541 lines
20 KiB
HTML
541 lines
20 KiB
HTML
<div class="modal fade" id="request_submission_modal" role="dialog">
|
|
<div class="modal-dialog modal-lg">
|
|
<div class="modal-content">
|
|
<div class="modal-header">
|
|
<button type="button" class="close" data-dismiss="modal">×</button>
|
|
<h4 class="modal-title">Request submission</h4>
|
|
</div>
|
|
<form action="/api/request/" method="post">
|
|
<div class="modal-body">
|
|
<h5>Certidude client</h5>
|
|
|
|
<p>Submit a certificate signing request from Mac OS X, Ubuntu or Fedora:</p>
|
|
<div class="highlight">
|
|
<pre><code>easy_install pip;
|
|
pip3 install certidude;
|
|
certidude bootstrap {{ window.location.hostname }}
|
|
</code></pre>
|
|
</div>
|
|
|
|
<h5>Windows 10</h5>
|
|
|
|
<p>On Windows execute following PowerShell script</p>
|
|
|
|
<div class="highlight">
|
|
<pre class="code"><code>$hostname = $env:computername.ToLower()
|
|
$templ = @"
|
|
[Version]
|
|
Signature="$Windows NT$
|
|
|
|
[NewRequest]
|
|
Subject = "CN=$hostname"
|
|
Exportable = FALSE
|
|
KeySpec = 1
|
|
KeyUsage = 0xA0
|
|
MachineKeySet = True
|
|
ProviderType = 12
|
|
RequestType = PKCS10
|
|
{% if session.authority.certificate.algorithm == "ec" %}ProviderName = "Microsoft Software Key Storage Provider"
|
|
KeyAlgorithm = ECDSA_P384
|
|
{% else %}ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
|
|
KeyLength = 2048
|
|
{% endif %}"@
|
|
|
|
$templ | Out-File req.inf
|
|
|
|
# Fetch CA certificate and install it
|
|
Invoke-WebRequest -Uri http://{{ window.location.hostname }}/api/certificate -OutFile ca_cert.pem
|
|
Import-Certificate -FilePath ca_cert.pem -CertStoreLocation Cert:\LocalMachine\Root
|
|
|
|
# Generate keypair and submit CSR
|
|
C:\Windows\system32\certreq.exe -new -f -q req.inf client_csr.pem
|
|
Invoke-WebRequest -TimeoutSec 900 -Uri http://{{ window.location.hostname }}/api/request/?wait=1 -InFile client_csr.pem -ContentType application/pkcs10 -Method POST -MaximumRedirection 3 -OutFile client_cert.pem
|
|
|
|
# Import certificate
|
|
Import-Certificate -FilePath client_cert.pem -CertStoreLocation Cert:\LocalMachine\My
|
|
|
|
# Set up IPSec VPN tunnel
|
|
Remove-VpnConnection -AllUserConnection -Force k-space
|
|
Add-VpnConnection `
|
|
-Name k-space `
|
|
-ServerAddress guests.k-space.ee `
|
|
-AuthenticationMethod MachineCertificate `
|
|
-SplitTunneling `
|
|
-TunnelType ikev2 `
|
|
-PassThru -AllUserConnection
|
|
|
|
# Security hardening
|
|
Set-VpnConnectionIPsecConfiguration `
|
|
-ConnectionName k-space `
|
|
-AuthenticationTransformConstants GCMAES128 `
|
|
-CipherTransformConstants GCMAES128 `
|
|
-EncryptionMethod AES128 `
|
|
-IntegrityCheckMethod none `
|
|
-PfsGroup {% if session.authority.certificate.algorithm == "ec" %}ECP384 -DHGroup ECP384{% else %}PFS2048 -DHGroup Group14{% endif %} `
|
|
-PassThru -AllUserConnection -Force</code></pre>
|
|
</div>
|
|
|
|
<h5>UNIX & UNIX-like</h5>
|
|
|
|
