From b366ce9321e5ed9326cb7c644243bb4d1636fd6a Mon Sep 17 00:00:00 2001
From: Marc Mettke <marc@itmettke.de>
Date: Thu, 9 May 2019 07:51:41 +0200
Subject: [PATCH 1/4] Adding ipv6 to Dockerfile

* php-fpm was listening to ipv4 only
---
 docker/Dockerfile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/docker/Dockerfile b/docker/Dockerfile
index 5cf58d5..c9d49db 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -21,9 +21,8 @@ RUN mkdir -p /var/log/cert/ /run/php/ /sca/ && \
             rsync \
             ssmtp \
             sudo && \
-    sed -i -e '/listen =/ s/= .*/= 0.0.0.0:9000/' /etc/php7/php-fpm.d/www.conf && \
+    sed -i -e '/listen =/ s/= .*/= 9000/' /etc/php7/php-fpm.d/www.conf && \
     sed -i -e '/;pid =/ s/.*/pid = \/var\/run\/php-fpm.pid/' /etc/php7/php-fpm.conf && \
-    echo "" >> /etc/php7/php-fpm.conf && \
     chmod +x /entrypoint.sh /healthcheck.sh && \
     ln -sf /dev/stderr /var/log/php7/error.log
 RUN apk add git && \

From 0d24c33697d1567780ad74a63d2e1f6b301331ec Mon Sep 17 00:00:00 2001
From: Marc Mettke <marc@itmettke.de>
Date: Fri, 10 May 2019 17:42:00 +0200
Subject: [PATCH 2/4] Certificate signing requests

---
 migrations/004.php             |  8 +++++
 model/certificate.php          | 66 +++++++++++++++++++++++++++++++++-
 model/certificatedirectory.php | 15 +++++---
 model/migrationdirectory.php   |  2 +-
 templates/certificate.php      | 24 +++++++++++++
 templates/certificates.php     | 35 ++++++++++++++++--
 templates/invalid_key_type.php |  4 +++
 templates/invalid_subject.php  |  4 +++
 views/certificate.php          | 31 ++++++++++++++--
 views/certificates.php         | 37 ++++++++++++++++++-
 views/profile.php              |  2 +-
 views/profiles.php             |  2 +-
 12 files changed, 216 insertions(+), 14 deletions(-)
 create mode 100644 migrations/004.php
 create mode 100644 templates/invalid_key_type.php
 create mode 100644 templates/invalid_subject.php

diff --git a/migrations/004.php b/migrations/004.php
new file mode 100644
index 0000000..6ccb089
--- /dev/null
+++ b/migrations/004.php
@@ -0,0 +1,8 @@
+<?php
+$migration_name = 'Certificate Signing Request';
+
+$this->database->query("
+ALTER TABLE `certificate`
+    ADD `signing_request` tinyint(1) unsigned NOT NULL DEFAULT '0',
+    ADD `csr` text NOT NULL DEFAULT ''
+");
diff --git a/model/certificate.php b/model/certificate.php
index 6fc1588..dc66f93 100644
--- a/model/certificate.php
+++ b/model/certificate.php
@@ -103,7 +103,18 @@ public function get_openssl_info() {
 		exec('openssl pkey -pubout -in '.escapeshellarg($private_filename).' 2>/dev/null | openssl sha1', $private_modulus);		
 		unlink($private_filename);
 
-		if(empty($cert_modulus) || $cert_modulus != $fullchain_modulus || $fullchain_modulus != $private_modulus) {
+		if(!empty($this->csr)) {
+			$csr_filename = tempnam('/tmp', 'csr-test-');
+			$csr_file = fopen($csr_filename, 'w');
+			fwrite($csr_file, $this->csr);
+			fclose($csr_file);
+			exec('openssl req -pubkey -noout -in '.escapeshellarg($csr_filename).' 2>/dev/null | openssl sha1', $csr_modulus);		
+			unlink($csr_filename);
+		} else {
+			$csr_modulus = $cert_modulus;
+		}
+
+		if(empty($cert_modulus) || $cert_modulus != $fullchain_modulus || $fullchain_modulus != $private_modulus || $private_modulus != $csr_modulus) {
 			throw new InvalidArgumentException("Certificate doesn't look valid");
 		} else if(count($serial) == 1 && count($enddate) == 1 && 
 				preg_match('|^serial=(.*)$|', $serial[0], $matches_fp) &&
@@ -116,6 +127,56 @@ public function get_openssl_info() {
 		}
 	}
 
+	/**
+	* Create Signing Request using openssl
+	*/
+	public function create_openssl_certificate_signing_request($subject, $key_type) {
+		$csr_filename = tempnam('/tmp', 'csr-test-');
+		$private_filename = tempnam('/tmp', 'private-test-');
+
+		switch($key_type) {
+			case 'rsa8192':
+				exec('openssl genrsa -out '.escapeshellarg($private_filename).' 8192');
+				break;
+			case 'rsa4096':
+				exec('openssl genrsa -out '.escapeshellarg($private_filename).' 4096');
+				break;
+			case 'rsa2048':
+				exec('openssl genrsa -out '.escapeshellarg($private_filename).' 2048');
+				break;
+			case 'ecdsa521':
+				exec('openssl ecparam -genkey -name secp521r1 -out '.escapeshellarg($private_filename));
+				break;
+			case 'ecdsa384':
+				exec('openssl ecparam -genkey -name secp384r1 -out '.escapeshellarg($private_filename));
+				break;
+			case 'ecdsa256':
+				exec('openssl ecparam -genkey -name secp256r1 -out '.escapeshellarg($private_filename));
+				break;
+			case 'ed25519':
+				exec('openssl genpkey -algorithm Ed25519 -out '.escapeshellarg($private_filename));
+				break;
+			default:
+				throw new InvalidKeyTypeException();
+				break;
+		}
+		exec('openssl req -new -key '.escapeshellarg($private_filename).' -out '.escapeshellarg($csr_filename).' -subj '.escapeshellarg($subject), $output, $return_var);
+		if($return_var != 0) {
+			throw new InvalidCertificateSubject();
+		}
+
+        $this->private = file_get_contents($private_filename);
+        $this->cert = "";
+        $this->fullchain = "";
+        $this->signing_request = 1;
+		$this->csr = file_get_contents($csr_filename);
+		$this->serial = '';
+		$this->expiration = date('Y-m-d H:i:s', time());
+		
+		unlink($csr_filename);	
+		unlink($private_filename);
+	}
+
 	/**
 	* List all profiles using this certificate.
 	* @param array $include list of extra data to include in response - currently unused
@@ -168,3 +229,6 @@ public function list_dependent_profiles($include = array(), $filter = array()) {
 	}
 }
 class CertificateInUseException extends Exception {}
+class InvalidKeyTypeException extends Exception {}
+class InvalidCertificateSubject extends Exception {}
+	
diff --git a/model/certificatedirectory.php b/model/certificatedirectory.php
index 035b3db..ba43137 100644
--- a/model/certificatedirectory.php
+++ b/model/certificatedirectory.php
@@ -9,10 +9,12 @@ class CertificateDirectory extends DBDirectory {
 	*/
 	public function add_certificate(Certificate $certificate) {
 		global $event_dir;
-		$certificate->get_openssl_info();
+		if(!$certificate->csr) {
+			$certificate->get_openssl_info();
+		}
 		try {
-			$stmt = $this->database->prepare("INSERT INTO certificate SET name = ?, private = ?, cert = ?, fullchain = ?, serial = ?, expiration = ?, owner_id = ?");
-			$stmt->bind_param('ssssssd', $certificate->name, $certificate->private, $certificate->cert, $certificate->fullchain, $certificate->serial, $certificate->expiration, $certificate->owner_id);
+			$stmt = $this->database->prepare("INSERT INTO certificate SET name = ?, private = ?, cert = ?, fullchain = ?, serial = ?, expiration = ?, owner_id = ?, signing_request = ?, csr = ?");
+			$stmt->bind_param('ssssssdds', $certificate->name, $certificate->private, $certificate->cert, $certificate->fullchain, $certificate->serial, $certificate->expiration, $certificate->owner_id, $certificate->signing_request, $certificate->csr);
 			$stmt->execute();
 			$certificate->id = $stmt->insert_id;
 			$stmt->close();
@@ -80,7 +82,7 @@ public function list_certificates($include = array(), $filter = array()) {
 		$where = array();
 		$bind = array("");
 		foreach($filter as $field => $value) {
-			if($value) {
+			if($value || $value == 0) {
 				switch($field) {
 				case 'name':
 					$where[] = "certificate.name REGEXP ?";
@@ -97,6 +99,11 @@ public function list_certificates($include = array(), $filter = array()) {
 					$bind[0] = $bind[0] . "d";
 					$bind[] = $value;
 					break;
+				case 'signing_request':
+					$where[] = "certificate.signing_request = ?";
+					$bind[0] = $bind[0] . "d";
+					$bind[] = $value;
+					break;
 				}
 			}
 		}
diff --git a/model/migrationdirectory.php b/model/migrationdirectory.php
index d3d9677..94c2b43 100644
--- a/model/migrationdirectory.php
+++ b/model/migrationdirectory.php
@@ -6,7 +6,7 @@ class MigrationDirectory extends DBDirectory {
 	/**
 	* Increment this constant to activate a new migration from the migrations directory
 	*/
-	const LAST_MIGRATION = 3;
+	const LAST_MIGRATION = 4;
 
 	public function __construct() {
 		parent::__construct();
diff --git a/templates/certificate.php b/templates/certificate.php
index 1dbb761..6836684 100644
--- a/templates/certificate.php
+++ b/templates/certificate.php
@@ -10,7 +10,11 @@
 	<?php if($this->get('admin')) { ?>
 		<li><a href="#usage" data-toggle="tab">Usage</a></li>
 		<li><a href="#log" data-toggle="tab">Log</a></li>
+		<?php if($this->get('certificate')->signing_request) { ?>
+		<li><a href="#upload" data-toggle="tab">Upload Certificate</a></li>
+		<?php } else { ?>
 		<li><a href="#migrate" data-toggle="tab">Migration</a></li>
+		<?php } ?>
 	<?php } ?>
 </ul>
 
@@ -27,6 +31,8 @@
 			<dd><pre><?php out($this->get('certificate')->cert)?></pre></dd>
 			<dt>Fullchain (PEM Format)</dt>
 			<dd><pre><?php out($this->get('certificate')->fullchain)?></pre></dd>
+			<dt>CSR (PEM Format)</dt>
+			<dd><pre><?php out($this->get('certificate')->csr)?></pre></dd>
 		</dl>
 
