2017-12-30 13:57:48 +00:00
|
|
|
<div class="modal fade" id="request_submission_modal" role="dialog">
|
|
|
|
<div class="modal-dialog modal-lg">
|
|
|
|
<div class="modal-content">
|
|
|
|
<div class="modal-header">
|
|
|
|
<button type="button" class="close" data-dismiss="modal">×</button>
|
|
|
|
<h4 class="modal-title">Request submission</h4>
|
|
|
|
</div>
|
2018-01-02 14:49:06 +00:00
|
|
|
<form action="/api/request/" method="post">
|
|
|
|
<div class="modal-body">
|
|
|
|
<h5>Certidude client</h5>
|
2017-12-30 13:57:48 +00:00
|
|
|
|
2018-01-02 14:49:06 +00:00
|
|
|
<p>Submit a certificate signing request from Mac OS X, Ubuntu or Fedora:</p>
|
|
|
|
<div class="highlight">
|
|
|
|
<pre><code>easy_install pip;
|
2017-12-30 13:57:48 +00:00
|
|
|
pip3 install certidude;
|
2018-04-09 13:08:12 +00:00
|
|
|
certidude bootstrap {{ window.location.hostname }}
|
2018-01-02 14:49:06 +00:00
|
|
|
</code></pre>
|
|
|
|
</div>
|
2017-12-30 13:57:48 +00:00
|
|
|
|
2018-03-03 11:37:43 +00:00
|
|
|
<h5>Windows 10</h5>
|
|
|
|
|
|
|
|
<p>On Windows execute following PowerShell script</p>
|
|
|
|
|
|
|
|
<div class="highlight">
|
|
|
|
<pre class="code"><code>$hostname = $env:computername.ToLower()
|
|
|
|
$templ = @"
|
|
|
|
[Version]
|
|
|
|
Signature="$Windows NT$
|
|
|
|
|
|
|
|
[NewRequest]
|
|
|
|
Subject = "CN=$hostname"
|
|
|
|
Exportable = FALSE
|
|
|
|
KeySpec = 1
|
|
|
|
KeyUsage = 0xA0
|
|
|
|
MachineKeySet = True
|
|
|
|
ProviderType = 12
|
|
|
|
RequestType = PKCS10
|
2018-04-09 13:08:12 +00:00
|
|
|
{% if session.authority.certificate.algorithm == "ec" %}ProviderName = "Microsoft Software Key Storage Provider"
|
|
|
|
KeyAlgorithm = ECDSA_P384
|
|
|
|
{% else %}ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
|
|
|
|
KeyLength = 2048
|
|
|
|
{% endif %}"@
|
2018-03-03 11:37:43 +00:00
|
|
|
|
|
|
|
$templ | Out-File req.inf
|
|
|
|
|
|
|
|
# Fetch CA certificate and install it
|
|
|
|
Invoke-WebRequest -Uri http://{{ window.location.hostname }}/api/certificate -OutFile ca_cert.pem
|
|
|
|
Import-Certificate -FilePath ca_cert.pem -CertStoreLocation Cert:\LocalMachine\Root
|
|
|
|
|
|
|
|
# Generate keypair and submit CSR
|
|
|
|
C:\Windows\system32\certreq.exe -new -f -q req.inf client_csr.pem
|
|
|
|
Invoke-WebRequest -TimeoutSec 900 -Uri http://{{ window.location.hostname }}/api/request/?wait=1 -InFile client_csr.pem -ContentType application/pkcs10 -Method POST -MaximumRedirection 3 -OutFile client_cert.pem
|
|
|
|
|
|
|
|
# Import certificate
|
|
|
|
Import-Certificate -FilePath client_cert.pem -CertStoreLocation Cert:\LocalMachine\My
|
|
|
|
|
|
|
|
# Set up IPSec VPN tunnel
|
|
|
|
Remove-VpnConnection -AllUserConnection -Force k-space
|
2018-04-09 13:08:12 +00:00
|
|
|
Add-VpnConnection `
|
|
|
|
-Name k-space `
|
|
|
|
-ServerAddress guests.k-space.ee `
|
|
|
|
-AuthenticationMethod MachineCertificate `
|
|
|
|
-SplitTunneling `
|
|
|
|
-TunnelType ikev2 `
|
|
|
|
-PassThru -AllUserConnection
|
|
|
|
|
|
|
|
# Security hardening
|
|
|
|
Set-VpnConnectionIPsecConfiguration `
|
|
|
|
-ConnectionName k-space `
|
|
|
|
-AuthenticationTransformConstants GCMAES128 `
|
|
|
|
-CipherTransformConstants GCMAES128 `
|
2018-04-13 09:53:51 +00:00
|
|
|
-EncryptionMethod AES256 `
|
|
|
|
-IntegrityCheckMethod SHA384 `
|
|
|
|
-DHGroup {% if session.authority.certificate.algorithm == "ec" %}ECP384{% else %}Group14{% endif %} `
|
|
|
|
-PfsGroup {% if session.authority.certificate.algorithm == "ec" %}ECP384{% else %}PFS2048{% endif %} `
|
2018-04-09 13:08:12 +00:00
|
|
|
-PassThru -AllUserConnection -Force</code></pre>
|
2018-03-03 11:37:43 +00:00
|
|
|
</div>
|
|
|
|
|
2018-04-13 09:53:51 +00:00
|
|
|
<!--
|
|
|
|
AuthenticationTransformConstants - ESP integrity algorithm, one of: None MD596 SHA196 SHA256128 GCMAES128 GCMAES192 GCMAES256
|
|
|
|
CipherTransformConstants - ESP symmetric cipher, one of: DES DES3 AES128 AES192 AES256 GCMAES128 GCMAES192 GCMAES256