<p>On other UNIX-like machines generate key pair and submit the signing request using OpenSSL and cURL:</p>
|
|
<div class="highlight">
|
|
<pre class="code"><code>NAME=$(hostname);
|
|
{% if session.authority.certificate.algorithm == "ec" %}openssl ecparam -name secp384r1 -genkey -noout -out client_key.pem{% else %}openssl genrsa -out client_key.pem 2048;{% endif %}
|
|
openssl req -new -sha384 -key client_key.pem -out client_req.pem -subj "/CN=$NAME";
|
|
curl -f -L -H "Content-type: application/pkcs10" --data-binary @client_req.pem \
|
|
http://{{ window.location.hostname }}/api/request/?wait=yes > client_cert.pem</code></pre>
|
|
</div>
|
|
|
|
<h5>StrongSwan as client</h5>
|
|
|
|
<p>First enroll certificates:</p>
|
|
<div class="highlight">
|
|
<pre class="code"><code>
|
|
FQDN=$(cat /etc/hostname)
|
|
curl -f http://{{ window.location.hostname }}/api/certificate/ -o /etc/ipsec.d/cacerts/ca.pem; \
|
|
test -e /etc/ipsec.d/private/client.pem \
|
|
|| openssl ecparam -name secp384r1 -genkey -noout -out /etc/ipsec.d/private/client.pem; \
|
|
test -e /etc/ipsec.d/reqs/client.pem \
|
|
|| openssl req -new -sha384 \
|
|
-key /etc/ipsec.d/private/client.pem \
|
|
-out /etc/ipsec.d/reqs/client.pem -subj "/CN=$FQDN"; \
|
|
curl -f -L -H "Content-type: application/pkcs10" \
|
|
--data-binary @/etc/ipsec.d/reqs/client.pem \
|
|
-o /etc/ipsec.d/certs/client.pem \
|
|
http://{{ window.location.hostname }}/api/request/?wait=yes</code></pre>
|
|
</div>
|
|
|
|
<p>Then configure StrongSwan</p>
|
|
<div class="highlight">
|
|
<pre class="code"><code>
|
|
cat > /etc/ipsec.conf << EOF
|
|
conn c2s
|
|
auto=start
|
|
right=router.k-space.ee
|
|
dpdaction=restart
|
|
closeaction=restart
|
|
left=%defaultroute
|
|
rightsubnet=0.0.0.0/0
|
|
keyingtries=%forever
|
|
rightid=%any
|
|
leftsourceip=%config
|
|
leftcert=client.pem
|
|
ike=aes128-sha384-{% if session.authority.certificate.algorithm == "ec" %}ecp384{% else %}modp2048{% endif %}!
|
|
esp=aes128gcm16!
|
|
|
|
EOF
|
|
|
|
echo ": {% if session.authority.certificate.algorithm == "ec" %}ECDSA{% else %}RSA{% endif %} client.pem" > /etc/ipsec.secrets
|
|
|
|
ipsec restart</code></pre>
|
|
</div>
|
|
|
|
<h5>OpenWrt/LEDE as VPN gateway</h5>
|
|
|
|
<p>First enroll certificates:</p>
|
|
<div class="highlight">
|
|
<pre class="code"><code># Derive FQDN from WAN interface's reverse DNS record
|
|
FQDN=$(nslookup $(uci get network.wan.ipaddr) | grep "name =" | head -n1 | cut -d "=" -f 2 | xargs)
|
|
|
|
mkdir -p /etc/certidude/authority/{{ window.location.hostname }}
|
|
grep -c certidude /etc/sysupgrade.conf || echo /etc/certidude >> /etc/sysupgrade.conf
|
|
cat << EOF > /etc/certidude/authority/{{ window.location.hostname }}/ca_cert.pem
|
|
{{ session.authority.certificate.blob }}
|
|
EOF
|
|
test -e /etc/certidude/authority/{{ window.location.hostname }}/server_key.pem \
|
|