 		<form method="post" action="<?php outurl($this->data->relative_request_url) ?>" class="form-horizontal">
@@ -110,6 +116,23 @@
 		</table>
 	</div>
 
+	<?php if($this->get('certificate')->signing_request) { ?>
+	<div class="tab-pane fade" id="upload">
+		<h2 class="sr-only">Upload certificate</h2>
+		<form method="post" action="<?php outurl($this->data->relative_request_url)?>">
+			<?php out($this->get('active_user')->get_csrf_field(), ESC_NONE) ?>
+			<div class="form-group">
+				<label for="cert">Cert (PEM Format)</label>
+				<textarea id="cert" name="cert" cols="40" rows="5" class="form-control" required></textarea>
+			</div>
+			<div class="form-group">
+				<label for="fullchain">Fullchain (PEM Format)</label>
+				<textarea id="fullchain" name="fullchain" cols="40" rows="5" class="form-control" required></textarea>
+			</div>
+			<button type="submit" name="upload_certificate" value="1" class="btn btn-primary">Add certificate</button>
+		</form>
+	</div>
+	<?php } else { ?>
 	<div class="tab-pane fade" id="migrate">
 		<h2 class="sr-only">Migrate</h2>
 		<div class="panel panel-default">
@@ -143,4 +166,5 @@
 			<button type="submit" name="migrate" value="1" class="btn btn-primary">Migrate</button>
 		</form>
 	</div>
+	<?php } ?>
 </div>
diff --git a/templates/certificates.php b/templates/certificates.php
index 47ec78e..1dda255 100644
--- a/templates/certificates.php
+++ b/templates/certificates.php
@@ -1,7 +1,8 @@
 <h1>Certificates</h1>
 <ul class="nav nav-tabs">
 	<li><a href="#list" data-toggle="tab">Certificate list</a></li>
-	<li><a href="#add" data-toggle="tab">Add certificate</a></li>
+	<li><a href="#add" data-toggle="tab">Add Signing Request</a></li>
+	<li><a href="#upload" data-toggle="tab">Upload certificate</a></li>
 </ul>
 
 <!-- Tab panes -->
@@ -56,7 +57,35 @@
 	</div>
 
 	<div class="tab-pane fade" id="add">
-		<h2 class="sr-only">Add certificate</h2>
+		<h2 class="sr-only">Add Signing Request</h2>
+		<form method="post" action="<?php outurl($this->data->relative_request_url)?>">
+			<?php out($this->get('active_user')->get_csrf_field(), ESC_NONE) ?>
+			<div class="form-group">
+				<label for="name">Name</label>
+				<input type="text" id="name" name="name" class="form-control" required>
+			</div>
+			<div class="form-group">
+				<label for="subject">Subject</label>
+				<input type="text" id="subject" name="subject" class="form-control" placeholder="/CN=&#60;domain&#62;" required>
+			</div>
+			<div class="form-group">
+				<label for="key_type">Key Type</label>
+				<select id="key_type" name="key_type" class="browser-default custom-select form-control" required>
+					<option value="rsa8192" label="RSA 8192">
+					<option value="rsa4096" label="RSA 4096" selected>
+					<option value="rsa2048" label="RSA 2048">
+					<option value="ecdsa521" label="ECDSA Secp 521">
+					<option value="ecdsa384" label="ECDSA Secp 384">
+					<option value="ecdsa256" label="ECDSA Secp 256">
+					<option value="ed25519" label="EdDSA Ed25519">
+				</select>
+			</div>
+			<button type="submit" name="add_signing_request" value="1" class="btn btn-primary">Add certificate</button>
+		</form>
+	</div>
+
+	<div class="tab-pane fade" id="upload">
+		<h2 class="sr-only">Upload certificate</h2>
 		<form method="post" action="<?php outurl($this->data->relative_request_url)?>">
 			<?php out($this->get('active_user')->get_csrf_field(), ESC_NONE) ?>
 			<div class="form-group">
@@ -79,7 +108,7 @@
 				<label for="fullchain">Fullchain (PEM Format)</label>
 				<textarea id="fullchain" name="fullchain" cols="40" rows="5" class="form-control" required></textarea>
 			</div>
-			<button type="submit" name="add_certificate" value="1" class="btn btn-primary">Add certificate</button>
+			<button type="submit" name="upload_certificate" value="1" class="btn btn-primary">Add certificate</button>
 		</form>
 	</div>
 </div>
diff --git a/templates/invalid_key_type.php b/templates/invalid_key_type.php
new file mode 100644
index 0000000..eb41fee
--- /dev/null
+++ b/templates/invalid_key_type.php
@@ -0,0 +1,4 @@
+<h1>Invalid Script Type</h1>
+<div class="alert alert-danger">
+<p>"<?php out($this->get('type'))?>" doesn't look like a valid key type. Please <a href="" class="navigate-back">go back</a> and try again.</p>
+</div>
diff --git a/templates/invalid_subject.php b/templates/invalid_subject.php
new file mode 100644
index 0000000..23c79fb
--- /dev/null
+++ b/templates/invalid_subject.php
@@ -0,0 +1,4 @@
+<h1>Invalid Certifcate Subject</h1>
+<div class="alert alert-danger">
+<p>"<?php out($this->get('subject'))?>" doesn't look like a valid certificate subject. Please <a href="" class="navigate-back">go back</a> and try again.</p>
+</div>
diff --git a/views/certificate.php b/views/certificate.php
index 018c04a..20295f9 100644
--- a/views/certificate.php
+++ b/views/certificate.php
@@ -9,7 +9,34 @@
 	require('views/error403.php');
 	die;
 }
-if(isset($_POST['delete_certificate'])) {
+if(isset($_POST['upload_certificate'])) {
+    $cert = getParameterOrDie($_POST, 'cert');
+    $fullchain = getParameterOrDie($_POST, 'fullchain');
+    
+	$certificate->cert = $cert;
+	$certificate->fullchain = $fullchain;
+	$certificate->signing_request = 0;
+
+	try {
+		$certificate->get_openssl_info();
+		$certificate->update();
+		$alert = new UserAlert;
+		$alert->content = 'Certificate \'<a href="'.rrurl('/certificates/'.urlencode($certificate->name)).'" class="alert-link">'.hesc($certificate->name).'</a>\' successfully created.';
+		$alert->escaping = ESC_NONE;
+		$active_user->add_alert($alert);
+		redirect('#view');
+	} catch(CertificateAlreadyExistsException $e) {
+		$alert = new UserAlert;
+		$alert->content = 'Certificate \'<a href="'.rrurl('/certificates/'.urlencode($certificate->name)).'" class="alert-link">'.hesc($certificate->name).'</a>\' is already known by SSL Cert Authority.';
+		$alert->escaping = ESC_NONE;
+		$alert->class = 'danger';
+		$active_user->add_alert($alert);
+		redirect('#add');
+	} catch(InvalidArgumentException $e) {
+		$content = new PageSection('certificate_upload_fail');
+	}
+}
+else if(isset($_POST['delete_certificate'])) {
 	try {
 		$certificate->delete();
 		$alert = new UserAlert;
@@ -60,7 +87,7 @@
 		$content->set('admin', $active_user->admin);
 		$content->set('filter', $filter);
 		$content->set('certificate', $certificate);
-		$content->set('all_certificates', $certificate_dir->list_certificates());
+		$content->set('all_certificates', $certificate_dir->list_certificates(array(), array("signing_request" => 0)));
 		$content->set('profiles', $profiles);
 		$content->set('log', $certificate->get_log());
 		$head = '<link rel="alternate" type="application/json" href="'.urlencode($router->vars['name']).'/format.json" title="JSON for this page">'."\n";
diff --git a/views/certificates.php b/views/certificates.php
index 4e10273..5b64f7f 100644
--- a/views/certificates.php
+++ b/views/certificates.php
@@ -1,5 +1,38 @@
 <?php
-if(isset($_POST['add_certificate'])) {
+if(isset($_POST['add_signing_request'])) {
+    $name = getParameterOrDie($_POST, 'name');
+    $subject = getParameterOrDie($_POST, 'subject');
+    $key_type = getParameterOrDie($_POST, 'key_type');
+
+    $certificate = new Certificate;
+    $certificate->name = $name;
+    $certificate->owner_id = $active_user->id;
+
+    try {
+        $certificate->create_openssl_certificate_signing_request($subject, $key_type);
+        $certificate_dir->add_certificate($certificate);
+        $alert = new UserAlert;
+        $alert->content = 'Certificate \'<a href="'.rrurl('/certificates/'.urlencode($certificate->name)).'" class="alert-link">'.hesc($certificate->name).'</a>\' successfully created.';
+        $alert->escaping = ESC_NONE;
+        $active_user->add_alert($alert);
+        redirect('#add');
+    } catch(CertificateAlreadyExistsException $e) {
+        $alert = new UserAlert;
+        $alert->content = 'Certificate \'<a href="'.rrurl('/certificates/'.urlencode($certificate->name)).'" class="alert-link">'.hesc($certificate->name).'</a>\' is already known by SSL Cert Authority.';
+        $alert->escaping = ESC_NONE;
+        $alert->class = 'danger';
+        $active_user->add_alert($alert);
+        redirect('#add');
+    } catch(InvalidKeyTypeException $e) {
+        error_log($e);
+        $content = new PageSection('invalid_key_type');
+        $content->set('type', $key_type);
+    } catch(InvalidCertificateSubject $e) {
+        error_log($e);
+        $content = new PageSection('invalid_subject');
+        $content->set('subject', $subject);
+    }
+} else if(isset($_POST['upload_certificate'])) {
     $name = getParameterOrDie($_POST, 'name');
     $private = getParameterOrDie($_POST, 'private');
     $password = getParameterOrDie($_POST, 'password');
@@ -24,6 +57,8 @@
         $certificate->cert = $cert;
         $certificate->fullchain = $fullchain;
         $certificate->owner_id = $active_user->id;
+        $certificate->signing_request = 0;
+        $certificate->csr = '';
     
         try {
             $certificate_dir->add_certificate($certificate);
diff --git a/views/profile.php b/views/profile.php
index 7bec01c..6b23981 100644
--- a/views/profile.php
+++ b/views/profile.php
@@ -155,7 +155,7 @@
 			$content = new PageSection('profile');
 			$content->set('filter', $filter);
 			$content->set('profile', $profile);
-			$content->set('all_certificates', $certificate_dir->list_certificates());
+			$content->set('all_certificates', $certificate_dir->list_certificates(array(), array("signing_request" => 0)));
 			$content->set('all_servers', $server_dir->list_servers());
 			$content->set('all_services', $service_dir->list_services());
 			$content->set('servers', $servers);
diff --git a/views/profiles.php b/views/profiles.php
index 093e2de..a862010 100644
--- a/views/profiles.php
+++ b/views/profiles.php
@@ -91,7 +91,7 @@
         $content = new PageSection('profiles');
         $content->set('filter', $filter);
         $content->set('profiles', $profiles);
-        $content->set('all_certificates', $certificate_dir->list_certificates());
+        $content->set('all_certificates', $certificate_dir->list_certificates(array(), array("signing_request" => 0)));
         $content->set('all_servers', $server_dir->list_servers());
         $content->set('all_services', $service_dir->list_services());
 		$head = '<link rel="alternate" type="application/json" href="profiles.json" title="JSON for this page">'."\n";