|
|
|
|
EncryptionMethod - IKE symmetric cipher, one of: DES DES3 AES128 AES192 AES256
|
|
|
|
IntegrityCheckMethod - IKE hash algorithm, one of: MD5 SHA196 SHA256 SHA384
|
|
|
|
DHGroup = IKE key exchange, one of: None Group1 Group2 Group14 ECP256 ECP384 Group24
|
|
|
|
PfsGroup = one of: None PFS1 PFS2 PFS2048 ECP256 ECP384 PFSMM PFS24
|
|
|
|
-->
|
|
|
|
|
2018-01-02 14:49:06 +00:00
|
|
|
<h5>UNIX & UNIX-like</h5>
|
2017-12-30 13:57:48 +00:00
|
|
|
|
2018-01-02 14:49:06 +00:00
|
|
|
<p>On other UNIX-like machines generate key pair and submit the signing request using OpenSSL and cURL:</p>
|
|
|
|
<div class="highlight">
|
|
|
|
<pre class="code"><code>NAME=$(hostname);
|
2018-04-09 13:08:12 +00:00
|
|
|
{% if session.authority.certificate.algorithm == "ec" %}openssl ecparam -name secp384r1 -genkey -noout -out client_key.pem{% else %}openssl genrsa -out client_key.pem 2048;{% endif %}
|
|
|
|
openssl req -new -sha384 -key client_key.pem -out client_req.pem -subj "/CN=$NAME";
|
2017-12-30 13:57:48 +00:00
|
|
|
curl -f -L -H "Content-type: application/pkcs10" --data-binary @client_req.pem \
|
|
|
|
http://{{ window.location.hostname }}/api/request/?wait=yes > client_cert.pem</code></pre>
|
2018-01-02 14:49:06 +00:00
|
|
|
</div>
|
2017-12-30 13:57:48 +00:00
|
|
|
|
2018-04-09 13:08:12 +00:00
|
|
|
<h5>StrongSwan as client</h5>
|
|
|
|
|
|
|
|
<p>First enroll certificates:</p>
|
|
|
|
<div class="highlight">
|
2018-04-13 09:53:51 +00:00
|
|
|
<pre class="code"><code># Install packages on Ubuntu & Fedora, patch Fedora paths
|
|
|
|
which apt && apt install strongswan
|
|
|
|
which dnf && dnf install strongswan
|
|
|
|
test -e /etc/strongswan && test -e /etc/ipsec.conf || ln -s strongswan/ipsec.conf /etc/ipsec.conf
|
|
|
|
test -e /etc/strongswan && test -e /etc/ipsec.d || ln -s strongswan/ipsec.d /etc/ipsec.d
|
|
|
|
test -e /etc/strongswan && test -e /etc/ipsec.secrets || ln -s strongswan/ipsec.secrets /etc/ipsec.secrets
|
|
|
|
|
|
|
|
FQDN=$(cat /etc/hostname)
|
|
|
|
|
|
|
|
# Install CA certificate
|
|
|
|
cat << EOF > /etc/ipsec.d/cacerts/ca_cert.pem
|
|
|
|
{{ session.authority.certificate.blob }}EOF
|
|
|
|
|
|
|
|
# Generate keypair
|
2018-04-09 13:08:12 +00:00
|
|
|
test -e /etc/ipsec.d/private/client.pem \
|
2018-04-13 09:53:51 +00:00
|
|
|
|| openssl {% if session.authority.certificate.algorithm == "ec" %}ecparam -name secp384r1 -genkey -noout -out /etc/ipsec.d/private/client.pem{% else %}genrsa -out /etc/ipsec.d/private/client.pem 2048{% endif %}
|
|
|
|
|
|
|
|
# Attempt to submit CSR
|
2018-04-09 13:08:12 +00:00
|
|
|
test -e /etc/ipsec.d/reqs/client.pem \
|
|
|
|
|| openssl req -new -sha384 \
|
|
|
|
-key /etc/ipsec.d/private/client.pem \
|
2018-04-13 09:53:51 +00:00
|
|
|
-out /etc/ipsec.d/reqs/client.pem -subj "/CN=$FQDN"
|
|
|
|
cat /etc/ipsec.d/reqs/client.pem
|
2018-04-09 13:08:12 +00:00
|
|
|
curl -f -L -H "Content-type: application/pkcs10" \
|
|
|
|
--data-binary @/etc/ipsec.d/reqs/client.pem \
|
|
|
|
-o /etc/ipsec.d/certs/client.pem \
|
|
|
|
http://{{ window.location.hostname }}/api/request/?wait=yes</code></pre>
|
|
|
|
</div>
|
|
|
|
|
2018-04-13 09:53:51 +00:00
|
|
|
<p>To configure StrongSwan as roadwarrior:</p>
|
2018-04-09 13:08:12 +00:00
|
|
|
<div class="highlight">
|
2018-04-10 09:29:05 +00:00
|
|
|
<pre class="code"><code>cat > /etc/ipsec.conf << EOF
|
2018-04-09 13:08:12 +00:00
|
|
|
conn c2s
|
|
|
|
auto=start
|
2018-04-13 09:53:51 +00:00
|
|
|
right=router2.k-space.ee
|
2018-04-09 13:08:12 +00:00
|
|
|
dpdaction=restart
|
|
|
|
closeaction=restart
|
|
|
|
left=%defaultroute
|
|
|
|
rightsubnet=0.0.0.0/0
|
|
|
|
keyingtries=%forever
|
|
|
|
rightid=%any
|
|
|
|
leftsourceip=%config
|
|
|
|
leftcert=client.pem
|
2018-04-13 09:53:51 +00:00
|
|
|
ike=aes256-sha384-{% if session.authority.certificate.algorithm == "ec" %}ecp384{% else %}modp2048{% endif %}!
