Apache + PHP + OpenSSL

I've been trying to write a web-based certificate authority to make signing up for my OpenVPN installation easier for the users. Until now we used OpenVPN GUI for Windows, which provides a front-end to SSL for creating the CSRs. It's all a pain and well beyond what our users can manage in general, so a nice web front-end is called for.

I read that PHP has bindings to the OpenSSL libraries, so I thought I'd try to use that. I had endless hassles with Apache though: it would just die the moment I called the openssl_* functions in PHP, or things would just return FALSE without any useful errors. I tried this on 4 FreeBSD machines, all with Apache 1.x on; eventually I found it worked fine on Apache 2 machines! Upgraded one of the systems and it's all good now.

Writing the SSL stuff is very simple with PHP. I'll soon have a full implementation of a Certificate Authority done that is fully web driven, so if there is any interest in this I may clean it up and release it under some Open Source licence. I'll also put up some code samples later, but for now I just wanted to point out that to get this stuff going you need Apache 2, it seems, at least on FreeBSD machines.

The full entry has some screenshots of where I am today with the CA so you can get an idea of what I am getting at.

This being a front-end to OpenVPN, I am hard coding some values in the certificates and just asking the user for the basics, so he gets a screen more or less like this:

This creates a private key and CSR; the key is password-protected with the password specified. I also save an MD5 hash of the password to the filesystem.

A systems administrator gets an email whenever a CSR has been created; he can go and sign those CSRs with the CA certificate using this form:

Errors from OpenSSL get shown nicely in the result; here I typed in the wrong CA password:

On success the .cert gets written to the filesystem and the CSR gets archived; the systems administrator will see a screen like this:

All actions and errors get logged to an event log that's viewable by admins; this includes OpenSSL errors etc.

At the moment this is as far as I've got. Eventually though the system will generate OpenVPN config files that match my setup and send zip files to the user; the user will need the same password he used to encrypt the private key to retrieve the zip file.
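A worked version of the two screens described above (the user's key and CSR creation, then the administrator signing the CSR with the CA), added here as an example rather than the post's own code. The function names, the DN values and the throwaway in-script CA are assumptions so that it runs stand-alone; a salted password_hash stands in for the post's MD5 of the password, and the issued certificate is checked against the user's key, which is the pairing OpenVPN rejects with "key values mismatch" when the wrong key and cert are deployed together.

```php
<?php
// Added example, not the post's code. Minimal PHP + OpenSSL version of the
// flow described above: user gets a password-protected private key and a CSR,
// an administrator signs the CSR with the CA, OpenSSL errors are surfaced
// instead of a bare FALSE, and the issued cert is checked against the user's
// key. DN values are constructed; the CA is self-signed in-script so the
// example runs offline (a deployment would load the CA cert/key from disk).

function openssl_errors(): string
{
    // Drain OpenSSL's error queue; the openssl_* functions otherwise just return FALSE
    $errs = [];
    while (($e = openssl_error_string()) !== false) {
        $errs[] = $e;
    }
    return $errs ? implode('; ', $errs) : 'no OpenSSL error recorded';
}

function new_rsa_key()
{
    $key = openssl_pkey_new([
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ]);
    if ($key === false) {
        throw new RuntimeException('key generation failed: ' . openssl_errors());
    }
    return $key;
}

// Step 1 (user screen): private key + CSR, key encrypted with the user's password
function create_key_and_csr(string $commonName, string $email, string $password): array
{
    $dn = [
        'countryName'      => 'ZA',                        // hard-coded values (constructed)
        'organizationName' => 'Example VPN (constructed)',
        'commonName'       => $commonName,
        'emailAddress'     => $email,
    ];
    $key = new_rsa_key();
    $csr = openssl_csr_new($dn, $key, ['digest_alg' => 'sha256']);
    if ($csr === false) {
        throw new RuntimeException('CSR creation failed: ' . openssl_errors());
    }
    if (!openssl_pkey_export($key, $keyPem, $password,
            ['encrypt_key' => true, 'encrypt_key_cipher' => OPENSSL_CIPHER_AES_256_CBC])) {
        throw new RuntimeException('key export failed: ' . openssl_errors());
    }
    openssl_csr_export($csr, $csrPem);
    // Kept for the later zip download; a salted hash swapped in for the post's MD5
    $passwordHash = password_hash($password, PASSWORD_DEFAULT);
    return ['key' => $keyPem, 'csr' => $csrPem, 'password_hash' => $passwordHash];
}

// Step 2 (admin screen): sign the CSR with the CA; a wrong CA password fails here
function sign_csr(string $csrPem, string $caCertPem, string $caKeyPem, string $caPassword, int $days = 365): string
{
    $caKey = openssl_pkey_get_private($caKeyPem, $caPassword);
    if ($caKey === false) {
        throw new RuntimeException('cannot load CA key: ' . openssl_errors());
    }
    $cert = openssl_csr_sign($csrPem, $caCertPem, $caKey, $days,
        ['digest_alg' => 'sha256'], random_int(1, PHP_INT_MAX));
    if ($cert === false) {
        throw new RuntimeException('signing failed: ' . openssl_errors());
    }
    openssl_x509_export($cert, $certPem);
    return $certPem;
}

// Does the issued certificate really belong to the user's key? This is the
// pairing OpenVPN rejects with "key values mismatch" when it is wrong.
function cert_matches_key(string $certPem, string $keyPem, string $password): bool
{
    $key = openssl_pkey_get_private($keyPem, $password);
    return $key !== false && openssl_x509_check_private_key($certPem, $key);
}

// Throwaway self-signed CA so the example runs stand-alone (constructed)
function make_test_ca(string $caPassword): array
{
    $caKey = new_rsa_key();
    $csr = openssl_csr_new(['commonName' => 'Example VPN CA (constructed)'], $caKey, ['digest_alg' => 'sha256']);
    $cert = openssl_csr_sign($csr, null, $caKey, 3650, ['digest_alg' => 'sha256', 'x509_extensions' => 'v3_ca']);
    openssl_x509_export($cert, $caCertPem);
    openssl_pkey_export($caKey, $caKeyPem, $caPassword);
    return [$caCertPem, $caKeyPem];
}

[$caCert, $caKey] = make_test_ca('ca-secret');
$user = create_key_and_csr('alice', 'alice@example.com', 'user-secret');
$cert = sign_csr($user['csr'], $caCert, $caKey, 'ca-secret');
echo 'issued cert matches user key: ', var_export(cert_matches_key($cert, $user['key'], 'user-secret'), true), "\n";

try {
    sign_csr($user['csr'], $caCert, $caKey, 'wrong-password');   // the post's wrong-CA-password screen
} catch (RuntimeException $e) {
    echo 'admin would see: ', $e->getMessage(), "\n";
}
```

Running this from the command line with the openssl extension loaded is a useful smoke test before wiring the same calls into the web front-end: the `openssl_errors()` helper is what turns the silent FALSE the post complains about into the readable messages shown on the admin screen.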

7 Comments

This is an excellent idea, surely people will use it, I know I will :)

Funny: I started exactly the same project yesterday with the same architecture...
No GUI yet, just fiddling with the PHP openssl functions.
However, I've just created the first cert/privkey couple, put it into my existing openvpn conf to give it a spin, and it hangs with this error:

Cannot load private key file client.key: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

I'm trying to sort this out...

I would be definitely interested to collaborate with you on this. I believe it would have a large user base among existing openvpn users. We could share the code on sourceforge or something...
What do you think?

Cheers,
sergio

Is it possible to download this project? I'm very interested....

I would be very interested to see your code. I am attempting to implement a routine to encrypt plain text data given the data and an X.509v3 public key certificate.

I am having all sorts of trouble with this...

Did you ever progress this?

I would be interested in this kind of code as we have a requirement at work to manage several hundred certificates for an OpenVPN project. No sense re-inventing the wheel if it has already been half done.

I'm more than happy to help contribute, if there are bits still requiring effort.

Yes, we have the same project... I tried using easy-rsa but it hangs when the script prompts for something to be filled in. I tried using the PHP openssl_* functions, but when I sign my own CA root and install it on my machine the certificate is still not trusted even though I already self-signed the CA root certificate. It's really different from openssl on the CLI.

I'm also about to implement a certificate signing web front end and would be interested in your code if it's available. Thanks.
