lauri/certidude
1
0
Fork 0
mirror of https://github.com/laurivosandi/certidude synced 2025-09-07 22:20:56 +00:00
Code Issues Activity

Several improvements

Browse Source 
* Add EC support
* Make token form toggleable
* Make client certificates compatible with iOS native IKEv2
* Fix OU for self-enroll
* Improved sample scripts in web UI
This commit is contained in:
Lauri Võsandi
2018-04-09 13:08:12 +00:00
parent 9c6872a949
commit 577962e09b
11 changed files with 253 additions and 184 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
doc/overlay/etc/hotplug.d/iface/50-certidude Normal file → Executable file
View File

@@ -5,12 +5,13 @@
# TODO: renewal
AUTHORITY=certidude.@authority[0]
[ $ACTION == "ifup" ] || exit 0
[ $INTERFACE == "wan" ] || exit 0
[ $INTERFACE == "$(uci get $AUTHORITY.trigger)" ] || exit 0
# TODO: iterate over all authorities
AUTHORITY=certidude.@authority[0]
URL=$(uci get $AUTHORITY.url)
GATEWAY=$(uci get $AUTHORITY.gateway)
@@ -40,8 +41,9 @@ logger -t certidude -s "Time is now: $(date)"
# If certificate file is there assume everything's set up
if [ -f $CERTIFICATE_PATH ]; then
SERIAL=$(openssl x509 -in $CERTIFICATE_PATH -noout -serial | cut -d "=" -f 2 | tr [A-F] [a-f])
logger -t certidude -s "Certificate with serial $SERIAL already exists, attempting to bring up IPsec tunnel..."
ipsec up client-to-site
logger -t certidude -s "Certificate with serial $SERIAL already exists in $CERTIFICATE_PATH, attempting to bring up VPN tunnel..."
/etc/init.d/openvpn start
/etc/init.d/ipsec start
exit 0
fi
@@ -60,7 +62,7 @@ fi
if [ ! -f $KEY_PATH ]; then
KEY_TEMP=$(mktemp -u)
logger -t certidude -s "Generating RSA key for IPsec..."
logger -t certidude -s "Generating RSA key for VPN..."
if [ -d $GREEN_LED ]; then
echo 250 | tee $GREEN_LED/delay_*
fi
@@ -167,31 +169,10 @@ fi
logger -t certidude -s "Certificate md5sum: $(md5sum -b $CERTIFICATE_TEMP)"
###################################
### Generate /etc/ipsec.secrets ###
###################################
SECRETS_TEMP=$(mktemp -u)
for filename in /etc/ipsec.d/private/*.pem; do
echo ": RSA $filename" >> $SECRETS_TEMP
done
uci commit
mv $SECRETS_TEMP /etc/ipsec.secrets
mv $IPSEC_TEMP /etc/ipsec.conf
mv $CERTIFICATE_TEMP $CERTIFICATE_PATH
# Enable services
/etc/init.d/ipsec enable
# Restart services
/etc/init.d/ipsec restart
sleep 2
ipsec up client-to-site
/etc/init.d/ipsec start
/etc/init.d/openvpn start