SSL PHP Server Key and Certificate generation: Difference between revisions
SSL PHP Server Key and Certificate generation
Revision as of 08:33, 24 November 2010 by Upazixorys (talk | contribs), no edit summary
Revision of 24 November 2010: m (Reverted edits by Upazixorys (Talk); changed back to last version by Ric)
Line 1: | Line 1: | ||
'''''Server key and certificate generation revisited.''''' | '''''Server key and certificate generation revisited.''''' | ||
== Introduction == | == Introduction == | ||
Line 18: | Line 17: | ||
{| | {| | ||
|-valign= | |-valign="top" | ||
|'''Run.bat'''||& | |'''Run.bat'''|| ||'''cert.php''' | ||
|-valign= | |-valign="top" | ||
| | |<pre> | ||
TITLE UNIFORM SERVER - Certificate and Key generator | TITLE UNIFORM SERVER - Certificate and Key generator | ||
COLOR B0 | COLOR B0 | ||
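Review bot: every left-column difference in this hunk is a quoted value cut off at its opening quote (`|-valign=` against `|-valign="top"`, `|'''Run.bat'''||&` against `|'''Run.bat'''|| ||'''cert.php'''`), which is the vandalism being reverted; the right column is the one to keep, and the same truncation pattern repeats in every hunk below.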
Line 28: | Line 27: | ||
..\..\usr\local\php\php.exe -c ..\..\usr\local\php\php-cli.ini gen.php | ..\..\usr\local\php\php.exe -c ..\..\usr\local\php\php-cli.ini gen.php | ||
pause | pause | ||
</pre> | |||
|& | | | ||
| | |<pre> | ||
<?php | |||
print | print "\ntest\n"; | ||
? | ?> | ||
</pre> | |||
|} | |} | ||
Double click Run.bat runs script cert.php it produces nothing spectacular other than to display test. It proves you have a working set-up for this tutorial. | Double click Run.bat runs script cert.php it produces nothing spectacular other than to display test. It proves you have a working set-up for this tutorial. | ||
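Review bot: the left column's bare `print` with no argument and `?` in place of `?>` are PHP parse errors, so only the right-column cert.php can actually run and print test; the closing sentence of the hunk describes the right-column behaviour and is correct for that version only.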
Line 56: | Line 55: | ||
Press any key to continue . . . | Press any key to continue . . . | ||
| | | | ||
<pre> | |||
<?php | |||
print | print "\ntest\n"; | ||
//=== Generate a new private (and public) key pair | //=== Generate a new private (and public) key pair | ||
$privkey = openssl_pkey_new(); | $privkey = openssl_pkey_new(); | ||
? | ?> | ||
</pre> | |||
|-valign= | |-valign="top" | ||
| | | | ||
Function openssl_pkey_new() is defined in the openssl library. Problem is extension php_openssl.dll is not being loaded because its not configured in configuration file php-cli.ini | Function openssl_pkey_new() is defined in the openssl library. Problem is extension php_openssl.dll is not being loaded because its not configured in configuration file php-cli.ini | ||
Line 73: | Line 72: | ||
Run (Run.bat) script again this time there will be no errors. | Run (Run.bat) script again this time there will be no errors. | ||
| | | | ||
<pre> | |||
[PHP] | [PHP] | ||
extension=php_curl.dll | extension=php_curl.dll | ||
Line 79: | Line 78: | ||
extension=php_openssl.dll | extension=php_openssl.dll | ||
extension_dir = | extension_dir = "./extensions" | ||
error_reporting = E_ALL | E_STRICT | error_reporting = E_ALL | E_STRICT | ||
date.timezone = | date.timezone = "Europe/London" | ||
</pre> | |||
|} | |} | ||
'''''[[#top | Top]]''''' | '''''[[#top | Top]]''''' | ||
Line 88: | Line 87: | ||
=== Openssl configuration === | === Openssl configuration === | ||
{| | {| | ||
|-valign= | |-valign="top" | ||
| | | | ||
The above line creates private and public keys used in other function. | The above line creates private and public keys used in other function. | ||
Line 106: | Line 105: | ||
Reading the manual you will find | Reading the manual you will find | ||
<pre> | |||
Note: You need to have a valid openssl.cnf | Note: You need to have a valid openssl.cnf | ||
installed for this function to operate correctly. | installed for this function to operate correctly. | ||
</pre> | |||
Most functions use this file; trouble is it cannot be found. Path assumed to be either defined by OPENSSL_CONF or SSLEAY_CONF environmental variables or on the default path c:\usr\local\ssl. | Most functions use this file; trouble is it cannot be found. Path assumed to be either defined by OPENSSL_CONF or SSLEAY_CONF environmental variables or on the default path c:\usr\local\ssl. | ||
| | | | ||
<pre> | |||
<?php | |||
print | print "\ntest\n"; | ||
//=== Generate a new private (and public) key pair | //=== Generate a new private (and public) key pair | ||
$privkey = openssl_pkey_new(); | $privkey = openssl_pkey_new(); | ||
Line 120: | Line 119: | ||
//=== Create data array for certificate information | //=== Create data array for certificate information | ||
$dn = array( | $dn = array( | ||
"countryName" => "UK", | |||
"stateOrProvinceName" => "Cambridge", | |||
"localityName" => "Cambs", | |||
"organizationName" => "UniServer", | |||
"organizationalUnitName" => "Demo", | |||
"commonName" => "localhost", | |||
"emailAddress" => "me@example.com" | |||
); | ); | ||
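Review bot: the $dn values for stateOrProvinceName and localityName look swapped: Cambs is the usual abbreviation for the county Cambridgeshire (the state/province level) while Cambridge is the city (locality), so `"stateOrProvinceName" => "Cambs"` and `"localityName" => "Cambridge"` would be the conventional order. Harmless for a self-signed test certificate, but worth fixing before the same array is reused for a real CSR.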
Line 133: | Line 132: | ||
//== Create a self-signed certificate valid for 365 days | //== Create a self-signed certificate valid for 365 days | ||
$sscert = openssl_csr_sign($csr, | $sscert = openssl_csr_sign($csr, "my secret", $privkey, 365); | ||
? | ?> | ||
</pre> | |||
|} | |} | ||
Uniform Server is portable hence the above default path is not applicable. Using environmental variables is not always a predictable solution. | Uniform Server is portable hence the above default path is not applicable. Using environmental variables is not always a predictable solution. | ||
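Review bot: `openssl_csr_sign($csr, "my secret", $privkey, 365)` passes a string in the $cacert position; per the signature quoted later on this page the second parameter is the CA certificate, and a self-signed certificate needs null there, which is what the later version of this line uses (`openssl_csr_sign($csr, null, $privkey, 365, $config)`). At this point in the tutorial the call also still lacks $config, so it fails for the same missing openssl.cnf reason the surrounding prose describes.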
Line 153: | Line 152: | ||
|- | |- | ||
| | | | ||
<pre> | |||
####################################################################### | ####################################################################### | ||
# File name: openssl.cnf | # File name: openssl.cnf | ||
Line 195: | Line 194: | ||
keyUsage = digitalSignature, keyEncipherment | keyUsage = digitalSignature, keyEncipherment | ||
extendedKeyUsage = serverAuth, nsSGC, msSGC | extendedKeyUsage = serverAuth, nsSGC, msSGC | ||
nsComment = | nsComment = "OpenSSL Certificate for SSL Web Server" | ||
[ v3_req ] | [ v3_req ] | ||
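Review bot: in the server-certificate extensions, `extendedKeyUsage = serverAuth, nsSGC, msSGC` carries two Server Gated Cryptography OIDs (Netscape and Microsoft) that date from the export-grade crypto era and are ignored by current TLS clients; `extendedKeyUsage = serverAuth` is sufficient and keeps the certificate's declared purpose minimal. `keyUsage = digitalSignature, keyEncipherment` is the appropriate pair for an RSA server key.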
Line 206: | Line 205: | ||
keyUsage = cRLSign, keyCertSign | keyUsage = cRLSign, keyCertSign | ||
extendedKeyUsage = serverAuth, clientAuth | extendedKeyUsage = serverAuth, clientAuth | ||
nsComment = | nsComment = "OpenSSL CA Certificate" | ||
</pre> | |||
|} | |} | ||
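Review bot: for the CA section, `keyUsage = cRLSign, keyCertSign` is correct, but `extendedKeyUsage = serverAuth, clientAuth` on a CA certificate is misleading, since the CA key signs certificates and CRLs rather than taking part in TLS handshakes; dropping the EKU line from the CA section keeps the CA's declared purpose to signing.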
Line 220: | Line 219: | ||
We are interested only in defining a path to our configuration file. First absolute path is calculated and assigned to key. | We are interested only in defining a path to our configuration file. First absolute path is calculated and assigned to key. | ||
<pre> | |||
//== Determine path | //== Determine path | ||
$ssl_path = getcwd(); | $ssl_path = getcwd(); | ||
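Review bot: `$ssl_path = getcwd();` ties the openssl.cnf lookup to whatever directory the shell was in when Run.bat started, not to where gen.php lives, so launching the script from another directory silently loses the configuration again. `dirname(__FILE__)` (or `__DIR__` on PHP 5.3 and later) resolves the path relative to the script itself and is the usual fix.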
Line 227: | Line 226: | ||
//== Create a configuration array containing path to openssl.cnf | //== Create a configuration array containing path to openssl.cnf | ||
$config = array( | $config = array( | ||
"config" => "$ssl_path/openssl.cnf" | |||
); | ); | ||
</pre> | |||
'''''[[#top | Top]]''''' | '''''[[#top | Top]]''''' | ||
Line 239: | Line 238: | ||
|- | |- | ||
| | | | ||
<pre> | |||
//=== Create data array for certificate information | //=== Create data array for certificate information | ||
$dn = array( | $dn = array( | ||
"countryName" => "UK", | |||
"stateOrProvinceName" => "Cambridge", | |||
"localityName" => "Cambs", | |||
"organizationName" => "UniServer", | |||
"organizationalUnitName" => "Demo", | |||
"commonName" => "localhost", | |||
"emailAddress" => "me@example.com" | |||
); | ); | ||
</pre> | |||
'''''Note'':''' Common name for a real signed certificate would be what a user would type into a browser e.g '''www.fred.com''' | '''''Note'':''' Common name for a real signed certificate would be what a user would type into a browser e.g '''www.fred.com''' | ||
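Review bot: the note on commonName should add that modern browsers no longer match the host name against CN at all (Chrome has ignored CN since version 58); the name must also appear in a subjectAltName extension, which belongs in the `[ v3_req ]` section of the openssl.cnf shown above. The same applies to the self-signed localhost case: a certificate carrying only `"commonName" => "localhost"` is rejected by current browsers even after the certificate itself is trusted.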
Line 256: | Line 255: | ||
=== Function openssl_pkey_new === | === Function openssl_pkey_new === | ||
Function openssl_pkey_new() generates a new private and public key pair. | Function openssl_pkey_new() generates a new private and public key pair. | ||
<pre> | |||
resource openssl_pkey_new ([ array $configargs ] ) | resource openssl_pkey_new ([ array $configargs ] ) | ||
</pre> | |||
Code: | Code: | ||
{| | {| | ||
|- | |- | ||
| | | | ||
<pre> | |||
//=== Generate a new private (and public) key pair | //=== Generate a new private (and public) key pair | ||
$privkey = openssl_pkey_new($config); | $privkey = openssl_pkey_new($config); | ||
</pre> | |||
|} | |} | ||
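Review bot: `openssl_pkey_new($config)` passes only the config path, so the key size and type come from the openssl.cnf defaults or, failing that, PHP's built-in default, which in the PHP 5 versions this tutorial targets is a 1024-bit RSA key. Adding `"private_key_bits" => 2048` and `"private_key_type" => OPENSSL_KEYTYPE_RSA` to $config makes the key size explicit and meets the current minimum.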
Line 273: | Line 272: | ||
Function openssl_csr_new() generates a new CSR (Certificate Signing Request) based on the information provided by dn, | Function openssl_csr_new() generates a new CSR (Certificate Signing Request) based on the information provided by dn, | ||
<pre> | |||
mixed openssl_csr_new (array $dn, resource & | mixed openssl_csr_new (array $dn, resource &$privkey [,array $configargs [,array $extraattribs ]] ) | ||
</pre> | |||
Code: | Code: | ||
{| | {| | ||
|- | |- | ||
| | | | ||
<pre> | |||
//=== Generate a certificate signing request | //=== Generate a certificate signing request | ||
$csr = openssl_csr_new($dn, $privkey, $config); | $csr = openssl_csr_new($dn, $privkey, $config); | ||
</pre> | |||
|} | |} | ||
Line 289: | Line 288: | ||
=== Function openssl_csr_sign === | === Function openssl_csr_sign === | ||
Function openssl_csr_sign() generates an x509 certificate resource from the given CSR. | Function openssl_csr_sign() generates an x509 certificate resource from the given CSR. | ||
<pre> | |||
resource openssl_csr_sign(mixed $csr, mixed $cacert, mixed $priv_key, int $days[,array $configargs[,int $serial = 0 ]]) | resource openssl_csr_sign(mixed $csr, mixed $cacert, mixed $priv_key, int $days[,array $configargs[,int $serial = 0 ]]) | ||
</pre> | |||
Code: | Code: | ||
{| | {| | ||
|- | |- | ||
| | | | ||
<pre> | |||
//== Create a self-signed certificate valid for 365 days | //== Create a self-signed certificate valid for 365 days | ||
$sscert = openssl_csr_sign($csr, null, $privkey, 365, $config); | $sscert = openssl_csr_sign($csr, null, $privkey, 365, $config); | ||
</pre> | |||
|} | |} | ||
Essentially that completes certificate and key generation! They are currently resources these require extracting to appropriate files. Following function perform this task: | Essentially that completes certificate and key generation! They are currently resources these require extracting to appropriate files. Following function perform this task: | ||
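Review bot: the signature shows `int $serial = 0` and the call never sets it, so every run of the script issues a certificate with serial number 0 under the same issuer name. Clients that cache certificates keyed by issuer and serial (Firefox reports SEC_ERROR_REUSED_ISSUER_AND_SERIAL) then reject the regenerated one; passing a fresh serial such as `time()` as the sixth argument avoids that on each regeneration.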
Line 307: | Line 306: | ||
Function openssl_pkey_export_to_file()saves an ascii PEM encoded verion of key into the file named by outfilename. | Function openssl_pkey_export_to_file()saves an ascii PEM encoded verion of key into the file named by outfilename. | ||
<pre> | |||
bool openssl_pkey_export_to_file(mixed $key,string $outfilename[,string $passphrase[,array $configargs]]) | bool openssl_pkey_export_to_file(mixed $key,string $outfilename[,string $passphrase[,array $configargs]]) | ||
</pre> | |||
This function is a quick way to kill Apache stone dead! To prevent this ensure you use NULL for $passphrase. | This function is a quick way to kill Apache stone dead! To prevent this ensure you use NULL for $passphrase. | ||
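Review bot: "kill Apache stone dead" deserves one more sentence on why: a passphrase-encrypted key needs an interactive prompt at start-up, and an Apache service on Windows has no console on which to answer it. The price of NULL is that server.key is written in clear, so the text should also say that the file's ACL must restrict it to the account Apache runs as and that it must never sit under the web root.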
Line 316: | Line 315: | ||
|- | |- | ||
| | | | ||
<pre> | |||
//== Create key file. Note no passphrase | //== Create key file. Note no passphrase | ||
openssl_pkey_export_to_file($privkey, | openssl_pkey_export_to_file($privkey,"server.key",NULL, $config); | ||
</pre> | |||
|} | |} | ||
Line 326: | Line 325: | ||
Function openssl_x509_export_to_file() exports a certificate to file | Function openssl_x509_export_to_file() exports a certificate to file | ||
<pre> | |||
bool openssl_x509_export_to_file(mixed $x509, string $outfilename [,bool $notext ]) | bool openssl_x509_export_to_file(mixed $x509, string $outfilename [,bool $notext ]) | ||
</pre> | |||
The optional parameter notext if it is FALSE, additional human-readable information is included in the output. | The optional parameter notext if it is FALSE, additional human-readable information is included in the output. | ||
Line 337: | Line 336: | ||
|- | |- | ||
| | | | ||
<pre> | |||
//== Create server certificate | //== Create server certificate | ||
openssl_x509_export_to_file($sscert, | openssl_x509_export_to_file($sscert, "server.crt", FALSE ); | ||
</pre> | |||
|} | |} | ||
'''''[[#top | Top]]''''' | '''''[[#top | Top]]''''' | ||
Line 346: | Line 345: | ||
==== Function openssl_csr_export_to_file ==== | ==== Function openssl_csr_export_to_file ==== | ||
Function openssl_csr_export_to_file()exports a CSR to a file | Function openssl_csr_export_to_file()exports a CSR to a file | ||
<pre> | |||
bool openssl_csr_export_to_file(resource $csr, string $outfilename[, bool $notext = true ]) | bool openssl_csr_export_to_file(resource $csr, string $outfilename[, bool $notext = true ]) | ||
</pre> | |||
Code: | Code: | ||
Line 354: | Line 353: | ||
|- | |- | ||
| | | | ||
<pre> | |||
//== Create a signing request file | //== Create a signing request file | ||
openssl_csr_export_to_file($csr, | openssl_csr_export_to_file($csr, "server.csr"); | ||
</pre> | |||
|} | |} | ||
'''''[[#top | Top]]''''' | '''''[[#top | Top]]''''' | ||
Line 366: | Line 365: | ||
|- | |- | ||
| | | | ||
<pre> | |||
<?php | |||
//== Determine path | //== Determine path | ||
Line 375: | Line 374: | ||
//== Create a configuration array containing path to openssl.cnf | //== Create a configuration array containing path to openssl.cnf | ||
$config = array( | $config = array( | ||
"config" => "$ssl_path/openssl.cnf" | |||
); | ); | ||
//=== Create data array for certificate information | //=== Create data array for certificate information | ||
$dn = array( | $dn = array( | ||
"countryName" => "UK", | |||
"stateOrProvinceName" => "Cambridge", | |||
"localityName" => "Cambs", | |||
"organizationName" => "UniServer", | |||
"organizationalUnitName" => "Demo", | |||
"commonName" => "localhost", | |||
"emailAddress" => "me@example.com" | |||
); | ); | ||
Line 399: | Line 398: | ||
//== Create key file. Note no passphrase | //== Create key file. Note no passphrase | ||
openssl_pkey_export_to_file($privkey, | openssl_pkey_export_to_file($privkey,"server.key",NULL, $config); | ||
//== Create server certificate | //== Create server certificate | ||
openssl_x509_export_to_file($sscert, | openssl_x509_export_to_file($sscert, "server.crt", FALSE ); | ||
//== Create a signing request file | //== Create a signing request file | ||
openssl_csr_export_to_file($csr, | openssl_csr_export_to_file($csr, "server.csr"); | ||
? | ?> | ||
</pre> | |||
|} | |} | ||
Run the script, you can manually copy key and certificate to the server. | Run the script, you can manually copy key and certificate to the server. | ||
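Review bot: none of the calls in the full script check their result: openssl_pkey_new(), openssl_csr_new() and openssl_csr_sign() return false on failure, and the three export functions return bool per their signatures quoted above, so a missing openssl.cnf or an unwritable directory leaves partial files behind with no message. Guarding each step, for example `if ($sscert === false) die(openssl_error_string());`, would surface the OpenSSL error instead of a silently empty server.key or server.crt.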
Line 449: | Line 448: | ||
For example this extract from Nano_5_6_7 httpd.conf | For example this extract from Nano_5_6_7 httpd.conf | ||
<pre> | |||
# Example: | # Example: | ||
# LoadModule foo_module modules/mod_foo.so | # LoadModule foo_module modules/mod_foo.so | ||
# | # | ||
Loadfile | Loadfile "C:/Nano_5_6_7/UniServer/usr/local/php/ssleay32.dll" | ||
Loadfile | Loadfile "C:/Nano_5_6_7/UniServer/usr/local/php/libeay32.dll" | ||
Loadfile | Loadfile "C:/Nano_5_6_7/UniServer/usr/local/php/libmysql.dll" | ||
LoadModule actions_module modules/mod_actions.so | LoadModule actions_module modules/mod_actions.so | ||
LoadModule alias_module modules/mod_alias.so | LoadModule alias_module modules/mod_alias.so | ||
</pre> | |||
It gives a saving of 1.51 MB | It gives a saving of 1.51 MB | ||
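Review bot: the Loadfile lines point Apache at the OpenSSL DLLs shipped with PHP, so the 1.51 MB saving also pins Apache and PHP to a single OpenSSL build; that is an advantage for patching (one copy of ssleay32.dll and libeay32.dll to update for both), but an Apache or PHP upgrade that expects a different OpenSSL version will fail to start until the pair is matched again.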