/**
 * Create a CA: build a CSR for the supplied DN and have it signed.
 *
 * $my_cert_dn carries two non-DN entries, 'days' and 'keySize'; both are
 * consumed here and stripped before the remaining DN fields reach create_csr().
 *
 * @param string $my_certstore_path Certificate store path. Only referenced by the
 *                                  disabled store-creation check below, so it is
 *                                  currently unused.
 * @param string $my_device_type    Device type forwarded to create_csr() and sign_csr().
 * @param array  $my_cert_dn        DN fields plus 'days' and 'keySize'.
 * @param string $my_passphrase     Key passphrase forwarded to both helpers.
 * @return void
 */
function create_ca($my_certstore_path, $my_device_type, $my_cert_dn, $my_passphrase)
{
    // The original guard against an already-existing store is disabled:
    //if (!is_dir($my_certstore_path.$my_cert_dn['commonName']))
    //    create_cert_store($my_certstore_path, $my_cert_dn['commonName']);
    //else
    //    die('Fatal: CA Store already exists for '. $my_cert_dn['commonName']);

    $validity_days = $my_cert_dn['days'];
    $key_bits = $my_cert_dn['keySize'];
    // Strip the non-DN entries so only subject fields are passed on.
    unset($my_cert_dn['days'], $my_cert_dn['keySize']);

    $csr_file = create_csr($my_cert_dn, $key_bits, $my_passphrase, $my_device_type);
    sign_csr($my_passphrase, $csr_file, $validity_days, $my_device_type);
    //to do, check sign_csr code for device type
}
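/**
 * Create a new client certificate for a username or client hostname.
 *
 * The certificate is signed with the CA given by $cacert/$cakey and returned
 * as a PKCS#12 bundle holding the certificate together with its private key.
 *
 * @param string     $commonName   The username or hostname
 * @param string     $emailAddress The user's email address
 * @param int|string $serial       Serial number for the certificate. When empty
 *                                 (0, '' or null) it is looked up from the users
 *                                 table, as the original code always did.
 * @param string     $cacert       Path to Certificate Authority cert file.
 * @param string     $cakey        Path to Certificate Authority key file.
 * @param int        $valid_days   Validity in number of days for the user certificate
 * @return string|false The PKCS#12 bundle signed by the Certificate Authority, or false on error.
 */
function create_user_certificate($commonName, $emailAddress, $serial, $cacert, $cakey, $valid_days)
{
    $opensslConf = $GLOBALS['webserver_root'] . "/library/openssl.cnf";
    $config = array('config' => $opensslConf);

    /* Generate a certificate signing request */
    $arr = create_csr($commonName, $emailAddress, "", "", "", "", "");
    if ($arr === false) {
        return false;
    }
    $csr = $arr[0];
    $privkey = $arr[1];

    /* The user id is used as the serial number. Honour the value the caller
     * passed and only fall back to the database lookup when none was given;
     * the original discarded the $serial parameter and always re-queried. */
    if (empty($serial)) {
        $serial = 0;
        $res = sqlStatement("select id from users where username='******'");
        if ($row = sqlFetchArray($res)) {
            $serial = $row['id'];
        }
    }
    // NOTE: deriving the serial from a fixed user id means re-issuing a
    // certificate for the same user yields a duplicate serial under this CA,
    // which relying parties and CRL handling may reject.

    /* Read the CA material first so an unreadable file fails here rather than
     * as an opaque openssl_csr_sign() failure. */
    $caCertPem = file_get_contents($cacert);
    $caKeyPem = file_get_contents($cakey);
    if ($caCertPem === false || $caKeyPem === false) {
        return false;
    }

    $cert = openssl_csr_sign($csr, $caCertPem, $caKeyPem, $valid_days, $config, $serial);
    if ($cert === false) {
        return false;
    }

    /* Convert the user certificate to .p12 (PKCS 12) format, which is the
     * standard format used by browsers.
     * NOTE: the bundle is exported with an empty password, so the private key
     * inside it is unprotected at rest; whatever stores or transmits the
     * return value must treat it as a secret. */
    if (openssl_pkcs12_export($cert, $p12Out, $privkey, "") === false) {
        return false;
    }

    return $p12Out;
}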
// Fragment of the action-dispatch switch: the `switch` header and the cases
// before and after this span are outside the visible listing.
convert_cert_pkcs12_form();
printFooter();
break;
case "convert_cert_pkcs12":
    printHeader('Convert Certificate to PKCS#12');
    // Raw request values are handed straight to the handler; any validation of
    // the certificate name and the two passphrases must live inside
    // convert_cert_pkcs12() (not visible here).
    convert_cert_pkcs12($_POST['cert_name'], $_POST['pkey_pass'], $_POST['pkcs12_pass']);
    printFooter();
    break;
case "createCSR_form":
    printHeader('Creating the CSR');
    createCSR_form();
    printFooter();
    break;
case "createCSR":
    printHeader('Creating the CSR');
    // cert_dn is submitted as an array; its 'keySize' entry is also passed on
    // separately as the second argument.
    create_csr($_POST['cert_dn'], $_POST['cert_dn']['keySize'], $_POST['passphrase'], $_POST['device_type']);
    printFooter();
    break;
case "import_CSR_form":
    printHeader('Import a CSR');
    import_csr_form();
    printFooter();
    break;
case "import_CSR":
    printHeader('Import a CSR');
    // The 'request' field is forwarded as-is; import_csr() is responsible for
    // checking that it is a well-formed CSR.
    import_csr($_POST['request']);
    printFooter();
    break;
case "upload_CSR_form":
    printHeader('Upload a CSR');
    upload_csr_form();
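/**
 * Create and download the following certificates:
 *   - CertificateAuthority.key
 *   - CertificateAuthority.crt
 *   - Server.key
 *   - Server.crt
 *   - admin.p12
 *
 * The subject fields (commonName, emailAddress, countryName,
 * stateOrProvinceName, localityName, organizationName,
 * organizationalUnitName) and clientCertValidity are read from $_POST. The
 * files are written to $GLOBALS['temporary_files_dir'], packed into ssl.zip
 * and streamed to the client via download_file(). On failure the global
 * $error_msg is appended to (or $_SESSION['zip_error'] is set for archive
 * problems) and the function returns without sending anything.
 *
 * NOTE: the CA and server private keys are exported unencrypted and admin.p12
 * is produced with an empty password, so everything under $tempDir is secret
 * material until removed. delete_certificates() is only invoked on the error
 * paths in this function.
 *
 * @return void
 */
function create_and_download_certificates()
{
    global $error_msg;
    $tempDir = $GLOBALS['temporary_files_dir'];
    $zipName = $tempDir . "/ssl.zip";
    if (file_exists($zipName)) {
        unlink($zipName);
    }

    /* Retrieve the certificate name settings from the form input.
     * Every field is initialised so a missing or blank input can no longer
     * leave a variable undefined further down. */
    $commonName = '';
    $emailAddress = '';
    $countryName = '';
    $stateOrProvinceName = '';
    $localityName = '';
    $organizationName = '';
    $organizationalUnitName = '';
    $clientCertValidity = null;
    if (!empty($_POST["commonName"])) {
        $commonName = formData('commonName', 'P', true);
    }
    if (!empty($_POST["emailAddress"])) {
        $emailAddress = formData('emailAddress', 'P', true);
    }
    if (!empty($_POST["countryName"])) {
        $countryName = formData('countryName', 'P', true);
    }
    if (!empty($_POST["stateOrProvinceName"])) {
        $stateOrProvinceName = formData('stateOrProvinceName', 'P', true);
    }
    if (!empty($_POST["localityName"])) {
        $localityName = formData('localityName', 'P', true);
    }
    if (!empty($_POST["organizationName"])) {
        $organizationName = formData('organizationName', 'P', true);
    }
    if (!empty($_POST["organizationalUnitName"])) {
        // The original stored this in $organizationName, overwriting the
        // organisation and leaving $organizationalUnitName undefined.
        $organizationalUnitName = formData('organizationalUnitName', 'P', true);
    }
    if (!empty($_POST["clientCertValidity"])) {
        $clientCertValidity = formData('clientCertValidity', 'P', true);
    }

    /* Create the Certificate Authority (CA) */
    $arr = create_csr(
        "OpenEMR CA for " . $commonName,
        $emailAddress,
        $countryName,
        $stateOrProvinceName,
        $localityName,
        $organizationName,
        $organizationalUnitName
    );
    if ($arr === false) {
        $error_msg .= xl('Error, unable to create the Certificate Authority certificate.', 'e');
        delete_certificates();
        return;
    }
    $ca_csr = $arr[0];
    $ca_key = $arr[1];
    // No issuer certificate: the CA is self-signed with its own key.
    $ca_crt = create_crt($ca_key, $ca_csr, NULL, $ca_key);
    if ($ca_crt === false) {
        $error_msg .= xl('Error, unable to create the Certificate Authority certificate.', 'e');
        delete_certificates();
        return;
    }
    // The private key is written without a passphrase and with the process's
    // default file permissions.
    if (!openssl_pkey_export_to_file($ca_key, $tempDir . "/CertificateAuthority.key")
        || !openssl_x509_export_to_file($ca_crt, $tempDir . "/CertificateAuthority.crt")) {
        $error_msg .= xl('Error, unable to create the Certificate Authority certificate.', 'e');
        delete_certificates();
        return;
    }

    /* Create the Server certificate */
    $arr = create_csr(
        $commonName,
        $emailAddress,
        $countryName,
        $stateOrProvinceName,
        $localityName,
        $organizationName,
        $organizationalUnitName
    );
    if ($arr === false) {
        $error_msg .= xl('Error, unable to create the Server certificate.', 'e');
        delete_certificates();
        return;
    }
    $server_csr = $arr[0];
    $server_key = $arr[1];
    $server_crt = create_crt($server_key, $server_csr, $ca_crt, $ca_key);
    // The original compared the bare constant `server_crt`, so this check
    // never detected a failed signing.
    if ($server_crt === false) {
        $error_msg .= xl('Error, unable to create the Server certificate.', 'e');
        delete_certificates();
        return;
    }
    if (!openssl_pkey_export_to_file($server_key, $tempDir . "/Server.key")
        || !openssl_x509_export_to_file($server_crt, $tempDir . "/Server.crt")) {
        $error_msg .= xl('Error, unable to create the Server certificate.', 'e');
        delete_certificates();
        return;
    }

    /* Create the client certificate for the 'admin' user */
    $serial = 0;
    $res = sqlStatement("select id from users where username='******'");
    if ($row = sqlFetchArray($res)) {
        $serial = $row['id'];
    }
    $user_cert = create_user_certificate(
        "admin",
        $emailAddress,
        $serial,
        $tempDir . "/CertificateAuthority.crt",
        $tempDir . "/CertificateAuthority.key",
        $clientCertValidity
    );
    if ($user_cert === false) {
        $error_msg .= xl('Error, unable to create the admin.p12 certificate.', 'e');
        delete_certificates();
        return;
    }
    $adminFile = $tempDir . "/admin.p12";
    // Replaces an unchecked fopen/fwrite/fclose sequence.
    if (file_put_contents($adminFile, $user_cert) === false) {
        $error_msg .= xl('Error, unable to create the admin.p12 certificate.', 'e');
        delete_certificates();
        return;
    }

    /* Create a zip file containing the CertificateAuthority, Server, and admin files */
    try {
        if (!class_exists('ZipArchive')) {
            $_SESSION["zip_error"] = "Error, Class ZipArchive does not exist";
            return;
        }
        $zip = new ZipArchive();
        // ZipArchive::open() returns true on success or a non-zero error code
        // on failure. The error code is truthy, so the original
        // `if ($zip->open(...))` treated every failure as success.
        if ($zip->open($zipName, ZipArchive::CREATE) !== true) {
            $_SESSION["zip_error"] = "Error, unable to create zip file with all the certificates";
            return;
        }
        $files = array(
            "CertificateAuthority.key",
            "CertificateAuthority.crt",
            "Server.key",
            "Server.crt",
            "admin.p12",
        );
        foreach ($files as $file) {
            $zip->addFile($tempDir . "/" . $file, $file);
        }
        $zip->close();
        // Output compression would corrupt the binary download.
        if (ini_get('zlib.output_compression')) {
            ini_set('zlib.output_compression', 'Off');
        }
    } catch (Exception $e) {
        $_SESSION["zip_error"] = "Error, Could not create file archive";
        return;
    }

    download_file($zipName, "zip");
}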