From 3b54d6b41ae5d5d270d70acbd4ba840f4f01804c Mon Sep 17 00:00:00 2001
From: Marc Mettke <mmettke@novomind.com>
Date: Mon, 13 May 2019 15:57:26 +0200
Subject: [PATCH 3/4] Client Certificate authenticaton

---
 examples/nginx-client-cert/README.md          |  58 ++++++++
 examples/nginx-client-cert/docker-compose.yml |  97 +++++++++++++
 examples/nginx-client-cert/nginx.conf         |  38 ++++++
 examples/shared/config-client-cert/ca.key     |  27 ++++
 examples/shared/config-client-cert/ca.pem     |  19 +++
 examples/shared/config-client-cert/ca.srl     |   1 +
 examples/shared/config-client-cert/cert-sync  |  27 ++++
 .../shared/config-client-cert/cert-sync.pfx   | Bin 0 -> 3141 bytes
 .../shared/config-client-cert/cert-sync.pub   |   1 +
 examples/shared/config-client-cert/config.ini | 129 ++++++++++++++++++
 .../shared/config-client-cert/proceme.pfx     | Bin 0 -> 3133 bytes
 .../shared/config-client-cert/rainbow.pfx     | Bin 0 -> 3133 bytes
 requesthandler.php                            |   9 ++
 13 files changed, 406 insertions(+)
 create mode 100644 examples/nginx-client-cert/README.md
 create mode 100644 examples/nginx-client-cert/docker-compose.yml
 create mode 100644 examples/nginx-client-cert/nginx.conf
 create mode 100644 examples/shared/config-client-cert/ca.key
 create mode 100644 examples/shared/config-client-cert/ca.pem
 create mode 100644 examples/shared/config-client-cert/ca.srl
 create mode 100644 examples/shared/config-client-cert/cert-sync
 create mode 100644 examples/shared/config-client-cert/cert-sync.pfx
 create mode 100644 examples/shared/config-client-cert/cert-sync.pub
 create mode 100644 examples/shared/config-client-cert/config.ini
 create mode 100644 examples/shared/config-client-cert/proceme.pfx
 create mode 100644 examples/shared/config-client-cert/rainbow.pfx