|| openssl {% if session.authority.certificate.algorithm == "ec" %}ecparam -name secp384r1 -genkey -noout -out /etc/certidude/authority/{{ window.location.hostname }}/server_key.pem{% else %}genrsa -out /etc/certidude/authority/{{ window.location.hostname }}/server_key.pem 2048{% endif %}
|
|
test -e /etc/certidude/authority/{{ window.location.hostname }}/server_req.pem \
|
|
|| openssl req -new -sha384 \
|
|
-key /etc/certidude/authority/{{ window.location.hostname }}/server_key.pem \
|
|
-out /etc/certidude/authority/{{ window.location.hostname }}/server_req.pem -subj "/CN=$FQDN"
|
|
cat /etc/certidude/authority/{{ window.location.hostname }}/server_req.pem
|
|
curl -f -L -H "Content-type: application/pkcs10" \
|
|
--data-binary @/etc/certidude/authority/{{ window.location.hostname }}/server_req.pem \
|
|
-o /etc/certidude/authority/{{ window.location.hostname }}/server_cert.pem \
|
|
http://{{ window.location.hostname }}/api/request/?wait=yes
|
|
|
|
# Create VPN gateway up/down script for reporting client IP addresses to CA
|
|
cat <<\EOF > /etc/certidude/authority/{{ window.location.hostname }}/updown
|
|
#!/bin/sh
|
|
|
|
CURL="curl -m 3 -f --key /etc/certidude/authority/{{ window.location.hostname }}/server_key.pem --cert /etc/certidude/authority/{{ window.location.hostname }}/server_cert.pem --cacert /etc/certidude/authority/{{ window.location.hostname }}/ca_cert.pem https://{{ window.location.hostname }}:8443/api/lease/"
|
|
|
|
case $PLUTO_VERB in
|
|
up-client) $CURL --data-urlencode "outer_address=$PLUTO_PEER" --data-urlencode "inner_address=$PLUTO_PEER_SOURCEIP" --data-urlencode "client=$PLUTO_PEER_ID" ;;
|
|
*) ;;
|
|
esac
|
|
|
|
case $script_type in
|
|
client-connect) $CURL --data-urlencode client=$X509_0_CN --data-urlencode serial=$tls_serial_0 --data-urlencode outer_address=$untrusted_ip --data-urlencode inner_address=$ifconfig_pool_remote_ip ;;
|
|
*) ;;
|
|
esac
|
|
EOF
|
|
|
|
chmod +x /etc/certidude/authority/{{ window.location.hostname }}/updown</code></pre>
|
|
</div>
|
|
|
|
<p>Then either set up OpenVPN service:</p>
|
|
<div class="highlight">
|
|
<pre class="code"><code># Generate Diffie-Hellman parameters file for OpenVPN
|
|
test -e /etc/certidude/dh.pem \
|
|
|| openssl dhparam 2048 -out /etc/certidude/dh.pem
|
|
|
|
# Create interface definition for tunnel
|
|
uci set network.vpn=interface
|
|
uci set network.vpn.name='vpn'
|
|
uci set network.vpn.ifname=tun_s2c_udp tun_s2c_tcp
|
|
uci set network.vpn.proto='none'
|
|
|
|
# Create zone definition for VPN interface
|
|
uci set firewall.vpn=zone
|
|
uci set firewall.vpn.name='vpn'
|
|
uci set firewall.vpn.input='ACCEPT'
|
|
uci set firewall.vpn.forward='ACCEPT'
|
|
uci set firewall.vpn.output='ACCEPT'
|
|
uci set firewall.vpn.network='vpn'
|
|
|
|
# Allow UDP 1194 on WAN interface
|
|
uci set firewall.openvpn=rule
|
|
uci set firewall.openvpn.name='Allow OpenVPN'
|
|
uci set firewall.openvpn.src='wan'
|
|
uci set firewall.openvpn.dest_port=1194
|
|
uci set firewall.openvpn.proto='udp'
|
|
uci set firewall.openvpn.target='ACCEPT'
|
|
|
|
# Allow TCP 443 on WAN interface
|