|
|
|
|
esp=aes128gcm16-aes128gmac!
|
2018-04-09 13:08:12 +00:00
|
|
|
|
|
|
|
EOF
|
|
|
|
|
|
|
|
echo ": {% if session.authority.certificate.algorithm == "ec" %}ECDSA{% else %}RSA{% endif %} client.pem" > /etc/ipsec.secrets
|
|
|
|
|
|
|
|
ipsec restart</code></pre>
|
|
|
|
</div>
|
|
|
|
|
|
|
|
<h5>OpenWrt/LEDE as VPN gateway</h5>
|
2017-12-30 13:57:48 +00:00
|
|
|
|
2018-01-23 13:13:49 +00:00
|
|
|
<p>First enroll certificates:</p>
|
2018-01-02 14:49:06 +00:00
|
|
|
<div class="highlight">
|
2018-04-13 09:53:51 +00:00
|
|
|
<pre class="code"><code>opkg install curl libmbedtls
|
|
|
|
# Derive FQDN from WAN interface's reverse DNS record
|
2018-01-23 13:13:49 +00:00
|
|
|
FQDN=$(nslookup $(uci get network.wan.ipaddr) | grep "name =" | head -n1 | cut -d "=" -f 2 | xargs)
|
|
|
|
|
2018-04-09 13:08:12 +00:00
|
|
|
mkdir -p /etc/certidude/authority/{{ window.location.hostname }}
|
|
|
|
grep -c certidude /etc/sysupgrade.conf || echo /etc/certidude >> /etc/sysupgrade.conf
|
|
|
|
cat << EOF > /etc/certidude/authority/{{ window.location.hostname }}/ca_cert.pem
|
2018-04-13 09:53:51 +00:00
|
|
|
{{ session.authority.certificate.blob }}EOF
|
|
|
|
|
2018-01-23 13:13:49 +00:00
|
|
|
test -e /etc/certidude/authority/{{ window.location.hostname }}/server_key.pem \
|
2018-04-09 13:08:12 +00:00
|
|
|
|| openssl {% if session.authority.certificate.algorithm == "ec" %}ecparam -name secp384r1 -genkey -noout -out /etc/certidude/authority/{{ window.location.hostname }}/server_key.pem{% else %}genrsa -out /etc/certidude/authority/{{ window.location.hostname }}/server_key.pem 2048{% endif %}
|
2018-01-23 13:13:49 +00:00
|
|
|
test -e /etc/certidude/authority/{{ window.location.hostname }}/server_req.pem \
|
2018-04-09 13:08:12 +00:00
|
|
|
|| openssl req -new -sha384 \
|
2018-01-23 13:13:49 +00:00
|
|
|
-key /etc/certidude/authority/{{ window.location.hostname }}/server_key.pem \
|
2018-04-09 13:08:12 +00:00
|
|
|
-out /etc/certidude/authority/{{ window.location.hostname }}/server_req.pem -subj "/CN=$FQDN"
|
|
|
|
cat /etc/certidude/authority/{{ window.location.hostname }}/server_req.pem
|
2017-12-30 13:57:48 +00:00
|
|
|
curl -f -L -H "Content-type: application/pkcs10" \
|
2018-01-23 13:13:49 +00:00
|
|
|
--data-binary @/etc/certidude/authority/{{ window.location.hostname }}/server_req.pem \
|
|
|
|
-o /etc/certidude/authority/{{ window.location.hostname }}/server_cert.pem \
|
2018-04-09 13:08:12 +00:00
|
|
|
http://{{ window.location.hostname }}/api/request/?wait=yes
|
2017-12-30 13:57:48 +00:00
|
|
|
|
2018-04-09 13:08:12 +00:00
|
|
|
# Create VPN gateway up/down script for reporting client IP addresses to CA
|
|
|
|
cat <<\EOF > /etc/certidude/authority/{{ window.location.hostname }}/updown
|
2018-01-23 13:13:49 +00:00
|
|
|
#!/bin/sh
|
2018-04-09 13:08:12 +00:00
|
|
|
|
|
|
|
CURL="curl -m 3 -f --key /etc/certidude/authority/{{ window.location.hostname }}/server_key.pem --cert /etc/certidude/authority/{{ window.location.hostname }}/server_cert.pem --cacert /etc/certidude/authority/{{ window.location.hostname }}/ca_cert.pem https://{{ window.location.hostname }}:8443/api/lease/"
|
2018-01-23 13:13:49 +00:00
|
|
|
|
|
|
|
case $PLUTO_VERB in
|
2018-04-09 13:08:12 +00:00
|
|
|
up-client) $CURL --data-urlencode "outer_address=$PLUTO_PEER" --data-urlencode "inner_address=$PLUTO_PEER_SOURCEIP" --data-urlencode "client=$PLUTO_PEER_ID" ;;