diff --git a/examples/nginx-client-cert/README.md b/examples/nginx-client-cert/README.md
new file mode 100644
index 0000000..f3548e4
--- /dev/null
+++ b/examples/nginx-client-cert/README.md
@@ -0,0 +1,58 @@
+# Example: nginx + client certificate
+
+This Example shows how to use sca with nginx and client certificate using docker.
+
+## Prepare setup
+
+1. Start system using `docker-compose up -d`
+1. Add pfx [certificates](../shared/config-client-cert/) to your browser
+1. Visit https://localhost
+1. Login using one of the following credentials (Only cert-sync account exists at first):
+
+|Username|Type|
+|---|---|
+|cert-sync|admin|
+|rainbow|admin|
+|proceme|user|
+
+If something goes wrong, check the log using:
+```
+docker logs -f nginx-client-cert_sca_1
+```
+
+## Using sca
+
+_The `cert-sync` user should only be used for the first setup. Afterwards its best to create a dedicated account per user._
+
+1. Login using the admin account `cert-sync`.
+1. Create user `rainbow` as admin and user `proceme` as user at https://localhost/users#add
+1. Add the server `nginx.example.com` and `httpd.example.com` at https://localhost/servers#add
+1. Sca should be able to connect to both systems. You can verify this by checking whether there is an `Synced successfully` next to the servers. 
+1. Add the scripts [check_loport.sh](../scripts/check_loport.sh), [restart_httpd.sh](../scripts/httpd/restart_httpd.sh), [restart_nginx.sh](../scripts/nginx/restart_nginx.sh) and [status_pidfile.sh](../scripts/status_pidfile.sh)
+1. Add two services called `nginx_8443` and `httpd_8444`. Both should use `check_loport.sh`, `status_pidfile.sh` and their respective restart script
+1. Add the following two variables to both services.
+   * nginx_8443:
+      * Name: `PID_FILE`
+      * Value: `/run/nginx/nginx.pid`
+      * Name: `PORT`
+      * Value: `8443`
+   * httpd_8444:
+      * Name: `PID_FILE`
+      * Value: `/var/run/apache2/httpd.pid`
+      * Name: `PORT`
+      * Value: `8444`
+1. Add the certificates from [certificates](../certificates)
+1. Add two profiles. `nginx_demo` with `nginx.example.com` and `nginx_8443` as well as `httpd_demo` with `httpd.example.com` and `httpd_8444`. Both with certifcate `test1`.
+1. Go to https://localhost/servers#list and use `Sync listed servers now`. After the confirmation it should only take a few seconds until both servers should be set to `Synced successfully`.
+1. Visit https://localhost:8443/ and https://localhost:8444/ and take a look at the certificate it should be valid till 2020-01-01. Now visit [certificate test1](https://localhost/certificates/test1#migrate) and migrate it to `test2`. Afterwards synchronise the servers again. After reloading both pages, the certificate should now be valid till 2021-01-01.
+
+## Add access for new users
+
+1. Generate private key: `openssl genrsa -out <username>.key 2048`
+1. Generate certificate signing request: `openssl req -new -key <username>.key -out <username>.csr -subj "/CN=<username>"`
+1. Generate certificate using the ca: `openssl x509 -req -in <username>.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out <username>.pem -days 36500 -sha256`
+1. Generate pfx: `openssl pkcs12 -export -out <username>.pfx -inkey <username>.key -in <username>.pem -certfile ca.pem`
+
+## View synchronisation logs
+
+The Web UI only shows very rudimentary error messages. For more information connect to the php container using `docker exec -it nginx-client-cert_sca-php_1 /bin/ash`. In there, you can use the this command to follow the log file of the synchronisation daemon: `tail -f /var/log/cert/sync.log`.
diff --git a/examples/nginx-client-cert/docker-compose.yml b/examples/nginx-client-cert/docker-compose.yml
new file mode 100644
index 0000000..9edfeb8
--- /dev/null
+++ b/examples/nginx-client-cert/docker-compose.yml
@@ -0,0 +1,97 @@
+version: '2.2'
+services:
+  test-nginx:
+    image: alpine
+    command: /bin/ash -c "(id cert-sync || adduser -h /var/local/cert-sync -S -D -s /bin/sh cert-sync) && mkdir -p /var/run/nginx/ && chmod 711 /var/local/cert-sync && cp /key /var/local/cert-sync/cert-sync && chown cert-sync:nogroup /var/local/cert-sync/cert-sync && chmod 644 /var/local/cert-sync/cert-sync && apk add openssh openssl nginx sudo && ssh-keygen -A && sed -i -e '/#StrictModes/ s/.*/StrictModes no/' /etc/ssh/sshd_config && sed -i -e '/AuthorizedKeysFile/ s/.*/AuthorizedKeysFile \/var\/local\/cert-sync\/%u/' /etc/ssh/sshd_config && passwd cert-sync -d test && passwd root -d test && echo 'cert-sync ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers && /usr/sbin/sshd -D"
+    restart: always
+    expose:
+      - "22"
+    ports:
+      - "8443:8443"
+    depends_on:
+      - sca-php
+    volumes:
+      - ../shared/config-client-cert/cert-sync.pub:/key:ro
+      - ../shared/nginx-demo.conf:/etc/nginx/conf.d/default.conf:ro
+    networks:
+      net:
+        aliases:
+         - nginx.example.com
+
+  test-httpd:
+    image: alpine
+    command: /bin/ash -c "(id cert-sync || adduser -h /var/local/cert-sync -S -D -s /bin/sh cert-sync) && chmod 711 /var/local/cert-sync && cp /key /var/local/cert-sync/cert-sync && chown cert-sync:nogroup /var/local/cert-sync/cert-sync && chmod 644 /var/local/cert-sync/cert-sync && apk add openssh openssl apache2 apache2-ssl sudo && ssh-keygen -A && sed -i -e '/#StrictModes/ s/.*/StrictModes no/' /etc/ssh/sshd_config && sed -i -e '/AuthorizedKeysFile/ s/.*/AuthorizedKeysFile \/var\/local\/cert-sync\/%u/' /etc/ssh/sshd_config && passwd cert-sync -d test && passwd root -d test && echo 'cert-sync ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers && /usr/sbin/sshd -D"
+    restart: always
+    expose:
+      - "22"
+    ports:
+      - "8444:8444"
+    depends_on:
+      - sca-php
+    volumes:
+      - ../shared/config-client-cert/cert-sync.pub:/key:ro
+      - ../shared/httpd-demo.conf:/etc/apache2/conf.d/demo.conf:ro
+    networks:
+      net:
+        aliases:
+         - httpd.example.com
