/ta.key ]; then
| |
| − | cat $OLDDIR/ta.key > $NEWDIR/private/takey.pem
| |
| − | fi
| |
| − | }
| |
| − |
| |
| − |
| |
| − |
| |
| − | prepare_dir
| |
| − | migrate_certs
| |
| − | phpki_conf
| |
| − | migrate_var
| |
| − | perms
| |
| − |
| |
| − |
| |
| − | Now, go in the server-manager, in "Manage Certificates" and check your old certificates are here.
| |
| | | | |
| | === Uninstall === | | === Uninstall === |