|
|
|
|
*) ;;
|
2018-01-23 13:13:49 +00:00
|
|
|
esac
|
|
|
|
|
2018-04-09 13:08:12 +00:00
|
|
|
case $script_type in
|
|
|
|
client-connect) $CURL --data-urlencode client=$X509_0_CN --data-urlencode serial=$tls_serial_0 --data-urlencode outer_address=$untrusted_ip --data-urlencode inner_address=$ifconfig_pool_remote_ip ;;
|
|
|
|
*) ;;
|
|
|
|
esac
|
|
|
|
EOF
|
2018-01-23 13:13:49 +00:00
|
|
|
|
2018-04-13 09:53:51 +00:00
|
|
|
chmod +x /etc/certidude/authority/{{ window.location.hostname }}/updown
|
|
|
|
</code></pre>
|
2018-04-09 13:08:12 +00:00
|
|
|
</div>
|
2018-01-23 13:13:49 +00:00
|
|
|
|
2018-04-09 13:08:12 +00:00
|
|
|
<p>Then either set up OpenVPN service:</p>
|
|
|
|
<div class="highlight">
|
2018-04-10 09:29:05 +00:00
|
|
|
<pre class="code"><code>opkg update
|
|
|
|
opkg install curl openssl-util openvpn-openssl
|
|
|
|
|
|
|
|
# Generate Diffie-Hellman parameters file for OpenVPN
|
2018-01-23 13:13:49 +00:00
|
|
|
test -e /etc/certidude/dh.pem \
|
|
|
|
|| openssl dhparam 2048 -out /etc/certidude/dh.pem
|
|
|
|
|
|
|
|
# Create interface definition for tunnel
|
|
|
|
uci set network.vpn=interface
|
|
|
|
uci set network.vpn.name='vpn'
|
2018-04-09 13:08:12 +00:00
|
|
|
uci set network.vpn.ifname=tun_s2c_udp tun_s2c_tcp
|
2018-01-23 13:13:49 +00:00
|
|
|
uci set network.vpn.proto='none'
|
|
|
|
|
|
|
|
# Create zone definition for VPN interface
|
|
|
|
uci set firewall.vpn=zone
|
|
|
|
uci set firewall.vpn.name='vpn'
|
|
|
|
uci set firewall.vpn.input='ACCEPT'
|
|
|
|
uci set firewall.vpn.forward='ACCEPT'
|
|
|
|
uci set firewall.vpn.output='ACCEPT'
|
|
|
|
uci set firewall.vpn.network='vpn'
|
|
|
|
|
|
|
|
# Allow UDP 1194 on WAN interface
|
|
|
|
uci set firewall.openvpn=rule
|
|
|
|
uci set firewall.openvpn.name='Allow OpenVPN'
|
|
|
|
uci set firewall.openvpn.src='wan'
|
|
|
|
uci set firewall.openvpn.dest_port=1194
|
|
|
|
uci set firewall.openvpn.proto='udp'
|
|
|
|
uci set firewall.openvpn.target='ACCEPT'
|
|
|
|
|
2018-04-09 13:08:12 +00:00
|
|
|
# Allow TCP 443 on WAN interface
|
|
|
|
uci set firewall.openvpn=rule
|
|
|
|
uci set firewall.openvpn.name='Allow OpenVPN over TCP'
|
|
|
|
uci set firewall.openvpn.src='wan'
|
|
|
|
uci set firewall.openvpn.dest_port=443
|
|
|
|
uci set firewall.openvpn.proto='tcp'
|
|
|
|
uci set firewall.openvpn.target='ACCEPT'
|
|
|
|
|
2018-01-23 13:13:49 +00:00
|
|
|
# Forward traffic from VPN to LAN
|
|
|
|
uci set firewall.c2s=forwarding
|
|
|
|
uci set firewall.c2s.src='vpn'
|
|
|
|
uci set firewall.c2s.dest='lan'
|
|
|
|
|
|
|
|
# Permit DNS queries from VPN
|
|
|
|
uci set dhcp.@dnsmasq[0].localservice='0'
|
|
|
|
|
|
|
|
touch /etc/config/openvpn
|
2018-04-09 13:08:12 +00:00
|
|
|
|
|
|
|
# Configure OpenVPN over TCP
|
|
|
|
uci set openvpn.s2c_tcp=openvpn
|
|
|
|
uci set openvpn.s2c_tcp.local=$(uci get network.wan.ipaddr)
|
|
|
|
uci set openvpn.s2c_tcp.server='10.179.43.0 255.255.255.128'
|
|
|
|
uci set openvpn.s2c_tcp.proto='tcp-server'
|
|
|
|
uci set openvpn.s2c_tcp.port='443'
|
|
|
|
uci set openvpn.s2c_tcp.dev=tun_s2c_tcp
|
|
|
|
|
|
|
|
# Configure OpenVPN over UDP
|
|
|
|
uci set openvpn.s2c_udp=openvpn
|
|
|
|
uci set openvpn.s2c_udp.local=$(uci get network.wan.ipaddr)
|
|
|
|
uci set openvpn.s2c_udp.server='10.179.43.128 255.255.255.128'
