Source Code : Managing X.509 certificates using PHP
Managing X.509 certificates using PHP
req ] default_bits = 1024 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes x509_extensions = v3_ca dirstring_type = nobmp [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = AU countryName_min = 2 countryName_max = 2 localityName = Locality Name (eg, city) organizationalUnitName = Organizational Unit Name (eg, section) commonName = Common Name (eg, YOUR name) commonName_max = 64 emailAddress = Email Address emailAddress_max = 40 [ req_attributes ] challengePassword = A challenge password challengePassword_min = 4 challengePassword_max = 20 [ v3_ca ] subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always basicConstraints = CA:true
Name it as openssl.cnf and put in the same folder, where you want to work
with certificates.
Here are some basic actions you can perform with X.509 certificates.
Create certificate with public key, private key and certificate's signature:
// Returns a cer encoded SSL certificate function create_identity_cer( $countryName, $stateOrProvinceName, $localityName, $organizationName, $organizationalUnitName, $commonName, $emailAddress, $foafLocation) { // Create the DN array for the openssl function calls if ($countryName) $dn = array("countryName" => $countryName);
if ($stateOrProvinceName) { if ($dn) $dn = array_merge($dn, array("stateOrProvinceName" => $stateOrProvinceName)); else $dn = array("stateOrProvinceName" => $stateOrProvinceName); }
if ($localityName) { if ($dn) $dn = array_merge($dn, array("localityName" => $localityName)); else $dn = array("localityName" => $localityName); }
if ($organizationName) { if ($dn) $dn = array_merge($dn, array("organizationName" => $organizationName)); else $dn = array("organizationName" => $organizationName); }
if ($organizationalUnitName) { if ($dn) $dn = array_merge($dn, array("organizationalUnitName" => $organizationalUnitName)); else $dn = array("organizationalUnitName" => $organizationalUnitName); }
if ($commonName) { if ($dn) $dn = array_merge($dn, array("commonName" => $commonName)); else $dn = array("commonName" => $commonName); }
if ($emailAddress) { if ($dn) $dn = array_merge($dn, array("emailAddress" => $emailAddress)); else $dn = array("emailAddress" => $emailAddress); }
// if the $dn array is NULL at this point set country name to the default of GB if (!$dn) $dn = array("countryName" => "GB");
// Setup the contents of the subjectAltName if ($foafLocation) $SAN="URI:$foafLocation";
if ($emailAddress) { if ($SAN) $SAN.=",email:$emailAddress"; else $SAN="email:$emailAddress"; }
// Export the subjectAltName to be picked up by the openssl.cnf file if ($SAN) { putenv("SAN=$SAN"); }
// Create the array to hold the configuration options for the openssl function calls // You may need to change the slash "\" (for windows) to "/" for linux $config = array('config'=>dirname(__file__) . '\\openssl.cnf');
if ($SAN) { // TODO - This should be more easily configured //$config = array_merge($config, array('x509_extensions' => 'usr_cert')); }
// Generate a new private (and public) key pair $privkey = openssl_pkey_new($config);
if ($privkey==FALSE) { // Show any errors that occurred here while (($e = openssl_error_string()) !== false) { echo $e . "\n"; print "
if (!$csr) { // Show any errors that occurred here while (($e = openssl_error_string()) !== false) { echo $e . "\n"; print "
"; } }
// You will usually want to create a self-signed certificate at this // point until your CA fulfills your request. // This creates a self-signed cert that is valid for 365 days $sscert = openssl_csr_sign($csr, null, $privkey, 365, $config);
if ($sscert==FALSE) { // Show any errors that occurred here while (($e = openssl_error_string()) !== false) { echo $e . "\n"; print "
"; } }
if (openssl_x509_export($sscert, $certout)==FALSE) { // Show any errors that occurred here while (($e = openssl_error_string()) !== false) { echo $e . "\n"; print "
"; } } $pkout = ""; if (openssl_pkey_export($privkey, $pkout,"test123", $config)==FALSE) { // Show any errors that occurred here while (($e = openssl_error_string()) !== false) { echo $e . "\n"; print "
After this script, there should be 3 files generated, cer file, which is your
certificate with public key, pem while, which stores your private key and simple
txt file containing signature, by which we can verify your certificate.
So now let's verify certificate. Let's create php file with these contents:
/******************************* * Modify these parameters *******************************/ $foafLocation = "as07142"; /******************************* * End modifications *******************************/
// fetch public key from certificate and ready it $pubkeyid = openssl_pkey_get_public($cert);
// state whether signature is okay or not $ok = openssl_verify($cert, $sig, $pubkeyid); if ($ok == 1) { echo "
Verified
"; } elseif ($ok == 0) { echo "
Not Verified
"; } else { echo "
Error cheking signature
"; } // free the key from memory openssl_free_key($pubkeyid); ?>
Verification verifies if subject and issuer is the same person, you can
modify it to fit your needs. And then we verify if certificate itself using
signature.
Next thing we can do is to encrypt any information using our public key in
certificate and then decrypt it with our private key. Meaning anyone can take
your certificate and encrypt information with it, and only you could decrypt it
using your private key.
