Diffstat (limited to 'security/certmonger')
-rw-r--r--security/certmonger/Makefile42
-rw-r--r--security/certmonger/distinfo3
-rw-r--r--security/certmonger/files/certmonger.in26
-rw-r--r--security/certmonger/files/patch-src_util-o.c24
-rw-r--r--security/certmonger/pkg-descr27
-rw-r--r--security/certmonger/pkg-plist71
6 files changed, 193 insertions, 0 deletions
diff --git a/security/certmonger/Makefile b/security/certmonger/Makefile
new file mode 100644
index 000000000000..6b810d2ffe9c
--- /dev/null
+++ b/security/certmonger/Makefile
@@ -0,0 +1,42 @@
+PORTNAME= certmonger
+DISTVERSION= 0.79.20
+PORTREVISION= 1
+CATEGORIES= security
+MASTER_SITES= https://pagure.io/certmonger/archive/${DISTVERSION}/
+
+MAINTAINER= crees@FreeBSD.org
+COMMENT= Daemon to enrol with a CA and renew SSL certificates
+WWW= https://pagure.io/certmonger
+
+LICENSE= GPLv3
+LICENSE_FILE= ${WRKSRC}/LICENSE
+
+LIB_DEPENDS= libcurl.so:ftp/curl \
+ libdbus-1.so:devel/dbus \
+ libidn2.so:dns/libidn2 \
+ libjansson.so:devel/jansson \
+ libldap.so:net/openldap26-client \
+ libnspr4.so:devel/nspr \
+ libnss3.so:security/nss \
+ libpopt.so:devel/popt \
+ libtalloc.so:devel/talloc \
+ libtevent.so:devel/tevent \
+ libuuid.so:misc/libuuid
+
+USES= autoreconf gettext gnome gssapi:mit iconv pkgconfig ssl
+USE_GNOME= libxml2
+USE_RC_SUBR= ${PORTNAME}
+GNU_CONFIGURE= yes
+CONFIGURE_ARGS+= ${ICONV_CONFIGURE_ARG}
+CFLAGS+= -L${PREFIX}/lib -lintl
+
+# There appears to be some hardcoded gettext dependencies
+#OPTIONS_DEFINE= NLS
+
+post-install:
+ ${MV} ${STAGEDIR}${ETCDIR}/${PORTNAME}.conf \
+ ${STAGEDIR}${ETCDIR}/${PORTNAME}.conf.sample
+ ${RMDIR} ${STAGEDIR}/var/lib/${PORTNAME}/cas
+ ${RMDIR} ${STAGEDIR}/var/lib/${PORTNAME}/requests
+
+.include <bsd.port.mk>
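Review bot: `CFLAGS+= -L${PREFIX}/lib -lintl` puts a library search path and a library into the compiler flags, so both end up on every compile command as well as on the link. It also points at `${PREFIX}`, although the libraries named in LIB_DEPENDS are installed under `${LOCALBASE}`, so a build with a non-default PREFIX would search the wrong directory. I would write `LDFLAGS+= -L${LOCALBASE}/lib` and `LIBS+= -lintl` instead. The comment above the disabled `OPTIONS_DEFINE= NLS` line could also say that this is why libintl is linked unconditionally.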
diff --git a/security/certmonger/distinfo b/security/certmonger/distinfo
new file mode 100644
index 000000000000..425f176df586
--- /dev/null
+++ b/security/certmonger/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1747746478
+SHA256 (certmonger-0.79.20.tar.gz) = 23645a5c1b284d73df448dbb97366c1b6e639223fc9465e7834fa5c5fef3f01e
+SIZE (certmonger-0.79.20.tar.gz) = 962445
diff --git a/security/certmonger/files/certmonger.in b/security/certmonger/files/certmonger.in
new file mode 100644
index 000000000000..5b7a7fafa4bd
--- /dev/null
+++ b/security/certmonger/files/certmonger.in
@@ -0,0 +1,26 @@
+#!/bin/sh
+#
+# PROVIDE: certmonger
+# REQUIRE: dbus
+# KEYWORD: shutdown
+#
+# Add the following lines to /etc/rc.conf to enable Certmonger
+#
+# dbus_enable=yes
+# certmonger_enable=yes
+#
+
+. /etc/rc.subr
+
+name=certmonger
+rcvar=certmonger_enable
+desc="Certificate monitor and PKI enrolment client"
+load_rc_config $name
+
+: ${certmonger_enable:=no}
+
+command="%%PREFIX%%/sbin/certmonger"
+pidfile=/var/run/certmonger.pid
+command_args="-p $pidfile"
+
+run_rc_command $*
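Review bot: `run_rc_command $*` on the last line expands all arguments unquoted, so they are subject to word splitting and globbing before rc.subr sees them. The usual form for an rc.d script is `run_rc_command "$1"`, which passes only the requested action. Since the daemon presumably runs as root to manage keys and certificates, it is worth keeping the start script on the conventional, quoted form.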
diff --git a/security/certmonger/files/patch-src_util-o.c b/security/certmonger/files/patch-src_util-o.c
new file mode 100644
index 000000000000..dbd041aae460
--- /dev/null
+++ b/security/certmonger/files/patch-src_util-o.c
@@ -0,0 +1,24 @@
+This can be removed once FreeBSD 13 stops being supported
+
+--- src/util-o.c.orig 2024-06-10 21:15:16 UTC
++++ src/util-o.c
+@@ -19,6 +19,7 @@
+
+ #include <sys/types.h>
+ #include <sys/stat.h>
++#include <sys/param.h>
+ #include <errno.h>
+ #include <fcntl.h>
+ #include <grp.h>
+@@ -551,7 +552,11 @@ util_EVP_PKEY_dup(EVP_PKEY *pkey,
+
+ static EVP_PKEY *
+ util_EVP_PKEY_dup(EVP_PKEY *pkey,
++#if __FreeBSD_version >= 1400092
+ int (*i2d)(const EVP_PKEY *, unsigned char **),
++#else
++ int (*i2d)(EVP_PKEY *, unsigned char **),
++#endif
+ EVP_PKEY *(*d2i)(int, EVP_PKEY **, const unsigned char **, long))
+ {
+ EVP_PKEY *k;
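Review bot: The added `#if __FreeBSD_version >= 1400092` selects the `i2d` prototype by operating-system version, but the const-ness of that callback is a property of the OpenSSL headers being compiled against, not of the kernel. The Makefile has `USES= ssl`, so on FreeBSD 13 a build against an OpenSSL 3 from ports would presumably take the non-const branch and fail or warn on the pointer type mismatch. Testing the library directly, `#if OPENSSL_VERSION_NUMBER >= 0x30000000L`, would follow whichever OpenSSL is in use and would not need the extra `<sys/param.h>` include, provided an OpenSSL header is already included above this point in util-o.c. The body of util_EVP_PKEY_dup continues outside the hunk.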
diff --git a/security/certmonger/pkg-descr b/security/certmonger/pkg-descr
new file mode 100644
index 000000000000..57bfb56e9369
--- /dev/null
+++ b/security/certmonger/pkg-descr
@@ -0,0 +1,27 @@
+Certmonger is primarily concerned with getting you or your system
+enrolled with a certificate authority (CA) and keeping you enrolled.
+
+To do this, the certmonger daemon runs in the background, taking guidance from
+client tools (via a D-Bus API, a command-line tool is provided which uses it).
+
+The daemon:
+
+ can generate key pairs if you don't already have one
+ can use a key pair to generate a certificate signing request
+ can submit the signing request to a CA
+ can wait for the CA to decide whether or not to issue the certificate
+ can store an issued certificate in a specified location
+ can monitor the certificate to see if it's about to expire
+ can warn you or simply log that a certificate is about to expire
+ can attempt to get a new certificate when a certificate is about to expire
+
+The goal is to have certmonger do what you need it to do based on what you've
+told it you need. If you already have a certificate, it will be happy to just
+check on it periodically and warn you when it's about to expire. If you tell it
+where the private key is, and where the CA is, it can go ahead and try to
+re-enroll if you like.
+
+Keys and certificates can be stored and read in any of these formats:
+
+ PEM-formatted files
+ NSS database (dbm or sql)
diff --git a/security/certmonger/pkg-plist b/security/certmonger/pkg-plist
new file mode 100644
index 000000000000..fa555dcc03b1
--- /dev/null
+++ b/security/certmonger/pkg-plist
@@ -0,0 +1,71 @@
+bin/getcert
+bin/ipa-getcert
+bin/local-getcert
+bin/selfsign-getcert
+@sample %%ETCDIR%%/certmonger.conf.sample
+etc/dbus-1/system.d/org.fedorahosted.certmonger.conf
+libexec/certmonger/certmonger-session
+libexec/certmonger/dogtag-ipa-renew-agent-submit
+libexec/certmonger/dogtag-submit
+libexec/certmonger/ipa-submit
+libexec/certmonger/local-submit
+libexec/certmonger/scep-submit
+sbin/certmonger
+share/dbus-1/services/org.fedorahosted.certmonger.service
+share/locale/bg/LC_MESSAGES/certmonger.mo
+share/locale/ca/LC_MESSAGES/certmonger.mo
+share/locale/cs_CZ/LC_MESSAGES/certmonger.mo
+share/locale/da/LC_MESSAGES/certmonger.mo
+share/locale/de/LC_MESSAGES/certmonger.mo
+share/locale/es/LC_MESSAGES/certmonger.mo
+share/locale/eu/LC_MESSAGES/certmonger.mo
+share/locale/fr/LC_MESSAGES/certmonger.mo
+share/locale/gu/LC_MESSAGES/certmonger.mo
+share/locale/hu/LC_MESSAGES/certmonger.mo
+share/locale/id/LC_MESSAGES/certmonger.mo
+share/locale/it/LC_MESSAGES/certmonger.mo
+share/locale/ja/LC_MESSAGES/certmonger.mo
+share/locale/ka/LC_MESSAGES/certmonger.mo
+share/locale/ko/LC_MESSAGES/certmonger.mo
+share/locale/lt/LC_MESSAGES/certmonger.mo
+share/locale/nb/LC_MESSAGES/certmonger.mo
+share/locale/nl/LC_MESSAGES/certmonger.mo
+share/locale/pl/LC_MESSAGES/certmonger.mo
+share/locale/pt/LC_MESSAGES/certmonger.mo
+share/locale/pt_BR/LC_MESSAGES/certmonger.mo
+share/locale/ru/LC_MESSAGES/certmonger.mo
+share/locale/si/LC_MESSAGES/certmonger.mo
+share/locale/sv/LC_MESSAGES/certmonger.mo
+share/locale/ta/LC_MESSAGES/certmonger.mo
+share/locale/tr/LC_MESSAGES/certmonger.mo
+share/locale/uk/LC_MESSAGES/certmonger.mo
+share/locale/zh_CN/LC_MESSAGES/certmonger.mo
+share/locale/zh_TW/LC_MESSAGES/certmonger.mo
+share/man/man1/getcert-add-ca.1.gz
+share/man/man1/getcert-add-scep-ca.1.gz
+share/man/man1/getcert-list-cas.1.gz
+share/man/man1/getcert-list.1.gz
+share/man/man1/getcert-modify-ca.1.gz
+share/man/man1/getcert-refresh-ca.1.gz
+share/man/man1/getcert-refresh.1.gz
+share/man/man1/getcert-rekey.1.gz
+share/man/man1/getcert-remove-ca.1.gz
+share/man/man1/getcert-request.1.gz
+share/man/man1/getcert-resubmit.1.gz
+share/man/man1/getcert-start-tracking.1.gz
+share/man/man1/getcert-status.1.gz
+share/man/man1/getcert-stop-tracking.1.gz
+share/man/man1/getcert.1.gz
+share/man/man1/ipa-getcert.1.gz
+share/man/man1/local-getcert.1.gz
+share/man/man1/selfsign-getcert.1.gz
+share/man/man5/certmonger.conf.5.gz
+share/man/man8/certmonger-dogtag-ipa-renew-agent-submit.8.gz
+share/man/man8/certmonger-dogtag-submit.8.gz
+share/man/man8/certmonger-ipa-submit.8.gz
+share/man/man8/certmonger-local-submit.8.gz
+share/man/man8/certmonger-scep-submit.8.gz
+share/man/man8/certmonger.8.gz
+@dir /var/lib/certmonger/local
+@dir /var/lib/certmonger
+@dir /var/lib
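Review bot: The state directories at the end of the list, `@dir /var/lib/certmonger/local` and `@dir /var/lib/certmonger`, are registered without an owner or mode, so they are created with the package defaults. The Makefile's post-install target removes `cas` and `requests` from the stage, so those two are presumably created by the daemon at run time with whatever umask it has. If any of these directories can hold key-related material (the local CA's data, tracked request state), I would state the intended permissions explicitly, for example `@dir(root,wheel,0700) /var/lib/certmonger/local`, after confirming which mode the daemon and its helpers need.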