|
|
|
|
uci set openvpn.s2c_tcp.dev=tun_s2c_udp
|
|
|
|
|
|
|
|
for section in s2c_tcp s2c_udp; do
|
|
|
|
|
|
|
|
# Common paths
|
|
|
|
uci set openvpn.$section.script_security=2
|
|
|
|
uci set openvpn.$section.client_connect='/etc/certidude/updown'
|
|
|
|
uci set openvpn.$section.key='/etc/certidude/authority/{{ window.location.hostname }}/server_key.pem'
|
|
|
|
uci set openvpn.$section.cert='/etc/certidude/authority/{{ window.location.hostname }}/server_cert.pem'
|
|
|
|
uci set openvpn.$section.ca='/etc/certidude/authority/{{ window.location.hostname }}/ca_cert.pem'
|
|
|
|
uci set openvpn.$section.dh='/etc/certidude/dh.pem'
|
|
|
|
uci set openvpn.$section.enabled=1
|
|
|
|
|
|
|
|
# DNS and routes
|
|
|
|
uci add_list openvpn.$section.push="route-metric 1000"
|
|
|
|
uci add_list openvpn.$section.push="route $(uci get network.lan.ipaddr) $(uci get network.lan.netmask)"
|
|
|
|
uci add_list openvpn.$section.push="dhcp-option DNS $(uci get network.lan.ipaddr)"
|
|
|
|
uci add_list openvpn.$section.push="dhcp-option DOMAIN $(uci get dhcp.@dnsmasq[0].domain)"
|
|
|
|
|
|
|
|
# Security hardening
|
|
|
|
uci set openvpn.$section.tls_version_min='1.2'
|
|
|
|
uci set openvpn.$section.tls_cipher='TLS-{% if session.authority.certificate.algorithm == "ec" %}ECDHE-ECDSA{% else %}DHE-RSA{% endif %}-WITH-AES-128-GCM-SHA384'
|
|
|
|
uci set openvpn.$section.cipher='AES-128-GCM'
|
|
|
|
uci set openvpn.$section.auth='SHA384'
|
|
|
|
|
|
|
|
done
|
2018-01-23 13:13:49 +00:00
|
|
|
|
|
|
|
/etc/init.d/openvpn restart
|
|
|
|
/etc/init.d/firewall restart</code></pre>
|
|
|
|
</div>
|
|
|
|
|
2018-04-09 13:08:12 +00:00
|
|
|
<p>Alternatively or additionally set up StrongSwan:</p>
|
|
|
|
<div class="highlight">
|
2018-04-10 09:29:05 +00:00
|
|
|
<pre class="code"><code>opkg update
|
2018-04-13 09:53:51 +00:00
|
|
|
opkg install curl openssl-util strongswan-full strongswan-mod-openssl kmod-crypto-echainiv kmod-crypto-gcm
|
2018-04-10 09:29:05 +00:00
|
|
|
|
|
|
|
# Generate StrongSwan config
|
2018-04-09 13:08:12 +00:00
|
|
|
cat > /etc/ipsec.conf << EOF
|
|
|
|
config setup
|
|
|
|
strictcrlpolicy=yes
|
|
|
|
uniqueids = yes
|
|
|
|
|
|
|
|
ca {{ window.location.hostname }}
|
|
|
|
auto=add
|
|
|
|
cacert = /etc/certidude/authority/{{ window.location.hostname }}/ca_cert.pem
|
2018-04-13 09:53:51 +00:00
|
|
|
{% if session.features.crl %} crluri = http://{{ window.location.hostname }}/api/revoked/{% endif %}
|
|
|
|
{% if session.features.ocsp %} ocspuri = http://{{ window.location.hostname }}/api/ocsp/{% endif %}
|
2018-04-09 13:08:12 +00:00
|
|
|
|
|
|
|
conn s2c
|
|
|
|
auto=add
|
|
|
|
dpdaction=clear
|
|
|
|
closeaction=clear
|
2018-04-13 09:53:51 +00:00
|
|
|
leftdns=$(uci get network.lan.ipaddr) # IP of DNS server advertised to roadwarriors
|
|
|
|
rightsourceip=172.21.0.0/24 # Roadwarrior virtual IP pool
|
|
|
|
left=$(uci get network.wan.ipaddr) # Bind to this IP address
|
|
|
|
leftsubnet=$(uci get network.lan.ipaddr | cut -d . -f 1-3).0/24 # Subnets pushed to roadwarriors
|
2018-04-09 13:08:12 +00:00
|
|
|
leftcert=/etc/certidude/authority/{{ window.location.hostname }}/server_cert.pem
|
2018-04-13 09:53:51 +00:00
|
|
|
ike=aes256-sha384-{% if session.authority.certificate.algorithm == "ec" %}ecp384{% else %}modp2048{% endif %}!
|
|
|
|
esp=aes128gcm16-aes128gmac!
