<div class="modal fade" id="request_submission_modal" role="dialog">
<div class="modal-dialog modal-lg">
<div class="modal-content">
<div class="modal-header">
<button type="button" class="close" data-dismiss="modal">×</button>
<h4 class="modal-title">Request submission</h4>
</div>
<form action="/api/request/" method="post">
<div class="modal-body">
<h5>Certidude client</h5>
<p>On Ubuntu or Fedora:</p>
<div class="highlight">
<pre class="code"><code>{% include "snippets/certidude-client.sh" %}</code></pre>
</div>
{% if "ikev2" in session.service.protocols %}
<h5>Windows {% if session.authority.certificate.algorithm == "ec" %}10{% else %}7 and up{% endif %}</h5>
<p>On Windows, execute the following PowerShell script:</p>
<div class="highlight"><pre class="code"><code>{% include "snippets/windows.ps1" %}</code></pre></div>
{% endif %}
<h5>UNIX & UNIX-like</h5>
<p>For client certificates, generate a key pair and submit the signing request with the common name set to the short hostname:</p>
<div class="highlight">
<pre class="code"><code>{% include "snippets/request-client.sh" %}</code></pre>
</div>
<p>For server certificates, use the fully qualified hostname as the common name and sign the request accordingly:</p>
<div class="highlight">
<pre class="code"><code>{% include "snippets/request-server.sh" %}</code></pre>
</div>
<p>To renew:</p>
<div class="highlight">
<pre class="code"><code>{% include "snippets/renew.sh" %}</code></pre>
</div>
{% if "openvpn" in session.service.protocols %}
<h5>OpenVPN as client</h5>
<p>First acquire certificates using the snippet above.</p>
<p>Then install software:</p>
<div class="highlight"><pre class="code"><code>{% include "snippets/openvpn-client.sh" %}</code></pre></div>
{% endif %}
{% if "ikev2" in session.service.protocols %}
<h5>StrongSwan as client</h5>
<p>First acquire certificates using the snippet above.</p>
<p>Then install software:</p>
<div class="highlight">
<pre class="code"><code>{% include "snippets/strongswan-patching.sh" %}</code></pre>
</div>
<p>To configure StrongSwan as a roadwarrior:</p>
<div class="highlight"><pre class="code"><code>{% include "snippets/strongswan-client.sh" %}</code></pre></div>
{% endif %}
<h5>OpenWrt/LEDE as VPN gateway</h5>
<p>First enroll certificates using the snippet from the UNIX section above.</p>
<p>Then:</p>
<div class="highlight">
<pre class="code"><code>opkg install curl libmbedtls
# Derive FQDN from WAN interface's reverse DNS record
FQDN=$(nslookup $(uci get network.wan.ipaddr) | grep "name =" | head -n1 | cut -d "=" -f 2 | xargs)
grep -c certidude /etc/sysupgrade.conf || echo /etc/certidude >> /etc/sysupgrade.conf
{% include "snippets/gateway-updown.sh" %}
</code></pre>
</div>
{% if "openvpn" in session.service.protocols %}
<p>Then either set up OpenVPN service:</p>
<div class="highlight">
<pre class="code"><code>{% include "snippets/openwrt-openvpn.sh" %}</code></pre>
</div>
{% endif %}
{% if "ikev2" in session.service.protocols %}
<p>Alternatively or additionally set up StrongSwan:</p>
<div class="highlight">
<pre class="code"><code>opkg update
opkg install curl openssl-util strongswan-full strongswan-mod-openssl kmod-crypto-echainiv kmod-crypto-gcm
{% include "snippets/strongswan-server.sh" %}
ipsec restart</code></pre>
</div>
{% endif %}
{% if session.authority.builder %}
<h5>OpenWrt/LEDE image builder</h5>
<p>Hit a link to generate a machine-specific image. Note that this might take a couple of minutes to finish.</p>
<ul>
{% for name, title, filename in session.authority.builder.profiles %}
<li><a href="/api/build/{{ name }}/{{ filename }}">{{ title }}</a></li>
{% endfor %}
</ul>
{% endif %}
<h5>SCEP</h5>
<p>Use the following as the enrollment URL: http://{{ authority_name }}/cgi-bin/pkiclient.exe</p>
<h5>Copy & paste</h5>
<p>Use whatever tools you have available on your platform to generate
a keypair, then paste the ASCII-armored PEM file contents here and hit submit:</p>
<textarea id="request_body" style="width:100%; min-height: 10em;"
placeholder="-----BEGIN CERTIFICATE REQUEST-----"></textarea>
</div>
<div class="modal-footer">
<div class="btn-group">
<button type="button" onclick="onSubmitRequest();" class="btn btn-primary"><i class="fa fa-upload"></i> Submit</button>
<button type="button" class="btn btn-secondary" data-dismiss="modal"><i class="fa fa-ban"></i> Close</button>
</div>
</div>
</form>
</div>
</div>
</div>
<div class="modal fade" id="revocation_list_modal" role="dialog">
<div class="modal-dialog modal-lg">
<div class="modal-content">
<div class="modal-header">
<button type="button" class="close" data-dismiss="modal">×</button>
<h4 class="modal-title">Revocation lists</h4>
</div>
<div class="modal-body">
<p>To fetch <a href="http://{{authority_name}}/api/revoked/">certificate revocation list</a>:</p>
<pre><code>curl http://{{authority_name}}/api/revoked/ > crl.der
curl http://{{authority_name}}/api/revoked/ -L -H "Accept: application/x-pem-file"
curl "http://{{authority_name}}/api/revoked/?wait=yes" -L -H "Accept: application/x-pem-file" > crl.pem</code></pre>
</div>
<div class="modal-footer">
<button type="button" class="btn" data-dismiss="modal">Close</button>
</div>
</div>
</div>
</div>
<div class="row">
<div class="col-sm-{{ column_width }}">
<h1>Signed certificates</h1>
<p>Authority administration is allowed for
{% for user in session.authority.admin_users %}<a href="mailto:{{ user.mail}}">{{ user.given_name }} {{user.surname }}</a>{% if not loop.last %}, {% endif %}{% endfor %} from {% if "0.0.0.0/0" in session.authority.admin_subnets %}anywhere{% else %}
{% for subnet in session.authority.admin_subnets %}{{ subnet }}{% if not loop.last %}, {% endif %}{% endfor %}{% endif %}.
