How can I add a cert to a CRL via the PHP shell?
-
I want to add my certs to a CRL from the command line. Where can I find a script like this?
Maybe somebody can show examples. Thank you
-
There is a good example, as there is a pfSense package that does just that: importing a certificate into the pfSense certificate manager.
Do you want me to look it up for you?
-
@Gertjan Thank you. I have an import-certificate script and it works, but it isn't the same problem.
-
My script for importing certificates:
<?php
// Import a certificate and its private key into the pfSense certificate manager from the CLI.
// Usage: php <script> /path/to/certificate.crt /path/to/private/key.pem "Description"
if (empty($argc)) {
    echo "Only accessible from the CLI.\r\n";
    die(1);
}
if ($argc != 4) {
    echo "Usage: php " . $argv[0] . " /path/to/certificate.crt /path/to/private/key.pem \"Description\"\r\n";
    die(1);
}
require_once "certs.inc";
require_once "pfsense-utils.inc";
require_once "functions.inc";
require_once "filter.inc";
require_once "shaper.inc";

$certificate = trim(file_get_contents($argv[1]));
$key = trim(file_get_contents($argv[2]));
if (empty($certificate)) {
    echo "The certificate is empty.\r\n";
    die(1);
}
if (!strstr($certificate, "BEGIN CERTIFICATE") || !strstr($certificate, "END CERTIFICATE")) {
    echo "This certificate does not appear to be valid.\r\n";
    die(1);
}
if (empty($key)) {
    echo "The key is empty.\r\n";
    die(1);
}
// The public key derived from the certificate must equal the one derived from the private key
if (cert_get_publickey($certificate, false) != cert_get_publickey($key, false, 'prv')) {
    echo "The private key does not match the certificate.\r\n";
    die(1);
}
$cert = array();
$cert['refid'] = uniqid();
$cert['descr'] = $argv[3];
$cert['type'] = "user";
cert_import($cert, $certificate, $key); // fills $cert['crt'] / $cert['prv'] (base64) and caref if a matching CA exists

// $config is the global configuration loaded by config.inc (pulled in through functions.inc)
if (!is_array($config['ca'])) {
    $config['ca'] = array();
}
$a_ca =& $config['ca'];
if (!is_array($config['cert'])) {
    $config['cert'] = array();
}
$a_cert =& $config['cert'];
$internal_ca_count = 0;
foreach ($a_ca as $ca) {
    if ($ca['prv']) {
        $internal_ca_count++;
    }
}
// Do not add a certificate that is already present in the config
foreach ($a_cert as $existing_cert) {
    if ($existing_cert['crt'] === $cert['crt']) {
        echo "The certificate is already imported.\r\n";
        die(); // exit with a valid error code, as this is intended behaviour
    }
}
$a_cert[] = $cert;
write_config('Add User Certificate');
log_error(gettext("webConfigurator configuration has changed. Restarting webConfigurator."));
send_event("service restart webgui");
echo "Completed! New certificate installed.\r\n";
-
I also tried to use this script for adding a cert to a CRL, but it doesn't work.
<?php
// CLI attempt: revoke the certificate named in $argv[1] into the first CRL in the config.
require_once "certs.inc";
require_once "pfsense-utils.inc";
require_once "functions.inc";
require_once "filter.inc";
require_once "shaper.inc";
require_once "openvpn.inc";
require_once "vpn.inc";

$input_errors = array();
$revoke_list = array();

$cert = lookup_cert_by_name($argv[1]);
if (!$cert) {
    echo "No certificate named " . $argv[1] . PHP_EOL;
    exit(1);
}
echo "Cert name: " . $cert['descr'] . PHP_EOL;
echo "Cert refid: " . $cert['refid'] . PHP_EOL;
echo "--------------CRL----------" . PHP_EOL;
$config = parse_config();
// lookup_crl() returns a reference into $config; assign it with =& so that the entry
// cert_revoke() appends to $crl['cert'] lands in the config that write_config() saves.
// A plain assignment ($crl = lookup_crl(...)) works on a copy and nothing gets persisted.
$crl =& lookup_crl($config['crl']['0']['refid']);
echo "------------" . $crl['descr'] . "------------" . PHP_EOL;
if ($crl['caref'] == $cert['caref']) {
    $revoke_list[] = $cert;
} else {
    $input_errors[] = gettext("CA mismatch between the Certificate and CRL. Unable to Revoke.");
}
if ($input_errors) {
    foreach ($input_errors as $err) {
        echo $err . PHP_EOL;
    }
    exit(1);
}
// The reason is the numeric CRL reason code (0 is the default the webConfigurator passes),
// not the label string "No Status".
if (cert_revoke($cert, $crl, 0)) {
    echo "Cert added to CRL" . PHP_EOL;
}
openvpn_refresh_crls();
write_config("Revoked certificate(s) in CRL {$crl['descr']}.");
if (is_cert_revoked($cert, $crl['refid'])) {
    echo "revoked" . PHP_EOL;
} else {
    echo "Status: Unrevoked" . PHP_EOL;
}

// ---- Revoke handler copied from the webConfigurator (system_crlmanager.php), kept for reference.
// It reads $_REQUEST and redirects with pfSenseHeader(), so it does nothing useful in a CLI run.
$config = parse_config();
unset($input_errors);
$pconfig = $_REQUEST;
$revoke_list = array();
if (!$pconfig['crlref'] || (!$pconfig['certref'] && (strlen($pconfig['revokeserial']) == 0))) {
    pfSenseHeader("system_crlmanager.php");
    exit;
}
$crl =& lookup_crl($pconfig['crlref']);
if (!is_array($pconfig['certref'])) {
    $pconfig['certref'] = array();
}
if (!is_crl_internal($crl)) {
    $input_errors[] = gettext("Cannot revoke certificates for an imported/external CRL.");
}
if (!empty($pconfig['revokeserial'])) {
    foreach (explode(' ', $pconfig['revokeserial']) as $serial) {
        $vserial = cert_validate_serial($serial, true, true);
        if ($vserial != null) {
            $revoke_list[] = $vserial;
        } else {
            $input_errors[] = gettext("Invalid serial in list (Must be ASN.1 integer compatible decimal or hex string).");
        }
    }
}
if (empty($pconfig['certref']) && empty($revoke_list)) {
    $input_errors[] = gettext("Select one or more certificates or enter a serial number to revoke.");
}
foreach ($pconfig['certref'] as $rcert) {
    $cert = lookup_cert($rcert);
    if ($crl['caref'] == $cert['caref']) {
        $revoke_list[] = $cert;
    } else {
        $input_errors[] = gettext("CA mismatch between the Certificate and CRL. Unable to Revoke.");
    }
}
if (!$input_errors) {
    $reason = (empty($pconfig['crlreason'])) ? 0 : $pconfig['crlreason'];
    foreach ($revoke_list as $cert) {
        cert_revoke($cert, $crl, $reason);
    }
    openvpn_refresh_crls();
    ipsec_configure();
    write_config("Revoked certificate(s) in CRL {$crl['descr']}.");
    pfSenseHeader("system_crlmanager.php");
    exit;
}
?>
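For comparison, here is a complete command-line revoke script written as an added example for this thread; it is neither the poster's script nor pfSense's own code. It takes the certificate description, the CRL refid and an optional numeric reason code, keeps `$crl` as a reference into `$config` so that the revocation is actually saved, refuses external (imported) CRLs and CA mismatches the same way the webConfigurator handler does, and checks the saved config before reporting success. The functions it calls (`lookup_cert_by_name`, `lookup_crl`, `is_crl_internal`, `cert_revoke`, `is_cert_revoked`, `openvpn_refresh_crls`, `ipsec_configure`, `write_config`) are the pfSense include functions already used in the scripts above; the file name `revoke_cert.php` and the argument layout are assumptions.

```php
<?php
/*
 * revoke_cert.php (hypothetical file name): revoke a certificate into an internal CRL
 * from the pfSense shell. Example code for this thread, not part of pfSense.
 *
 *   php revoke_cert.php "<cert description>" <crl refid> [reason]
 *
 * reason is the numeric CRL reason code that system_crlmanager.php passes to
 * cert_revoke(); it defaults to 0, the same default the webConfigurator uses.
 */
if (empty($argc)) {
    fwrite(STDERR, "Only accessible from the CLI." . PHP_EOL);
    exit(1);
}
if ($argc < 3 || $argc > 4) {
    fwrite(STDERR, "Usage: php " . $argv[0] . " \"<cert description>\" <crl refid> [reason]" . PHP_EOL);
    exit(1);
}
require_once "certs.inc";   // lookup_*, is_crl_internal, cert_revoke, is_cert_revoked (pulls in config.inc)
require_once "openvpn.inc"; // openvpn_refresh_crls
require_once "vpn.inc";     // ipsec_configure

$cert_name = $argv[1];
$crl_ref   = $argv[2];
$reason    = 0;
if ($argc == 4) {
    if (!ctype_digit($argv[3])) {
        fwrite(STDERR, "Reason must be a non-negative integer CRL reason code." . PHP_EOL);
        exit(1);
    }
    $reason = (int) $argv[3];
}

$cert = lookup_cert_by_name($cert_name);
if (!$cert) {
    fwrite(STDERR, "No certificate with description '{$cert_name}' found." . PHP_EOL);
    exit(1);
}

// Take the CRL by reference: lookup_crl() returns a reference into $config and
// cert_revoke() appends to $crl['cert'], so a plain copy would never be written out.
$crl =& lookup_crl($crl_ref);
if (!$crl) {
    fwrite(STDERR, "No CRL with refid '{$crl_ref}' found." . PHP_EOL);
    exit(1);
}
if (!is_crl_internal($crl)) {
    fwrite(STDERR, "Cannot revoke certificates for an imported/external CRL." . PHP_EOL);
    exit(1);
}
if ($crl['caref'] != $cert['caref']) {
    fwrite(STDERR, "CA mismatch between the Certificate and CRL. Unable to Revoke." . PHP_EOL);
    exit(1);
}
if (is_cert_revoked($cert, $crl['refid'])) {
    echo "Certificate '{$cert['descr']}' is already in CRL '{$crl['descr']}'." . PHP_EOL;
    exit(0);
}

cert_revoke($cert, $crl, $reason); // records the entry and regenerates the CRL text

// Same follow-up as the webConfigurator handler: hand the new CRL to OpenVPN and IPsec,
// then persist the configuration.
openvpn_refresh_crls();
ipsec_configure();
write_config("Revoked certificate {$cert['descr']} in CRL {$crl['descr']} (CLI).");

// Verify against the config that was just saved rather than trusting the return value.
if (!is_cert_revoked($cert, $crl['refid'])) {
    fwrite(STDERR, "Revocation was not recorded in CRL '{$crl['descr']}'." . PHP_EOL);
    exit(1);
}
echo "Certificate '{$cert['descr']}' (refid {$cert['refid']}) revoked in CRL '{$crl['descr']}' with reason {$reason}." . PHP_EOL;
exit(0);
```

Run it from the pfSense shell as `php revoke_cert.php "my-user-cert" <crl refid> 1` (the CRL refid is the value shown in `$config['crl'][n]['refid']`). The non-zero exit codes make it usable from cron or a wrapper shell script, which is how the acme package referenced later in the thread drives its PHP side.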
-
Try one that does work. Here: https://github.com/pfsense/FreeBSD-ports/tree/487258ae7cbd1039621b5dc5ac625f23d5519f39/security/pfSense-pkg-acme/files/usr/local/pkg/acme, take a look at the acme_command.sh - it's started as a shell command file, but execution will get relayed to php.
It also uses several command line arguments, so you'll feel at home right away.
-
@gertjan said in How can I add a cert to a CRL via the PHP shell?:
Try one that does work. Here: https://github.com/pfsense/FreeBSD-ports/tree/487258ae7cbd1039621b5dc5ac625f23d5519f39/security/pfSense-pkg-acme/files/usr/local/pkg/acme, take a look at the acme_command.sh - it's started as a shell command file, but execution will get relayed to php.
It also uses several command line arguments, so you'll feel at home right away.
Thank you @Gertjan
-
@Gertjan Do you know what token I should use here?
https://github.com/pfsense/FreeBSD-ports/blob/487258ae7cbd1039621b5dc5ac625f23d5519f39/security/pfSense-pkg-acme/files/usr/local/pkg/acme/acme_command.sh#L96
Where can I find it?