/**
 * Create a certificate authority: set up its certificate store, build a CSR
 * from the supplied DN and sign it.
 *
 * @param string $my_certstore_path base path under which the store is created
 * @param mixed  $my_device_type    passed through to create_csr() and sign_csr()
 * @param array  $my_cert_dn        DN fields plus 'commonName', 'days' and 'keySize';
 *                                  'days' and 'keySize' are stripped before the DN
 *                                  is handed to create_csr()
 * @param string $my_passphrase     passphrase handed to create_csr() and sign_csr()
 * @return void
 */
function create_ca($my_certstore_path, $my_device_type, $my_cert_dn, $my_passphrase)
{
    // NOTE(review): no guard against a store that already exists for this
    // commonName -- create_cert_store() is called unconditionally.
    create_cert_store($my_certstore_path, $my_cert_dn['commonName']);

    $validityDays = $my_cert_dn['days'];
    $keyBits = $my_cert_dn['keySize'];
    // create_csr() receives only the DN fields, without the two control values
    $dnOnly = array_diff_key($my_cert_dn, array('days' => true, 'keySize' => true));

    $csrFile = create_csr($dnOnly, $keyBits, $my_passphrase, $my_device_type);
    sign_csr($my_passphrase, $csrFile, $validityDays, $my_device_type);
    // TODO (carried over): check sign_csr code for device type
}
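/**
 * Create a new client certificate for a username or client hostname.
 *
 * A CSR is generated by create_csr() with only the common name and e-mail
 * address populated, signed with the CA material read from $cacert/$cakey,
 * and bundled together with its private key into a PKCS#12 blob.
 *
 * @param string $commonName   The username or hostname
 * @param string $emailAddress The user's email address
 * @param int    $serial       The serial number for the certificate. When empty
 *                             (0 / "" / null) the id of the hard-coded user row
 *                             is looked up in the database instead.
 * @param string $cacert       Path to Certificate Authority cert file
 * @param string $cakey        Path to Certificate Authority key file
 * @param int    $valid_days   Validity in number of days for the user certificate
 * @return string|false        The PKCS#12 bundle signed by the CA, or false on error
 */
function create_user_certificate($commonName, $emailAddress, $serial, $cacert, $cakey, $valid_days)
{
    $opensslConf = $GLOBALS['webserver_root'] . "/library/openssl.cnf";
    $config = array('config' => $opensslConf);

    /* Generate a certificate signing request (all DN fields except CN/email left blank) */
    $arr = create_csr($commonName, $emailAddress, "", "", "", "", "");
    if ($arr === false) {
        return false;
    }
    list($csr, $privkey) = $arr;

    /* The user id is used as serial number. The caller-supplied value was
     * previously overwritten unconditionally; honour it and only fall back to
     * the database lookup when none was given. */
    if (empty($serial)) {
        $serial = 0;
        $res = sqlStatement("select id from users where username='******'");
        if ($row = sqlFetchArray($res)) {
            $serial = $row['id'];
        }
    }

    /* Read the CA material up front so an unreadable file is reported as a
     * failure instead of "false" being handed to openssl_csr_sign(). */
    $caCertPem = file_get_contents($cacert);
    $caKeyPem = file_get_contents($cakey);
    if ($caCertPem === false || $caKeyPem === false) {
        return false;
    }

    $cert = openssl_csr_sign($csr, $caCertPem, $caKeyPem, $valid_days, $config, $serial);
    if ($cert === false) {
        return false;
    }

    /* Convert the user certificate to .p12 (PKCS 12) format, which is the
     * standard format used by browsers.
     * NOTE: the bundle is exported with an empty password, so the private key
     * inside it is not encrypted at rest; callers must treat the returned blob
     * as secret material. */
    if (openssl_pkcs12_export($cert, $p12Out, $privkey, "") === false) {
        return false;
    }
    return $p12Out;
}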
     convert_cert_pkcs12_form();
     printFooter();
     break;
 case "convert_cert_pkcs12":
     printHeader('Convert Certificate to PKCS#12');
     convert_cert_pkcs12($_POST['cert_name'], $_POST['pkey_pass'], $_POST['pkcs12_pass']);
     printFooter();
     break;
 case "createCSR_form":
     printHeader('Creating the CSR');
     createCSR_form();
     printFooter();
     break;
 case "createCSR":
     printHeader('Creating the CSR');
     create_csr($_POST['cert_dn'], $_POST['cert_dn']['keySize'], $_POST['passphrase'], $_POST['device_type']);
     printFooter();
     break;
 case "import_CSR_form":
     printHeader('Import a CSR');
     import_csr_form();
     printFooter();
     break;
 case "import_CSR":
     printHeader('Import a CSR');
     import_csr($_POST['request']);
     printFooter();
     break;
 case "upload_CSR_form":
     printHeader('Upload a CSR');
     upload_csr_form();
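/**
 * Create and download the following certificates:
 * - CertificateAuthority.key
 * - CertificateAuthority.crt
 * - Server.key
 * - Server.crt
 * - admin.p12
 * The following form inputs ($_POST) are used: commonName, emailAddress,
 * countryName, stateOrProvinceName, localityName, organizationName,
 * organizationalUnitName, clientCertValidity.
 *
 * All files are written to $GLOBALS['temporary_files_dir'], packed into
 * ssl.zip in that directory and streamed with download_file(). Certificate
 * generation errors are appended to the global $error_msg; zip errors are
 * reported through $_SESSION["zip_error"]. delete_certificates() is called on
 * every failure path (presumably it removes the generated files, so private
 * key material does not linger in the temp directory -- verify).
 *
 * @return void
 */
function create_and_download_certificates()
{
    global $error_msg;
    $tempDir = $GLOBALS['temporary_files_dir'];
    $zipName = $tempDir . "/ssl.zip";
    if (file_exists($zipName)) {
        unlink($zipName);
    }

    /* Retrieve the certificate name settings from the form input. An absent or
     * empty field yields null (as the previously undefined variable did)
     * without raising an undefined-index notice. */
    $postField = function ($name) {
        return empty($_POST[$name]) ? null : formData($name, 'P', true);
    };
    $commonName = $postField('commonName');
    $emailAddress = $postField('emailAddress');
    $countryName = $postField('countryName');
    $stateOrProvinceName = $postField('stateOrProvinceName');
    $localityName = $postField('localityName');
    $organizationName = $postField('organizationName');
    /* Was assigned to $organizationName, which clobbered the organization and
     * left the OU undefined for the CSRs below. */
    $organizationalUnitName = $postField('organizationalUnitName');
    $clientCertValidity = $postField('clientCertValidity');

    /* Create the Certificate Authority (CA). No issuer certificate is passed
     * to create_crt(), so this appears to be self-signed with its own key. */
    $arr = create_csr("OpenEMR CA for " . $commonName, $emailAddress, $countryName, $stateOrProvinceName, $localityName, $organizationName, $organizationalUnitName);
    if ($arr === false) {
        $error_msg .= xl('Error, unable to create the Certificate Authority certificate.', 'e');
        delete_certificates();
        return;
    }
    list($ca_csr, $ca_key) = $arr;
    $ca_crt = create_crt($ca_key, $ca_csr, NULL, $ca_key);
    /* The export calls return false on failure; a missing key file would
     * otherwise surface only later as an unusable admin.p12. */
    if ($ca_crt === false
        || !openssl_pkey_export_to_file($ca_key, $tempDir . "/CertificateAuthority.key")
        || !openssl_x509_export_to_file($ca_crt, $tempDir . "/CertificateAuthority.crt")) {
        $error_msg .= xl('Error, unable to create the Certificate Authority certificate.', 'e');
        delete_certificates();
        return;
    }

    /* Create the Server certificate, signed by the CA */
    $arr = create_csr($commonName, $emailAddress, $countryName, $stateOrProvinceName, $localityName, $organizationName, $organizationalUnitName);
    if ($arr === false) {
        $error_msg .= xl('Error, unable to create the Server certificate.', 'e');
        delete_certificates();
        return;
    }
    list($server_csr, $server_key) = $arr;
    $server_crt = create_crt($server_key, $server_csr, $ca_crt, $ca_key);
    /* Was `server_crt === false` (a bare constant), so a failed signing was
     * never detected. */
    if ($server_crt === false
        || !openssl_pkey_export_to_file($server_key, $tempDir . "/Server.key")
        || !openssl_x509_export_to_file($server_crt, $tempDir . "/Server.crt")) {
        $error_msg .= xl('Error, unable to create the Server certificate.', 'e');
        delete_certificates();
        return;
    }

    /* Create the client certificate for the 'admin' user; the user id is used
     * as the certificate serial number. */
    $serial = 0;
    $res = sqlStatement("select id from users where username='******'");
    if ($row = sqlFetchArray($res)) {
        $serial = $row['id'];
    }
    $user_cert = create_user_certificate("admin", $emailAddress, $serial, $tempDir . "/CertificateAuthority.crt", $tempDir . "/CertificateAuthority.key", $clientCertValidity);
    if ($user_cert === false || file_put_contents($tempDir . "/admin.p12", $user_cert) === false) {
        $error_msg .= xl('Error, unable to create the admin.p12 certificate.', 'e');
        delete_certificates();
        return;
    }

    /* Create a zip file containing the CertificateAuthority, Server, and admin files */
    try {
        if (!class_exists('ZipArchive')) {
            $_SESSION["zip_error"] = "Error, Class ZipArchive does not exist";
            delete_certificates();
            return;
        }
        $zip = new ZipArchive();
        /* ZipArchive::open() returns true on success and a non-zero error code
         * otherwise, so a plain truthiness test treated every failure as success. */
        if ($zip->open($zipName, ZipArchive::CREATE) !== true) {
            $_SESSION["zip_error"] = "Error, unable to create zip file with all the certificates";
            delete_certificates();
            return;
        }
        $files = array("CertificateAuthority.key", "CertificateAuthority.crt", "Server.key", "Server.crt", "admin.p12");
        foreach ($files as $file) {
            if (!$zip->addFile($tempDir . "/" . $file, $file)) {
                $zip->close();
                $_SESSION["zip_error"] = "Error, unable to create zip file with all the certificates";
                delete_certificates();
                return;
            }
        }
        $zip->close();
        /* Presumably so the zip bytes reach the client unaltered -- confirm */
        if (ini_get('zlib.output_compression')) {
            ini_set('zlib.output_compression', 'Off');
        }
    } catch (Exception $e) {
        $_SESSION["zip_error"] = "Error, Could not create file archive";
        delete_certificates();
        return;
    }
    download_file($zipName, "zip");
}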