Does OpenSSL really need a path to openssl.conf?

Backend · Unresolved · 3 · 2066
一整个雨季 2021-02-07 10:47

I want to create a self-signed certificate in PHP 5.x with my own (alternative) openssl configuration which should be defined by my PHP code. The PHP script will run on differe

3 answers
  • 2021-02-07 11:33

    The answer to this relates to the role of SSL. It is a "shell" around the html/http conversation between client and server. Apache runs it. It's not really "in" PHP land. When you elect to recreate the key pair all you are really doing is kicking Apache in the shins to force the client/server to re-initiate their conversation with a new pair of SSL key pairs.

    In some senses this might be seen as a bit like remaking a session_id.

    My question: Is there a reason why I have to specify the path to openssl.conf explicitly, because it seems to work fine without it:

    The creation of a self-signed certificate is not being done here; a re-creation of it is. Therefore, when you don't supply a path, it's fine with it because it's already had a path from Apache.

    0 Discussion (0)
  • 2021-02-07 11:33

    Creating a self-signed cert in PHP without OpenSSL (requires phpseclib, a pure PHP X.509 implementation)...

    <?php
    // phpseclib 1.x (pure PHP): no openssl extension, no openssl.cnf involved
    include('File/X509.php');
    include('Crypt/RSA.php');
    
    // create private key / x.509 cert for stunnel / website
    $privKey = new Crypt_RSA();
    // createKey() returns array('privatekey' => ..., 'publickey' => ..., 'partialkey' => ...)
    extract($privKey->createKey());
    $privKey->loadKey($privatekey);
    
    $pubKey = new Crypt_RSA();
    $pubKey->loadKey($publickey);
    $pubKey->setPublicKey();
    
    // subject: who the certificate is for
    $subject = new File_X509();
    $subject->setPublicKey($pubKey);
    $subject->setDNProp('id-at-organizationName', 'phpseclib demo cert');
    $subject->setDomain('www.whatever.com');
    
    // issuer: self-signed, so the issuer DN is the subject DN and the signing key is our own
    $issuer = new File_X509();
    $issuer->setPrivateKey($privKey);
    $issuer->setDN($subject->getDN());
    
    $x509 = new File_X509();
    $x509->setStartDate('-1 month');
    $x509->setEndDate('+1 year');
    // serial number given as a base-256 string (phpseclib default), i.e. the value 30
    $x509->setSerialNumber(chr(30));
    
    $result = $x509->sign($issuer, $subject);
    echo "the stunnel.pem contents are as follows:\r\n\r\n";
    echo $privKey->getPrivateKey();
    echo "\r\n";
    echo $x509->saveX509($result);
    echo "\r\n";
    
    0 Discussion (0)
  • 2021-02-07 11:35

    There are many configuration settings in OpenSSL that can't be defined in PHP by $configargs (the PHP parameters you pass to the OpenSSL functions).

    If you don't specify an alternative openssl configuration file, it will automatically take the default openssl.cnf.

    Recommendation: Since your script will run on different servers, you should always use your own openssl.cnf.

    Just create a simple text file and put the following 4 lines in it. Then pass the path to it to the OpenSSL function you are using (look at your second example above).

    distinguished_name  = req_distinguished_name
    [req_distinguished_name]
    [v3_req]
    [v3_ca]
    

    It seems that these 4 lines are the minimum openssl.cnf must contain.

    0 Discussion (0)
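To show the recommendation from the answer above in practice, here is an added example (not code from any of the answers or from PHP's own documentation) that generates a self-signed certificate with the openssl extension while pointing every call at a private openssl.cnf via the `config` key of `$configargs`, then checks that the extensions really came from that file. The explicit `[req]` section, the extension values, the DN, and the name `example.test` are assumptions; the answer's bare 4 lines also work because OpenSSL falls back to the unnamed default section.

```php
<?php
// Added example: self-signed certificate with PHP's openssl extension and a
// private openssl.cnf, so the result does not depend on whichever default
// openssl.cnf the host happens to ship with.

// Minimal configuration (assumed extension values for a plain server cert).
$cnf = <<<'CNF'
[req]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca

[req_distinguished_name]

[v3_req]

[v3_ca]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:example.test
CNF;

$cnfPath = tempnam(sys_get_temp_dir(), 'cnf');
file_put_contents($cnfPath, $cnf);

// 'config' is what makes PHP read our file instead of the default one.
$configargs = array(
    'config'           => $cnfPath,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'private_key_bits' => 2048,
    'digest_alg'       => 'sha256',
    'x509_extensions'  => 'v3_ca',
);

// Subject DN (assumed values).
$dn = array(
    'countryName'      => 'DE',
    'organizationName' => 'Example Org',
    'commonName'       => 'example.test',
);

$key = openssl_pkey_new($configargs);
if ($key === false) {
    die('key: ' . openssl_error_string() . PHP_EOL);
}
$csr = openssl_csr_new($dn, $key, $configargs);
if ($csr === false) {
    die('csr: ' . openssl_error_string() . PHP_EOL);
}
// A null CA certificate makes openssl_csr_sign() sign the CSR with its own key.
$cert = openssl_csr_sign($csr, null, $key, 365, $configargs, time());
if ($cert === false) {
    die('sign: ' . openssl_error_string() . PHP_EOL);
}

openssl_x509_export($cert, $certPem);
openssl_pkey_export($key, $keyPem, null, $configargs);
unlink($cnfPath);

// Check that the extensions came from our file and not from a host default.
$info = openssl_x509_parse($cert);
if (!isset($info['extensions']['subjectAltName'])
    || strpos($info['extensions']['subjectAltName'], 'example.test') === false) {
    die("subjectAltName missing: the custom openssl.cnf was not applied\n");
}
echo $certPem, $keyPem;
```

Because PHP reads whatever file the `config` key names, keep that file under the application's control (written by your code or shipped read-only with it); a config an outside party can edit decides which extensions end up in the certificate.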