|
uci set firewall.openvpn=rule
|
|
uci set firewall.openvpn.name='Allow OpenVPN over TCP'
|
|
uci set firewall.openvpn.src='wan'
|
|
uci set firewall.openvpn.dest_port=443
|
|
uci set firewall.openvpn.proto='tcp'
|
|
uci set firewall.openvpn.target='ACCEPT'
|
|
|
|
# Forward traffic from VPN to LAN
|
|
uci set firewall.c2s=forwarding
|
|
uci set firewall.c2s.src='vpn'
|
|
uci set firewall.c2s.dest='lan'
|
|
|
|
# Permit DNS queries from VPN
|
|
uci set dhcp.@dnsmasq[0].localservice='0'
|
|
|
|
touch /etc/config/openvpn
|
|
|
|
# Configure OpenVPN over TCP
|
|
uci set openvpn.s2c_tcp=openvpn
|
|
uci set openvpn.s2c_tcp.local=$(uci get network.wan.ipaddr)
|
|
uci set openvpn.s2c_tcp.server='10.179.43.0 255.255.255.128'
|
|
uci set openvpn.s2c_tcp.proto='tcp-server'
|
|
uci set openvpn.s2c_tcp.port='443'
|
|
uci set openvpn.s2c_tcp.dev=tun_s2c_tcp
|
|
|
|
# Configure OpenVPN over UDP
|
|
uci set openvpn.s2c_udp=openvpn
|
|
uci set openvpn.s2c_udp.local=$(uci get network.wan.ipaddr)
|
|
uci set openvpn.s2c_udp.server='10.179.43.128 255.255.255.128'
|
|
uci set openvpn.s2c_tcp.dev=tun_s2c_udp
|
|
|
|
for section in s2c_tcp s2c_udp; do
|
|
|
|
# Common paths
|
|
uci set openvpn.$section.script_security=2
|
|
uci set openvpn.$section.client_connect='/etc/certidude/updown'
|
|
uci set openvpn.$section.key='/etc/certidude/authority/{{ window.location.hostname }}/server_key.pem'
|
|
uci set openvpn.$section.cert='/etc/certidude/authority/{{ window.location.hostname }}/server_cert.pem'
|
|
uci set openvpn.$section.ca='/etc/certidude/authority/{{ window.location.hostname }}/ca_cert.pem'
|
|
uci set openvpn.$section.dh='/etc/certidude/dh.pem'
|
|
uci set openvpn.$section.enabled=1
|
|
|
|
# DNS and routes
|
|
uci add_list openvpn.$section.push="route-metric 1000"
|
|
uci add_list openvpn.$section.push="route $(uci get network.lan.ipaddr) $(uci get network.lan.netmask)"
|
|
uci add_list openvpn.$section.push="dhcp-option DNS $(uci get network.lan.ipaddr)"
|
|
uci add_list openvpn.$section.push="dhcp-option DOMAIN $(uci get dhcp.@dnsmasq[0].domain)"
|
|
|
|
# Security hardening
|
|
uci set openvpn.$section.tls_version_min='1.2'
|
|
uci set openvpn.$section.tls_cipher='TLS-{% if session.authority.certificate.algorithm == "ec" %}ECDHE-ECDSA{% else %}DHE-RSA{% endif %}-WITH-AES-128-GCM-SHA384'
|
|
uci set openvpn.$section.cipher='AES-128-GCM'
|
|
uci set openvpn.$section.auth='SHA384'
|
|
|
|
done
|
|
|
|
/etc/init.d/openvpn restart
|
|
/etc/init.d/firewall restart</code></pre>
|
|
</div>
|
|
|
|
<p>Alternatively or additionally set up StrongSwan:</p>
|
|
<div class="highlight">
|
|
<pre class="code"><code># Generate StrongSwan config
|
|
cat > /etc/ipsec.conf << EOF
|
|
config setup
|
|
strictcrlpolicy=yes
|
|
uniqueids = yes
|
|
|
|
ca {{ window.location.hostname }}
|
|
auto=add
|
|
cacert = /etc/certidude/authority/{{ window.location.hostname }}/ca_cert.pem
|
|
crluri = http://{{ window.location.hostname }}/api/revoked