+
+  mail:
+    image: mwader/postfix-relay
+    restart: always
+    environment:
+    - POSTFIX_myhostname=sca.example.de
+    - POSTFIX_mynetworks=0.0.0.0/0
+    expose:
+      - "25"
+    networks:
+      - net
+
+  sca-db:
+    image: mariadb
+    restart: always
+    environment:
+    - MYSQL_ROOT_PASSWORD=root-password
+    - MYSQL_DATABASE=sca-db
+    - MYSQL_USER=sca-user
+    - MYSQL_PASSWORD=password
+    volumes:
+      - db:/var/lib/mysql:rw
+    networks:
+      - net
+
+  sca-php:
+    build:
+      context: ../../docker
+    restart: always
+    depends_on:
+      - sca-db
+      - mail
+    volumes:
+      - ../../:/sca/:rw
+      - ../shared/config-client-cert/:/sca/config/:rw
+      - ../shared/ssmtp.conf:/etc/ssmtp/ssmtp.conf:ro
+      - html:/public_html:rw
+    networks:
+      - net
+
+  sca:
+    image: nginx:alpine
+    restart: always
+    ports:
+      - "443:443"
+    depends_on:
+      - sca-php
+    volumes:
+      - html:/sca/public_html:ro
+      - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
+      - ../shared/config-client-cert/ca.pem:/ca.pem:ro
+      - ../shared/config-client-cert/ca.key:/ca.key:ro
+    networks:
+      - net
+      
+networks:
+  net:
+volumes:
+  html:
+  db:
diff --git a/examples/nginx-client-cert/nginx.conf b/examples/nginx-client-cert/nginx.conf
new file mode 100644
index 0000000..224b604
--- /dev/null
+++ b/examples/nginx-client-cert/nginx.conf
@@ -0,0 +1,38 @@
+
+server {
+	listen 443 ssl;
+	server_name sca.example.com;
+
+	root /sca/public_html;
+	index init.php;
+
+    ssl_certificate /ca.pem;
+    ssl_certificate_key /ca.key;
+
+	ssl_client_certificate /ca.pem;
+	ssl_verify_client optional;
+
+	if ($ssl_client_verify != SUCCESS) {
+		return 403;
+	}
+
+	location / {
+		try_files $uri $uri/ @php;
+	}
+
+	location @php {
+		rewrite ^/(.*)$ /init.php/$1 last;
+	}
+
+	location /init.php {
+		# Mitigate https://httpoxy.org/ vulnerabilities
+		fastcgi_param HTTP_PROXY "";
+		fastcgi_pass sca-php:9000;
+
+        fastcgi_split_path_info ^(.+\.php)(/.*)$;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param HTTPS on;
+        fastcgi_param X-SSL-CERT-DN $ssl_client_s_dn;
+	}
+}
diff --git a/examples/shared/config-client-cert/ca.key b/examples/shared/config-client-cert/ca.key
new file mode 100644
index 0000000..b159fe4
--- /dev/null
+++ b/examples/shared/config-client-cert/ca.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAw/KvOhxTDfj/4qKpWciY3ER+d9XW91tDj6OMWLGKP7bUjpnW
+yJ2MiuINhM5FvCmS1C7G2hew0G735Dklo9ubjqih/VoodFZOH7C/ZV2WZcX5yfqL
+w2eA1mT6a/XdtXc9AkNYjXQTv3HAW0nDHQjpoNYvz2Mzk7ricVtzNpn2H5YKQrDi
+6O36185kLqz/MUq5uMlDZL8+Qc2uEUwJ5PUgRt2SiEtbUocKaqlwzl3Fw1bfuTsg
+mPpuMszxQ3ZcVB/a4yNst08Gt6N5SQg9V/ZtHxwKhVDF/YxYXD3/jXaeWmPA+My5
+Z3SfvBPi35KAw66nett7tFea0tUkuLPchRks7wIDAQABAoIBACl1LVHUMFZienFP
+DRmr8XuZGlDsc4D+VDsN1WHmnmOAoVRShDkJ7HRuA4I3ylVXTnOKOhRmsshG0jf9
+R1N14WG7mBpseuayY/EcikI+HNYHnyP22J9NRNsXnkw9Rt1gDw5thUzYZF07CgHG
+h3ubKSMYbiEo0f7NqZ9mQ+gnhwWDcH3/l9DW6E1XHqtnnh3tda1YzUKu4hUutVrg
+7CyHt+sAiVoipwBgRJvucSAKd/Z11E3/OLczLPdjizcYYtb6h+sWictC+sncUJo+
+scM1LKrGI5pfMXggwGb2Blxoxk8bg0FHGeeBRsVjkRzE4/tzY3vfBWi9dsT0wxcH
+dygyjeECgYEA4FczEeTDlbPDJUkFLkMR2bYIcL/uftBF9bY+2Kv42/WrIAxa6CpU
+ZAu207kDVODb1m+GGcI7SkebuxArWcfflobNx6HlbyU9N8PK4P2Ab+Aw29IE23RJ
+6s0qXjI08pBWBc7eecSTUKVLtmfNc/zA4m5tufcuY8eP38erNB7WSUkCgYEA35m8
+/5IN8R5LWNh30pm+9NvAcT7c/iQCog+I+1v9/nqeTFQPchqo8F1XLWnrL7H3FvQM
+25eR+meem+Et84f6uJH6Wa/RYwyZrwd8k3Jx2yDPXv0YOWuRXQ8M4rSX/PPIMeZH
+GtkQYg5bWM7zAeo0IZiMmjJhm7r3uexe/BPQPHcCgYBp/Wi4dH9fU/3HuNcEw1VE
+qbcVJejU6yuSahcJIT7DFS9TReMROyaB2fL31rpXOKFEj44oz1ZZwrk1yO7iTQc6
+w9enELsoJszkctGAOOScdqw+vtvinu9pSqNQu6G+VCkAN3tuxkvfVykNNb+go/Kx
+SAD5UmoNZDR6QoiFaGhPWQKBgGwErRUZzbpp1CR7joci1ukbMACFSeVMKCl6L8ae
+TjmdqtNc2Ila77oOnYrG3GMSKjfgdkWvF0pMvIa5ZaV8T1bSzop9MT4UXDn99+ST
+KQWe+A7/XbB/kp3OI39xlusQKepRQJBrxEpafS6N6z9FkSGZvHLRW+4LiJk84zYL
+rFFJAoGAGgUN9V/sy+u+JgKJHC8/nChDjCJvarh1Gv62Gq4M2JqKz7TQz1QI3oxa
+pNqkUt4VeLVLPqxRU3mTIQymcD/A27AxKlSiCqFnpuLpRRsZA8UwlxxwbOylW/ZS
+NwatYZ/4WT9lFKaBfa+vfdbzH8wTk65mLI9zy/G/UeWtU4ngpoA=
+-----END RSA PRIVATE KEY-----
diff --git a/examples/shared/config-client-cert/ca.pem b/examples/shared/config-client-cert/ca.pem
new file mode 100644
index 0000000..f1ce2e9
--- /dev/null
+++ b/examples/shared/config-client-cert/ca.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDFTCCAf2gAwIBAgIUYOdgcuAxbSmgsOVGuAGje+IZSHQwDQYJKoZIhvcNAQEL
+BQAwGTEXMBUGA1UEAwwOY2EuZXhhbXBsZS5jb20wIBcNMTkwNTEyMDgyMjEwWhgP
+MjExOTA0MTgwODIyMTBaMBkxFzAVBgNVBAMMDmNhLmV4YW1wbGUuY29tMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw/KvOhxTDfj/4qKpWciY3ER+d9XW
+91tDj6OMWLGKP7bUjpnWyJ2MiuINhM5FvCmS1C7G2hew0G735Dklo9ubjqih/Voo
+dFZOH7C/ZV2WZcX5yfqLw2eA1mT6a/XdtXc9AkNYjXQTv3HAW0nDHQjpoNYvz2Mz
+k7ricVtzNpn2H5YKQrDi6O36185kLqz/MUq5uMlDZL8+Qc2uEUwJ5PUgRt2SiEtb
+UocKaqlwzl3Fw1bfuTsgmPpuMszxQ3ZcVB/a4yNst08Gt6N5SQg9V/ZtHxwKhVDF
+/YxYXD3/jXaeWmPA+My5Z3SfvBPi35KAw66nett7tFea0tUkuLPchRks7wIDAQAB
+o1MwUTAdBgNVHQ4EFgQUMm+/8ikUlL2AScmi026LjQ6RX2MwHwYDVR0jBBgwFoAU
+Mm+/8ikUlL2AScmi026LjQ6RX2MwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B
+AQsFAAOCAQEACvjKjDk8bw0OuzKxyL+aWNcIIZdEj91uVad0k2U69NQ9Oq2TLf8X
+hDNTSQzpx3ddMzV2H0qribCbOKMfgTiy3HJrsbFWpwnH0NhDNI75wQRyJzclxnKb
+jMtbXKH/DooY9Znk01lcfnDVQ7xbk3hhDBH6YFubf5LGNO/B6SzUGnkV772YpA1k
+LbW5lMpNRuwbPNooDBOyaNqPg0OqqACG3LPcrz0bGC9+OsNf0yF3hZyUjvhL9ZR0
+Zglle/a+kMORJ0LCSUJh3Nac8lb0pY1SxrRiUh0Y5TYsiIU82xNKwxQHRo9H/aIU
+GDCpiPFJTF2Ulu1IJpAnci0MyT1vzOaErA==
+-----END CERTIFICATE-----
diff --git a/examples/shared/config-client-cert/ca.srl b/examples/shared/config-client-cert/ca.srl
new file mode 100644
index 0000000..6eb3784
--- /dev/null
+++ b/examples/shared/config-client-cert/ca.srl
@@ -0,0 +1 @@
+26A3FAE83BED0F4CC887B0C103E6067F534A8BC2
diff --git a/examples/shared/config-client-cert/cert-sync b/examples/shared/config-client-cert/cert-sync
new file mode 100644
index 0000000..5ec63cc
--- /dev/null
+++ b/examples/shared/config-client-cert/cert-sync
