Difference between revisions of "PHPki"

From SME Server
Jump to navigationJump to search
(Created page with '{{Languages}} ===Maintainer=== Daniel B.<br/> [http://www.firewall-services.com Firewall Services]<br> mailto:daniel@firewall-services.com === Description === ...')
(No difference)

Revision as of 23:09, 8 March 2009


Maintainer

Daniel B.
Firewall Services
mailto:daniel@firewall-services.com

Description

PHPki is an Open Source Web application for managing a multi-agency PKI for HIPAA compliance. With it, you may create and centrally manage X.509 certificates for use with S/MIME enabled e-mail clients, SSL servers, and VPN applications.

PHPki is now used to manage certificates with the new release of smeserver-openvpn-bridge.

You can see a demo installation here

Requirements

  • SME Server 7.X


Warning.png Warning:
This version of PHPki is a slightly modified version, so i can be used with certificates generated with previous release of smeserver-openvpn-bridge, plus some others minor modifications.


Installation

  • install the rpms and start/restart needed services:
yum --enablerepo=smecontribs install smeserver-phpki
expand-template /etc/httpd/conf/httpd.conf
expand-template /etc/httpd/pki-conf/httpd.conf
sv t /service/httpd-e-smith
sv u /service/httpd-pki


  • Configure your new PKI

Go in the server-manager, you'll find a new "Manage Certificates" menu. Here you have to enter the following informations:

    • Organisation
    • Departement
    • Common Name of the Master CA
    • E-mail (technical contact)
    • City
    • State
    • Country Code
    • Password (to protect the private key of the Master CA)
    • Validity of the CA
    • Keys size
    • URL of your PKI pki (https://my.domain.tld/phpki)

Others settings should be OK for most installations.

Once you have submitted this form, you'll be able to start using PHPki. It's quite easy to use.

The administrative interface is available on the server-manager or directly https://my.domain.tld/phpki/ca

There's also a public interface, available only from the local networks, but without password at https://my.domain.tld.phpki. Here, users can download the Master CA certificate, the CRL, or search for certificates of other users (public part only of course).

Migrate Certificates from OpenVPN-Bridge contrib

PHPki is now the certificate manager recommanded to manage OpenVPN-Bridge certificates. This part will explain how-to import your certificates created with openvpn-bridge into PHPki

  • First, you need to install the contribs as it's explain on this page (you can enter anything for the configuration of the CA, all your old parameters will be restored)
  • Second, you need to copy this script on your server (for example as /root/migrate.sh) and execute it as root.


Warning.png Warning:
Of course, take some time to read this script before runing it as root.


#!/bin/bash

# Read Openvpn-Bridge DB
ORGNAME=$(/sbin/e-smith/db openvpn-bridge getprop default_config organizationName)
COUNTRY=$(/sbin/e-smith/db openvpn-bridge getprop default_config countryCode)
STATE=$(/sbin/e-smith/db openvpn-bridge getprop default_config countryName)
LOC=$(/sbin/e-smith/db openvpn-bridge getprop default_config localityName)
DEP=$(/sbin/e-smith/db openvpn-bridge getprop default_config sectionName)
KEYSIZE=$(/sbin/e-smith/db openvpn-bridge getprop default_config keySize)
EMAIL=$(/sbin/e-smith/db openvpn-bridge getprop default_config mailAddress)


OPENSSL=/usr/bin/openssl
OLDDIR=/etc/openvpn/easy-rsa/keys/bridge/
NEWDIR=/opt/phpki/phpki-store/CA/


# Store the actual time in $TIME
TIME=$(date +%d%m%Y%H%M%S)


# Create needed directories
prepare_dir(){
        mkdir -p $NEWDIR/{certs,newcerts,requests,pfx,private}
}


# Migrate the certificates to phpki store
migrate_certs(){
        cd $OLDDIR

        # Copy the old index.txt and serial
        cat $OLDDIR/index.txt > $NEWDIR/index.txt
        cat serial > $NEWDIR/serial

        # Copy the cacert related files
        cat ca.crt > $NEWDIR/certs/cacert.pem
        cat ca.key > $NEWDIR/private/cakey.pem