|
|
ocspuri = http://{{ window.location.hostname }}/api/ocsp/
|
|
|
|
conn s2c
|
|
auto=add
|
|
dpdaction=clear
|
|
closeaction=clear
|
|
leftdns=$(uci get network.lan.ipaddr)
|
|
rightsourceip=172.21.0.0/24
|
|
left=$(uci get network.wan.ipaddr)
|
|
leftsubnet=$(uci get network.lan.ipaddr | cut -d . -f 1-3).0/24
|
|
leftcert=/etc/certidude/authority/{{ window.location.hostname }}/server_cert.pem
|
|
ike=aes128-sha384-{% if session.authority.certificate.algorithm == "ec" %}ecp384{% else %}modp2048{% endif %}!
|
|
esp=aes128gcm16!
|
|
leftupdown=/etc/certidude/{{ window.location.hostname }}/updown
|
|
|
|
EOF
|
|
|
|
echo ": {% if session.authority.certificate.algorithm == "ec" %}ECDSA{% else %}RSA{% endif %} /etc/certidude/authority/{{ window.location.hostname }}/server_key.pem" > /etc/ipsec.secrets
|
|
|
|
ipsec restart</code></pre>
|
|
</div>
|
|
|
|
{% if session.authority.builder %}
|
|
<h5>OpenWrt/LEDE image builder</h5>
|
|
<p>Hit a link to generate machine specific image. Note that this might take couple minutes to finish.</p>
|
|
<ul>
|
|
{% for name, title, filename in session.authority.builder.profiles %}
|
|
<li><a href="/api/build/{{ name }}/{{ filename }}">{{ title }}</a></li>
|
|
{% endfor %}
|
|
</ul>
|
|
{% endif %}
|
|
|
|
<h5>SCEP</h5>
|
|
<p>Use following as the enrollment URL: http://{{ window.location.hostname }}/cgi-bin/pkiclient.exe</p>
|
|
|
|
<h5>Copy & paste</h5>
|
|
|
|
<p>Use whatever tools you have available on your platform to generate
|
|
keypair and just paste ASCII armored PEM file contents here and hit submit:</p>
|
|
|
|
<textarea id="request_body" style="width:100%; min-height: 10em;" placeholder="-----BEGIN CERTIFICATE REQUEST-----"></textarea>
|
|
</div>
|
|
<div class="modal-footer">
|
|
<div class="btn-group">
|
|
<button type="button" onclick="onSubmitRequest();" class="btn btn-primary"><i class="fa fa-upload"></i> Submit</button>
|
|
<button type="button" class="btn btn-secondary" data-dismiss="modal"><i class="fa fa-ban"></i> Close</button>
|
|
</div>
|
|
</div>
|
|
</form>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
|
|
<div class="modal fade" id="revocation_list_modal" role="dialog">
|
|
<div class="modal-dialog modal-lg">
|
|
<div class="modal-content">
|
|
<div class="modal-header">
|
|
<button type="button" class="close" data-dismiss="modal">×</button>
|
|
<h4 class="modal-title">Revocation lists</h4>
|
|
</div>
|
|
<div class="modal-body">
|
|
<p>To fetch <a href="http://{{window.location.hostname}}/api/revoked/">certificate revocation list</a>:</p>
|
|
<pre><code>curl http://{{window.location.hostname}}/api/revoked/ > crl.der
|
|
curl http://{{window.location.hostname}}/api/revoked/ -L -H "Accept: application/x-pem-file"
|
|
curl http://{{window.location.hostname}}/api/revoked/?wait=yes -L -H "Accept: application/x-pem-file" > crl.pem</code></pre>
|
|
</div>
|
|
<div class="modal-footer">
|
|