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAqatsYGwteC4X+aIsNThluXZlh9SbdQTB3Zy8EoRcgKSEQdvw
+sn56e3SLCTtLVGYCD7l5bTvjuJIG0VGKGG8ZYiESHQRBqm6t0zWEJMiOC0mUt3xW
+4YJcVFhsk54WhVMWW7Irjx+wk9VbX4OellU0FZSjAs+hSernAOnVoSNXnSaC5hoq
+98QWdlUwI+pOkKfyII4YYcSaPByNA/dx4Hy4cVqIaVIvDf4SiYHnqbCCZbSZcrQD
+W/pLnq6s4e3LvYNaB2BWLlbad8YuJRBRSp9C3thV1EmYIDQdlk6sg0fkFGYi+jWF
+WKatA0u7Krt5Dh3BeeNgFqegfsb3E1P8+gUp6QIDAQABAoIBADdzCIYylGGUXs18
+jIoQFl6YLPJJL0z88waj9GrwyvJX0clcQbtzzj+OhOnNcP7yH3ZYHTDvw6pMPuIl
+jcYSeO8y86J8A6HZbgF6mecTjChwMaQNhK9KVTZTd5h+r8l+r+3juoyZxLFrpuL+
+NtPWoKD05JlEled8V2ZbBTAWRsnahepwwIdVK9kroK/Z/O91YXHxsKkW8tr0BPAR
+mJNFOZnMxKymyXZ05J9pEq+q054nDHdpOcKF6z1dNuVVpPvtPlJ+BfNZqLcQ87/3
+4AiX7hFEyiRQw6v5JXUXH1IkNuD3BpjFMAr5/g1damsWXw+rkeYk5uS44Em46LeU
+hk2J8ykCgYEA1B9eZEI/xpejcXDLTR7NihF2kk3YmiHjnqvVRPV97/JlMw1kmulb
+ga1Y4y7YLv0TT2lWTZ9U5d+aIGTLqDd2fFvUYwAojeibf8TIPxWj47IK1sG7K7/4
+fwtxzuYJ6TmehwKFLMqxW/RN8bxmXZOQyc0vdbWdc30filRpdJfkyMMCgYEAzMQG
+NIc3WObmaNzT1qlC7svba0VWpE7Tve9yUlfQUzqiEPMWKxCxoxiSdjxKh3ZeFaGM
+vb+EvvHryZVwO6Ym8YO3c7Or96/38dlpzR2USPPsE/z7q4Ai7p8s2OnpUdTN+Sbz
+rUvWFZD+aTTzYaPHiknGGE4oTt90ksXhsHKR9+MCgYBZchzIZBMmd7zI0go4K9v5
+82EvUjoazF2CA+07VdVT/79ipqwckngul10a9x7buYWR/9YPhzcyc3Y3YKlr9m81
+Azfswx1WsZYYa28RAtwH4ISniCuXyCxNzhKgbuoQ+WX6gjqL57CgGMVhQNNddCMi
+pS31Ea8iCsno9608J+ymJwKBgAupDgFnwcsaOvy1top+0QTwLuqI5EovAvfJ7uSp
+g39500jLzvNc3ADBoXWCMWxNXUY2EOGtSk3lUNwF2oJLD+So74VzMdPE/YWUL+Yy
+TQNqgIMS4PH/Nf4IqnEfwN2cFK6ffTjdHK/Vtecf0Mw6m15QnSs9KCZ1qxnAkv2N
+SKqpAoGBAKb7H7PEoBlC0SfrdQIoqKcHX62IEVSS/bzeKRgOF8dNGeJkMLJeOzgK
+uAdi8XYReKp6xkMz2KArfR55nkqGmqPHa9czxLcRh0afdccjK4kEgiCA3sGz80Hp
+2r7EBnR6AK5aBTNDnpv2TQdOCTed5QBwHUWUWlD36xDayW/+cehH
+-----END RSA PRIVATE KEY-----
diff --git a/examples/shared/config-client-cert/cert-sync.pfx b/examples/shared/config-client-cert/cert-sync.pfx
new file mode 100644
index 0000000000000000000000000000000000000000..8663f905ce16cc0eccb128cfb2400e8b7dde1037
GIT binary patch
literal 3141
zcmV-L47&3$f($_d0Ru3C3<m}YDuzgg_YDCD0ic2l_ymFr^e}=8@Gyb~rv?cshDe6@
z4FLxRpn?XNFoFh@0s#Opf(DHS2`Yw2hW8Bt2LUh~1_~;MNQU<f0So~KFb)I=c%DYE
zQzlD00s;sCfPw~KgX@_5jyvEf={#W5w<`fo%+2HQ51yM0s3T;R5_djHn0u5^oB36`
zqw;ta4)wu>S)9=)N>hX|q2ktGZYftU1uj&y>jyrt_AoIGh96pA6fm5=2?USAs}t;T
zQd0yX>731xZIH)!1yDIF;|QF&(EfCG241DBZH0LEo7|Y;pbnj=(cWRC^T9=Xq%@*0
z9i1K8X9Bt9fl#Zf(40LN1;>rabiAutkggLjtcebqG}`1Ba4&@K6(DU>(1`T}e>fV6
z&YqINpqzwdmIDz){>r2Y%eY~{w{^BsM+3L~a$hX?ww3F{AETNEx!Lm5*Aw_ERVH+>
zcN_uoo}zlJlKOhhkt>NqPBR#%8AT9s<ku3<4F2%iphX|I%YYO@V5Dvmh9lQJJDP%x
zoHWq$2B)UMb%}*pXbWmRGCazR!tJsjy|Mie7Dcn)&BhfOCo@|esT5M~yN=;K7rIGn
zJMJ+JpDcSD_y;fcjPPXWCg$bM<uBz#xRW<ckIs-H-I%{0q!I)?@+FuHU$^`ohIR|>
zn<l}Vx55S%j(fJGz&o1&s&nz0kD!Z1lEZLI_g52~8t@{@PtAb;Q^rD7yNiph=lcl<
z2Nhk=Qqd(0)_E-Qn3CL>b*n>(?;hB0bG(-m%hXO!(Tm`FpYu+a$_(7k`V`y~Faoyb
zPMt1dI?K=!;>Sy7?jId}(tTXVD#k9e*OgsZHM22>u&F-Zexfp$85081hN=KIkKQv0
zLe&!$OKZX}7`K9k`$>&xO$L5@j+2Ld=A1QpZD896f?_=V{KmN6`0!z4JKb)p)4(6#
zYqulcLs9458~@KF;ji<3R$XD!%@}R_a7B!3UX(qE)wzTKCKjYKu>tD<ilwdThP9Ib
z6wBTc6ykaF6oM;^r|$G<l?m&0Ga6g*$1`yseyfnRkK5d;D+guc&gyCH3L!~5Zdct5
zIGVPmZ^iHK9bt_pCUTP;?g8iOlHdG}5WHaI6P*l|Qxi<)E0gB;)^ED$bmm)|#&yw5
zgc9@eh#r;qxKh0hDgffR?QawWn0**8PK!OO{2h17M3@ikU0k=Eez4$$DSb55uD@7w
zRHmPUI~_8<rQM5SNXUM`L{h$+)YmNww@bGCMaW^83}Ye9G{sr_c+ktfii~y<-o1U8
z@I>-^IayM<#3)ji{5D)Ug<vDhG8+n9!!8_QF8qr&GWl#1&faw;35tQ(%Mv%KqzOou
zm3H-^NClP3KX{>W-d12{02X=+R^jy=Zu~p*V}0=;o@swWdx~N7fTwEQTG}DpH3-)?
zfi~hi)`A8JG&AwrkMQkyy>Nx}lHtnkZ9XVestBNZkmkr+$-dR<L!hrFQXw(XLvh-I
z9D!;-?>_*}Z`6%K>_^D=!(k(KSGM6qU9ZF`X{I1sdj#3Y#guT$WBw$I8oumhfRjm_
zO~F*M#g+{t9xhD$r!6V@;W*C!goBfjxSptW9tnrMgyr-HfP5LMdHI|_IWkhhfj+iH
zJb^viPU4+M6?es>Lj@bZwx3aB^$NsSfYI^!7AJ1DHFw^Sr^!vUl5F7QVM{w0{sp!n
z3=-bB<^Yc`tMQ!p((Hb6K?<RgY0go`dMX9;RWrvsw7kR$pDMJP=3_w65q1!W4G+0h
zyrKL>>Hx(2R>ZBMgrxH|`tI<Flt|MMgRk3=CxiHx;a{=NOq%7sSmOTnPLxvjN``lu
zLkuosEb!xD^(BZMOhxL0=r#Us=-=2O_WL|1<5N&1&1R0tM|b!c_;>$HBRwd5kJAI|
zc0&Sf_FNWY8EmK@9(OaV#HkcN2$o~&Y&{B^aFSnIqk{v1s=KjOu|u3&AF5_%P<o2c
z_D0X-?guZ?6OU}|Hq59p26sGw@cD@+^li!<gyjyGn+>~c4f;Ao19XJib2V8ZOd#4W
zJCqj`w+#{)+xZI|wl$;`uO;cxbf{`Uh?cE4@f~FzHmbz$ROZ<~Z(a?yO^gz1X6U!$
zxpl0m;DD+Zuah4`Jxa7h)GsEBL0?EWLVI2~ze|9dxGWK6Ra99X+pe3EvVZ$qw72~v
zHwuEdu|~UyTKEVa!c&K)He6EB+sn=HnL>!h07Ld)9Vw0;6pzXKh|#MeqphnO^U%X`
zcN)&wM^oPFs}^YjCRLC<-c3H~A1Td&4p8<Yh{_-!FoFd^1_>&LNQU<f0S5t~f(0@J
zf(0%xf(0rtf(0f93o3?4hW8Bt3<?1Ppn?SMFoFc?FdPO7Duzgg_YDCI0Ru1&1PJVL
zkyG@^R(Jve2ml0v1jt>~hw`Q!s7=j>5QSe8#_>DAnoq{3xV!YKu=^NC<(H9=OuAkc
zFJFiiXIWF|=|AJo5m0rtS((u99cPDO->dc781;R=V0g^yz~X}ST<i#_h8{77&&Vcm
zOdj>*Qog@!l^zRA2<#Ap<(nauAc+QCl2qdIf8&(F1&9A)SBLkFsih@i)FZUU;6-ua
zodqy9V3_T{-oV9ni2L2zVO^{?5`CV!X64Z#MNV_ZdgJ>6oItYBjsdarv+-;xfx80y
z<4`fj%~QE@hhyOnUAM+rNf<XxZsFK`5B%Rh?Bi2~o0MK)o`bCvOyg)#|GEt2a%4e&
zqhY~pDzsO4#O5t~1t2bT1Nj*98YxVJP=e3+wsrJOOYacShHjZbsbqtae8@h`Utg#_
z;bvSQA;nbz{8@0FHRH;J>K`z3*HBAToq@D@Y++NoFi9x;1NaW8@S*=(j%Q7Hf!-)6
zi!%<R={$s-3wCn>u4vsRzYnPAl^simJ7;m{PIvv^h3iPG5r1!W^4b$v<=oJ;fK{u8
zYf@m9&%UiE#Xs@q^JXZ-3bH1Kv<I<i+5!vSH+j7nz4r&}dNW4oBw$F$M_JPviWl0f
zVW=i|m65i6wAnj~Xnli=a^3<>L3dk$GLcA%xrs;ObykBFngmqA+m5tSCXJi8+`mMf
zm(;C#i$SS}7(Bv4R+5izE(Aq=^r}#ys-icQ-}A_FpgvGp@i~HMiiw<1D7+M5Hd(Y1
z{@@_V<ztKQdT^87I-}9vUun8eAAS-VtFo)xj>0&HAz2(>^d!Xy7>u;mU<O(v$%?WD
z86NkjXkP(t^Nn&X)>~-qax2*GOjbvhR#{cfY=P);w!TjlBP^DZ`)pKeSBEuCEmOk2
zgOQFV9fTLl<>L;i>5jr=TZ8Zo1EUVej|&H_35(5m`3iuq#VdTj-h=QuCCpv@2Uk6d
z`K{auQ~Z%KU4a9BlqOJaVI288{7T=AZCPji_11H!tWcGiEWK!p<_9vzr8(5eA{Ywl
z^vt7u&`QQJF^B(lQafcT7aAz_Y;g+0>MKD{K>^95DC_&E0HwH$nM-^Po6!Hy48+*r
zOUW0apy9F;ce^-b-@M9}&svv=cr{-8MlLW`9alT9F8j-?lRX=S)aBrG3K~?z_68>t
zD-5RJGO!>nOepu>S^-fdu`Mna6Ofr06sMYYG)U#$+$Q=+Yh<l>q1zOap*a&0@c;Bg
z{?1!jJs3^bHC!K54+}Ks7~vQw4PI3!o)f{+P>QEkDcsVK)CT1YAYDy@KxTfV&>Lm~
zz>X~EOfV<rVe?o^=Vh`xgThgZQxh#0mL%#vd;W3|Ohge5to$Q1tT29T_+g$k5b}1m
zE|_-TE@}#)sSLFy7Npgu_%T<$t7mO7K@~Mk+oE(MGYod{YjCS_f<A&TZ5{66!^lX^
z+<pv13EF<12GzC+?=pqC{!*)z3l^i*ebTOgQkAKa_v8No?30cdN}cuX%I&`W#xno4
zpbbtP`MC-MT%JykkvZBCJuugNaqpO|YK4L%dn9R=NF9HggHXJGN5sO@*?F3Sax&{>
zK-uQeBkFatWLnYh%6`?W%m5Mk5gRpIGzd*)o$An<*E@<3PD`sB1$Z$fFe3&DDuzgg
z_YDCF6)_eB6tkE22%~3z&z&QxP;W5iHDXaa5HK+?AutIB1uG5%0vZJX1Qc43sJ9Pe
fT_QPrv9RY7$#KF<dHVzi*id=_pgVyP0s;sC(xKPV