|
|
|
|
leftupdown=/etc/certidude/authority/{{ window.location.hostname }}/updown
|
2018-04-09 13:08:12 +00:00
|
|
|
|
|
|
|
EOF
|
|
|
|
|
|
|
|
echo ": {% if session.authority.certificate.algorithm == "ec" %}ECDSA{% else %}RSA{% endif %} /etc/certidude/authority/{{ window.location.hostname }}/server_key.pem" > /etc/ipsec.secrets
|
|
|
|
|
|
|
|
ipsec restart</code></pre>
|
|
|
|
</div>
|
2018-01-23 13:13:49 +00:00
|
|
|
|
2018-01-03 22:12:02 +00:00
|
|
|
{% if session.authority.builder %}
|
|
|
|
<h5>OpenWrt/LEDE image builder</h5>
|
|
|
|
<p>Hit a link to generate machine specific image. Note that this might take couple minutes to finish.</p>
|
|
|
|
<ul>
|
|
|
|
{% for name, title, filename in session.authority.builder.profiles %}
|
|
|
|
<li><a href="/api/build/{{ name }}/{{ filename }}">{{ title }}</a></li>
|
|
|
|
{% endfor %}
|
|
|
|
</ul>
|
|
|
|
{% endif %}
|
|
|
|
|
2018-01-02 14:49:06 +00:00
|
|
|
<h5>SCEP</h5>
|
|
|
|
<p>Use following as the enrollment URL: http://{{ window.location.hostname }}/cgi-bin/pkiclient.exe</p>
|
2017-12-30 13:57:48 +00:00
|
|
|
|
2018-01-02 14:49:06 +00:00
|
|
|
<h5>Copy & paste</h5>
|
2017-12-30 13:57:48 +00:00
|
|
|
|
2018-01-02 14:49:06 +00:00
|
|
|
<p>Use whatever tools you have available on your platform to generate
|
|
|
|
keypair and just paste ASCII armored PEM file contents here and hit submit:</p>
|
2017-12-30 13:57:48 +00:00
|
|
|
|
2018-01-02 14:49:06 +00:00
|
|
|
<textarea id="request_body" style="width:100%; min-height: 10em;" placeholder="-----BEGIN CERTIFICATE REQUEST-----"></textarea>
|
2017-12-30 13:57:48 +00:00
|
|
|
</div>
|
2018-01-02 14:49:06 +00:00
|
|
|
<div class="modal-footer">
|
|
|
|
<div class="btn-group">
|
|
|
|
<button type="button" onclick="onSubmitRequest();" class="btn btn-primary"><i class="fa fa-upload"></i> Submit</button>
|
|
|
|
<button type="button" class="btn btn-secondary" data-dismiss="modal"><i class="fa fa-ban"></i> Close</button>
|
|
|
|
</div>
|
|
|
|
</div>
|
|
|
|
</form>
|
2017-12-30 13:57:48 +00:00
|
|
|
</div>
|
|
|
|
</div>
|
|
|
|
</div>
|
|
|
|
|
|
|
|
<div class="modal fade" id="revocation_list_modal" role="dialog">
|
|
|
|
<div class="modal-dialog modal-lg">
|
|
|
|
<div class="modal-content">
|
|
|
|
<div class="modal-header">
|
|
|
|
<button type="button" class="close" data-dismiss="modal">×</button>
|
|
|
|
<h4 class="modal-title">Revocation lists</h4>
|
|
|
|
</div>
|
|
|
|
<div class="modal-body">
|
|
|
|
<p>To fetch <a href="http://{{window.location.hostname}}/api/revoked/">certificate revocation list</a>:</p>
|
|
|
|
<pre><code>curl http://{{window.location.hostname}}/api/revoked/ > crl.der
|
|
|
|
curl http://{{window.location.hostname}}/api/revoked/ -L -H "Accept: application/x-pem-file"
|
|
|
|
curl http://{{window.location.hostname}}/api/revoked/?wait=yes -L -H "Accept: application/x-pem-file" > crl.pem</code></pre>
|
|
|
|
</div>
|
|
|
|
<div class="modal-footer">
|
|
|
|
<button type="button" class="btn" data-dismiss="modal">Close</button>
|
|
|
|
</div>
|
|
|
|
</div>
|
|
|
|
</div>
|
|
|
|
</div>
|
2015-11-11 19:12:04 +00:00
|
|
|
|
2015-12-16 17:41:49 +00:00
|
|
|
<section id="about">
|
2016-03-21 21:42:39 +00:00
|
|
|
<h2>{{ session.user.gn }} {{ session.user.sn }} ({{session.user.name }}) settings</h2>
|
2015-11-11 19:12:04 +00:00
|
|
|
|
2017-03-13 11:42:58 +00:00
|
|
|
<p title="Bundles are mainly intended for Android and iOS users">
|
2017-12-30 13:57:48 +00:00
|
|
|
Click <button id="enroll">here</button> to generate Android or iOS bundle for current user account.</p>
|
2016-03-21 21:42:39 +00:00
|
|
|
|
2017-03-13 11:42:58 +00:00
|
|
|
<p>Mails will be sent to: {{ session.user.mail }}</p>
|
2016-03-21 21:42:39 +00:00
|
|
|
|
|
|
|
{% if session.authority %}
|
|
|
|
|
|
|
|
<h2>Authority certificate</h2>
|
|
|
|
|