<button type="button" class="btn" data-dismiss="modal">Close</button>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
|
|
<section id="about">
|
|
<h2>{{ session.user.gn }} {{ session.user.sn }} ({{session.user.name }}) settings</h2>
|
|
|
|
<p title="Bundles are mainly intended for Android and iOS users">
|
|
Click <button id="enroll">here</button> to generate Android or iOS bundle for current user account.</p>
|
|
|
|
<p>Mails will be sent to: {{ session.user.mail }}</p>
|
|
|
|
{% if session.authority %}
|
|
|
|
<h2>Authority certificate</h2>
|
|
|
|
<p>Several things are hardcoded into the <a href="/api/certificate">certificate</a> and
|
|
as such require complete reset of X509 infrastructure if some of them needs to be changed.</p>
|
|
|
|
<h2>Authority settings</h2>
|
|
|
|
<p>These can be reconfigured via /etc/certidude/server.conf on the server.</p>
|
|
|
|
{% if session.authority.mailer %}
|
|
<p>Mails will appear from: {{ session.authority.mailer.name }} <{{ session.authority.mailer.address }}></p>
|
|
{% else %}
|
|
<p>E-mail disabled</p>
|
|
{% endif %}
|
|
|
|
|
|
<p>User enrollment:
|
|
{% if session.authority.user_enrollment_allowed %}
|
|
{% if session.authority.user_multiple_certificates %}
|
|
multiple
|
|
{% else %}
|
|
single
|
|
{% endif %}
|
|
allowed
|
|
{% else %}
|
|
forbidden
|
|
{% endif %}
|
|
</p>
|
|
|
|
|
|
<p>Machine enrollment:
|
|
{% if session.authority.machine_enrollment_allowed %}
|
|
allowed
|
|
{% else %}
|
|
forbidden
|
|
{% endif %}
|
|
</p>
|
|
|
|
|
|
<p>Certificate attributes:</p>
|
|
|
|
<ul>
|
|
<li>Server certificate lifetime: {{ session.authority.signature.server_certificate_lifetime }} days</li>
|
|
<li>Client certificate lifetime: {{ session.authority.signature.client_certificate_lifetime }} days</li>
|
|
<li>Revocation list lifetime: {{ session.authority.signature.revocation_list_lifetime }} seconds</li>
|
|
</ul>
|
|
|
|
<p>Authenticated users allowed from:
|
|
{% if not session.authority.user_subnets %}
|
|
nowhere</p>
|
|
{% elif "0.0.0.0/0" in session.authority.user_subnets %}
|
|
anywhere</p>
|
|
{% else %}
|
|
</p>
|
|
<ul>
|
|
{% for i in session.authority.user_subnets %}
|
|
<li>{{ i }}</li>
|
|
{% endfor %}
|
|
</ul>
|
|
{% endif %}
|
|
|
|
|
|
|
|
<p>Authority administration is allowed from:
|
|
{% if not session.authority.admin_subnets %}
|
|
nowhere</p>
|
|
{% elif "0.0.0.0/0" in session.authority.admin_subnets %}
|
|
anywhere</p>
|
|
{% else %}
|
|
<ul>
|
|
{% for subnet in session.authority.admin_subnets %}
|
|
<li>{{ subnet }}</li>
|
|
{% endfor %}
|
|
</ul>
|
|
{% endif %}
|
|
|
|
<p>Authority administration allowed for:</p>
|
|
|
|
<ul>
|
|
{% for user in session.authority.admin_users %}
|
|
<li><a href="mailto:{{ user.mail}}">{{ user.given_name }} {{user.surname }}</a></li>
|
|
{% endfor %}
|
|
</ul>
|
|
</section>
|
|
|
|
{% else %}
|
|
<p>Here you can renew your certificates</p>
|
|
|
|
{% endif %}
|
|
|
|
{% set s = session.certificate.identity %}
|
|
|
|
|
|
|
|
