Merge pull request #5154 from apritcha1/master

security/acme-client: add support for ACME profiles

security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml

@@ -78,6 +78,12 @@
         <type>checkbox</type>
         <help>Generate and add OCSP Must Staple extension to the certificate. When this option is enabled and issueance/renewal requests fail, then this extension is probably not supported by the CA.</help>
     </field>
+    <field>
+        <id>certificate.profile</id>
+        <label>Certificate Profile</label>
+        <type>text</type>
+        <help><![CDATA[Optional. Specify the ACME Certificate Profile to use (e.g. "shortlived"). See CA documentation for available profiles.]]></help>
+    </field>
     <field>
         <label>Advanced Settings</label>
         <type>header</type>

security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php

@@ -226,7 +226,12 @@ class LeCertificate extends LeCommon
         $cert = array();
         $cert['refid'] = uniqid();
         $cert['caref'] = (string)$ca['refid'];
-        $cert['descr'] = (string)$cert_cn . ' (ACME Client)';
+        if (empty($cert_cn)) {
+            // Fallback to configured name if Common Name is empty (e.g. for IP certificates)
+            $cert['descr'] = (string)$this->config->name . ' (ACME Client)';
+        } else {
+            $cert['descr'] = (string)$cert_cn . ' (ACME Client)';
+        }
         $import_log_message = 'imported';
         $cert_found = false;
 
@@ -648,6 +653,9 @@ class LeCertificate extends LeCommon
             $val->setRenewal((int)$renewInterval);
             $val->setForce($this->force);
             $val->setOcsp((string)$this->config->ocsp == 1 ? true : false);
+            if (!empty((string)$this->config->profile)) {
+                $val->setProfile((string)$this->config->profile);
+            }
             // strip prefix from key value
             $val->setKey(substr($this->config->keyLength, 4));
             $val->prepare();

security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php

@@ -280,6 +280,15 @@ abstract class Base extends \OPNsense\AcmeClient\LeCommon
         $this->acme_args[] = $ocsp == true ? '--ocsp' : null;
     }
 
+    /**
+     * set certificate profile
+     * @param $profile string profile name
+     */
+    public function setProfile(string $profile)
+    {
+        $this->acme_args[] = LeUtils::execSafe('--cert-profile %s', $profile);
+    }
+
     /**
      * set renewal interval
      * @param $interval int specifies the renewal interval in days

security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml

@@ -260,6 +260,11 @@
                     <Default>0</Default>
                     <Required>N</Required>
                 </ocsp>
+                <profile type="TextField">
+                    <Required>N</Required>
+                    <Mask>/^.{1,255}$/u</Mask>
+                    <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
+                </profile>
                 <restartActions type="ModelRelationField">
                     <Model>
                         <actions>