security/acme-client: Add Support for OCSP Must Staple generation

security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml

@@ -44,6 +44,12 @@
         <type>dropdown</type>
         <help><![CDATA[Specify the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384.]]></help>
     </field>
+    <field>
+        <id>certificate.ocsp</id>
+        <label>OCSP Must Staple</label>
+        <type>checkbox</type>
+        <help>Generate and add OCSP Must Staple extension to the certificate.</help>
+    </field>
     <field>
         <id>certificate.restartActions</id>
         <label>Restart Actions</label>

security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml

@@ -214,6 +214,10 @@
                         <key_ec384>ec-384</key_ec384>
                     </OptionValues>
                 </keyLength>
+                <ocsp type="BooleanField">
+                    <default>0</default>
+                    <Required>N</Required>
+                </ocsp>
                 <restartActions type="ModelRelationField">
                     <Model>
                         <actions>

security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php

@@ -809,6 +809,11 @@ function run_acme_validation($certObj, $valObj, $acctObj)
         $key_length = substr_replace($key_length, '-', 2, 0);
     }
 
+    // if OCSP Extension is turned on pass --ocsp parameter to acme client
+    if (isset($certObj->ocsp)) {
+        $acme_args[] = "--ocsp";
+    }
+
     // Run acme client
     // NOTE: We "export" certificates to our own directory, so we don't have to deal
     // with domain names in filesystem, but instead can use the ID of our certObj.