Koozali.org: home of the SME Server

[ANNOUNCE] smeserver-phpki

Daniel B.
[ANNOUNCE] smeserver-phpki
« on: March 16, 2009, 10:49:12 PM »
I've packaged a new contrib for PHPki (you can see a demo here).
With this contrib, you can manage your own private PKI. Its main goal is to be used with smeserver-openvpn-bridge, but it's completely independent, and you can use it for any other application which requires X.509 certificates.
You can, for example, generate a custom certificate for Apache on your SME server (even with a wildcard *.domain.tld).

More information on this contrib is available on the wiki: http://wiki.contribs.org/PHPki
It's the end of the world!!! :lol:

lancelott2
Re: [ANNOUNCE] smeserver-phpki
« Reply #1 on: October 23, 2009, 06:02:13 AM »
hello,

Yeah, it's quite good, but maybe you can help me, because at the moment I'm trying to find out how I can make a cert for Zarafa with it.

:) greetings

lance
---------------------------------------------------------------------
I too am still constantly learning!
---------------------------------------------------------------------

Daniel B.
Re: [ANNOUNCE] smeserver-phpki
« Reply #2 on: October 23, 2009, 08:41:53 AM »
Sorry, I don't use Zarafa, but I think you can create a certificate with usage 'SSL Server'.

Cheers, Daniel

lancelott2
Re: [ANNOUNCE] smeserver-phpki
« Reply #3 on: October 23, 2009, 01:37:16 PM »
Hello,

Yes, too bad that PHPki is so badly documented *giggles* - some examples for the SME would be useful too :).
If I find something out, I will post it here.

Greetings,

Lance

Daniel B.
Re: [ANNOUNCE] smeserver-phpki
« Reply #4 on: October 23, 2009, 02:51:25 PM »
Please feel free to update the wiki with more information.

Regards, Daniel

kryptos
Re: [ANNOUNCE] smeserver-phpki
« Reply #5 on: July 19, 2010, 04:46:40 AM »
Hi all,

We installed smeserver-phpki for our OpenVPN connection. Now my problem is how I can delete the certificates I have created (VPN-only clients) instead of just revoking them. Also, when I try to renew the certs, it gives me an error that says "This was likely caused by entering the wrong certificate password." What password does it require? I want to renew the certificate because I forgot the password of the connection of this certificate.

Regards,
Rocel


Daniel B.
Re: [ANNOUNCE] smeserver-phpki
« Reply #6 on: July 22, 2010, 10:22:47 AM »
Quote from: kryptos
Now my problem is how I can delete the certificates I have created (VPN-only clients) instead of just revoking them.

It's not possible to completely delete a certificate (well, it can be done manually after being revoked if you edit the file /opt/phpki/phpki-store/CA/index.txt, but it's dangerous as you can corrupt your certificate database). The question is: why would you want to delete a certificate instead of just revoking it?

Quote from: kryptos
Also, when I try to renew the certs, it gives me an error that says "This was likely caused by entering the wrong certificate password." What password does it require? I want to renew the certificate because I forgot the password of the connection of this certificate.

Renewing a certificate will use the same CSR and the same private key as the old one (so the same password). This is an issue with PHPki, because if a private key is compromised, a new private key should be generated when the certificate is renewed. For now, I suggest you just leave the old one revoked and issue a new certificate with a different common name.

Regards, Daniel

kryptos
Re: [ANNOUNCE] smeserver-phpki
« Reply #7 on: July 22, 2010, 10:50:02 AM »
Hi Daniel,
Good Day!

Quote
It's not possible to completely delete a certificate (well, it can be done manually after being revoked if you edit the file /opt/phpki/phpki-store/CA/index.txt, but it's dangerous as you can corrupt your certificate database). The question is: why would you want to delete a certificate instead of just revoking it?

For housekeeping only, because there are a lot of users in our office that come and go. So I need the list clean, without a lot of revoked clients listed in PHPki. I can imagine what it would be like without removing them from the list; it could be a lot of mess.

Quote
Renewing a certificate will use the same CSR and the same private key as the old one (so the same password). This is an issue with PHPki, because if a private key is compromised, a new private key should be generated when the certificate is renewed. For now, I suggest you just leave the old one revoked and issue a new certificate with a different common name.

That's what I have done so far but I would like the list clean.


Regards,
Rocel

Daniel B.
Re: [ANNOUNCE] smeserver-phpki
« Reply #8 on: July 22, 2010, 10:55:59 AM »
Quote from: kryptos
For housekeeping only, because there are a lot of users in our office that come and go. So I need the list clean, without a lot of revoked clients listed in PHPki. I can imagine what it would be like without removing them from the list; it could be a lot of mess.

In the manage certificates page, you can just uncheck Revoked and Expired, then apply filter, and only valid certificates will be displayed...


Regards, Daniel
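A read-only way to get the clean list discussed above without editing index.txt, added here as an example (not code from PHPki or the contrib). It assumes the file uses the tab-separated database layout written by `openssl ca`; the sample rows and all function names are constructed for illustration.

```python
"""Read-only report over an OpenSSL `ca` index.txt (added example)."""
from datetime import datetime, timezone

# Constructed sample rows. Assumed field layout (tab-separated):
# status, expiry, revocation date[,reason], serial, filename, subject DN.
SAMPLE_INDEX = (
    "V\t300101000000Z\t\t01\tunknown\t/O=Example/CN=vpn-alice\n"
    "R\t300101000000Z\t100719044640Z\t02\tunknown\t/O=Example/CN=vpn-bob\n"
    "R\t300101000000Z\t100722102247Z,keyCompromise\t03\tunknown\t/O=Example/CN=vpn-carol\n"
    "V\t100101000000Z\t\t04\tunknown\t/O=Example/CN=vpn-dave\n"
)

def parse_time(stamp):
    if len(stamp) == 13:  # UTCTime: 00-49 means 20xx, 50-99 means 19xx
        stamp = ("20" if int(stamp[:2]) < 50 else "19") + stamp
    return datetime.strptime(stamp, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_index(text):
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revoked, serial, _file, subject = line.split("\t", 5)
        rev_date, _, reason = revoked.partition(",")
        entries.append({
            "status": status,
            "expires": parse_time(expiry),
            "revoked": parse_time(rev_date) if rev_date else None,
            "reason": reason or None,
            "serial": serial,
            "subject": subject,
        })
    return entries

def classify(entry, now):
    if entry["status"] == "R":
        return "revoked"
    # A 'V' row keeps its flag past expiry until `openssl ca -updatedb` is run,
    # so compare the date as well instead of trusting the flag alone.
    if entry["status"] == "E" or entry["expires"] <= now:
        return "expired"
    return "valid"

def report(text, now=None):
    now = now or datetime.now(timezone.utc)
    groups = {"valid": [], "revoked": [], "expired": []}
    for entry in parse_index(text):
        groups[classify(entry, now)].append(entry)
    return groups

if __name__ == "__main__":
    for state, rows in report(SAMPLE_INDEX).items():
        for e in rows:
            print(state, e["serial"], e["subject"], e["reason"] or "")
```

To run it against a real store, pass the contents of the index file (opened read-only) to `report()` in place of `SAMPLE_INDEX`; the file itself is never modified.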

kryptos
Re: [ANNOUNCE] smeserver-phpki
« Reply #9 on: July 22, 2010, 11:08:46 AM »
Quote from: Daniel B.
In the manage certificates page, you can just uncheck Revoked and Expired, then apply filter, and only valid certificates will be displayed...

Thanks Daniel, I never thought of that.