Talk:PHPki/fr
Jump to navigation
Jump to search
Migration des certificats pour l'installation des versions précédentes de la contribs OpenVPN-Bridge
Si vous avez installé cette contrib PHPki parce que vous avez utilisé OpenVPN_Bridge avant et que vous aviez déjà des certificats, suivez les instructions suivantes. Cependant, si vous avez une installation neuve de OpenVPN_Bridge, ne suivez pas ces instructions, car vous n'avez aucuns « anciens » certificats.
PHPki est maintenant le gestionnaire de certificat recommandé pour OpenVPN_Bridge. Cette partie va vous expliquer comment importer vos certificats créés avec openvpn-bridge dans PHPki.
- Premièrement, vous avez besoin d'installer la contribution expliquée sur cette page (vous pouvez saisir n'importe quoi pour la configuration du CA, tous vos anciens paramètres seront restaurés).
- Deuxièmement, vous avez besoin de copier ce script sur votre serveur (par exemple /root/migrate.sh) et de l'exécuter en root.
#!/bin/bash # Read Openvpn-Bridge DB ORGNAME=$(/sbin/e-smith/db openvpn-bridge getprop default_config organizationName) COUNTRY=$(/sbin/e-smith/db openvpn-bridge getprop default_config countryCode) STATE=$(/sbin/e-smith/db openvpn-bridge getprop default_config countryName) LOC=$(/sbin/e-smith/db openvpn-bridge getprop default_config localityName) DEP=$(/sbin/e-smith/db openvpn-bridge getprop default_config sectionName) KEYSIZE=$(/sbin/e-smith/db openvpn-bridge getprop default_config keySize) EMAIL=$(/sbin/e-smith/db openvpn-bridge getprop default_config mailAddress) OPENSSL=/usr/bin/openssl OLDDIR=/etc/openvpn/easy-rsa/keys/bridge/ NEWDIR=/opt/phpki/phpki-store/CA/ # Store the actual time in $TIME TIME=$(date +%d%m%Y%H%M%S) # Create needed directories prepare_dir(){ mkdir -p $NEWDIR/{certs,newcerts,requests,pfx,private} } # Migrate the certificates to phpki store migrate_certs(){ cd $OLDDIR # Copy the old index.txt and serial cat $OLDDIR/index.txt > $NEWDIR/index.txt cat serial > $NEWDIR/serial # Copy the cacert related files cat ca.crt > $NEWDIR/certs/cacert.pem cat ca.key > $NEWDIR/private/cakey.pem # Now, for each file ending with .crt for CERT in $(ls ./*.crt); do CERT=$(basename $CERT .crt) ISININDEX=$(grep -c "/CN=$CERT/" $NEWDIR/index.txt) # If the current cert isn't referenced in the index, # or the corresponding key or csr file dosn't exists, then skip it # This can happen in some situation where the serial has been corrupted if [ $ISININDEX -gt 0 ]&&[ -s $CERT.key ]&&[ -s $CERT.csr ]; then # Retrieve the serial number as reported by openssl SERIAL=$(openssl x509 -noout -serial -in $CERT.crt | cut -d"=" -f 2) # Create the pem only cert in the new dir $OPENSSL x509 -in $CERT.crt -inform PEM -outform PEM -out $NEWDIR/newcerts/$SERIAL.pem # Create the der formated cert $OPENSSL x509 -in $CERT.crt -inform PEM -outform DER -out $NEWDIR/certs/$SERIAL.der # And the pkcs12 bundle (cert+key+ca) $OPENSSL pkcs12 -export -in $CERT.crt -inkey $CERT.key -certfile ca.crt -caname $ORGNAME -passout pass: -out $NEWDIR/pfx/$SERIAL.pfx # Copy the private key cat $CERT.key > $NEWDIR/private/$SERIAL-key.pem # And the cert request cat $CERT.csr > $NEWDIR/requests/$SERIAL-req.pem fi done } perms(){ # Restrict access chown -R phpki:phpki $NEWDIR chmod -R o-rwx $NEWDIR } phpki_conf(){ # Retrieve the common name of our CA with openssl command CACN=$($OPENSSL x509 -subject -noout -in $OLDDIR/ca.crt | cut -d'=' -f 8 | cut -d'/' -f 1) if [ -e /opt/phpki/phpki-store/config/config.php ]; then # Move the actual phpki configuration file mv /opt/phpki/phpki-store/config/config.php /opt/phpki/phpki-store/config/config.php.$TIME # And use sed to configure it properly sed -e "s/config\['organization'\].*/config\['organization'\] = '$ORGNAME';/" \ -e "s/config\['unit'\].*/config\['unit'\] = '$DEP';/" \ -e "s/config\['contact'\].*/config\['contact'\] = '$EMAIL';/" \ -e "s/config\['locality'\].*/config\['locality'\] = '$LOC';/" \ -e "s/config\['province'\].*/config\['province'\] = '$STATE';/" \ -e "s/config\['country'\].*/config\['country'\] = '$COUNTRY';/" \ -e "s/config\['common_name'\].*/config\['common_name'\] = '$CACN';/" \ -e "s/config\['ca_pwd'\].*/config\['ca_pwd'\] = '';/" \ -e "s/config\['keysize'\].*/config\['keysize'\] = '$KEYSIZE';/" \ /opt/phpki/phpki-store/config/config.php.$TIME \ > /opt/phpki/phpki-store/config/config.php fi } migrate_var(){ # Here, we just migrate dhparam and ta to phpki store if [ -e $OLDDIR/dh.pem ]; then cat $OLDDIR/dh.pem > $NEWDIR/private/dhparam1024.pem fi if [ -e $OLDDIR/ta.key ]; then cat $OLDDIR/ta.key > $NEWDIR/private/takey.pem fi } prepare_dir migrate_certs phpki_conf migrate_var perms
Maintenant, retournez dans le Gestionnaire du serveur, dans la gestion des certificats, et vérifiez que tous vos anciens certificats sont bien présents.