I’ve been trying to write a web based certificate authority to help make signing up for my OpenVPN installation easier for the users. Until now we used OpenVPN GUI for Windows, which provides a frontend to OpenSSL for creating the CSRs. It’s all a pain and way beyond what our users can manage in general, so a nice web front-end is called for.
I read that PHP has bindings to the OpenSSL libraries, so I thought I’d try and use that. I had endless hassles with Apache though: it would just die the moment I called the openssl_* functions in PHP, or things would just return FALSE without any useful errors. I tried this on four FreeBSD machines, all with Apache 1.x on; eventually I found it worked fine on Apache 2 machines! I upgraded one of the systems and it’s all good now.
Writing the SSL stuff is very simple with PHP. I’ll soon have a full implementation of a certificate authority done that is fully web driven, so if there is any interest in this I may clean it up and release it under some open source licence. I will also put up some code samples later, but for now I just wanted to point out that to get this stuff going you need Apache 2, it seems, at least on FreeBSD machines.
The full entry has some screenshots of where I am today with the CA so you can get an idea of what I am getting at.
This being a frontend to OpenVPN I am hard coding some values in the certificates and just asking the user for the basics, so he gets a screen more or less like this:
This creates a private key and CSR; the key is password protected with the password specified. I also save an MD5 hash of the password to the filesystem.
A systems administrator gets an email whenever a CSR has been created; he can go and sign those CSRs with the CA certificate using this form:
Errors from OpenSSL get shown nicely in the result; here I typed in the wrong CA password:
On success the .cert gets written to the filesystem and the CSR gets archived; the systems administrator will see a screen like this:
All actions and errors get logged to an event log that’s viewable by admins; this includes OpenSSL errors etc.
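The two steps described above (the user creating a password-protected key and CSR, then an admin signing that CSR with the CA and archiving it) in PHP's openssl_* functions, as an added example that is not the code from this post. The file paths, the hard coded DN fields, the serial number choice, the event log file and the cli usage at the bottom are all assumptions for illustration; the example also stores the password with password_hash() rather than the MD5 hash the post mentions, which is a swapped-in choice of this example, not the post's. OpenSSL errors are drained with openssl_error_string() so a bare FALSE (for instance from a wrong CA password) is logged with its reason.

```php
<?php
declare(strict_types=1);

// Drain OpenSSL's error queue into one string so a FALSE return has a reason attached.
function openssl_errors(): string
{
    $messages = [];
    while (($msg = openssl_error_string()) !== false) {
        $messages[] = $msg;
    }
    return implode('; ', $messages) ?: 'no OpenSSL error reported';
}

// Append one timestamped line to the admin-viewable event log (path is an assumption).
function log_event(string $logFile, string $message): void
{
    file_put_contents($logFile, date('c') . ' ' . $message . PHP_EOL, FILE_APPEND | LOCK_EX);
}

// Step 1, user side: private key encrypted with the user's password, plus a CSR whose
// C/O/OU fields are hard coded for the VPN and only CN and email come from the form.
function create_key_and_csr(string $cn, string $email, string $password, string $outDir, string $logFile): bool
{
    $config = ['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA];
    $key = openssl_pkey_new($config);
    if ($key === false) {
        log_event($logFile, "key generation failed for $cn: " . openssl_errors());
        return false;
    }
    $dn = [
        'countryName'            => 'ZA',               // hard coded, assumed value
        'organizationName'       => 'Example VPN',      // hard coded, assumed value
        'organizationalUnitName' => 'OpenVPN users',    // hard coded, assumed value
        'commonName'             => $cn,
        'emailAddress'           => $email,
    ];
    $csr = openssl_csr_new($dn, $key, $config);
    if ($csr === false) {
        log_event($logFile, "CSR creation failed for $cn: " . openssl_errors());
        return false;
    }
    // Export the key PEM-encoded and encrypted under the user's password, and the CSR as PEM.
    if (!openssl_pkey_export($key, $keyPem, $password, $config) || !openssl_csr_export($csr, $csrPem)) {
        log_event($logFile, "export failed for $cn: " . openssl_errors());
        return false;
    }
    $safe = preg_replace('/[^A-Za-z0-9_.-]/', '_', $cn); // keep the CN out of path tricks
    file_put_contents("$outDir/$safe.key", $keyPem, LOCK_EX);
    chmod("$outDir/$safe.key", 0600);
    file_put_contents("$outDir/$safe.csr", $csrPem, LOCK_EX);
    // Password verifier for the later zip download; password_hash() instead of MD5 is this example's choice.
    file_put_contents("$outDir/$safe.pwhash", password_hash($password, PASSWORD_DEFAULT), LOCK_EX);
    log_event($logFile, "CSR created for $cn");
    return true;
}

// Step 2, admin side: unlock the CA key with the CA password, sign the stored CSR,
// write the certificate and move the CSR to the archive directory.
function sign_csr(string $csrFile, string $caCertFile, string $caKeyFile, string $caPassword,
                  string $certFile, string $archiveDir, string $logFile): bool
{
    $caKey = openssl_pkey_get_private(file_get_contents($caKeyFile), $caPassword);
    if ($caKey === false) { // a wrong CA password lands here
        log_event($logFile, "CA key unlock failed: " . openssl_errors());
        return false;
    }
    $serial = random_int(1, PHP_INT_MAX); // assumption; a real CA keeps a serial counter file
    $cert = openssl_csr_sign(file_get_contents($csrFile), file_get_contents($caCertFile), $caKey,
                             365, ['digest_alg' => 'sha256'], $serial);
    if ($cert === false || !openssl_x509_export($cert, $certPem)) {
        log_event($logFile, "signing failed for $csrFile: " . openssl_errors());
        return false;
    }
    file_put_contents($certFile, $certPem, LOCK_EX);
    rename($csrFile, $archiveDir . '/' . basename($csrFile));
    log_event($logFile, "signed $csrFile as $certFile (serial $serial)");
    return true;
}

// Assumed cli usage; in the web app these calls sit behind the two forms.
if (PHP_SAPI === 'cli') {
    $log = '/var/ca/events.log';
    create_key_and_csr('alice', 'alice@example.com', 'user-pass', '/var/ca/requests', $log);
    sign_csr('/var/ca/requests/alice.csr', '/var/ca/ca.crt', '/var/ca/ca.key', 'ca-pass',
             '/var/ca/certs/alice.cert', '/var/ca/archive', $log);
}
```

Both functions return FALSE and log the OpenSSL reason rather than dying silently, which is the behaviour the post describes for the result screen. The key file is written with mode 0600 because the web server user is the one creating it; the encrypted key plus the stored password verifier are what the planned zip download would check against.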
At the moment this is as far as I’ve got. Eventually though the system will generate OpenVPN config files that match my setup and send zip files to the user; the user will need the same password he used to encrypt the private key to retrieve the zip file.