literal 0
HcmV?d00001

diff --git a/examples/shared/config-client-cert/cert-sync.pub b/examples/shared/config-client-cert/cert-sync.pub
new file mode 100644
index 0000000..1a104d5
--- /dev/null
+++ b/examples/shared/config-client-cert/cert-sync.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCpq2xgbC14Lhf5oiw1OGW5dmWH1Jt1BMHdnLwShFyApIRB2/Cyfnp7dIsJO0tUZgIPuXltO+O4kgbRUYoYbxliIRIdBEGqbq3TNYQkyI4LSZS3fFbhglxUWGyTnhaFUxZbsiuPH7CT1Vtfg56WVTQVlKMCz6FJ6ucA6dWhI1edJoLmGir3xBZ2VTAj6k6Qp/IgjhhhxJo8HI0D93HgfLhxWohpUi8N/hKJgeepsIJltJlytANb+kuerqzh7cu9g1oHYFYuVtp3xi4lEFFKn0Le2FXUSZggNB2WTqyDR+QUZiL6NYVYpq0DS7squ3kOHcF542AWp6B+xvcTU/z6BSnp root@sca.example.com
diff --git a/examples/shared/config-client-cert/config.ini b/examples/shared/config-client-cert/config.ini
new file mode 100644
index 0000000..8e06098
--- /dev/null
+++ b/examples/shared/config-client-cert/config.ini
@@ -0,0 +1,129 @@
+; SCA Cert Authority config file
+[web]
+enabled = 1
+baseurl = https://sca.example.com
+logo = /logo-header-itmettke.png
+; footer may contain HTML. Literal & " < and > should be escaped as &amp;
+; &quot; &lt; $gt;
+footer = 'Developed by <a href="https://github.com/mettke/ssl-cert-authority">Marc Mettke</a>'
+
+[general]
+; Use timeout --version to find out the current version
+; used on e.g. debian
+; timeout_util = GNU coreutils
+; used on e.g. alpine
+timeout_util = BusyBox
+
+[security]
+; Determine what happens if multiple servers have the same SSH host key:
+;  0: Allow sync to proceed
+;  1: Abort sync of affected servers and report an error
+; It is not recommended to leave this set to '0' indefinitely
+host_key_collision_protection = 1
+
+
+; Hostname verification is a supplement to SSH host key verification for
+; making sure that the sync process has connected to the server that it
+; expected to.
+
+; Determine how hostname verification is performed:
+;  0: Do not perform hostname verification
+;  1: Compare with the result of `hostname -f`
+;  2: Compare with /var/local/cert-sync/.hostnames, fall back to `hostname -f`
+;     if the file does not exist
+;  3: Compare with /var/local/cert-sync/.hostnames, abort sync if the file
+;     does not exist
+; The last option provides the most solid verification, as a server will only
+; be synced to if it has been explicitly allowed on the server itself.
+hostname_verification = 0
+
+[email]
+enabled = 1
+; The mail address that outgoing mails will be sent from
+from_address = sca@example.com
+from_name = "SCA Cert Authority system"
+; Where to mail security notifications to
+report_address = reports@example.com
+report_name = "SCA Cert Authority reports"
+; Where users should contact for help
+admin_address = admin@example.com
+admin_name = "SCA Cert Authority administrators"
+; You can use the reroute directive to redirect all outgoing mail to a single
+; mail address - typically for temporary testing purposes
+;reroute = test@example.com
+
+[database]
+; Connection details to the MySQL database
+hostname = sca-db
+port     = 3306
+username = sca-user
+password = password
+database = sca-db
+
+[ldap]
+enabled = 0
+; Address to connect to LDAP server
+host = ldaps://ldap.example.com:636
+; Use StartTLS for connection security (recommended if using ldap:// instead
+; of ldaps:// above)
+starttls = 0
+; LDAP subtree containing USER entries
+dn_user = "ou=users,dc=example,dc=com"
+; LDAP subtree containing GROUP entries
+dn_group = "ou=groups,dc=example,dc=com"
+; Set to 1 if the LDAP library should process referrals. In most cases this
+; is not needed, and for AD servers it can cause errors when querying the
+; whole tree.
+follow_referrals = 0
+
+; Leave bind_dn empty if binding is not required
+bind_dn =
+bind_password =
+
+; User attributes
+user_id = uid
+user_name = cn
+user_email = mail
+
+; If inactive users exist in your LDAP directory, filter with the following
+; settings:
+; Field to filter on:
+;user_active = organizationalstatus
+; Use *one* of user_active_true or user_active_false
+; user_active_true means user is active if the user_active field equals its
+; value
+;user_active_true = 'current'
+; user_active_false means user is active if the user_active field does not
+; equal its value
+;user_active_false = 'former'
+
+; Group membership attributes. Examples below are for typical setups:
+;
+; POSIX groups
+;  group_member = memberUid
+;  group_member_value = uid
+;
+; Group-of-names groups
+;  group_member = member
+;  group_member_value = dn
+;
+; Attribute of group where members are stored
+group_member = memberUid
+; User attribute to compare with
+group_member_value = uid
+
+; Members of admin_group are given full admin access to SSH Key Authority web
+; interface
+admin_group_cn = sca-administrators
+
+[inventory]
+; SCA Cert Authority will read the contents of the file /etc/uuid (if it
+; exists) when syncing with a server. If a value is found, it can be used as a
+; link to an inventory system.
+; %s in the url directive will be replaced with the value found in /etc/uuid
+;url = "https://inventory.example.com/device/%s"
+
+[gpg]
+; SCA Cert Authority can GPG sign outgoing emails sent from the
+; email.from_address. To do this it needs to know an appropriate key ID to use
+;key_id = 0123456789ABCDEF0123456789ABCDEF01234567
diff --git a/examples/shared/config-client-cert/proceme.pfx b/examples/shared/config-client-cert/proceme.pfx
new file mode 100644
index 0000000000000000000000000000000000000000..c60cff37c58cf5e8b3b856ce2563be60b978001a
GIT binary patch
literal 3133
zcmV-D48rp;f($tV0Ru3C3;zZQDuzgg_YDCD0ic2l@C1Sj>@b20=rDo?p9TpkhDe6@
z4FLxRpn?XFFoFh*0s#Opf(C^K2`Yw2hW8Bt2LUh~1_~;MNQU<f0So~KFb)I=ow~e6
z!AkBB0s;sCfPw~CM5<Me;{5zQj*J5zX(nSSJ1BS(C9-PlUC$!ac`q!xM;>VE(dy}Y
zK+l3aZ}|O-FcxAChFH;c=kHVeYMjq)-41NoQ-x0nkS?8=aF00I3mFJYT%cT?3wSeP
ze`l@(1Hg)wOu^6Y@|wU`-tB|=hItV{a^l-U>N+wICjb7m4}=~&3Aip~br<vp1$8wB
z*eMCP(46Fn&HROVPd=2v)-g@O^kkaXJ3`C&f$a^QOT)*b-Lf|3h#j>LQ4L?_Vu+5k
zkzLzXgRj>03uJ}FdILc=2>>ff7+i;;EP4d;hq>BfnPA#~BFK|)ek(v@Ib;1l+(*UC
zL`kHtS<>32)^jhtxf1kjSLIPt6FIlu%=#|1MI;LnRW`t3Cw+zFR=+RIUL5O3ud3w}
z_P-+OrTL@i26Re1`@WzObw$e5Nf>K}-+LvYA(qn#eZyf=bz9Sz4VNB|%G$*GZ0{KR
z{g=4uZWoz@^hu#Lbnj%TbQP(KZ;BJ-2V;7xqstu<IYqD;&2I0N0!K0LjV?aKbsP*t
z^CJIkXljkT*o{%TOfaRuvTIMn@@<~7%?&qSf`9<Rnz_HPJkvk(6B&rE2^t-;blO0Q
zsz7U=)KYI2d}jC%))QmdW#H7{szHiQ^wnQtEO#5@6@hgO_KJaXk&xabUJdWn{kvkY
z;92ssVh?1g?z-=MFHdN*32?A39REtmM|zK-dt!Y!z<+t(aL5qf`|T0YH!@3cLva@K
zYznt);ApVX{K8hKX9LI{*v#?<TSUxar5>6{ka+%5SusgdJAAV};G0Oy;JRX10FQm6
z&0v1**Gr<TvGS$0B|pOIDP&Q${;n%XQeimaG83|CkCVp$=KN22uyz|u1UmBonGGFq
zv0^{%;S2fm*QlMxB!j!s@g9D2WWunKrH?C+;BU$<qjBQT*qnP+i8DlI#f7Ut&nh<(
zTUIV>O{eOFrEBV&f|^X|4bfFsw@7u<1*1{Egcp?MVyRTOi5m1Q$spXe6<sF05r!NY
zfXj*|Zn|Ubd6`zUI7Cb<wVs3aplY3%aOR)vovUV)6&V{HGLolhVj{IP){YbfQ&5hN
zN^%C`pf@y9&yb_|>nh65%_2xb@T|7gn}-$R*2s+eK{%H0j<PJzoq@9EF%#h*kp3yu
zmHlfg{)v3ekIxQhBcG~g{6iz2t|c4p&zYz^$<%?uS?&Ab2%-QM6KlVo&{T4hV?zNY
zex;*T_#Qumr}n5vSo)AbUg|E{tuGgn?qpP?(QY4YeY45nxPCapl2=v+W{~bBQ}2aB
z4W^ajH2HMMde%ev)z~Y}rRlfZtwa(_G5l7t<(Q<?|99z>wPb;jfS=^FU}@YTa2mt!
zEuz~uArtZIS5RJ&AQBPzZ0lm#q@n8hV*|PATKMwp-Zjs{3fM1>9Yo|oxQi*QPb)Li
z6c)^3T?<`tiF&=tiQfQn8axh&3$lCCbiP!k*R<6|YoOfCzVQRSSf)%mg_qWMrA4*8
z8O&;ITWT?1h{umjTMpS8r~qSmHY33rM8K2+WWe<gS!=psmWaq}*_ohBV@=k`&PMzW
zk(MZ6Ah3KT8Ub<UwqI)qIJD8K{exvf-|8WG?7230lO=w<iJaS;stfFDfhuS(<LAZt
z*$XdG{C<9>J^DucO718ND{$dFg#TUnH_pR>g=_;>I2YOC71})?Dm=Z%PkbtLMZUX@
zr9Va)9gd?)&?V^bN!f{$Oj}?#!vu62&IPjAfG&F=T0!;@#u?Evw8;B64GPTeI^o1%
z_+BT?=wPpAa@cN3SX9phxsD2fSYJ;(kIOSczd%U8zpODuQ<QPAQkfXyeN4}hZpZI8
z%z<(=oS?&Bg$eK}TXzAvj37b{Bn0R?5!a7I{_b#02}5Bak(jH8luxj?8B2%`9?Nrx
zaqKn@>z<y-l`Yn>!~(vQ9tymb8qvhA1-smP#!qpMbZwQl;b0bz*9O3y9{xSir%6Fc
z_yqOo3nU0ytFnGq?y^FC#GoDL#Op@0YCLN*R6%fQv7h5YXX;JYUz{GDz0?!0yU)7E
z7-hfXaW$+yn<>I@1&$&j9bk!D-uUtSgCF8=JxhRx49^xJfaO8PBHt~3Jp+gu?18q)
zOiK{N{6(!l!WytJkUl%6YP9WY_~Gt*FoFd^1_>&LNQU<f0S5t~f(0@Jf(0%xf(0rt
zf(0f93o3?4hW8Bt3<?1Ppn?SMFoFc?FdPO7Duzgg_YDCI0Ru1&1PGrdL~o;H@QDHf
z2ml0v1jvfMkeJE(`;m8Eimr(V_3K1oHW;XO_t|0|HPM-%pF|nS-seB}l-1%K_GRw#
zmg-9AJFtIUWf{$T5y5oB!lCo#e$tfGLF`hun7<s<C5GnW$*5|Ok6_qM<?tshZN*1T
z9Z%KCHe1fF<b{4R$Zu#Hf^~`>@SoPaN6T36p=!--^GC@Bi|Hz6oR&qQ26z9l#b<1E
zkssJMEQ{7{chhe{t<jVZk+MZd;rWsbxJ&OB<xqhduI{jjG`=I9#fGv(;^!Elt0O6M
z&QMv{m;Tc+1s+fL?+(6Eyx==dTa5~i^(Iln#~qQ|aRw=9Zivl{ejxn;_+U^g`OfR)
z6}Qc;lGKuaP-vk2#ICcwC_6t*!%~Zudw*qHIns8*BIY=7A3o?ex(SHUmEzaK#IBgZ
z23zINz#a_&C;blx@mg*!jzRx)c?*J5l!&y|!*poOOxw7#&EfFUiTkb(rIv}fYzlhw
zeltxEg3)UWcn^g{AffM<*muvnkEO+G{KFjOL*)lQh5=27{m4peEDsMLVQdQZk<n_F
zgqv{tmC7V@NY|d&olDgpM!l4Q<H5JE&<~^x>t6Ij&+tvmDGEv$U~ah%2lcpolJyrm
zt2|HIC$t;U`#ic0vezMVj%~`G&0y>{z5fWckd-7Xbc*T8%xD%tH@s=N)|;|voQtJ!
zO;9-@2J4O?0C{6)ea<eQd`J{CPp+EL{_Bqf<7gJck$w6JHnn`~T)PJOsK{A6;cDq8
z>f>B@4k(8Wm(D6dpo$++F{<L~z7l2_&k|jqMcr8tx1n+hLQIOU;pY{VJIn-HtA|gw
zpwW+CDAzA^8izR$GAk(9%?Am*6u@VHD0GBx90LL%<WNWfBbBOTShl5U5y#4Twa1@o
zu~{6uIaaO&jwp+N>o&sXu^jK{96QOh>=-ZH+aZw74IxSP9Rdr^!5J%-!qkNsdAZQ0
z3;DC3+s#IvdR+!~L<ZP^Xg7bSVqgLGaND>?J_hQ6l(h1VH);MG!~7q#`2Nlo7hhDi
z0~Xmi)&wa;!<R~jMcVcWq#AXD`U0h1fc8{{L=&m#);p$fip$sC3;rL5`&ToBu*(Ml
ztzt0SV+1a0wp|r0E&<=Y30n<m;wy{tMV_Fb)F}93elymq+avJ|i~RA^?w_TnnOLyx
zZbi*r7%FVkAsF#N$ru*{LTt?W8V_ipm{B=y0xhD)AFvlJieEHEyB4<Gvl#VM+iO{`
zJrDxlfMr#=N5hkbN@M)gEO0PO7uW1O?vZWU;Exu@P9Ne1z}ec+J3+zSGU+IpE~k>_
zQnqn7x2@@!nVBuR_aLg7kC{k@Be^4d){Vuq3KXL|hRcFQ7=CVuVK%U11?py00I0a1
zUWt`N;FRWvCg~r^Vd=qFQW1lb=*$mod*xT>75OG^lw4f1!Bhv)GQ*F!{QSZJ1Jd^7
zh%Ss2!0%#8x{XODdbkZfE~XrH+GrO^kcIW^RptUzyXNXS8nHly>yyC{Ivmu0yM_Ry
z2OoN!16}xWo<l0RjRRCLu+_V703YKJYY4Apj()ObKXQv(`CnK|5|_AM0V9YDXX|^9
ziKlFC{EtTQZ`ZB}sf@?E(wBl`p`@oHH$_WW+?|It3S%)PFe3&DDuzgg_YDCF6)_eB
z6kSH)yeXd$z8`giYd3(wI<g8kqcAZrAutIB1uG5%0vZJX1Qf}Ii!5k40LZ(3eRUsk
XT!fd4Q(puKx&uEwRpki90s;sC+Z5us