        # Now, for each file ending with .crt
        for CERT in $(ls ./*.crt); do
                CERT=$(basename $CERT .crt)

                ISININDEX=$(grep -c "/CN=$CERT/" $NEWDIR/index.txt)

                # If the current cert isn't referenced in the index,
                # or the corresponding key or csr file dosn't exists, then skip it
                # This can happen in some situation where the serial has been corrupted

                if [ $ISININDEX == 1 ]&&[ -s $CERT.key ]&&[ -s $CERT.csr ]; then
                        # Retrieve the serial number as reported by  openssl
                        SERIAL=$(openssl x509 -noout -serial -in $CERT.crt | cut -d"=" -f 2)

                        # Create the pem only cert in the new dir
                        $OPENSSL x509 -in $CERT.crt -inform PEM -outform PEM -out $NEWDIR/newcerts/$SERIAL.pem

                        # Create the der formated cert
                        $OPENSSL x509 -in $CERT.crt -inform PEM -outform DER -out $NEWDIR/certs/$SERIAL.der

                        # And the pkcs12 bundle (cert+key+ca)
                        $OPENSSL pkcs12 -export -in $CERT.crt -inkey $CERT.key -certfile ca.crt -caname $ORGNAME -passout pass: -out $NEWDIR/pfx/$SERIAL.pfx

                        # Copy the private key
                        cat $CERT.key > $NEWDIR/private/$SERIAL-key.pem 

                        # And the cert request
                        cat $CERT.csr > $NEWDIR/requests/$SERIAL-req.pem
                fi
        done
}

perms(){
        # Restrict access
        chown -R phpki:phpki $NEWDIR
        chmod -R o-rwx $NEWDIR
}

phpki_conf(){
        # Retrieve the common name of our CA with openssl command
        CACN=$($OPENSSL x509 -subject -noout -in $OLDDIR/ca.crt | cut -d'=' -f 8 | cut -d'/' -f 1)


        if [ -e /opt/phpki/phpki-store/config/config.php ]; then
                # Move the actual phpki configuration file               
                mv /opt/phpki/phpki-store/config/config.php /opt/phpki/phpki-store/config/config.php.$TIME

                # And use sed to configure it properly
                sed -e "s/config\['organization'\].*/config\['organization'\] = '$ORGNAME';/" \
                        -e "s/config\['unit'\].*/config\['unit'\] = '$DEP';/" \
                        -e "s/config\['contact'\].*/config\['contact'\] = '$EMAIL';/" \
                        -e "s/config\['locality'\].*/config\['locality'\] = '$LOC';/" \
                        -e "s/config\['province'\].*/config\['province'\] = '$STATE';/" \
                        -e "s/config\['country'\].*/config\['country'\] = '$COUNTRY';/" \
                        -e "s/config\['common_name'\].*/config\['common_name'\] = '$CACN';/" \
                        -e "s/config\['ca_pwd'\].*/config\['ca_pwd'\] = ;/" \
                        -e "s/config\['keysize'\].*/config\['keysize'\] = '$KEYSIZE';/" \
                        /opt/phpki/phpki-store/config/config.php.$TIME \
                        > /opt/phpki/phpki-store/config/config.php
        fi
}

migrate_var(){
        # Here, we just migrate dhparam and ta to phpki store
        if [ -e $OLDDIR/dh.pem ]; then
                cat $OLDDIR/dh.pem > $NEWDIR/private/dhparam1024.pem
        fi
        if [ -e $OLDDIR/ta.key ]; then
                cat $OLDDIR/ta.key > $NEWDIR/private/takey.pem
        fi
}



prepare_dir
migrate_certs
phpki_conf
migrate_var
perms


Now, go in the server-manager, in "Manage Certificates" and check your old certificates are here.

Uninstall

yum remove smeserver-phpki phpki

Source

The source for this contrib can be found in the smeserver CVS on sourceforge.

Bugs

Please raise bugs under the SME-Contribs section in bugzilla and select the smeserver-phpki component or use this link