Line 1: |
Line 1: |
− | {{Languages}} | + | {{Languages|PHPki}} |
| + | |
| + | {{Note box| For v10 we have created a new update version of PHPKi called PHPKi-ng with fixes and higher security defaults. If you used the previous version you will need to create a new CA and certificates. We have imported the original version to contribs if you really need to use it, but it is not recommended, and will not be generally released.}} |
| | | |
| ===Maintainer=== | | ===Maintainer=== |
− | [[User:VIP-ire|Daniel B.]]<br/> | + | Previous: |
− | [http://www.firewall-services.com Firewall Services]<br> | + | [mailto:daniel@firewall-services.com][[User:VIP-ire|Daniel B.]] from [http://www.firewall-services.com Firewall Services] |
− | mailto:daniel@firewall-services.com
| + | |
| + | Now maintained by Koozali SME |
| | | |
| === Version === | | === Version === |
| + | Old version prior SME10:smeserver-phpki and phpki |
| + | |
| + | New Version: |
| | | |
− | {{ #smeversion: smeserver-phpki }} | + | {{#smeversion: smeserver-phpki-ng }} |
− | {{ #smeversion: phpki }} | + | {{#smeversion: phpki-ng }} |
| | | |
| Please follow the installation instructions below. The installation instructions will satisfy all dependencies and the latest versions of the above 2 RPMs will be installed automatically. | | Please follow the installation instructions below. The installation instructions will satisfy all dependencies and the latest versions of the above 2 RPMs will be installed automatically. |
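Review bot: the rewritten Maintainer line `[mailto:daniel@firewall-services.com][[User:VIP-ire|Daniel B.]]` gives the mailto link no label text, so it renders as a bare bracketed external link glued to the user link; merge them into one link such as `[mailto:daniel@firewall-services.com Daniel B.]` or keep the address on its own line as before. In the Version section, "Old version prior SME10:smeserver-phpki and phpki" needs spacing and a preposition ("Old version prior to SME 10: smeserver-phpki and phpki"), and the unchanged sentence "the latest versions of the above 2 RPMs" now refers to the -ng pair; it is worth saying explicitly that the old smeserver-phpki/phpki packages are not what gets installed on SME 10. The new note box makes the key statement that the v10 package requires a new CA and new certificates; adding that certificates issued by the old CA cannot simply be carried over would make the consequence clearer at the point where the reader first meets it.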
Line 15: |
Line 21: |
| === Description === | | === Description === |
| | | |
− | [http://sourceforge.net/projects/phpki/ PHPki] is an Open Source Web application for managing a multi-agency PKI for HIPAA compliance. With it, you may create and centrally manage X.509 certificates for use with S/MIME enabled e-mail clients, SSL servers, and VPN applications. | + | [http://sourceforge.net/projects/phpki/ PHPki] is an Open Source Web application for managing a multi-agency PKI for HIPAA compliance. With it, you may create and centrally manage X.509 certificates for use with S/MIME enabled e-mail clients, SSL servers, and VPN applications. PHPki is now used to manage certificates with the latest release of the [[OpenVPN_Bridge|SME Server OpenVPN Bridge contrib]]. |
| + | |
| + | You can see a demo installation [http://phpki.sourceforge.net/phpki/ here.] |
| + | |
| + | === Requirements === |
| + | {{Warning box|This version of PHPki is a slightly modified version, so it can be used with certificates generated with previous release of smeserver-openvpn-bridge, plus some others minor modifications. |
| + | Starting phpki-ng-0.84, default_md has been upgraded to sha512 (previous was sha1). You can keep your existing CA working, but we strongly advise you to upgrade to a new instance, as the weak sha1 hash is a security issue. |
| + | }} |
| + | |
| + | === Installation === |
| | | |
− | PHPki is now used to manage certificates with the new release of smeserver-openvpn-bridge.
| + | {{Warning box| If openvpn is not detected PHPKi cannot generate a TA Key and it should advise you during install. To generate a TA Key once you have openvpn installed do this (assuming this is the correct directory) |
| + | openvpn --genkey --secret /opt/phpki/phpki-store/CA/private/takey.pem |
| + | chown phpki:phpki /opt/phpki/phpki-store/CA/private/takey.pem}} |
| | | |
− | You can see a demo installation [http://phpki.sourceforge.net/phpki/ here]
| + | <tabs container><tab name="SME 10"> |
| + | *install the rpms |
| + | yum --enablerepo=smecontribs install smeserver-phpki-ng |
| | | |
− | === Requirements ===
| + | go to the server-manager to the manage certificate menu and start creating your CA certificate |
− | *SME Server 7.X
| |
| | | |
− | Verified on:
| + | Warning click only once and wait for the page to update it can be very long to create the 4096 certificate... |
− | SME Server 7.4 - [[User:RequestedDeletion|RequestedDeletion]]
| |
| | | |
| + | </tab> |
| + | <tab name="SME 9"> |
| + | you have to enable the [[epel]] repository |
| + | *install the rpms |
| + | yum --enablerepo=smecontribs,epel install smeserver-phpki |
| | | |
− | {{Warning box|This version of PHPki is a slightly modified version, so it can be used with certificates generated with previous release of smeserver-openvpn-bridge, plus some others minor modifications.
| + | *and start/restart needed services: |
− | }}
| + | expand-template /etc/httpd/conf/httpd.conf |
| + | expand-template /etc/httpd/pki-conf/httpd.conf |
| + | sv t /service/httpd-e-smith |
| + | sv u /service/httpd-pki |
| + | |
| + | * alternatively issue the following : |
| + | signal-event post-upgrade; signal-event reboot |
| | | |
− | === Installation ===
| + | on update you can issue |
| + | expand-template /etc/httpd/conf/httpd.conf |
| + | expand-template /etc/httpd/pki-conf/httpd.conf |
| + | sv t /service/httpd-e-smith |
| + | sv t /service/httpd-pki |
| | | |
− | *install the rpms and start/restart needed services:
| |
| | | |
| + | </tab> |
| + | <tab name="SME 8"> |
| + | For sme8 |
| + | *install the rpms |
| yum --enablerepo=smecontribs install smeserver-phpki | | yum --enablerepo=smecontribs install smeserver-phpki |
| + | |
| + | *and start/restart needed services: |
| expand-template /etc/httpd/conf/httpd.conf | | expand-template /etc/httpd/conf/httpd.conf |
| expand-template /etc/httpd/pki-conf/httpd.conf | | expand-template /etc/httpd/pki-conf/httpd.conf |
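Review bot: the new "Requirements" heading contains only a warning box and lists no requirements; with the `*SME Server 7.X` and "Verified on" lines deleted, nothing states which SME versions are supported, so add a short list matching the tabs below (SME 8, SME 9 with the epel repository, SME 10) and which package each receives (smeserver-phpki versus smeserver-phpki-ng). In the sha512 warning, "upgrade to a new instance" should say what that means in practice (create a new CA and re-issue the certificates, as the note at the top of the page says), since a reader who keeps the sha1 CA is exactly the case the warning is trying to prevent. The TA key box should also tell the reader how to check the result after the `chown`: `ls -l /opt/phpki/phpki-store/CA/private/takey.pem` should show the file owned by phpki and not readable by others, because takey.pem is the shared OpenVPN tls-auth secret. Finally, the SME 10 tab has no service restart step after `yum --enablerepo=smecontribs install smeserver-phpki-ng`, whereas the SME 9 and SME 8 tabs do; if the -ng package handles this in its post-install events, say so, otherwise add the step.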
Line 41: |
Line 78: |
| sv u /service/httpd-pki | | sv u /service/httpd-pki |
| | | |
| + | * alternatively issue the following : |
| + | signal-event post-upgrade; signal-event reboot |
| + | </tab> |
| + | </tabs> |
| | | |
− | *Configure your new PKI
| + | === Configure your new PKI === |
| | | |
| Go in the server-manager, you'll find a new "Manage Certificates" menu (or you can use the URL https://server.domain.tld/phpki/ca) | | Go in the server-manager, you'll find a new "Manage Certificates" menu (or you can use the URL https://server.domain.tld/phpki/ca) |
Line 59: |
Line 100: |
| **URL of your PKI (https://my.domain.tld/phpki) | | **URL of your PKI (https://my.domain.tld/phpki) |
| | | |
− | Others settings should be OK for most installations.
| + | These two screenshots illustrate the first (and the most important) part of this configuration page: |
| | | |
− | Once you have submitted this form, you'll be able to start using PHPki. It's quite easy to use. | + | [[File:PHPki_CA_initial_setup_data_part_1.png|768px|thumb|center|First part of the initiale configuration page (above)]] |
| + | |
| + | [[File:PHPki_CA_initial_setup_data_part_2.png|768px|thumb|center|First part of the initiale configuration page (low)]] |
| + | |
| + | The second part is like this: |
| + | |
| + | [[File:PHPki_CA_initial_setup_options.png|768px|thumb|center|Second part of the initiale configuration page]] |
| + | |
| + | The default settings should be OK for most installations. You may just want to change the "Help Document Contact Info" part. |
| + | |
| + | Once you have submitted this form (which can take several minutes, '''be patient''', as generating dh parameters can take a long time), you should have something like this: |
| + | |
| + | |
| + | [[File:Phpki_init_finish.png|768px|thumb|center|Second part of the initiale configuration page]] |
| + | |
| + | Now you'll be able to start using PHPki. It's quite easy to use. |
| | | |
| The administrative interface is available on the server-manager or directly https://my.domain.tld/phpki/ca | | The administrative interface is available on the server-manager or directly https://my.domain.tld/phpki/ca |
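Review bot: the captions for PHPki_CA_initial_setup_options.png and Phpki_init_finish.png are identical ("Second part of the initiale configuration page"), so the last one should describe what it actually shows (the page displayed once the CA setup has finished); "initiale" should be "initial" in all four captions, and "(above)"/"(low)" for the two halves of the first screenshot read better as "(top)"/"(bottom)". The two consecutive blank lines before the last image also leave an extra gap in the rendered page.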
Line 68: |
Line 124: |
| Here, users can download the Master CA certificate, the CRL, or search for certificates of other users (public part only of course). | | Here, users can download the Master CA certificate, the CRL, or search for certificates of other users (public part only of course). |
| | | |
− | {{Warning box|If you just installed the [[OpenVPN_Bridge]] contrib and are installing PHPki as suggested by the wiki page, then you are done here, and you don't have to migrate any certificates}} | + | {{Note box|If you just installed the [[OpenVPN_Bridge]] contrib and are installing PHPki as suggested by the wiki page, or you just want to use [[PHPki]] without [[OpenVPN_Bridge]] contrib, then you are done here, and you don't have to migrate any certificates}} |
| + | {{Note box|starting phpki-ng-0.84-14 new URL are available to access your CRL and request for certificate status |
| | | |
− | === Migrate Certificates from previous OpenVPN-Bridge contrib installations===
| + | http://www.somewhere.com/phpki/ns_revoke_query.php? |
| | | |
− | If you are installing this phpki contrib because you of [[OpenVPN_Bridge]] contrib, and have used [[OpenVPN_Bridge]] before and have already certificates, follow the instructions below. If you have a fresh and new install of [[OpenVPN_Bridge]], skip the below instructions for you do not have 'old' certificates!
| + | http://www.somewhere.com/phpki/dl_crl.php}} |
| | | |
− | PHPki is now the certificate manager recommended to manage [[OpenVPN_Bridge]] certificates.
| + | === Add another admin === |
− | This part will explain how-to import your certificates created with openvpn-bridge into PHPki
| + | if you happen to need to delegate certificate generation, you can use user-panel to add access to the panel, but you will also need to add the user manually to phpki config |
| | | |
− | * First, you need to install the contribs as it's explain on this page (you can enter anything for the configuration of the CA, all your old parameters will be restored)
| + | edit /opt/phpki/phpki-store/config/config.php<syntaxhighlight lang="php"> |
| + | #$PHPki_admins = Array(md5('admin')); |
| + | $PHPki_admins = Array(md5('admin'),md5('user2')); |
| | | |
− | * Second, you need to copy this script on your server (for example as /root/migrate.sh) and execute it as root.
| + | </syntaxhighlight> |
| | | |
− | {{Warning box|Of course, take some time to read this script before runing it as root.}}
| + | === Uninstall === |
| + | To uninstall the contrib from your server, just run the following commands: |
| + | yum remove smeserver-phpki-ng phpki-ng |
| + | expand-template /etc/httpd/conf/httpd.conf |
| + | systemctl restart /service/httpd-e-smith |
| | | |
| + | {{Note box|As with many other rpms, removing phpki won't remove everything from your server. Especially certificates will be kept, and some php files. PHPKi-ng will attempt to backup any old certificates. |
| + | }} |
| | | |
− | #!/bin/bash
| + | Certificates and PKI configuration are stored in /opt/phpki/phpki-store, php files are in /opt/phpki/html |
− |
| + | {{Warning box|To start from scratch after uninstallation you need to get rid of the html and pkpki-store directories before reinstalling. |
− | # Read Openvpn-Bridge DB
| + | The files in phpki-store can be very important, so my recommendation is to let them remain here. If you really want to remove them, just backup them before: |
− | ORGNAME=$(/sbin/e-smith/db openvpn-bridge getprop default_config organizationName)
| + | cd /opt/phpki |
− | COUNTRY=$(/sbin/e-smith/db openvpn-bridge getprop default_config countryCode)
| + | tar cvzf ~/phpki-backup.tar.gz ./ |
− | STATE=$(/sbin/e-smith/db openvpn-bridge getprop default_config countryName)
| + | Now you can remove the entire /opt/phpki directory |
− | LOC=$(/sbin/e-smith/db openvpn-bridge getprop default_config localityName)
| + | rm /opt/phpki/{html,phpki-store} -rf |
− | DEP=$(/sbin/e-smith/db openvpn-bridge getprop default_config sectionName)
| + | }} |
− | KEYSIZE=$(/sbin/e-smith/db openvpn-bridge getprop default_config keySize)
| |
− | EMAIL=$(/sbin/e-smith/db openvpn-bridge getprop default_config mailAddress)
| |
− |
| |
− |
| |
− | OPENSSL=/usr/bin/openssl
| |
− | OLDDIR=/etc/openvpn/easy-rsa/keys/bridge/
| |
− | NEWDIR=/opt/phpki/phpki-store/CA/
| |
− |
| |
− |
| |
− | # Store the actual time in $TIME
| |
− | TIME=$(date +%d%m%Y%H%M%S)
| |
− |
| |
− |
| |
− | # Create needed directories
| |
− | prepare_dir(){
| |
− | mkdir -p $NEWDIR/{certs,newcerts,requests,pfx,private}
| |
− | }
| |
− |
| |
− |
| |
− | # Migrate the certificates to phpki store
| |
− | migrate_certs(){
| |
− | cd $OLDDIR
| |
− |
| |
− | # Copy the old index.txt and serial
| |
− | cat $OLDDIR/index.txt > $NEWDIR/index.txt
| |
− | cat serial > $NEWDIR/serial
| |
− |
| |
− | # Copy the cacert related files
| |
− | cat ca.crt > $NEWDIR/certs/cacert.pem
| |
− | cat ca.key > $NEWDIR/private/cakey.pem
| |
− |
| |
− | # Now, for each file ending with .crt
| |
− | for CERT in $(ls ./*.crt); do
| |
− | CERT=$(basename $CERT .crt)
| |
− |
| |
− | ISININDEX=$(grep -c "/CN=$CERT/" $NEWDIR/index.txt)
| |
− |
| |
− | # If the current cert isn't referenced in the index,
| |
− | # or the corresponding key or csr file dosn't exists, then skip it
| |
− | # This can happen in some situation where the serial has been corrupted
| |
− |
| |
− | if [ $ISININDEX == 1 ]&&[ -s $CERT.key ]&&[ -s $CERT.csr ]; then
| |
− | # Retrieve the serial number as reported by openssl
| |
− | SERIAL=$(openssl x509 -noout -serial -in $CERT.crt | cut -d"=" -f 2)
| |
− |
| |
− | # Create the pem only cert in the new dir
| |
− | $OPENSSL x509 -in $CERT.crt -inform PEM -outform PEM -out $NEWDIR/newcerts/$SERIAL.pem
| |
− |
| |
− | # Create the der formated cert
| |
− | $OPENSSL x509 -in $CERT.crt -inform PEM -outform DER -out $NEWDIR/certs/$SERIAL.der
| |
− |
| |
− | # And the pkcs12 bundle (cert+key+ca)
| |
− | $OPENSSL pkcs12 -export -in $CERT.crt -inkey $CERT.key -certfile ca.crt -caname $ORGNAME -passout pass: -out $NEWDIR/pfx/$SERIAL.pfx
| |
− | | |
− | # Copy the private key
| |
− | cat $CERT.key > $NEWDIR/private/$SERIAL-key.pem
| |
− |
| |
− | # And the cert request
| |
− | cat $CERT.csr > $NEWDIR/requests/$SERIAL-req.pem
| |
− | fi
| |
− | done
| |
− | }
| |
− |
| |
− | perms(){
| |
− | # Restrict access
| |
− | chown -R phpki:phpki $NEWDIR
| |
− | chmod -R o-rwx $NEWDIR
| |
− | }
| |
− |
| |
− | phpki_conf(){
| |
− | # Retrieve the common name of our CA with openssl command
| |
− | CACN=$($OPENSSL x509 -subject -noout -in $OLDDIR/ca.crt | cut -d'=' -f 8 | cut -d'/' -f 1)
| |
− | | |
− |
| |
− | if [ -e /opt/phpki/phpki-store/config/config.php ]; then
| |
− | # Move the actual phpki configuration file
| |
− | mv /opt/phpki/phpki-store/config/config.php /opt/phpki/phpki-store/config/config.php.$TIME
| |
− |
| |
− | # And use sed to configure it properly
| |
− | sed -e "s/config\['organization'\].*/config\['organization'\] = '$ORGNAME';/" \
| |
− | -e "s/config\['unit'\].*/config\['unit'\] = '$DEP';/" \
| |
− | -e "s/config\['contact'\].*/config\['contact'\] = '$EMAIL';/" \
| |
− | -e "s/config\['locality'\].*/config\['locality'\] = '$LOC';/" \
| |
− | -e "s/config\['province'\].*/config\['province'\] = '$STATE';/" \
| |
− | -e "s/config\['country'\].*/config\['country'\] = '$COUNTRY';/" \
| |
− | -e "s/config\['common_name'\].*/config\['common_name'\] = '$CACN';/" \
| |
− | -e "s/config\['ca_pwd'\].*/config\['ca_pwd'\] = <nowiki>''</nowiki>;/" \
| |
− | -e "s/config\['keysize'\].*/config\['keysize'\] = '$KEYSIZE';/" \
| |
− | /opt/phpki/phpki-store/config/config.php.$TIME \
| |
− | > /opt/phpki/phpki-store/config/config.php
| |
− | fi
| |
− | }
| |
− |
| |
− | migrate_var(){
| |
− | # Here, we just migrate dhparam and ta to phpki store
| |
− | if [ -e $OLDDIR/dh.pem ]; then
| |
− | cat $OLDDIR/dh.pem > $NEWDIR/private/dhparam1024.pem
| |
− | fi
| |
− | if [ -e $OLDDIR/ta.key ]; then
| |
− | cat $OLDDIR/ta.key > $NEWDIR/private/takey.pem
| |
− | fi
| |
− | }
| |
− |
| |
− |
| |
− |
| |
− | prepare_dir
| |
− | migrate_certs
| |
− | phpki_conf
| |
− | migrate_var
| |
− | perms
| |
| | | |
| + | === Re-install === |
| | | |
− | Now, go in the server-manager, in "Manage Certificates" and check your old certificates are here.
| + | ==== before phpki-ng 0.84-14 ==== |
| + | If you have removed the contrib, and want to re-install it keeping your previous CA (assuming you restored /opt/phpki), you'll need to follow these steps after you have installed the rpms: |
| | | |
− | === Uninstall ===
| + | cd /opt/phpki/html/ |
− | yum remove smeserver-phpki phpki | + | rm -f index.php |
− | remove /opt/phpki manually | + | rm -f setup.php |
− | expand-template /etc/httpd/conf/httpd.conf | + | ln -s main.php index.php |
| + | cat config.php.rpmsave > config.php |
| + | cd ca |
| + | rm -f index.php |
| + | ln -s main.php index.php |
| + | cd /opt/phpki/ |
| + | chown phpki:phpki -R phpki-store |
| + | chown root:phpki -R html/config.php |
| | | |
| === Bugs === | | === Bugs === |
− | Please raise bugs under the SME-Contribs section in [http://bugs.contribs.org/enter_bug.cgi bugzilla] | + | Please raise bugs under the SME-Contribs section in [http://bugs.contribs.org/enter_bug.cgi bugzilla]. |
− | and select the smeserver-phpki component or use {{BugzillaFileBug|product=SME%20Contribs|component=smeserver-phpki|title=this link}}
| + | |
| + | ====smeserver-phpki-ng==== |
| + | |
| + | For the new smeserver-phpki-ng, select the smeserver-phpki-ng component or use {{BugzillaFileBug|product=SME%20Contribs|component=smeserver-phpki-ng|title=this link}} |
| + | |
| + | {{#bugzilla:columns=id,product,version,status,summary |sort=id |order=desc |component=smeserver-phpki-ng|noresultsmessage="No open bugs found."}} |
| + | |
| + | |
| + | ====phpki-ng==== |
| + | |
| + | For the new phpki-ng itself select the phpki-ng component or use {{BugzillaFileBug|product=SME%20Contribs|component=phpki-ng|title=this link}} |
| + | |
| + | {{#bugzilla:columns=id,product,version,status,summary |sort=id |order=desc |component=phpki-ng|noresultsmessage="No open bugs found."}} |
| + | |
| + | === Changelog === |
| + | Only released version in smecontrib are listed here. |
| | | |
| + | {{#smechangelog:smeserver-phpki-ng}} |
| + | {{#smechangelog:phpki-ng}} |
| ---- | | ---- |
| [[Category:Contrib]] | | [[Category:Contrib]] |
| + | [[Category:Administration:Certificates]] |
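Review bot: in the Uninstall section, `systemctl restart /service/httpd-e-smith` mixes the systemd command with a runit service path; systemctl expects a unit name, so this should be `systemctl restart httpd-e-smith` (the `/service/...` form belongs with `sv`, as used in the SME 8 and SME 9 tabs). Further points in this hunk: the backup step `tar cvzf ~/phpki-backup.tar.gz ./` run from /opt/phpki archives phpki-store/CA/private, i.e. the CA private key and the issued private keys, so the warning box should tell the reader to restrict the archive (for example `chmod 600 ~/phpki-backup.tar.gz`) and move it off the server before deleting /opt/phpki; "pkpki-store" is a typo for "phpki-store"; and the text says "remove the entire /opt/phpki directory" while the command removes only `html` and `phpki-store`. In "Add another admin", the `<syntaxhighlight lang="php">` tag is glued to the end of the prose line, and since the existing entry is `md5('admin')`, the new value `md5('user2')` appears to be the md5 of the login name; say so, so that nobody pastes a password hash there instead. The note box URLs `http://www.somewhere.com/phpki/ns_revoke_query.php?` and `http://www.somewhere.com/phpki/dl_crl.php` use http while every other URL on the page is https, and the trailing `?` looks truncated. In Re-install, `chown root:phpki -R html/config.php` applies `-R` to a single file; drop the flag. "Only released version in smecontrib are listed here" should read "Only versions released in smecontribs are listed here".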