literal 0
HcmV?d00001

diff --git a/examples/shared/config-client-cert/rainbow.pfx b/examples/shared/config-client-cert/rainbow.pfx
new file mode 100644
index 0000000000000000000000000000000000000000..c10e4a019dc146067b830cde5b0436214bff7f4f
GIT binary patch
literal 3133
zcmV-D48rp;f($tV0Ru3C3;zZQDuzgg_YDCD0ic2l@C1Sj>@b20=rDo?p9TpkhDe6@
z4FLxRpn?XFFoFh*0s#Opf(C^K2`Yw2hW8Bt2LUh~1_~;MNQU<f0So~KFb)I=dCJM_
zcRC*t0s;sCfPw~CPQ<Ih0h?K9SY@gD88rmhD_nGyFBqP=5)P{DA7tpu1lArbQ}!aV
z9>%+11uKLUs2By}2TQNs_QaF&OL3&}B9L<l4!lPKe$x4#tWMRU3@7i+SzS>_Dq%qJ
z$z&VKAaFh8TP$HDb^0WzfQj{|T6v~_3pO*-6$X=Nl+hg@p4J<?U`(vjFkTM`p|tXa
z3Q=BMe!cW<nnL;}`M5r<7MxA-r%m0@{nk5rxNqg3z}x~ebX5b0iS*}L{Z;)(<Vh+Z
ztnq(?BmAmg_<)^b{D>Rf!K0+V4u^O&bbl7K^d%wEa`|bMSu?hewRjz4%vRvy)rj`P
z_Ze0o2k{0dn{$;w>MLb9Ai&K$mNNy6n@8%n3vf)1R47QT!oqfqy>jhf`tGpaQ-}N=
z&iaqkJ;G~=4}DCqL1Z`mK#1VDqW>TXt2|FZ!{H0|oZ|%<Po_xsl0E#Xr4VU9MRGZt
z@V#==LD^Y{VSA`|{Lr|Rf=wAnXfJ!ESX<2zr`{JOM5^Lj-b5pT?E}F3MsRM4P+7(T
zs&fy0C1H34F@>T4p8u^ds7GUo_iQFGAY;{2VKzYUOU1nl-W7eAZ07+6{s}PZXIA!n
zPtH<4Xq>)e&IG=tgiyu>tGxqa4%G@(Q%({iGXiaeGzz=Kp{1AlOgE|SOU4*Xcz*SH
zeiH^R3sUHOr@*K4oZ~LYioLq=;sLi8r$D{P5|=IhSS?IKB6og>-#U09g)Ni4n=N!q
z)m4i+0?4RImWc4@)jQ=#;)OyYAIay-=`WX@gau^Chyuc+@oz@qzwdxdQ_LIu#Nbju
z9&Va_1GRC=Rc$v`Qxgkq7E+^Y+kg^?B9`ZD&T~>&m@s8ZyO?ZWGo-ae6YKJ9sg&;z
z)+ca|m;Q2EdIXgz=i_UujG8J*L0~74yF#&AN-{dn^o;Xs$!+XJDpm&%9U5Zw`}dA<
z>Inl43apKhC?_Dt70scv;ZYzwn|zcRQ+l+H1f34}>8y5<EV&anSyd(lKqb;*ZTHQS
zBpEi;vni{OVk$P3H1Mb|1bnSBB7(FyK35dff5IGA+-?CC76PTVf2M?e6r69aLPo0V
z@L$Najvt~_?T10g-%X8b7qC{?y|(pos`P);W!c!{9vC-b!S|ZdeFNkBY~v!bb%P24
z3lM!iZ;~r?c}BI$BXCDiV$(;${MdGRmTMgc<JE;k<Q?HX&@to;VhbJ3=@GBc^ZvbJ
z<kY9dun8S^eacb5&mlJ8DS(G62lSDQ+`fqZ;qnwtQ7PY%rZLI*ic5_j(E=I__9V5=
zA6)4G_SePHj??SrbUVw)Z>rRJI!go(@Qym;Gy9*02@xuX5O7x6=DORM2Yonf)2Yx$
zO-}!`U2If;Lnqks$w!V;-`83!>8NkFPTC+Ue(dymewn+<UEja3XOYuPAp!vej`Ecm
zHp}yT2jg2Ku{gV?PyA@zf_xen<Fo<#3UF}8AwixSAc931uB;|EmJJ^~RP;oBTrQT*
zOmNDmO*1C*^e~t+o?FkYu^U0io)rO&eO*&9gA$pf4X;L4dEO;?t5V)@ON6bK+{G>7
zP0dUGR+tE{7A??<S>rzm9n)VLL9guct0e4p@?tFx1m`^|BoCcLf2dGYwHj!LjW(tK
zpgw1>`r?EYuIQbf9{jYRD6l4_8*2Xm^~|>TnHlpL8p)_JdK{yvhL##-%zkIfPcCkp
zpjX2+>hN3<^0cdn^1gf5T%4^uGW<`3(;I(ep};IuxQZ&YK&jH^-IIF{!?9Fe2BM{d
z9qOls;*Oo^Vs02S<@5m=5QxHUW#ODkUz4<G2EdN&NWUhV%->N0c+v`2shtYPZ}lQr
z5BIjI{P$#Fq{U7@2yWW;;A`bp2G<mjtL}Wl$Xx(y1#yV18rU6Kj%vpCKMK>J$C<H%
zZIhm(SKX%ca>({iWV{9xKwL*RLJ$?g(sdXV5#P5{C;FU<YKH7C7YtET>PCDuVv6B7
zXfO@{JSAKPcB8tXf|X!ml3gqUZlIot6GJ6}4Xz*GM5%~4{v}<|Tum(Ks7#3XRl6>-
z34JDVj@X*WqNn-a)H^SDoj^a%$T@QfL}X6+9K_X6zZ&#F1KXq7$Cad=#fU{7iwEz`
znnql(CEuG@+_jOTKKs{gX`O$PzIb2%FoFd^1_>&LNQU<f0S5t~f(0@Jf(0%xf(0rt
zf(0f93o3?4hW8Bt3<?1Ppn?SMFoFc?FdPO7Duzgg_YDCI0Ru1&1PE-3(Bz7Vp2Y$J
z2ml0v1jtzEMJnxm*K84*NammW6d)0p8|~hG3}CHzj7ctFKo+nheQ)GQ#1kZ8FMijw
zcF+`>cMP!+ja4J*^Mti3Y@+cZl2QaQ=72Ci!ZjC$0Y9IZsB07d;s6Y&=Rt!(`DD|!
zhnLaYYV(+dQ`3kOof!mLk@l2<+$jQFx;$8K^5L{R#7L4f80OO!Ktd|gEN?p+yygf)
z{cvZRb79JA@niE+YWld<`~&eR$R71_?J;T5AmI;8pkQd}viH>ae&OfpyRn!+DDGOK
z3@=0&w(ZZlF8*VovDglVHr}pe5GMgV$T8Hs`0*4FgD&)wENE-s{Q?M2oS|Jl6+Dg5
zL_$kEw`TlWc1Ew4+Epo^?_in=Hg4A4#DsSRX1EOW8PQB*ecNt1wH2hHg~7D6J~;1<
z4_NBH=vpGmX7Yt6S;jPI0kKH;CdF+Y2fk9QvFfzcqu>4n$a{=Fl_<rG$Vj3r-#4cU
zcO9ZKc_M(&`(}{QPdUL-KKQWtx;qNs2tC}XVPT%V+Vst^vm98-vaMy*)o+6gMPE}A
z!lS_KJnJ$EjinfD-4L1T38$2BF|*$KVyDcv`2bm<2*aj-@`cjmfdB<|dfXE#I=e$=
z6UFs0>f-SezW&JFEoQd=Vu#IfFYSFWm?PGXJ`-u&NvHMcQlX!aa6o{;oS+blCO&L4
zQ8ZjI?R<X|?a#{hc;lzkcv(DXywJmoldHU}?_eO=1O|Ua5AWlYFEoA@5mYArJ}jhp
zN5^l!6$4v631<HTYRHZfSR8cpT5&{#A!@-o<gm<lXag%f&Qh3g`mJ+2<RG{!7=1dj
zxWe<%`H(>bS*fln(<X&-VP61q$MTuY9ED_g&-bdD7Fdb}jz<!-Sw}Dhv=^{<0tX+~
zt72t<D&gp4P2Xg2PM;Ei(F(I5ctY#Dht~DRmNo!a`<)MMwk+;AlJG)cm>@;jwA)l_
zp7Rch#WP7cQATv^Eovo?BO}PZ6+yuCQCHJO@ZaEkybH5@9h0{hwV>k!pNv1E6GOot
zi51j0$3e&a<%$&R8w8*i-5y(iAT8DiS{xlciFW%0QQvGz@GJl(BaO(GA#Im^B5BY?
zevyq!v-3qrnsh(xLRW6NGn#`{ZG!&3<G@eY)*#DlY8)sgIygx|R%AmHv_gh2c8U-K
zdtF+81pphNn4NcERlY-vVri}n&82Uc)vtrP@F|ahwTFQn>IF=O|7IpAMDaDjIun-L
zhbrS<<YVmh1Sm1WH)WCysZSM@=L?fHMsYhluetEA<P({9$CK+|^jD9KRP~-HC~cbr
z(ncD(zSrJ`CY?3dAaMARv#5z>F;cy`XS@|D({kL9v4%%fN(A6;yG7oC_#dh*!N`T>
zQFGY%`$PP<z|^A3kvG0Yue0HW@f61W6cXF6gyQ9h_K^w+cjJ5ORE-O2sX#1#5JOi8
zuN;jl%E;!6qo1aaUG{k-bwaW48e$j2YZ8`>31wZGC^*DqJshQjuL0Ud3O$b5+Tl=E
z|A`c)+7JmFgJzqXi~=p_KrRMQcttnFVIZ_mK@$4l1UF(PP=(+M6vi*RKhVxRLPoly
zxU7@w#{4#67gz@@)AV7Zc~((-24<!l8M6???A{X@+@moiFe3&DDuzgg_YDCF6)_eB
z6t!(uT4@BK9`Fwe=V2W_Lhje-=`b-cAutIB1uG5%0vZJX1QfM|w#k5+<hj9maGWX#
XPAh+I=NtqGq&r}0$Q!as0s;sCy`I85

literal 0
HcmV?d00001

diff --git a/requesthandler.php b/requesthandler.php
index ca7488e..26b9ccb 100644
--- a/requesthandler.php
+++ b/requesthandler.php
@@ -28,6 +28,15 @@
 		require('views/error403.php');
 		die;
 	}
+} else if(isset($_SERVER['X-SSL-CERT-DN'])) {
+	$dn = $_SERVER['X-SSL-CERT-DN'];
+	preg_match('|CN=([^,/]*)|', $dn, $matches);
+	try {
+		$active_user = $user_dir->get_user_by_uid($matches[1]);
+	} catch(UserNotFoundException $ex) {
+		require('views/error403.php');
+		die;
+	}
 } else {
 	throw new Exception("Not logged in.");
 }

From 2c82654a43962ccc41cbc669b26142138ec18274 Mon Sep 17 00:00:00 2001
From: Marc Mettke <mmettke@novomind.com>
Date: Mon, 13 May 2019 15:57:45 +0200
Subject: [PATCH 4/4] Correcting Readme for examples

---
 examples/httpd-local/README.md | 2 +-
 examples/nginx-local/README.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/examples/httpd-local/README.md b/examples/httpd-local/README.md
index e608e4d..c8d98e8 100644
--- a/examples/httpd-local/README.md
+++ b/examples/httpd-local/README.md
@@ -1,6 +1,6 @@
 # Example: httpd + htpasswd
 
-This Example shows how to use sca with httpd and ldap using docker.
+This Example shows how to use sca with httpd and htpasswd using docker.
 
 ## Prepare setup
 
diff --git a/examples/nginx-local/README.md b/examples/nginx-local/README.md
index 0627267..3cbdfb5 100644
--- a/examples/nginx-local/README.md
+++ b/examples/nginx-local/README.md
@@ -1,6 +1,6 @@
 # Example: nginx + htpasswd
 
-This Example shows how to use sca with nginx and ldap using docker.
+This Example shows how to use sca with nginx and htpasswd using docker.
 
 ## Prepare setup