SSL PHP Server Key and Certificate generation: Difference between revisions

'''''Server key and certificate generation revisited.'''''
== Introduction ==
Line 17: Line 18:
   
   
{|
|-valign="top"
|'''Run.bat'''|| ||'''cert.php'''
|-valign="top"
|<pre>
TITLE UNIFORM SERVER - Certificate and Key generator  
COLOR B0
Line 27: Line 28:
..\..\usr\local\php\php.exe -c ..\..\usr\local\php\php-cli.ini  gen.php
pause
</pre>
|&nbsp;
|<pre>
<?php
print "\ntest\n";
?>
</pre>
|}
Double-clicking Run.bat runs the script cert.php; it produces nothing spectacular other than displaying test, but it proves you have a working set-up for this tutorial.
Line 55: Line 56:
Press any key to continue . . .
|
<pre>
<?php
print "\ntest\n";
//=== Generate a new private (and public) key pair
$privkey = openssl_pkey_new();
?>
</pre>
|-valign="top"
|
Function openssl_pkey_new() is defined in the OpenSSL library. The problem is that the extension php_openssl.dll is not being loaded because it is not configured in the configuration file php-cli.ini.
Line 72: Line 73:
Run the script again (Run.bat); this time there will be no errors.
|
<pre>
[PHP]
extension=php_curl.dll
Line 78: Line 79:
extension=php_openssl.dll

extension_dir = "./extensions"
error_reporting = E_ALL | E_STRICT
date.timezone = "Europe/London"
</pre>
|}
'''''[[#top | Top]]'''''
Line 87: Line 88:
=== Openssl configuration ===
{|
|-valign="top"
|
The above line creates the private and public keys used by the other functions.
Line 105: Line 106:


Reading the manual you will find:
<pre>
Note: You need to have a valid openssl.cnf
installed for this function to operate correctly.
</pre>
Most functions use this file; the trouble is that it cannot be found. The path is assumed to be defined by the OPENSSL_CONF or SSLEAY_CONF environment variable, or to be the default path c:\usr\local\ssl.
|
<pre>
<?php
print "\ntest\n";
//=== Generate a new private (and public) key pair
$privkey = openssl_pkey_new();
Line 119: Line 120:
//=== Create data array for certificate information
$dn = array(
   "countryName"           => "UK",
   "stateOrProvinceName"   => "Cambridge",
   "localityName"           => "Cambs",
   "organizationName"       => "UniServer",
   "organizationalUnitName" => "Demo",
   "commonName"             => "localhost",
   "emailAddress"           => "me@example.com"
);

Line 132: Line 133:


//== Create a self-signed certificate valid for 365 days
$sscert = openssl_csr_sign($csr, "my secret", $privkey, 365);

?>
</pre>
|}
Uniform Server is portable, hence the above default path is not applicable. Using environment variables is not always a predictable solution.
Line 152: Line 153:
|-
|
<pre>
#######################################################################
# File name: openssl.cnf
Line 194: Line 195:
keyUsage                = digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth, nsSGC, msSGC
nsComment              = "OpenSSL Certificate for SSL Web Server"

[ v3_req ]
Line 205: Line 206:
keyUsage                = cRLSign, keyCertSign
extendedKeyUsage        = serverAuth, clientAuth
nsComment              = "OpenSSL CA Certificate"
</pre>
|}

Line 219: Line 220:


We are interested only in defining a path to our configuration file. First the absolute path is calculated and then assigned to the key.
<pre>
//== Determine path
$ssl_path = getcwd();
Line 226: Line 227:
//== Create a configuration array containing path to openssl.cnf  
$config = array(
"config" => "$ssl_path/openssl.cnf"
);
</pre>

'''''[[#top | Top]]'''''
Line 238: Line 239:
|-
|
<pre>
//=== Create data array for certificate information
$dn = array(
   "countryName"           => "UK",
   "stateOrProvinceName"   => "Cambridge",
   "localityName"           => "Cambs",
   "organizationName"       => "UniServer",
   "organizationalUnitName" => "Demo",
   "commonName"             => "localhost",
   "emailAddress"           => "me@example.com"
);
</pre>
'''''Note'':''' The common name for a real signed certificate would be what a user types into a browser, e.g. '''www.fred.com'''

Line 255: Line 256:
=== Function openssl_pkey_new ===
Function openssl_pkey_new() generates a new private and public key pair.
<pre>
resource openssl_pkey_new  ([  array $configargs  ] )
</pre>
Code:
{|
|-
|
<pre>
//=== Generate a new private (and public) key pair
$privkey = openssl_pkey_new($config);
</pre>
|}

Line 272: Line 273:
Function openssl_csr_new() generates a new CSR (Certificate Signing Request) based on the information provided by dn,

<pre>
mixed openssl_csr_new (array $dn, resource &$privkey [,array $configargs [,array $extraattribs ]] )
</pre>
Code:
{|
|-
|
<pre>
//=== Generate a certificate signing request
$csr = openssl_csr_new($dn, $privkey, $config);
</pre>
|}

Line 288: Line 289:
=== Function openssl_csr_sign ===
Function openssl_csr_sign() generates an x509 certificate resource from the given CSR.
<pre>
resource openssl_csr_sign(mixed $csr, mixed $cacert, mixed $priv_key, int $days[,array $configargs[,int $serial = 0 ]])
</pre>
Code:
{|
|-
|
<pre>
//== Create a self-signed certificate valid for 365 days
$sscert = openssl_csr_sign($csr, null, $privkey, 365, $config);
</pre>
|}
Essentially that completes certificate and key generation! They are currently resources; these require extracting to appropriate files. The following functions perform this task:
Line 306: Line 307:
Function openssl_pkey_export_to_file() saves an ASCII PEM-encoded version of the key into the file named by outfilename.

<pre>
bool openssl_pkey_export_to_file(mixed $key,string $outfilename[,string $passphrase[,array $configargs]])
</pre>
This function is a quick way to kill Apache stone dead! Apache cannot start with a passphrase-protected key unless the passphrase is entered interactively, so to prevent this ensure you use NULL for $passphrase.

Line 315: Line 316:
|-
|
<pre>
//== Create key file. Note no passphrase
openssl_pkey_export_to_file($privkey,"server.key",NULL, $config);
</pre>
|}

Line 325: Line 326:
Function openssl_x509_export_to_file() exports a certificate to a file.

<pre>
bool openssl_x509_export_to_file(mixed $x509, string $outfilename [,bool $notext ])
</pre>
If the optional parameter notext is FALSE, additional human-readable information is included in the output.

Line 336: Line 337:
|-
|
<pre>
//== Create server certificate  
openssl_x509_export_to_file($sscert,  "server.crt",  FALSE );
</pre>
|}
'''''[[#top | Top]]'''''
Line 345: Line 346:
==== Function openssl_csr_export_to_file ====
Function openssl_csr_export_to_file() exports a CSR to a file.
<pre>
bool openssl_csr_export_to_file(resource $csr, string $outfilename[, bool $notext = true ])
</pre>

Code:
Line 353: Line 354:
|-
|
<pre>
//== Create a signing request file  
openssl_csr_export_to_file($csr, "server.csr");
</pre>
|}
'''''[[#top | Top]]'''''
Line 365: Line 366:
|-
|
<pre>
<?php

//== Determine path
Line 374: Line 375:
//== Create a configuration array containing path to openssl.cnf  
$config = array(
"config" => "$ssl_path/openssl.cnf"
);

//=== Create data array for certificate information
$dn = array(
   "countryName"           => "UK",
   "stateOrProvinceName"   => "Cambridge",
   "localityName"           => "Cambs",
   "organizationName"       => "UniServer",
   "organizationalUnitName" => "Demo",
   "commonName"             => "localhost",
   "emailAddress"           => "me@example.com"
);

Line 398: Line 399:


//== Create key file. Note no passphrase
openssl_pkey_export_to_file($privkey,"server.key",NULL, $config);

//== Create server certificate  
openssl_x509_export_to_file($sscert,  "server.crt",  FALSE );

//== Create a signing request file  
openssl_csr_export_to_file($csr, "server.csr");
?>
</pre>
|}
Run the script; you can then manually copy the key and certificate to the server.
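As an added example (not the tutorial's own code), the script below runs the same key, CSR and self-signed certificate pipeline as the full script above, but pins the RSA key size and signing digest explicitly instead of relying on whatever openssl.cnf supplies, and checks the result before exporting anything for Apache to load. It assumes openssl.cnf sits in the current directory, as in the tutorial.

```php
<?php
// Added example (not from the Uniform Server tutorial): the tutorial's pipeline
// with key size and digest pinned rather than taken from openssl.cnf defaults,
// plus checks before anything is written for Apache to load.
// Assumption: openssl.cnf is in the current directory, as in the tutorial.
if (!extension_loaded("openssl")) {
    die("php_openssl.dll is not loaded; check php-cli.ini\n");
}
$config = array(
    "config"           => getcwd() . "/openssl.cnf",
    "private_key_bits" => 2048,               // overrides default_bits in openssl.cnf
    "private_key_type" => OPENSSL_KEYTYPE_RSA,
    "digest_alg"       => "sha256",           // overrides default_md in openssl.cnf
);
$dn = array(
    "countryName"      => "UK",
    "organizationName" => "UniServer",
    "commonName"       => "localhost",
);

$privkey = openssl_pkey_new($config);
$csr     = $privkey ? openssl_csr_new($dn, $privkey, $config) : false;
$sscert  = $csr ? openssl_csr_sign($csr, null, $privkey, 365, $config) : false;
if (!$sscert) {
    die("generation failed: " . openssl_error_string() . "\n");
}
// Checks a deployer wants before copying the files to the server.
$cert = openssl_x509_parse($sscert);
$key  = openssl_pkey_get_details($privkey);
$problems = array();
if ($cert["subject"]["CN"] !== "localhost") {
    $problems[] = "unexpected CN: " . $cert["subject"]["CN"];
}
if ($cert["validTo_time_t"] <= time()) {
    $problems[] = "certificate already expired (system clock or openssl.cnf problem)";
}
if (!openssl_x509_check_private_key($sscert, $privkey)) {
    $problems[] = "private key does not match certificate";
}
if ($key["bits"] < 2048) {
    $problems[] = "key too small: " . $key["bits"] . " bits";
}
if ($problems) {
    die("refusing to export:\n - " . implode("\n - ", $problems) . "\n");
}

openssl_pkey_export_to_file($privkey, "server.key", NULL, $config); // no passphrase
openssl_x509_export_to_file($sscert, "server.crt", FALSE);
print "server.key and server.crt written (" . $key["bits"] . "-bit RSA, SHA-256)\n";
```

Run it from the same directory as openssl.cnf with the php-cli.ini shown earlier; if any check fails nothing is written, so a bad key or certificate never reaches the server.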
Line 448: Line 449:


For example, this extract from the Nano_5_6_7 httpd.conf:
<pre>
# Example:
# LoadModule foo_module modules/mod_foo.so
#

Loadfile "C:/Nano_5_6_7/UniServer/usr/local/php/ssleay32.dll"
Loadfile "C:/Nano_5_6_7/UniServer/usr/local/php/libeay32.dll"
Loadfile "C:/Nano_5_6_7/UniServer/usr/local/php/libmysql.dll"


LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
</pre>
It gives a saving of 1.51 MB  