2017-02-08 20:22:26 +00:00
|
|
|
<p>Several things are hardcoded into the <a href="/api/certificate">certificate</a> and
|
|
|
|
as such require complete reset of X509 infrastructure if some of them needs to be changed.</p>
|
2016-03-21 21:42:39 +00:00
|
|
|
|
|
|
|
<h2>Authority settings</h2>
|
|
|
|
|
|
|
|
<p>These can be reconfigured via /etc/certidude/server.conf on the server.</p>
|
|
|
|
|
2017-04-21 16:58:01 +00:00
|
|
|
{% if session.authority.mailer %}
|
|
|
|
<p>Mails will appear from: {{ session.authority.mailer.name }} <{{ session.authority.mailer.address }}></p>
|
2017-02-08 20:22:26 +00:00
|
|
|
{% else %}
|
|
|
|
<p>E-mail disabled</p>
|
|
|
|
{% endif %}
|
|
|
|
|
|
|
|
|
2017-03-13 11:42:58 +00:00
|
|
|
<p>User enrollment:
|
|
|
|
{% if session.authority.user_enrollment_allowed %}
|
|
|
|
{% if session.authority.user_multiple_certificates %}
|
2016-03-31 22:55:51 +00:00
|
|
|
multiple
|
|
|
|
{% else %}
|
|
|
|
single
|
|
|
|
{% endif %}
|
|
|
|
allowed
|
|
|
|
{% else %}
|
|
|
|
forbidden
|
|
|
|
{% endif %}
|
|
|
|
</p>
|
|
|
|
|
2016-03-21 21:42:39 +00:00
|
|
|
|
2017-03-13 11:42:58 +00:00
|
|
|
<p>Machine enrollment:
|
|
|
|
{% if session.authority.machine_enrollment_allowed %}
|
|
|
|
allowed
|
|
|
|
{% else %}
|
|
|
|
forbidden
|
|
|
|
{% endif %}
|
|
|
|
</p>
|
|
|
|
|
|
|
|
|
|
|
|
<p>Certificate attributes:</p>
|
2016-03-29 12:43:34 +00:00
|
|
|
|
|
|
|
<ul>
|
2017-03-13 11:42:58 +00:00
|
|
|
<li>Server certificate lifetime: {{ session.authority.signature.server_certificate_lifetime }} days</li>
|
|
|
|
<li>Client certificate lifetime: {{ session.authority.signature.client_certificate_lifetime }} days</li>
|
2018-04-13 09:53:51 +00:00
|
|
|
{% if session.features.crl %}
|
2016-03-29 12:43:34 +00:00
|
|
|
<li>Revocation list lifetime: {{ session.authority.signature.revocation_list_lifetime }} seconds</li>
|
2018-04-13 09:53:51 +00:00
|
|
|
{% endif %}
|
2016-03-29 12:43:34 +00:00
|
|
|
</ul>
|
|
|
|
|
2016-03-21 21:42:39 +00:00
|
|
|
<p>Authenticated users allowed from:
|
2017-12-30 13:57:48 +00:00
|
|
|
{% if not session.authority.user_subnets %}
|
|
|
|
nowhere</p>
|
|
|
|
{% elif "0.0.0.0/0" in session.authority.user_subnets %}
|
|
|
|
anywhere</p>
|
2016-03-21 21:42:39 +00:00
|
|
|
{% else %}
|
|
|
|
</p>
|
|
|
|
<ul>
|
2016-03-27 20:38:14 +00:00
|
|
|
{% for i in session.authority.user_subnets %}
|
2016-03-21 21:42:39 +00:00
|
|
|
<li>{{ i }}</li>
|
|
|
|
{% endfor %}
|
|
|
|
</ul>
|
|
|
|
{% endif %}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<p>Authority administration is allowed from:
|
2017-12-30 13:57:48 +00:00
|
|
|
{% if not session.authority.admin_subnets %}
|
|
|
|
nowhere</p>
|
|
|
|
{% elif "0.0.0.0/0" in session.authority.admin_subnets %}
|
|
|
|
anywhere</p>
|
2016-03-21 21:42:39 +00:00
|
|
|
{% else %}
|
|
|
|
<ul>
|
2016-03-27 20:38:14 +00:00
|
|
|
{% for subnet in session.authority.admin_subnets %}
|
2016-03-21 21:42:39 +00:00
|
|
|
<li>{{ subnet }}</li>
|
|
|
|
{% endfor %}
|
|
|
|
</ul>
|
|
|
|
{% endif %}
|
|
|
|
|
|
|
|
<p>Authority administration allowed for:</p>
|
|
|
|
|
|
|
|
<ul>
|
2016-03-27 20:38:14 +00:00
|
|
|
{% for user in session.authority.admin_users %}
|
|
|
|
<li><a href="mailto:{{ user.mail}}">{{ user.given_name }} {{user.surname }}</a></li>
|
2016-03-21 21:42:39 +00:00
|
|
|
{% endfor %}
|
|
|
|
</ul>
|
2015-12-16 17:41:49 +00:00
|
|
|
</section>
|
2016-03-21 21:42:39 +00:00
|
|
|
|
|
|
|
{% else %}
|
|
|
|
<p>Here you can renew your certificates</p>
|
|
|
|
|
|
|
|
{% endif %}
|
|
|
|
|
2015-12-12 22:34:08 +00:00
|
|
|
{% set s = session.certificate.identity %}
|
|
|
|
|
|
|
|
|
2017-12-30 13:57:48 +00:00
|
|
|
|
|
|
|
<div class="row">
|
|
|
|
|
|
|
|
|
|
|
|
<div class="col-sm-6">
|
|
|
|
<h1>Signed certificates</h1>
|
|
|
|
<p>Following certificates have been signed:</p>