<div class="row">
|
|
|
|
|
|
<div class="col-sm-6">
|
|
<h1>Signed certificates</h1>
|
|
<p>Following certificates have been signed:</p>
|
|
<div id="signed_certificates">
|
|
{% for certificate in session.authority.signed | sort(attribute="signed", reverse=true) %}
|
|
{% include "views/signed.html" %}
|
|
{% endfor %}
|
|
</div>
|
|
</div>
|
|
<div class="col-sm-6">
|
|
|
|
|
|
{% if session.authority %}
|
|
{% if session.features.token %}
|
|
<h1>Tokens</h1>
|
|
|
|
<p>Tokens allow enrolling smartphones and third party devices.</p>
|
|
<ul>
|
|
<li>You can issue yourself a token to be used on a mobile device</li>
|
|
<li>Enter username to issue a token to issue a token for another user</li>
|
|
<li>Enter e-mail address to issue a token to guest users outside domain</li>
|
|
</ul>
|
|
<p>
|
|
<div class="input-group">
|
|
<input id="token_username" name="username" type="text" class="form-control" placeholder="Username" aria-describedby="sizing-addon2">
|
|
<input id="token_mail" name="mail" type="mail" class="form-control" placeholder="Optional e-mail" aria-describedby="sizing-addon2">
|
|
<span class="input-group-btn">
|
|
<button class="btn btn-secondary" type="button" onClick="onSendToken();"><i class="fa fa-send"></i> Send token</button>
|
|
</span>
|
|
</div>
|
|
</p>
|
|
|
|
<div id="token_qrcode"></div>
|
|
{% endif %}
|
|
|
|
<h1>Pending requests</h1>
|
|
|
|
<p>Use Certidude client to apply for a certificate.
|
|
|
|
{% if not session.authority.request_subnets %}
|
|
Request submission disabled.
|
|
{% elif "0.0.0.0/0" in session.authority.request_subnets %}
|
|
Request submission is enabled.
|
|
{% else %}
|
|
Request submission allowed from
|
|
{% for subnet in session.authority.request_subnets %}{{ subnet }},{% endfor %}.
|
|
{% endif %}
|
|
|
|
{# if session.request_submission_allowed #}
|
|
See <a href="#request_submission_modal" data-toggle="modal">here</a> for more information on manual signing request upload.
|
|
{# endif #}
|
|
|
|
{% if session.authority.autosign_subnets %}
|
|
{% if "0.0.0.0/0" in session.authority.autosign_subnets %}
|
|
All requests are automatically signed.
|
|
{% else %}
|
|
Requests from
|
|
{% for subnet in session.authority.autosign_subnets %}
|
|
{{ subnet }},
|
|
{% endfor %}
|
|
are automatically signed.
|
|
{% endif %}
|
|
{% endif %}
|
|
</p>
|
|
|
|
<div id="pending_requests">
|
|
{% for request in session.authority.requests | sort(attribute="submitted", reverse=true) %}
|
|
{% include "views/request.html" %}
|
|
{% endfor %}
|
|
</div>
|
|
<p><h1>Revoked certificates</h1></p>
|
|
<p>Following certificates have been revoked,for more information click
|
|
<a href="#revocation_list_modal" data-toggle="modal">here</a>.</p>
|
|
|
|
{% for certificate in session.authority.revoked | sort(attribute="revoked", reverse=true) %}
|
|
{% include "views/revoked.html" %}
|
|
{% endfor %}
|
|
</div>
|
|
</div>
|
|
<section id="config">
|
|
</section>
|
|
|
|
{% endif %}
|