* Remove PyOpenSSL based wrapper classes * Remove unused API calls * Add certificate renewal via X-Renewal-Signature header * Remove (extended) key usage handling * Clean up OpenVPN and nginx server setup code * Use UDP port 51900 for OpenVPN by default * Add basic auth fallback for iOS in addition to Android * Reduce complexity
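{# Account overview for the signed-in user. The authority details are shown
   only when session.authority is set; plain users get the renewal hint
   instead. The section is closed after the endif so that both branches
   produce well-formed markup (previously the else branch left it open). #}
<section id="about">
  <h2>{{ session.user.gn }} {{ session.user.sn }} ({{session.user.name }}) settings</h2>

  {# The bundle hint is visible text rather than a title attribute, which
     keyboard and screen-reader users cannot reach reliably, and the link
     text names its destination instead of reading "here". #}
  <p><a href="/api/bundle/">Generate Android or iOS bundle for current user account</a>.
  Bundles are mainly intended for Android and iOS users.</p>

  <p>Mails will be sent to: {{ session.user.mail }}</p>

  {% if session.authority %}
  <h2>Authority certificate</h2>
  <p>Several things are hardcoded into the <a href="/api/certificate">certificate</a> and
  as such require complete reset of X509 infrastructure if some of them needs to be changed.</p>

  <h2>Authority settings</h2>
  <p>These can be reconfigured via /etc/certidude/server.conf on the server.</p>

  {% if session.authority.outbox %}
  <p>Outgoing mail server: {{ session.authority.outbox.server }}</p>
  {# The angle brackets around the address are literal text and must be
     escaped: a raw "<name@host>" is parsed as a bogus start tag and the
     address disappears from the rendered page. #}
  <p>Mails will appear from: {{ session.authority.outbox.name }} &lt;{{ session.authority.outbox.mail }}&gt;</p>
  {% else %}
  <p>E-mail disabled</p>
  {% endif %}

  <p>User enrollment:
    {% if session.authority.user_enrollment_allowed %}
      {% if session.authority.user_multiple_certificates %}multiple{% else %}single{% endif %}
      allowed
    {% else %}
      forbidden
    {% endif %}
  </p>

  <p>Machine enrollment:
    {% if session.authority.machine_enrollment_allowed %}allowed{% else %}forbidden{% endif %}
  </p>

  <p>Certificate attributes:</p>
  <ul>
    <li>Server certificate lifetime: {{ session.authority.signature.server_certificate_lifetime }} days</li>
    <li>Client certificate lifetime: {{ session.authority.signature.client_certificate_lifetime }} days</li>
    <li>Revocation list lifetime: {{ session.authority.signature.revocation_list_lifetime }} seconds</li>
  </ul>

  {# Each access-control list below is summarised as "anywhere" only when it
     contains the literal string "0.0.0.0/0"; any other catch-all spelling
     (for example an IPv6 ::/0 entry) is listed like an ordinary subnet.
     Each paragraph is now closed inside its own branch, which also fixes the
     admin_subnets case that never closed the <p> before opening the <ul>. #}
  {% if "0.0.0.0/0" in session.authority.user_subnets %}
  <p>Authenticated users allowed from: anywhere</p>
  {% else %}
  <p>Authenticated users allowed from:</p>
  <ul>
    {% for i in session.authority.user_subnets %}
    <li>{{ i }}</li>
    {% endfor %}
  </ul>
  {% endif %}

  {% if "0.0.0.0/0" in session.authority.request_subnets %}
  <p>Request submission is allowed from: anywhere</p>
  {% else %}
  <p>Request submission is allowed from:</p>
  <ul>
    {% for subnet in session.authority.request_subnets %}
    <li>{{ subnet }}</li>
    {% endfor %}
  </ul>
  {% endif %}

  {% if "0.0.0.0/0" in session.authority.autosign_subnets %}
  <p>Autosign is allowed from: anywhere</p>
  {% else %}
  <p>Autosign is allowed from:</p>
  <ul>
    {% for subnet in session.authority.autosign_subnets %}
    <li>{{ subnet }}</li>
    {% endfor %}
  </ul>
  {% endif %}

  {% if "0.0.0.0/0" in session.authority.admin_subnets %}
  <p>Authority administration is allowed from: anywhere</p>
  {% else %}
  <p>Authority administration is allowed from:</p>
  <ul>
    {% for subnet in session.authority.admin_subnets %}
    <li>{{ subnet }}</li>
    {% endfor %}
  </ul>
  {% endif %}

  <p>Authority administration allowed for:</p>
  <ul>
    {% for user in session.authority.admin_users %}
    <li><a href="mailto:{{ user.mail}}">{{ user.given_name }} {{user.surname }}</a></li>
    {% endfor %}
  </ul>
  {% else %}
  <p>Here you can renew your certificates</p>
  {% endif %}
</section>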
{# `s` is not referenced anywhere in this file; it may be read by the
   included partials (views/request.html, views/signed.html), which share
   this context - verify before removing. #}
{% set s = session.certificate.identity %}
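{% if session.authority %}
{# Everything from here on is the authority (admin) view and is skipped for
   plain users; the matching endif closes the file. #}
<section id="requests">
  <h1>Pending requests</h1>

  {% if session.request_submission_allowed %}
  <p>Generate private key and certificate signing request:</p>
  <pre>
openssl genrsa -out example.key 2048
openssl req -new -sha256 -key example.key -out example.csr
cat example.csr
</pre>

  {# The instruction doubles as the control's label so the textarea has an
     accessible name; the placeholder alone is not a label. Spell-check and
     autofill are switched off because the content is a PEM blob. #}
  <p><label for="request_body">Paste the contents here and click submit:</label></p>
  <textarea id="request_body" name="request_body" style="width:100%; min-height: 4em;" placeholder="-----BEGIN CERTIFICATE REQUEST-----" spellcheck="false" autocomplete="off"></textarea>
  {# Explicit type: a bare <button> defaults to "submit". No <form> is visible
     in this template, so the click is presumably handled by script via the
     request_submit id - confirm in the page's JS. #}
  <button class="icon upload" id="request_submit" type="button" style="float:none;">Submit</button>
  {% else %}
  <p>Submit a certificate signing request from Mac OS X, Ubuntu or Fedora:</p>
  <pre>easy_install pip
pip install certidude
certidude bootstrap {{session.authority.common_name}}</pre>
  {% endif %}

  {# One partial per pending request; the trailing "notify" item is always
     emitted and is presumably shown or hidden by CSS/JS depending on whether
     the list has entries - confirm. #}
  <ul id="pending_requests">
    {% for request in session.authority.requests %}
    {% include "views/request.html" %}
    {% endfor %}
    <li class="notify">
      <p>No certificate signing requests to sign!</p>
    </li>
  </ul>
</section>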
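<section id="signed">
  <h1>Signed certificates</h1>
  {# The original markup has no visible label for the search box, so give it
     an accessible name via aria-label; a visible <label> would be better if
     the layout allows one. #}
  <input id="search" type="search" class="icon search" aria-label="Search signed certificates" autocomplete="off">
  <ul id="signed_certificates">
    {# Newest first: the list is sorted and then reversed before rendering. #}
    {% for certificate in session.authority.signed | sort | reverse %}
    {% include "views/signed.html" %}
    {% endfor %}
  </ul>
</section>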
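<section id="log">
  <h1>Log</h1>
  {# Related checkboxes are grouped in a fieldset so the group has a name for
     assistive technology. Debug is the only level unchecked by default. If
     the previous inline <p> look must be kept, fieldset/legend need a CSS
     rule; the ids are unchanged so any script hooks still resolve. #}
  <fieldset>
    <legend>Log levels</legend>
    <input id="log_level_critical" type="checkbox" checked> <label for="log_level_critical">Critical</label>
    <input id="log_level_error" type="checkbox" checked> <label for="log_level_error">Errors</label>
    <input id="log_level_warning" type="checkbox" checked> <label for="log_level_warning">Warnings</label>
    <input id="log_level_info" type="checkbox" checked> <label for="log_level_info">Info</label>
    <input id="log_level_debug" type="checkbox"> <label for="log_level_debug">Debug</label>
  </fieldset>
  {# Empty in the template; presumably populated by script at runtime. #}
  <ul id="log_entries">
  </ul>
</section>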
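<section id="revoked">
  <h1>Revoked certificates</h1>
  {# window.location.href is expected to end with a slash here, otherwise
     "api/revoked/" is glued onto the last path segment - confirm in the code
     that renders this template. #}
  <p>To fetch <a href="{{window.location.href}}api/revoked/">certificate revocation list</a>:</p>
  {# All three examples point at this authority. The PEM variants used to
     hard-code a lab hostname over plain http, which would send users to the
     wrong (and unencrypted) endpoint on any other deployment. #}
  <pre>curl {{window.location.href}}api/revoked/ > crl.der
curl {{window.location.href}}api/revoked/ -L -H "Accept: application/x-pem-file"
curl {{window.location.href}}api/revoked/?wait=yes -L -H "Accept: application/x-pem-file" > crl.pem</pre>

  {# OCSP instructions are not shown yet. Kept as a template comment rather
     than an HTML comment so the {{request.url}} placeholders are neither
     evaluated by the template engine nor shipped to the browser. Original:
       <p>To perform online certificate status request</p>
       <pre>
       curl {{request.url}}/certificate/ > session.pem
       openssl ocsp -issuer session.pem -CAfile session.pem -url {{request.url}}/ocsp/ -serial 0x
       </pre> #}

  <ul>
    {% for j in session.authority.revoked %}
    <li id="certificate_{{ j.sha256sum }}">
      {{j.changed}}
      {{j.serial_number}} <span class="monospace">{{j.identity}}</span>
    </li>
    {% else %}
    {# for/else: rendered only when the revoked list is empty. The previous
       text was copied from the pending-requests list and did not match. #}
    <li>No revoked certificates.</li>
    {% endfor %}
  </ul>
</section>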
<section id="config">
  {# Intentionally empty in the template; presumably filled in by script at
     runtime - confirm against the page's JS before removing. #}
</section>
{# Closes the session.authority guard opened before the requests section. #}
{% endif %}