|
|
|
|
<div id="signed_certificates">
|
|
|
|
{% for certificate in session.authority.signed | sort(attribute="signed", reverse=true) %}
|
|
|
|
{% include "views/signed.html" %}
|
|
|
|
{% endfor %}
|
|
|
|
</div>
|
|
|
|
</div>
|
|
|
|
<div class="col-sm-6">
|
|
|
|
|
|
|
|
|
2018-04-09 13:08:12 +00:00
|
|
|
{% if session.authority %}
|
|
|
|
{% if session.features.token %}
|
|
|
|
<h1>Tokens</h1>
|
|
|
|
|
|
|
|
<p>Tokens allow enrolling smartphones and third party devices.</p>
|
|
|
|
<ul>
|
|
|
|
<li>You can issue yourself a token to be used on a mobile device</li>
|
|
|
|
<li>Enter username to issue a token to issue a token for another user</li>
|
|
|
|
<li>Enter e-mail address to issue a token to guest users outside domain</li>
|
|
|
|
</ul>
|
|
|
|
<p>
|
|
|
|
<div class="input-group">
|
|
|
|
<input id="token_username" name="username" type="text" class="form-control" placeholder="Username" aria-describedby="sizing-addon2">
|
|
|
|
<input id="token_mail" name="mail" type="mail" class="form-control" placeholder="Optional e-mail" aria-describedby="sizing-addon2">
|
|
|
|
<span class="input-group-btn">
|
|
|
|
<button class="btn btn-secondary" type="button" onClick="onSendToken();"><i class="fa fa-send"></i> Send token</button>
|
|
|
|
</span>
|
|
|
|
</div>
|
|
|
|
</p>
|
2017-12-30 13:57:48 +00:00
|
|
|
|
2018-04-09 13:08:12 +00:00
|
|
|
<div id="token_qrcode"></div>
|
|
|
|
{% endif %}
|
2017-12-30 13:57:48 +00:00
|
|
|
|
2015-12-12 22:34:08 +00:00
|
|
|
<h1>Pending requests</h1>
|
|
|
|
|
2017-12-30 13:57:48 +00:00
|
|
|
<p>Use Certidude client to apply for a certificate.
|
2016-09-18 13:25:52 +00:00
|
|
|
|
2017-12-30 13:57:48 +00:00
|
|
|
{% if not session.authority.request_subnets %}
|
|
|
|
Request submission disabled.
|
|
|
|
{% elif "0.0.0.0/0" in session.authority.request_subnets %}
|
|
|
|
Request submission is enabled.
|
2016-09-18 13:25:52 +00:00
|
|
|
{% else %}
|
2017-12-30 13:57:48 +00:00
|
|
|
Request submission allowed from
|
|
|
|
{% for subnet in session.authority.request_subnets %}{{ subnet }},{% endfor %}.
|
2016-09-18 13:25:52 +00:00
|
|
|
{% endif %}
|
2015-12-16 17:41:49 +00:00
|
|
|
|
2017-12-30 13:57:48 +00:00
|
|
|
{# if session.request_submission_allowed #}
|
|
|
|
See <a href="#request_submission_modal" data-toggle="modal">here</a> for more information on manual signing request upload.
|
|
|
|
{# endif #}
|
2015-12-12 22:34:08 +00:00
|
|
|
|
2017-12-30 13:57:48 +00:00
|
|
|
{% if session.authority.autosign_subnets %}
|
|
|
|
{% if "0.0.0.0/0" in session.authority.autosign_subnets %}
|
|
|
|
All requests are automatically signed.
|
2015-12-12 22:34:08 +00:00
|
|
|
{% else %}
|
2017-12-30 13:57:48 +00:00
|
|
|
Requests from
|
|
|
|
{% for subnet in session.authority.autosign_subnets %}
|
|
|
|
{{ subnet }},
|
|
|
|
{% endfor %}
|
|
|
|
are automatically signed.
|
|
|
|
{% endif %}
|
|
|
|
{% endif %}
|
|
|
|
</p>
|
2016-01-10 17:51:54 +00:00
|
|
|
|
2017-12-30 13:57:48 +00:00
|
|
|
<div id="pending_requests">
|
|
|
|
{% for request in session.authority.requests | sort(attribute="submitted", reverse=true) %}
|
|
|
|
{% include "views/request.html" %}
|
|
|
|
{% endfor %}
|
|
|
|
</div>
|
|
|
|
<p><h1>Revoked certificates</h1></p>
|
2018-04-13 09:53:51 +00:00
|
|
|
<p>Following certificates have been revoked{% if session.features.crl %}, for more information click
|
|
|
|
<a href="#revocation_list_modal" data-toggle="modal">here</a>{% endif %}.</p>
|
2017-12-30 13:57:48 +00:00
|
|
|
|
|
|
|
{% for certificate in session.authority.revoked | sort(attribute="revoked", reverse=true) %}
|
|
|
|
{% include "views/revoked.html" %}
|
|
|
|
{% endfor %}
|
|
|
|
</div>
|
|
|
|
</div>
|
2016-01-10 17:51:54 +00:00
|
|
|
<section id="config">
|
|
|
|
</section>
|
2016-03-21 21:42:39 +00:00
|
|
|
|
|
|
|
{% endif %}
|