Authority certificate can be downloaded from <a href="/api/certificate/">here</a>.
The following certificates have been signed:</p>
<div id="signed_certificates">
{% for certificate in session.authority.signed | sort(attribute="signed", reverse=true) %}
{% include "views/signed.html" %}
{% endfor %}
</div>
</div>
<div class="col-sm-{{ column_width }}">
{% if session.authority %}
{% if session.features.token %}
<h1>Tokens</h1>
<p>Tokens allow enrolling smartphones and third party devices.</p>
<ul>
<li>You can issue yourself a token to be used on a mobile device</li>
<li>Enter username to issue a token for another user</li>
<li>Enter e-mail address to issue a token to guest users outside domain</li>
</ul>
<p>
<div class="input-group">
<input id="token_username" name="username" type="text" class="form-control" placeholder="Username" aria-describedby="sizing-addon2">
<input id="token_mail" name="mail" type="email" class="form-control" placeholder="Optional e-mail" aria-describedby="sizing-addon2">
<span class="input-group-btn">
<button class="btn btn-secondary" type="button" onClick="onSendToken();"><i class="fa fa-send"></i> Send token</button>
</span>
</div>
</p>
<div id="token_qrcode"></div>
{% endif %}
<h1>Pending requests</h1>
<p>Use Certidude client to apply for a certificate.
{% if not session.authority.request_subnets %}
Request submission disabled.
{% elif "0.0.0.0/0" in session.authority.request_subnets %}
Request submission is enabled.
{% else %}
Request submission allowed from
{% for subnet in session.authority.request_subnets %}
{{ subnet }}{% if not loop.last %}, {% endif %}
{% endfor %}.
{% endif %}
See <a href="#request_submission_modal" data-toggle="modal">here</a> for more information on manual signing request upload.
{% if session.authority.autosign_subnets %}
{% if "0.0.0.0/0" in session.authority.autosign_subnets %}
All requests are automatically signed.
{% else %}
Requests from
{% for subnet in session.authority.autosign_subnets %}
{{ subnet }}{% if not loop.last %}, {% endif %}
{% endfor %}
are automatically signed.
{% endif %}
{% endif %}
</p>
<div id="pending_requests">
{% for request in session.authority.requests | sort(attribute="submitted", reverse=true) %}
{% include "views/request.html" %}
{% endfor %}
</div>
{% if columns >= 3 %}
</div>
<div class="col-sm-{{ column_width }}">
{% endif %}
<h1>Revoked certificates</h1>
<p>The following certificates have been revoked{% if session.features.crl %}, for more information click
<a href="#revocation_list_modal" data-toggle="modal">here</a>{% endif %}.</p>
{% for certificate in session.authority.revoked | sort(attribute="revoked", reverse=true) %}
{% include "views/revoked.html" %}
{% endfor %}
</div>
<div id="column-log" class="col-sm-{% if columns == 4 %}{{ column_width }}{% else %}12{% endif %}" {% if columns < 4 %}style="display:none;"{% endif %}>
<div class="loader-container">
<div class="loader"></div>
<p>Loading logs, this might take a while...</p>
</div>
<div class="content" style="display:none;">
<h1>Log</h1>
<div class="btn-group" data-toggle="buttons">
<label class="btn btn-primary active"><input id="log-level-critical" type="checkbox" autocomplete="off" checked> Critical</label>
<label class="btn btn-primary active"><input id="log-level-errors" type="checkbox" autocomplete="off" checked> Errors</label>
<label class="btn btn-primary active"><input id="log-level-warnings" type="checkbox" autocomplete="off" checked> Warnings</label>
<label class="btn btn-primary active"><input id="log-level-info" type="checkbox" autocomplete="off" checked> Info</label>
<label class="btn btn-primary"><input id="log-level-debug" type="checkbox" autocomplete="off"> Debug</label>
</div>
<ul id="log-entries" class="list-group">
</ul>
</div>
</div>
</div>
{% endif %}